
Identification & ZKIP

noah-jordan

Presentation Transcript


  1. Identification & ZKIP

  2. Contents
     • Introduction
     • Passwords
     • Challenge-Response
     • ZKIP

  3. Why do we need Identification?
     1. Bank machine withdrawals: 4 ~ 6-digit PIN (Personal Identification Number) at an ATM (Automatic Teller Machine)
     2. In-store credit card purchases
     3. Prepaid calling card: asking for a service by telephone card or membership card
     4. Remote login: remote access to a host in a client/server environment
     5. Access to restricted areas, etc.

  4. Identification by personal info.

  5. Biometric Information Extracted from A. Jail’s presentation in SCIS2006, Japan

  6. Way of Identification
     • Password-based scheme (weak authentication)
       • crypt passwd under UNIX
       • one-time password
     • Challenge-Response scheme (strong authentication)
       • Symmetric cryptosystem
       • MAC (keyed-hash) function
       • Asymmetric cryptosystem
     • Cryptographic Protocols
       • Fiat-Shamir identification protocol
       • Schnorr identification protocol, etc.

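  7. Identification by Password
     [Diagram: the Prover A sends (passwd, A) to the Verifier. The Verifier looks up A's entry h(passwd) in its passwd table and tests whether h of the received passwd equals it: y → accept, n → reject.]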

  8. Attack against Fixed PWDs
     • Replay of fixed pwds
       • Observe the pwd as it is typed in
       • Eavesdrop on the data in cleartext
       • Not suitable over open communication networks
     • Exhaustive pwd search
       • Let E(c) be the entropy of 8-char pwds from c choices
       • E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6
     • Pwd guessing and dictionary attacks
       • A large dictionary contains 250,000 words
       • Dictionary attack: ordered word lists are encrypted and compared to entries in the encrypted dictionary
       • Combine numerical and alphabetical characters.

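  9. crypt passwd in UNIX
     [Diagram: the user passwd is truncated to 8 ASCII chars (0-padded if necessary) and supplies the 56-bit key of DES*; the 12-bit user salt goes into DES*. The first 64-bit input is $I_1 = 0 \ldots 0$; each 64-bit output $O_i$ becomes the next input $I_i$, $2 \le i \le 25$. $O_{25}$ (64 bits) and the salt (12 bits) are repacked, 76 bits into 11 7-bit characters, giving the encrypted passwd stored in /etc/passwd.]
     • salt: 12-bit random value taken from the system clock when the passwd is selected.
     • DES*: DES with expansion E modified by the 12-bit salt, giving $2^{12} = 4096$ DES variations.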

  10. Challenge-Response Protocol
      • Assumption
        • Secret Key: known only to P and V
        • Random Challenge: P and V have perfect random number generators for their challenges. There is a very small probability that the same challenge occurs by chance in 2 different sessions.
        • MAC security: the MAC is secure, meaning no (ε, Q)-forger exists. The probability that an attacker can correctly compute a MAC is at most ε, given Q other MACs (e.g. Q=10,000 or 100,000).

  11. Challenge-Response Scheme (I)
      • Using Symmetric Cryptosystem; V and P share the key K
      V → P: random challenge x
      P → V: $y = e_K(x)$
      V: computes $y' = e_K(x)$ and checks $y = y'$ ?
      • Vulnerable to parallel session attack (man-in-the-middle).
      • Need to change x to be ID(V)||r
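Added example (not part of the original slides): the symmetric scheme of slide 11 with and without the binding ID(V)||r, showing that a response V itself produced in a parallel session is accepted by the unbound form and rejected by the bound one. HMAC-SHA256 as the keyed function, the Party class and the session labels are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the slide's keyed function e_K.
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:
    """Holder of the shared key K; may act as verifier or as prover."""
    def __init__(self, ident: bytes, key: bytes, bind_identity: bool):
        self.ident, self.key, self.bind = ident, key, bind_identity
        self.pending = {}                      # session label -> outstanding r

    def _mac_input(self, challenger_id: bytes, r: bytes) -> bytes:
        # Bound form: ID(challenger) || r, identity length-prefixed so the
        # concatenation is unambiguous. Unbound form: r alone.
        if self.bind:
            return len(challenger_id).to_bytes(2, "big") + challenger_id + r
        return r

    def challenge(self, session: str) -> bytes:
        r = secrets.token_bytes(16)            # fresh random challenge
        self.pending[session] = r
        return r

    def respond(self, challenger_id: bytes, r: bytes) -> bytes:
        return mac(self.key, self._mac_input(challenger_id, r))

    def verify(self, session: str, y: bytes) -> bool:
        r = self.pending.pop(session, None)    # each challenge is single-use
        if r is None:
            return False
        expected = mac(self.key, self._mac_input(self.ident, r))
        return hmac.compare_digest(y, expected)

def honest_run(bind_identity: bool) -> bool:
    key = secrets.token_bytes(32)
    v, p = Party(b"V", key, bind_identity), Party(b"P", key, bind_identity)
    r = v.challenge("s1")
    return v.verify("s1", p.respond(b"V", r))

def reflected_response_accepted(bind_identity: bool) -> bool:
    """V's challenge from session s1 comes back to V in a parallel session
    where the peer, named P, is the challenger. Is V's answer valid in s1?"""
    key = secrets.token_bytes(32)
    v = Party(b"V", key, bind_identity)
    r = v.challenge("s1")
    y = v.respond(b"P", r)                     # V answering as prover
    return v.verify("s1", y)
```

With the binding, the MAC input names who issued the challenge, so a value computed for challenger P never matches what V expects for its own challenge.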

  12. Challenge-Response Scheme (II)
      • Using Asymmetric Cryptosystem; public key: PK
      V → P: random challenge x
      P → V: y = e[sK, x]
      V: y' = d[pk, x], checks y = y' ?
      P can prove to have secret information in either way:
      (1) P decrypts a challenge encrypted under P's public key.
      (2) P digitally signs a challenge.

  13. Zero-Knowledge Interactive Proof (I)
      • GMR (Goldwasser, Micali, Rackoff)
        • "The knowledge complexity of interactive-proof systems", Proc. of 17th ACM Symp. on Theory of Computing, pp. 291-304, 1985
        • "The knowledge complexity of interactive-proof systems", SIAM J. on Computing, Vol. 18, pp. 186-208, 1989 (revised version)
      • ZKIP (Zero Knowledge Interactive Proof): between P and V
        • Completeness: only the true P can prove to V.
        • Soundness: a false P' can't prove to V.
        • 0-Knowledge: no knowledge is transferred to V.

  14. Zero Knowledge Interactive Proof(II)

  15. Concept of ZKIP

  16. Classification of ZKIPs
      [Classification chart; labels recovered from the slide:]
      • Property: Perfect, Computational, Statistical ZK
      • Object: Membership, Knowledge
      • Interactive / Non-interactive
      • 1P/1V, MP, MV
      • WH Model, 0-K, Minimum Know., Oracle
      • Computational power:
        • GMR Model*: P: infinite, V: poly
        • BCC Model (minimum disclosure): Model 1 (P: poly, V: infinite), Model 2 (P: poly, V: poly)
      * AM-game: GMR model and V has random coin.

  18. F-S Identification (I)
      (Preparation)
      (TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as no one knows the factorization.
      (P) (i) private key: choose a random value S such that gcd(S, n) = 1 (1 < S < n)
          (ii) public key: P computes $I = S^2 \bmod n$ and publishes (I, n) as public
      (Goal) P has to convince V that he knows his private key S and its corresponding public key (I, n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.

  19. F-S Identification (II)
      1. P chooses a random value r (1 < r < n), computes $x = r^2 \bmod n$, then sends x to V.
      2. V requests from P one of the following at random: (a) r or (b) rS mod n
      3. P sends the requested information to V.
      4. V verifies that he received the right answer by checking whether (a) $r^2 \equiv x \pmod n$ or (b) $(rS)^2 \equiv xI \pmod n$
      5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party.
      6. This protocol is repeated t (usually 20 or 30) times, and if the verification succeeds in all of them, V concludes that P is the claimed party.

  20. F-S Identification (III)
      public: I, n, where n = pq and $I = S^2 \bmod n$
      P → V: x
      2. V → P: $e_i \in \{0, 1\}$
      3. P → V: y. If $e_i = 0$, send y = r; if $e_i = 1$, send y = rS
      4. V: if $e_i = 0$, check $y^2 \equiv x \pmod n$ ? If $e_i = 1$, check $y^2 \equiv xI \pmod n$ ?
      Repeat t times.
      * commitment-witness-challenge-response-verification and repeat

  21. Security of F-S scheme
      (1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n.
      (2) Since P doesn't know (when he chooses r or rS mod n) which question V will ask, he can't choose the required answer in advance.
      (3) P can succeed in guessing V's question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only $2^{-t}$, which decreases exponentially with t (t = 20 or 30).
      (4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information: he learns that I is a quadratic residue.
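Added example (not part of the original slides): the round of slides 19 and 20 in Python, with an honest prover run for t rounds and a prover without S who must fix x for one guessed request, which is why a single round is passed with probability 1/2 and t rounds with $2^{-t}$. The modulus N is a constructed toy value and the function names are assumptions of this sketch.

```python
import math
import secrets

def keygen(n):
    """Private S with gcd(S, n) = 1 and public I = S^2 mod n."""
    while True:
        S = secrets.randbelow(n - 2) + 2            # 1 < S < n
        if math.gcd(S, n) == 1:
            return S, pow(S, 2, n)

def commit(n):
    r = secrets.randbelow(n - 2) + 2                # 1 < r < n
    return r, pow(r, 2, n)                          # x = r^2 mod n

def respond(r, S, e, n):
    return r if e == 0 else (r * S) % n             # (a) r or (b) rS mod n

def check(x, y, e, I, n):
    rhs = x if e == 0 else (x * I) % n
    return pow(y, 2, n) == rhs                      # y^2 = x or y^2 = xI (mod n)

def identify(S, I, n, t=20):
    """t rounds with an honest prover; V accepts only if every round verifies."""
    for _ in range(t):
        r, x = commit(n)
        e = secrets.randbelow(2)                    # V's random request
        if not check(x, respond(r, S, e, n), e, I, n):
            return False
    return True

def guessing_round(I, n, guess, e):
    """A prover without S fixes x to fit one request (guess); V then asks e."""
    while True:
        y = secrets.randbelow(n - 2) + 2
        if math.gcd(y, n) == 1:
            break
    x = pow(y, 2, n)
    if guess == 1:
        x = (x * pow(I, -1, n)) % n                 # chosen so y^2 = xI (mod n)
    return check(x, y, e, I, n)

def pass_rate(I, n, trials=2000):
    """Fraction of single rounds survived by guessing; close to 1/2."""
    ok = sum(guessing_round(I, n, secrets.randbelow(2), secrets.randbelow(2))
             for _ in range(trials))
    return ok / trials

# Constructed toy modulus; a real n is a large product of secret primes.
N = 1019 * 1031
```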

  22. Schnorr Identification (I)
      • Based on DLP under Trusted Authority (TA)
      • TA decides public parameters
        • p: large prime (1024 bit)
        • q: large prime divisor of p-1 (160 bit)
        • $\alpha \in Z_p^*$ has order q
        • t: security parameter such that $q > 2^t$
      • Public parameters: p, q, α, t
      • Prover chooses
        • private key: a ($1 \le a \le q-1$)
        • public key: $v = \alpha^{-a} \bmod p$
      • Honest Verifier (choose r at random by the scheme) ZKIP

  23. Schnorr Identification (II)
      Public par.: p, q, α, t; private key: a; public key: v
      1. P: select random k. P → V: commitment, cert(P)
      2. V: verify P's public key, generate random challenge r. V → P: r
      3. P: y = k + ar mod q. P → V: y
      4. V: verify

  24. Schnorr Identification (III)
      • (TA)
        • p = 88667, q = 1031, t = 10, α = 70322 has order q in $Z_p^*$
      • (P)
        • private key a = 755
        • public key $v = \alpha^{-a} \bmod p = 70322^{1031-755} \bmod 88667 = 13136$
      • P: random k = 543, $\alpha^k \bmod p = 70322^{543} \bmod 88667 = 84109$, commit
      • V: random challenge r = 1000
      • P: y = k + ar mod q = 543 + 755 × 1000 mod 1031 = 851
      • V: on receiving y, verify that $84109 \equiv 70322^{851} \cdot 13136^{1000} \pmod{88667}$. If equal, accept
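Added example (not part of the original slides): the Schnorr exchange of slides 22 to 24 in Python, replaying the slide's numbers and then running a session with fresh randomness. The function names, the challenge range 1 ≤ r ≤ 2^t and the verifier's range checks are assumptions of this sketch; the parameters are the slide's toy values, far below the 1024-bit p and 160-bit q that slide 22 calls for.

```python
import secrets

# Public parameters from the slide's worked example (toy sizes).
P, Q, T, ALPHA = 88667, 1031, 10, 70322

def public_key(a):
    # v = alpha^(-a) mod p, computed as alpha^(q - a) since alpha has order q
    return pow(ALPHA, Q - a, P)

def commit(k=None):
    # The prover picks a secret k and sends the commitment alpha^k mod p.
    if k is None:
        k = secrets.randbelow(Q)               # 0 <= k <= q - 1
    return k, pow(ALPHA, k, P)

def challenge():
    # Assumption: the verifier draws r uniformly from 1 .. 2^t.
    return secrets.randbelow(2 ** T) + 1

def respond(k, a, r):
    return (k + a * r) % Q                     # y = k + a*r mod q

def verify(gamma, r, y, v):
    # Reject out-of-range values before doing any arithmetic on them.
    if not (1 <= r <= 2 ** T and 0 <= y < Q):
        return False
    # Accept iff gamma = alpha^y * v^r (mod p)
    return gamma == (pow(ALPHA, y, P) * pow(v, r, P)) % P

def slide_example():
    """Replays slide 24: a = 755, k = 543, r = 1000."""
    a = 755
    v = public_key(a)
    k, gamma = commit(543)
    r = 1000
    y = respond(k, a, r)
    return v, gamma, y, verify(gamma, r, y, v)

def random_session(a):
    """One full run with fresh k and r; an honest prover is always accepted."""
    v = public_key(a)
    k, gamma = commit()
    r = challenge()
    return verify(gamma, r, respond(k, a, r), v)
```

The check works because $\alpha^y v^r = \alpha^{k + ar} \alpha^{-ar} = \alpha^k \pmod p$, which is exactly the commitment.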

  25. Other Identification schemes
      • Okamoto Identification scheme (p. 378)
      • Guillou-Quisquater Identification scheme (p. 383)
      • ID-based identification
      • Others
