
A provably secure secret handshake with dynamic controlled matching

A provably secure secret handshake with dynamic controlled matching. Alessandro Sorniotti, Refik Molva. Computers and Security, Volume 29, Issue 5, July 2010, pp. 619-627. Outline: Introduction; Preliminaries; The scheme – SecureMatching; The scheme – Secret Handshake; Security analysis.


Presentation Transcript


  1. A provably secure secret handshake with dynamic controlled matching • Alessandro Sorniotti, Refik Molva • Computers and Security, Volume 29, Issue 5, July 2010, pp. 619-627

  2. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

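  3. Introduction • Secret Handshake • 2003, proposed by Balfanz et al. • Two users simultaneously verify whether each other is a member of the same group • Certification authority • Able to certify and verify users' identities. • Issues property credentials and matching references so that users can prove themselves and verify the other party. • Setting: untraceable and anonymous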

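  4. Introduction • Matchmaking • 1985, presented by Baldwin and Gramlich. • Solves the secret handshake (HS) problem, but differs in that • users can communicate with members of other groups • Main difference from HS • A matchmaking user can set their own credential and matching reference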

  5. Introduction • This paper proposes • Secret handshake scheme with dynamic controlled matching • Users ask the CA to issue credentials and references, which give them the ability to prove and to verify.

  6. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

  7. Preliminaries • U: a set of users • P: a set of properties • $(G_1, +)$ and $(G_2, *)$: two groups of order q for some large prime q. • $e: G_1 \times G_1 \to G_2$ is a bilinear map • Bilinear: for $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$ • Non-degenerate: $e(P, P) \neq 1$ is a generator of $G_2$. • Computable: an efficient algorithm exists to compute $e(P, Q)$ for all $P, Q \in G_1$. • $H: P \to G_1$ is a one-way hash function.

  8. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

  9. SecureMatching • Prover-verifier protocol • The prover must convince the verifier that it is a member of the group. • Prover: uses its credential to convince the verifier • Verifier: uses its reference to verify the prover

  10. SecureMatching • Setup: • $P \in_R G_1$: a random generator of $G_1$. • $r, s, t, v \in_R \mathbb{Z}_q^*$: random values. • $R = rP$, $S = sP$, $T = tP$, $V = vrP$ • System public parameters = $\{q, P, R, S, T, V, e, G_1, G_2, H\}$ • System secret parameters = $\{r, s, t, v\}$

  11. SecureMatching • Join • User $u \in U$ • Secret value $x_u \in_R \mathbb{Z}_q^*$ • $X_u = x_u s^{-1} r P$

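  12. SecureMatching • Certify • Runs only when the CA receives a request from user u • User u belongs to group $p \in P$ • The CA first checks that (u, p) is legitimate; if so, it issues the credential $cred_p = vH(p)$ to user u • User u verifies: $e(cred_p, R) = e(H(p), V)$ • If the equation holds, u accepts the credential; otherwise u discards it.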

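  13. SecureMatching • Grant • Runs only when the CA receives a request from user u • User u wants to communicate with group $p \in P$ • The CA first checks that p is a group u is permitted to communicate with • If so, it issues the matching reference $match_{u,p} = t^{-1} r (cred_p + x_u P)$ to user u • User u verifies: $e(match_{u,p}, T) = e(H(p), V)\, e(X_u, S)$ • If the equation holds, u accepts the reference; otherwise u discards it.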

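  14. SecureMatching • Matching • A: prover; A holds $cred_{p_A}$ to prove membership in group $p_A$ • B: verifier; B uses $match_{B,p_B}$ to verify • Protocol • 1. B→A: • B generates $n \in_R \mathbb{Z}_q^*$ and sends $N_1 = nP$, $N_2 = nR$ to A • 2. A→B: • A checks $e(N_1, P) = e(N_2, R)$ • If the check passes, A generates $r_1, r_2 \in_R \mathbb{Z}_q^*$ and sends $disguisedCred_{p_A} = \langle r_1 cred_{p_A},\ r_2 N_2,\ r_1 r_2 S,\ r_1 r_2 T \rangle$ to B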

  15. SecureMatching • Matching • Protocol • 3. B checks whether K = 1; if so, B is assured that A belongs to group $p_A$ (i.e. $p_A$ and $p_B$ are the same group)

  16. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

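  17. Secret Handshake • How to get from SecureMatching (SM) to a secret handshake scheme (SHS) • Exchange of a session key • The key is valid only after the SM protocol has succeeded for both parties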

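  18. Secret Handshake • Secret Handshake (protocol diagram) • Alice: $X_A$, $match_{A,p_2}$, $cred_{p_1}$; values $r_{1A}, r_{2A}, r_{3A}, n_A$ • Bob: $X_B$, $match_{B,p_1}$, $cred_{p_2}$; values $r_{1B}, r_{2B}, r_{3B}, n_B$ • From Alice: $n_A P$, $n_A R$ • From Bob: $n_B P$, $n_B R$ • From Bob: $r_{1B}(cred_{p_2} + r_{3B} P)$, $r_{2B}(n_A R)$, $r_{1B} r_{2B} S$, $r_{1B} r_{2B} T$ • From Alice: $r_{1A}(cred_{p_1} + r_{3A} P)$, $r_{2A}(n_B R)$, $r_{1A} r_{2A} S$, $r_{1A} r_{2A} T$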

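  19. Secret Handshake • Secret Handshake • Alice and Bob evaluate the check equation K • Alice computes $K_A = e(P, P)^{r_{1B} r_{2B} r_{3B} r}$ • Bob computes $K_B = e(P, P)^{r_{1A} r_{2A} r_{3A} r}$ • $K' = (K_A)^{r_{1A} r_{2A} r_{3A}}$, $K'' = (K_B)^{r_{1B} r_{2B} r_{3B}}$ • If $K' = K''$, the two parties have successfully exchanged a session key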

  20. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

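  21. Security analysis • Attack types • Linking • The attacker is able to tell that the same two parties took part in different protocol runs • Untraceability • Knowing • A malicious verifier can determine the prover's group without the correct reference • Detector resistance • Forging • A malicious prover can convince the verifier without the correct credential • Impersonation resistance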

  22. Security analysis • Security of SecureMatching and secret handshake • Untraceability • Detector resistance • Impersonation resistance • BDDH assumption • Given $(P, aP, bP, cP, xP)$, decide whether $x = abc$

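  23. Security analysis • Untraceability • Given two disguised credentials, the attacker is able to show that both are credentials for the same group • Detector resistance • Without the correct reference, the attacker successfully runs the protocol with a legitimate prover • Impersonation resistance • The attacker forges a fake credential and is able to convince a legitimate verifier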

  24. Outline • Introduction • Preliminaries • The scheme – SecureMatching • The scheme – Secret Handshake • Security analysis • Conclusion

  25. Conclusion • Uses SecureMatching to achieve a secret handshake • Load on the user
