Lecture 17: Public-Key Protocols David Evans CS588: Cryptography

Lecture 17:
Public-Key Protocols
CS588: Cryptography
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Story So Far
• Symmetric Encryption
– Amplify and time-shift a small secret to transmit large secrets
• Asymmetric Encryption
– Use a trustworthy non-secret to establish secrets, check signatures
• Proving an encryption algorithm is secure is either:
– Reasonably easy if it is a perfect cipher
– Essentially impossible if it is not
12 April 2005
University of Virginia CS 588
2
Plan for Rest of the Course
• Today, Thursday: some interesting applications of cryptography
• Next Tuesday: Quantum/visual crypto
• Next Thursday, April 26: Software system security: real world security is mostly not about cryptography
• April 28: Project presentations
If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday.
Finding Project Partners
• Simple way:
– Ask people in the class if they want to work with you
• Problems:
– You face rejection and ridicule if they say no
• Can you find partners without revealing your wishes unless they are reciprocated?
– Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them
Use a Universally Trusted Third Party
[Figure: MatchMaker.com sits between Bob and Alice. Bob sends “Bob would like to work with: Ron Rivest, Sandra Bullock, Alice”; Alice sends “Alice: Thomas Jefferson, Colleen Hacker, Bob”; MatchMaker.com tells Bob “Alice is your best match”.]
Use a Universally Trusted Third Party
[Figure: Bob sends MatchMaker.com E_KUM[E_KRB[“Bob would like …”]] (signed with Bob’s private key, encrypted with MatchMaker’s public key); MatchMaker.com replies E_KUB[E_KRM[“Alice”]].]
HashMaker.com?
• Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board.
• No one else can tell Bob’s deepest darkest desires (H is one-way)
• If someone else writes the same hash on the board, Bob has found his match
• How well does this work?
Untrusted Third Party
[Figure: Bob sends HashMatcher.com the item E_H(W)[W].]
Use the hash of the wish as the encryption key for some symmetric cipher: HashMatcher can’t determine the wish, and someone with the same exact wish will match exactly.
How can we send a message to HashMaker without it knowing who sent it?
[Figure: nested envelopes addressed To: Router1, To: Router2, To: Router3, To: Router4 and finally To: HashMaker; the outer envelope says “From: Bob”, the inner one “From: Anonymous”.]
Onion Routing
[Figure: Bob, routers R1–R5, and HashMatcher.com.]
Pick n random routers, R_i1 … R_in
R_ik gets a message M_k:
E_KUR_ik(To: R_ik+1 || M_k+1)
Onion Routing
[Figure: Bob, routers R1–R5, and HashMatcher.com.]
Pick 1 random router: R2
Send R2: E_KUR2(To: HashMatcher.com || M)
Onion Routing
[Figure: Bob, routers R1–R5, and HashMatcher.com.]
Pick 2 random routers: R2, R5
Send R2: E_KUR2[To: R5 || E_KUR5[To: HashMatcher.com || M]]
http://tor.eff.org
Traffic Analysis
[Figure: Bob, routers R1–R5, and HashMatcher.com.]
If these are the only packets on the network, someone observing the network knows it was Bob
Preventing Traffic Analysis
[Figure: Bob, routers R1–R5, and HashMatcher.com.]
Finding Partners
• If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way, in alphabetical order)
• Using onion routing, sends HashMatcher: E_H(W)[W]
• Using onion routing, queries HashMatcher whether there is a matching item
– If so, Alice wants to work with him
Problems with this Protocol
• Cathy could send W = “Alice + Bob”
• Anyone can query “x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which)
• If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them?
• Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol
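Added example (not from the lecture): the HashMatcher items E_H(W)[W] from the earlier slides and the “query x + Bob for all x” problem above, in Python. The symmetric cipher is a stand-in keystream built from SHA-256, and the names wish_item, pair_wish, HashMatcher and enumerate_pairings are my own.

```python
import hashlib

def keystream(key, length):
    # Stand-in for "some symmetric cipher": SHA-256(key || counter) blocks (toy only).
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def wish_item(wish):
    # E_H(W)[W]: the key is H(W). Deterministic, so equal wishes produce equal items,
    # and whoever does not already know W cannot derive the key to open the item.
    w = wish.encode()
    key = hashlib.sha256(w).digest()
    return bytes(a ^ b for a, b in zip(w, keystream(key, len(w))))

def pair_wish(a, b):
    # W = "Alice + Bob": the class agreed to list the two names in alphabetical order.
    return " + ".join(sorted((a, b)))

class HashMatcher:
    # Untrusted server: stores opaque items and answers only equality queries.
    def __init__(self):
        self.items = set()
    def submit(self, item):
        self.items.add(item)
    def query(self, item):
        return item in self.items

def enumerate_pairings(matcher, name, roster):
    # The leak from "Problems with this Protocol": W comes from a small set, so
    # anyone can query "x + name" for every x on the roster. Whoever finds a
    # match learns that a pairing exists, though not which side submitted it.
    return [x for x in roster if x != name and matcher.query(wish_item(pair_wish(x, name)))]
```

The matcher itself never learns W, but because the wish space is the class roster, the one-way hash buys nothing against a query that walks the roster.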
MIXes
[Figure: inputs C1, C2, C3, C4 enter a MIX; outputs M1, M2, M3, M4 leave in a random, secret permutation.]
Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input
MIX Net [Chaum81]
[Figure: inputs C1–C4 pass through three mixes A, B, C in turn; A computes E_KRA(C), B computes E_KRB(C), C computes E_KRC(C); outputs M1–M4.]
What is input? C = E_KUA[E_KUB[E_KUC[M]]]
What if Eve can see all traffic?
What if one of A, B or C is corrupt?
What if two are corrupt?
Any good applications?
Voting Application
[Figure: inputs C1–C4 pass through the Republicrat Party, Democrican Party and Orange Party mixes; outputs M1–M4.]
C = E_KUR[E_KUD[E_KUG[“Badnarik”]]]
How well does this work?
* Note: any resemblance to real political parties is purely coincidental.
Voting Application
[Figure: the same three-party mix net.]
C = E_KUR[E_KUD[E_KUG[“Badnarik”]]]
Easy for any eavesdropper (knows public keys) to compute C for small set of possible messages
Voting Application
[Figure: the same three-party mix net.]
C = E_KUR[E_KUD[E_KUG[“Badnarik” || R]]]
Voting Application
[Figure: the same three-party mix net.]
C = E_KUR[E_KUD[E_KUG[“Badnarik” || R1] || R2] || R3]
Each mux decrypts with private key and removes R
Voting Application
[Figure: inputs C1–C4 pass through the Republicrat, Democrican and Orange Party mixes; every output M1–M4 reads “Nader”.]
Voting Application
[Figure: the same mix net; every output M1–M4 reads “Nader”.]
C = E_KUG[“Badnarik” || R1]
Does publishing R1 help?
Publishing R1
• Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted
C = E_KUR[E_KUD[E_KUG[“Badnarik” || R1] || R2] || R3]
• Voters can prove to someone else for whom they voted
• If Orange doesn’t like result, can still disrupt election
Auditing Muxes
[Figure: the same mix net; every output M1–M4 reads “Nader”.]
Send inputs to next 2 muxes
D mux picks n random inputs
Asks R to prove they were done correctly
How does R prove it?
Auditing Muxes
[Figure: the same mix net; every output M1–M4 reads “Nader”.]
Input_i = E_KUR[E_KUD[E_KUG[v || R1] || R2] || R3]
Output_j = E_KUD[E_KUG[v || R1] || R2]
If R reveals j and R3, D can check E_KUR[Output_j || R3] = Input_i
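Added example (not from the lecture): a toy three-mux mix net in Python showing the padded layering C = E_KUR[E_KUD[E_KUG[v || R1] || R2] || R3] (the same wrapping the onion routing slides use), the decrypt-strip-shuffle step, and the reveal-j-and-R audit check above. It assumes textbook RSA over Mersenne-prime moduli as the public-key layer (chosen only because those primes are known and the layers fit), 8-byte pads, and my own names wrap, unwrap, ballot, mix, audit and tally.

```python
import os, random
E, PAD = 65537, 8   # RSA exponent; bytes of random padding R_i added at each layer

def keypair(p, q):
    # Textbook RSA (toy, deterministic): anyone holding KU can re-encrypt and compare.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))
# Mersenne primes (known prime); moduli grow so each layer's message stays below n.
PK_G, SK_G = keypair(2**61 - 1, 2**89 - 1)     # Orange Party, innermost layer
PK_D, SK_D = keypair(2**107 - 1, 2**127 - 1)   # Democrican Party
PK_R, SK_R = keypair(2**521 - 1, 2**607 - 1)   # Republicrat Party, outermost layer

def wrap(pk, m, r):
    # E_KU[m || r]: append PAD random bytes, then encrypt to the mix's public key.
    x = (m << (8 * PAD)) | int.from_bytes(r, "big")
    assert x < pk[0], "layer too large for this toy modulus"
    return pow(x, pk[1], pk[0])

def unwrap(sk, c):
    # Decrypt with KR and strip the padding; returns (inner ciphertext or vote, R).
    x = pow(c, sk[1], sk[0])
    return x >> (8 * PAD), (x & ((1 << (8 * PAD)) - 1)).to_bytes(PAD, "big")

def ballot(vote, pads):
    # C = E_KUR[E_KUD[E_KUG[vote || R1] || R2] || R3]
    c = int.from_bytes(vote.encode(), "big")
    for pk, r in zip((PK_G, PK_D, PK_R), pads):
        c = wrap(pk, c, r)
    return c

def mix(sk, inputs):
    # One mux: unwrap every input, emit results in a random order it keeps secret.
    outputs, secret = [], []
    for i in random.sample(range(len(inputs)), len(inputs)):
        inner, r = unwrap(sk, inputs[i])
        outputs.append(inner)
        secret.append((i, r))   # revealed one entry at a time only under audit
    return outputs, secret

def audit(pk, inputs, outputs, secret, i):
    # Challenge input i: mux reveals j and R; auditor checks E_KU[Output_j || R] == Input_i.
    j, r = next((j, r) for j, (src, r) in enumerate(secret) if src == i)
    return wrap(pk, outputs[j], r) == inputs[i]

def tally(votes):
    # Run the three muxes in order; the final plaintexts come out shuffled.
    cs = [ballot(v, [os.urandom(PAD) for _ in range(3)]) for v in votes]
    for sk in (SK_R, SK_D, SK_G):
        cs, _ = mix(sk, cs)
    return sorted(m.to_bytes((m.bit_length() + 7) // 8, "big").decode() for m in cs)
```

Because RSA here is deterministic, dropping the pads would let anyone recompute C for each candidate name, which is exactly the eavesdropper problem the padded form fixes; an audit that passes for input i reveals that one input-output mapping and nothing else.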
Auditing Tradeoffs
• For every audit, one input-output mapping is revealed
• The more audits, the more likelihood of catching cheater
• What if each mux audits ½ of the values?
Catching Cheaters
• Probability a mux can cheat on k votes without getting caught = ½^k
• Probability a voter’s vote is revealed to eavesdropper with m muxes = ½^m
Note: unaudited votes can only be one of n/2 possible outputs!
• If muxes collude, all bets are off
Faculty Candidate talk
tomorrow:
Yih-Chun Hu (CMU, Berkeley)
Securing Network Routing
Olsson 011, 3:30PM