250 likes | 361 Views
Identification & ZKIP. Contents. Introduction Passwords Challenge-Response ZKIP. Why do need Identification ?. 1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine) 2. In store credit card purchases
E N D
Contents Introduction Passwords Challenge-Response ZKIP
Why do need Identification ? 1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine) 2. In store credit card purchases 3. Prepaid calling card : Asking a service by telephone card or membership cards 4. Remote login: Remote access to host under Client /Server environment 5. Access to restricted areas, etc.
Biometric Information Extracted from A. Jail’s presentation in SCIS2006, Japan
Way of Identification • Password-based scheme (weak authentication) • crypt passwd under UNIX • one-time password • Challenge-Response scheme (strong authentication) • Symmetric cryptosystem • MAC(keyed-hash) function • Asymmetric cryptosystem • Cryptographic Protocols • Fiat-Shamir identification protocol • Schnorr identification protocol, etc
Identification by Password Prover Verifier passwd table passwd,A A A h(passwd) y = h accept passwd n reject
Attack against Fixed PWDs • Replay fixed pwds • Observe pwd as it is typed in • Eavesdrop the data in cleartext • Not suitable over open communication networks • Exhaustive pwd search • Let E(c) be the entropy of 8-char pwds from choices • E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6 • Pwd guessing and dictionary attacks • A large dictionary contains 250,000 words • Dictionary attack: order lists and compared to entries in the encrypted dictionary • Combine numerical and alphabetical characters.
crypt passwd in UNIX I1= 0…0 next input Ii 2 i 25 64 user salt truncate to 8 ASCII chars; 0-pad if necessary user passwd 56 DES* 12 output, Oi 64 O25 12 Repack 76 bits into 11 7-bit characters salt : 12-bit random from system clock when select passwd. DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations, encrypted passwd /etc/passwd
Challenge-Response Protocol • Assumption • Secret Key : known to only P and V • Random Challenge : P and V have perfect random number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions • MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)
Challenge-Response Scheme(I) K V P random challenge,x x y=eK(x) y y’=eK(x) y=y’ ? • Vulnerable to parallel session attack (man-in-the-middle). • Need to change x to be ID(V)||r • Using Symmetric Cryptosystem
Challenge-Response Scheme(II) PK V P random challenge,x x y=e[sK,x] y y’= d[pk ,x] y = y’ ? • Using Asymmetric Cryptosystem P can prove to have secret information in either way : (1) P decrypts a challenge encrypted under P’s public key. (2) P digitally signs a challenge.
Zero-Knowledge Interactive Proof(I) • GMR (Goldwasser, Micali, Rackoff) • “The knowledge complexity of interactive-proof systems”, Proc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985 • “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp.186-208, 1989 (revised version) • ZKIP (Zero Knowledge Interactive Proof) : between P and V • Completeness : Only true P can prove V. • Soundness : False P’ can’t prove V. • 0-Knowledge : No knowledge transfer to V.
Classification of ZKIPs Property Perfect Computational Statistical ZK Interactive Object Membership Knowledge Computational power 1P/1V WH Model 0-K Minimum Know. Oracle ZKIP GMR Model * P:infinite, V: poly Non-interactive MP BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly) MV *AM-game : GMR model and V has random coin.
Classification of ZKIPs Property Perfect Computational Statistical ZK Interactive Object Membership Knowledge Computational power 1P/1V WH Model 0-K Minimum Know. Oracle ZKIP GMR Model * P:infinite, V: poly Non-interactive MP BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly) MV *AM-game : GMR model and V has random coin.
F-S Identification (I) (Preparation) (TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization. (P) (i) private key: choose random value S, s.t. gcd(S,n)=1. (1 < S < n) (ii) public key : P computes I=S2mod n, and publishes (I,n) as public Goal P has to convince V that he knows his private key S and its corresponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.
F-S Identification (II) 1. P chooses random value r (1<r<n) and computes x=r2mod n. then sends x to V. 2. V requests from P one of the following request at random (a) r or (b) rS mod n 3. P sends the requested information to V. 4. V verifies that he received the right answer by checking whether (a) r2 = x mod n or (b) (rS)2 = xI mod n 5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party. 6. This protocol is repeatedt(usually 20 or 30) times, and if in all of them the verification succeeds, V concludes that P is the claimed party.
F-S Identification (III) public : I,n n=pq, I=S2 mod n P V x 2.ei={0,1} ei Repeat t-times y 3. If ei=0, send y=r If ei=1, send y=rS 4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n? * commitment-witness-challenge-response-verification and repeat
Security of F-S scheme (1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n. (2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance. (3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t.(t=20 or 30) (4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information :he learns that I is a quadratic residue
Schnorr Identification (I) • Based on DLP under Trusted Authority (TA) • TA decides public parameters • p : large prime (1024 bit) • q : large prime divisor of p-1 (160 bit) • α Zp* has order q • t : security parameter s.t. q > 2t • Public parameters : p, q, α, t • Prover choose • private key : a ( 1 ≤ a ≤q-1) • public key v = α–amod p • Honest Verifier (choose r at random by the scheme) ZKIP
Schnorr Identification (II) Public par. : p,q,α,t private key : a, public key: v 1. Select random k P V 2. Verify P’s public key generate random challenge , cert(P) r 3. y = k + ar mod q y 4. Verify
Schnorr Identification (III) • (TA) • p=88667, q=1031, t=10, α=70322 has order q in Zp* • (P) • private key a = 755 • public key v = α-a mod p = 703221031-755 mod 88667 = 13136 • P: random k = 543, αk mod p = 70322543 mod 88667 = 84109, commit • V: random challenge r =1000 • P: y= k + ar mod q = 543 + 755x1000 mod 1031= 851 • V: on receiving y, verify that 84109 = 70322851 131361000 mod 88667. If equals, accept
Other Identification schemes Okamoto Identification scheme (p.378) Guillou-Quisquarter Identification scheme (p. 383) ID-based identification Others