Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Compact and Unforgeable Key Establishment over an ATM Network

advertisement 
Compact and Unforgeable
Key Establishment
over an ATM Network
Yuliang Zheng (Monash University, Australia)
Hideki Imai
(University of Tokyo, Japan)
© 1998 by Yuliang Zheng
1
Outline of the talk
Motivation of this research
z Introduction to signcryption
z Key materials transport using
signcryption
z
© 1998 by Yuliang Zheng
2
1
Session Key Establishment
A process for two participants to
agree upon a freshly shared key
z Dimensions
z
™security against various attacks
™authenticity v.s. identification
™unforgeability & non-repudiation
™transport v.s. exchange
™secret v.s. public key crypto
™key distrib. center v.s. cert. authority
™efficiency (msg length, # of moves, comp cost)
© 1998 by Yuliang Zheng
3
Asynchronous Transfer Mode (ATM)
--- Motivation of this Work --z
Cell switching
™Data are placed into cells of fixed-size
(53 bytes), and then
™transported over virtual circuits
z
ATM cell structure
5 bytes
header
© 1998 by Yuliang Zheng
48 bytes (384 bits)
payload (data)
4
2
Problem to be solved
z
To transport encrypted key materials
™using a single ATM cell
™with a low computational cost
™in a secure and unforgeable way
™without using a KDC
a crypto-envelope
key materials
key, ts or nonce
384-bit ATM
cell payload
© 1998 by Yuliang Zheng
5
Why using a single ATM cell ?
z
If the encrypted version of key
materials exceeds 384 bits, problems
would occur :
™splitting data
™ buffering
™re-assembling data
© 1998 by Yuliang Zheng
6
3
Why focusing on public key
cryptosystems
The problem CAN be solved using
using secret key or types of
cryptosystems
z However, with such a solution
z
™unforgeability cannot be achieved
without a TTP/tamper-proof devices
™Key management is an issue
„Distribution
„Derivation, and/or
„Secure Storage
© 1998 by Yuliang Zheng
7
Why RSA encryption
wouldn’t work
64 bits
Using RSA encryption
k
ke mod n
at least 512 bits
© 1998 by Yuliang Zheng
8
4
Why ElGamal encryption
wouldn’t work
64 bits
Using ElGamal encryption
---DL over GF(p)---
k
gx mod p
k
at least 64+512=576 bits
© 1998 by Yuliang Zheng
9
Why public key “signature +
encryption” wouldn’t work
Using signature + encryption
---RSA or ElGamal ---
64 bits
k
k
sig
ke mod n/ gx mod p
> 512 bits
© 1998 by Yuliang Zheng
10
5
Why EC-signature+encryption
wouldn’t work
64 bits
Using Schnorr sig + ElGamal enc
---DL over Elliptic Curve on GF(2160)---
k
compressed
representation !
k
r, s
x*g
at least 64+(80+160) + (160+1)=465 bits
© 1998 by Yuliang Zheng
11
Signcryption -- a new paradigm
z
Achieves the functions of
™digital signature
„unforgeability & non-repudiation
™encryption
„confidentiality
z
has a significantly smaller
comp. & comm. cost
Cost (signcryption)
© 1998 by Yuliang Zheng
<<
Cost (signature)
+
Cost (encryption)
12
6
In the paper & ink world:
Signature-then-Seal
To achieve:
authenticity
(unforgeability &
non-repudiation)
To achieve:
confidentiality
© 1998 by Yuliang Zheng
13
“Magic” Signcryption Envelope
© 1998 by Yuliang Zheng
14
7
In the digital world (Alice to Bob):
Signature-then-Encryption
z
1. Signature generation
™Alice signs a
message m using her
secret key, i.e.
creating sig on m.
m
z
2. Encryption
™Alice encrypts (m,sig)
using DES with k.
™Alice creates another
data so that Bob can
(Typically,
recover k.
Alice encrypts k using Bob’s
public key).
mod exp
mod exp
m
sig
m
sig
k
© 1998 by Yuliang Zheng
15
Why signature-then-encryption
can be a problem
z
Consider a transaction/message of
5,120 bits (=640 chars, ≈ 8 lines)
that requires
™high level security, or
™to be transmitted in 2010
z
Very large moduli, say of 5120 bits,
have to be used
© 1998 by Yuliang Zheng
16
8
Why signature-then-encryption
can be a problem (cnt’d)
z
If RSA with a 5120-bit composite is
used
™Comp. cost:
2+2=4 exponentiations mod a (very large !)
5120-bit integer
™Comm. overhead:
10,240 bits (twice as large as the original
10,240 bits
message !)
5,120 bits
5,120 bits
message
sig
5,120 bits
k eb
© 1998 by Yuliang Zheng
17
Why signature-then-encryption
can be a problem (cnt’d)
z
If Schnorr sig & ElGamal enc with a
5120-bit prime are used
™Comp. cost:
3+2.17=5.17 (3+3=6) exponentiations
mod a (very large !) 5120-bit integer
™Comm. overhead:
>=5,560 bits
>= 5560 bits
5,120 bits
message
© 1998 by Yuliang Zheng
>=440
bits
sig
5,120 bits
gx
18
9
Signcryption -public & secret parameters
z
Public to all
™p : a large prime
™q : a large prime
factor of p-1
™g : 0<g<p & with
order q mod p
™hash: 1-way hash
™KH: keyed 1-way hash
™(E,D) :
z
Alice’s keys
™ x a : secret key
™ ya : public key
(note :
ya = g x a mod p
z
)
Bob’s keys
™ x b : secret key
™ yb : public key
(note :
private-key encryption &
decryption algorithms
yb = g xb mod p
)
© 1998 by Yuliang Zheng
19
Signcryption -- an example (SCS1)
m
z
(c,r,s)
Signcrypt by Alice
x
™ k = hash ( y b mod p )
where x ∈R {1,K , q − 1}
k1
™k
k2
™ r = KH k2 ( m )
™ s=
x
mod q
r + xa
c = Ek1 ( m )
™ output
© 1998 by Yuliang Zheng
(c,r,s)
(c,r,s)
z
m
Unsigncrypt by Bob
r s⋅ x
™ k = hash (( y a ⋅ g ) mod p )
b
™k
k1
k2
™ m = Dk (c )
1
™ output
m
if r = KH k2 ( m )
⎧
⎨" invalid" if r ≠ KH ( m )
k2
⎩
20
10
Signcryption -- another example
m
z
(c,r,s)
(c,r,s)
Signcrypt by Alice
x
™ k = hash ( y b mod p )
where x ∈R {1,K , q − 1}
k1
™k
k2
z
m
Unsigncrypt by Bob
r
™ k = hash (( g s ⋅ ya ) x mod p )
b
™k
k1
k2
™ r = KH k2 ( m )
™ m = Dk (c )
1
™ s = ( x − r ⋅ xa )mod q
™ output
m
if r = KH k2 ( m )
⎧
⎨" invalid" if r ≠ KH ( m )
k2
⎩
c = Ek1 ( m )
™ output
(c,r,s)
© 1998 by Yuliang Zheng
21
Signcryption v.s. Signature-thenEncryption
EXP=1+1.17
EXP=2+2
EXP=3+2.17
m
m
m
sig
sig
k
eb
sig
gx
(a) Signcryption (b) Signature-then-Encryption (c) Signature-then-Encryption
based on RSA
based on DL
based on DL
© 1998 by Yuliang Zheng
22
11
Cost of Signature-then-Encryption
v.s. Cost of Signcryption
A simplistic comparison:
Sc he m e s
C ost C om p C ost C om m O ve r he a d
(N o. of e xp )
(b its)
R S A b a se d
sig -the n-e nc
2 +2
|n a | + |n b |
D L b a se d
Sc hnor r sig +
ElG a m a l e nc
3 + 2 .1 7
(3 + 3 )
|ha sh| + |q | + |p |
D L b a se d
Sig nc r yp tion
1 + 1 .1 7
(1 + 2 )
|K H | + |q |
© 1998 by Yuliang Zheng
23
Signcryption v.s.
Schnorr Sig + ElGamal Enc (cnt’d)
|p |
512
768
1024
1536
2048
3072
4096
5120
8192
10240
|q |
144
152
160
176
192
224
256
288
320
320
© 1998 by Yuliang Zheng
|K H |
72
80
80
88
96
112
128
144
160
160
sa vin g in
sa ving in
c o m p c o st c o m m o ve r he a d
58 %
7 0 .3 %
58 %
7 6 .8 %
58 %
8 1 .0 %
58 %
8 5 .3 %
58 %
8 7 .7 %
58 %
9 0 .1 %
58 %
9 1 .0 %
58 %
9 2 .0 %
58 %
9 4 .0 %
58 %
9 6 .0 %
24
12
Signcryption v.s. RSA
|p |= |n a |
=|n b |
512
768
1024
1536
2048
3072
4096
5120
8192
10240
|q |
144
152
160
176
192
224
256
288
320
320
|K H |
72
80
80
88
96
112
128
144
160
160
sa ving in
c om p c ost
0 %
1 4 .2 %
3 2 .3 %
5 0 .3 %
5 9 .4 %
6 8 .4 %
7 2 .9 %
7 5 .6 %
8 3 .1 %
8 6 .5 %
sa ving in
c om m ove r he a d
7 8 .9 %
8 4 .9 %
8 8 .3 %
9 1 .4 %
9 3 .0 %
9 4 .0 %
9 5 .0 %
9 6 .0 %
9 7 .0 %
9 8 .0 %
© 1998 by Yuliang Zheng
25
Applications of Signcryption
z
Bring to society huge savings in
comp. & comm. if used widely in
™secure & authenticated message
delivery / storage
™electronic commerce
„secure & authenticated transactions
™secure & authenticated multicast (incl.
video conference, CSCW etc)
™fast, compact, secure, unforgeable &
non-repudiated key transport
© 1998 by Yuliang Zheng
26
13
Direct transport of key
materials in a Short Packet
| p| ≥ 512, | q| ≥ 160, | KH ⋅ (⋅)| ≥ 80
( k 1 , k 2 ) = hash( yb x mod p)
c
TQ
r
s
key
with x ∈R [1,K , q − 1]
| k 1 | ≥ 64, | k 2 | ≥ 64
c = E k1 ( key , TQ)
|TQ| + |key| bits
80 bits
160 bits
r = KH k2 ( key , TQ, other )
s=
x
mod q
r + xa
© 1998 by Yuliang Zheng
27
Direct transport of key
materials in a single ATM cell
ATM Cell
5 bytes
header
48 bytes (384 bits)
payload (data)
| p| ≥ 512, | q| ≥ 160, | KH ⋅ (⋅)| ≥ 80
( k 1 , k 2 ) = hash( yb x mod p)
with x ∈R [1,K , q − 1]
| k 1 | ≥ 64, | k 2 | ≥ 64
c = E k1 ( key , TQ)
r = KH k2 ( key , TQ, other )
c
144 bits
© 1998 by Yuliang Zheng
r
s
80 bits
160 bits
s=
x
mod q
r + xa
28
14
Indirect transport of key
materials in a Short Packet
| p| ≥ 512, | q| ≥ 160, | KH ⋅ (⋅)| ≥ 80
( k 1 , k 2 ) = hash( yb x mod p)
c
r
s
TQ
with x ∈R [1,K , q − 1]
| k 1 | ≥ 64, | k 2 | ≥ 64
c = E k1 (TQ)
|TQ| bits 80 bits
160 bits
r = KH k2 (TQ, other )
s=
x
mod q
r + xa
© 1998 by Yuliang Zheng
29
Indirect transport of key
materials in a single ATM cell
ATM Cell
5 bytes
48 bytes (384 bits)
header
payload (data)
| p| ≥ 512, | q| ≥ 160, | KH ⋅ (⋅)| ≥ 80
( k 1 , k 2 ) = hash( yb x mod p)
with x ∈R [1,K , q − 1]
| k 1 | ≥ 64, | k 2 | ≥ 64
c = E k1 (TQ)
r = KH k2 (TQ, other )
c
occupied
© 1998 by Yuliang Zheng
r
s
80 bits
160 bits
s=
x
mod q
r + xa
30
15
2 Dimensions to be considered
z
Direct v.s. Indirect key transport
™Direct key material transport
„a random session key is explicitly included
in key materials
™Indirect key material transport
„a random session key is to be derived from
key materials
z
Ensuring Freshness using
™a time-stamp, or
™a nonce
© 1998 by Yuliang Zheng
31
4 Types of
Key Transport Protocols
Time-varying
Quantity
Nonce
Time stamp
(+nonce)
© 1998 by Yuliang Zheng
nonce based
direct
(3 moves)
nonce based
indirect
(3 moves)
time-stamp based
direct
(2 moves)
time-stamp based
indirect
(2 moves)
direct
indirect
Transport
Mode
32
16
Direct key transport using a
nonce (for unicast)
Alice
Bob
c = E ( key)
k1
r = KH ( key, NC , etc)
k2
b
s = x / (r + xa ) mod q
verify tag
<= NCb <=
Pick a nonce NCb
=> c, r, s =>
unsigncrypt
<= tag <=
(optional)
tag = MACkey(NCb)
© 1998 by Yuliang Zheng
33
Direct key transport using a
time-stamp (for unicast)
Alice
c = E ( key, TS )
k1
r = KH ( key, TS , etc)
k2
s = x / (r + xa ) mod q
verify tag
© 1998 by Yuliang Zheng
Bob
=> c, r, s =>
<= tag <=
(optional)
unsigncrypt, and
check the freshness
of TS
tag = MACkey(TS)
34
17
Indirect key transport using a
time-stamp (2 moves)
Alice
Bob
c = E (TS )
k1
r = KH (TS , etc)
k2
s = x / (r + xa ) mod q
key = KH k1 ,k2 ( TS )
verify tag
=> c, r, s =>
<= tag <=
(optional)
unsigncrypt, and
check the freshness
of TS
key = KH k1 ,k 2 ( TS )
tag = MACkey(TS,1)
© 1998 by Yuliang Zheng
35
How to obtain
key exchange protocols
z
Let Bob’s data or ID be involved in
the derivation of a session key
™E.g.
„key* = KHkey(NCb)
„key* = KHkey (IDb)
„key* = KHkey (NCb, IDb)
z
Let both Alice & Bob generate key &
exchange key materials (which
achieves mutual identification).
© 1998 by Yuliang Zheng
36
18
Direct key exchange using a
nonce (for unicast)
Alice
Bob
c = E ( key)
k1
r = KH ( key, NC , etc)
k2
b
s = x / (r + xa ) mod q
<= NCb <=
Pick a nonce NCb
=> c, r, s =>
unsigncrypt
c* = E
unsigncrypt
<= c*, r*, s* <=
( key*)
k *1
( key*, key, etc)
r* = KH
k *2
s* = x * /(r * + x ) mod q
b
© 1998 by Yuliang Zheng
37
ATM Forum Proposals
z
Two protocols, both based on X.509
™2-way protocol
™3-way protocol
z
Correspondence
™ATM 2-way <=> direct key exchange
using a time-stamp
ATM 3-way <=> direct key exchange
using a nonce
© 1998 by Yuliang Zheng
38
19
ATM Forum 2-Way Protocol
(based on sign-then-enc)
Alice
Bob
IDa , IDb , SecOpt ,{Ta , Ra ,{Enc Kb (ConfPara )},
⇒
Sig Ka (hash( IDa , IDb , Ta , Ra , SecOpt ,{ConfPara }))}
IDa , IDb , Ra ,{Enc Ka (ConfParb )},
⇐
Sig Kb (hash( IDa , IDb , Ra ,{ConfParb }))}
⇒
⇐
© 1998 by Yuliang Zheng
39
ATM Forum 3-Way Protocol
(based on sign-then-enc)
Alice
Bob
⇒
⇐
IDa ,{IDb }, Ra , SecNeg a ,{Cert a }
IDa , IDb , SecNegb ,{Cert b },{Ra , Rb ,{Enc Ka (ConfParb )},
Sig Kb (hash( IDa , IDb , Ra , Rb , SecNeg a , SecNegb ,{ConfParb }))}
⇒
© 1998 by Yuliang Zheng
IDa , IDb , Rb ,{Enc Kb ( ConfPara )},
Sig Ka (hash( IDa , IDb , Rb ,{ConfPara }))}
⇒
⇐
⇒
40
20
Advantages of Our Signcryption
based Protocols over ATM Forum’s
z
Significant savings in
™computational time and
™communication overhead
© 1998 by Yuliang Zheng
41
Comparison with
Beller-Yacobi protocol
Attributes
Comp. Longest Pre
Cost
Msg
comp.
protocols
(# of exp)
BellerYacobi
1 + 2.25
>= 512
bits
Yes
Our
protocols
1 + 1.17 < = 384
(1 + 2)
bits
Yes*
(1 + 4)
* Only when Alice knows whom to communicate with
© 1998 by Yuliang Zheng
42
21
About “Forward Secrecy”
z
Forward secrecy w.r.t. a participant
™compromise of the participant’s long
term secret key does NOT result in the
exposure of past session keys
™Beller-Yacobi protocol
„ YES w.r.t. Alice, NO w.r.t. Bob
™Our protocols
„ NO w.r.t. either Alice or Bob
© 1998 by Yuliang Zheng
43
About Forward Secrecy (cnt’d)
z
Forward secrecy w.r.t. Alice CAN be
obtained in our proposals
™by making a Alice’s long term secret
key xa hard to compromise
™E.g.
secret sharing,
mathematically and/or physically
© 1998 by Yuliang Zheng
44
22
Extensions
z
the proposed protocols can be
extended to “multi-cast” conference
key establishment
Bob
Alice
© 1998 by Yuliang Zheng
Cathy
David
45
Direct multicast key transport using a nonce
Alice & each Ri, I=1,…,t
NC = NC1 + …+ NCt
A lice:
NC1
<= ….. <=
NCt
Each Ri, I=1,…,t
Pick a nonce NCb
key ∈ R {0 ,1} l1 , k ∈ R {0 ,1} l2
h = K H k ( key , N C , etc )
c = E k ( key , h )
for each i = 1, .. , t
v i ∈ R [1, ... , q − 1]
( k i ,1 , k i , 2 ) = hash ( y i v i m od p )
c i = E k i ,1 ( k )
c
c1 , r1 , s1
=> …... =>
c t, r t, s t
Each Ri, I=1,…,t
finds out (c, ci, ri, si)
& unsigncrypt it
tag1
<= …. <=
tagt
(optional)
Each Ri, I=1,…,t
tagi = MACkey(NCi)
ri = K H k i , 2 ( h , etc i )
si =
vi
m od q
ri + x a
Alice & each Ri, I=1,…,t
verify tag1,..,tagt
© 1998 by Yuliang Zheng
46
23
Direct multicast key transport using a time-stamp
A lice:
for each i = 1, .. , t
v i ∈ R [1, ... , q − 1]
( k i ,1 , k i , 2 ) = hash ( y i v i m od p )
key ∈ R {0 ,1} l1 , k ∈ R {0 ,1} l2
get tim e − stam p TS
h = K H k ( key , TS , etc )
c = E k ( key , TS , h )
for each i = 1, .. , t
c
c1 , r1 , s1
=> …… =>
c t, r t, s t
Each Ri, I=1,…,t
finds out (c, ci, ri, si)
& unsigncrypt it
c i = E k i ,1 ( k )
ri = K H k i , 2 ( h , etc i )
si =
vi
m od q
ri + x a
Alice & each Ri, I=1,…,t
verify tag1,..,tagt
© 1998 by Yuliang Zheng
tag1
<= …. <=
tagt
(optional)
Each Ri, I=1,…,t
tagi = MACkey(TS,IDi)
47
Speeding-up through
Randomization
z
Ri may decide, in a probabilistic
fashion
™whether or not generating NCi
™whether or not multicasting tagi
z
Similarly, Alice and each Ri may
randomly choose a subset of tags
received for verification
© 1998 by Yuliang Zheng
48
24
Summary
addressed the problem of
“unforgeable key establishment in
small packets s.a. ATM cells”
z solved the problem using
signcryption
z Potential applications:
z
™high speed networks
™smart card based security solutions
™mobile communications, ……
© 1998 by Yuliang Zheng
49
25
Related documents
A Method Toward Common Traits and Beyond Shaw
A Method Toward Common Traits and Beyond Shaw
July 9, 2007 - Cengage Learning
July 9, 2007 - Cengage Learning
I am Chen-Yu Zheng.I don’t ... chance to come out.I can ...
I am Chen-Yu Zheng.I don’t ... chance to come out.I can ...
Zheng He Webquest Using the research links on the MPMS Media
Zheng He Webquest Using the research links on the MPMS Media
Shaw-Hwa Lo
Shaw-Hwa Lo
My Best Friend
My Best Friend
Download
advertisement