Published by Tristan Pollins. Modified about 1 year ago

1
Design and Security Analysis of Marked Blind Signature
Training activity
Student: Claudia Snels
Professor: Giuseppe Bianchi

2
Presentation outline
Introduction
– Blind signatures
– New Marked Blind Signature (MBS)
Security analysis
– General methods
– Security Analysis of MBS
Ongoing work on MBS
Applications
Conclusions

3
Introduction: Blind signatures
Chaum’s Blind RSA Signature
Client → Server: $B^e P \bmod n$
Server → Client: $(B^e P)^d = B P^d \bmod n$
User unblinds the received message and obtains a valid signature for P
– B: blinding term
– P: message to be signed
– (d,n): Server’s private key
– (e,n): Server’s public key
Server doesn’t know what he has signed: BLIND SIGNATURE

4
Introduction: New Marked Blind Signatures
Marked Blind Signature
Goal: add random “mark” R inside signature
R unknown/unforgeable by both server/client
Application
“stamp” the act of signing
Anticipated certificate verification
– Wrap proof of possession of a certificate private key inside the signature!
– SPARTA pseudonym/authorization approach from Netlab (more later)

5
Approach: use homomorphic property of RSA encryption
Homomorphic computation of R=XY
R=XY inserted by client (full-domain hashed with P)
Blinding with same factor B
Marked Blind Signature: simpler (but flawed) version, easier to understand
X = client random; B = blinding factor
Server side blind insertion of R=XY
Additive insertion to avoid forgery and easy attacks
(Blindly) signed credential
Flaw: traceability! Server associates to the real user the following value

6
Introduction: New Marked Blind Signatures
Marked Blind Signature: actual (correct) version
Discrete Logarithm modulus n (server RSA)
DL-strong base g
(Double) homomorphic computation of R=XY+Z
– X, Z: client random
– Y: server random
– under the condition XY+Z

7
Introduction: New Marked Blind Signatures
Signature verification
Authorization Credential:
– Signed pseudonym
After server signature, client computes R as
Verification:
– Client verifies certificate P usual challenge handshake
– Client presents P, R, cred
– Server checks:

8
Security analysis: General methods
How to develop a security analysis
Security protocol
Message exchange
Cryptographic primitives
Logic correctness
Explicitness of information exchanged
Semantic Analysis
Automatic Theorem Provers (Isabelle)
Message Exchange
Cryptography is supposed to work well
Black Box

9
Security analysis: General methods
How to develop a security analysis
Cryptographic primitives
Simple signature schemes like RSA, Diffie-Hellman
– Massive usage of basic number theory theorems
More complicated schemes like Chaum’s Blind Signature, elliptic curve signature
– A jungle of papers about: zero knowledge proof, Random Oracles
WHY?

10
Security analysis: General methods
Security analysis: our choice
Problem: simple ideas with “uncommon” requirements (e.g. untraceability) are VERY difficult to prove
Two strategies
– Design a very complicated protocol which can satisfy a large number of hypotheses. Under such strict hypotheses a rigorous mathematical proof is possible. Problem: inapplicability of such protocols in software tools
– Maintain a simple idea! Try an attack-based security analysis, and build a rigorous proof when possible: OUR CHOICE

11
Security analysis of mbs
Main features of a blind signature scheme
– Unforgeability of R: R should be a random value created by both peers but not forgeable, in order to prevent traceability or reuse of the same marker
– Unforgeability of mbs: Client should not be able to generate (forge) a valid signature
– Untraceability: Server should not be able to trace Client

12
Security analysis of mbs
Unforgeability of R
The strategy of the attack is to choose a suitable x (for Client) or y (for Server) such that mod n or mod n. In the first case we have R=s, so its value is decided by Client. Values having this property are the Euler totient function and the Carmichael function, but these values are known only to Bob, who possesses the factorization of n=pq.
So we can conclude:
– Server can choose a suitable y, but this is not an advantage for him
– Client can’t choose a suitable x, or in another way this is as difficult as factoring the RSA modulus n
R is UNFORGEABLE
We remind that

13
Security analysis of mbs
Unforgeability of mbs
We refer to the one-more forgery, in the sense that if Client owns a signing oracle she can’t obtain one more mbs than the number of queries she makes to the oracle.
How can Alice try to forge mbs?
HOMOMORPHIC PROPERTY OF RSA
Is this possible with Marked Blind Signature?

14
Security analysis of mbs
Unforgeability of mbs
Try to find an R and a message m such that
Hard computation due to
– multiple hash terms
– presence of R inside and outside the hash
Under the Random Oracle Hypothesis, our signature is as unforgeable as Chaum’s blind signature

15
Security analysis of mbs
Untraceability
We focus on the possibility for the server to build a marker uniquely linkable to one client (remember the flaw of the first scheme presented).
In our case we can eliminate the blinding term B and produce the following ratios
While good candidates for markers are
– Not directly obtainable by Server
– Always blinded

16
Security analysis of mbs
Untraceability
In order to obtain we must have
We have demonstrated that is not obtainable as long as Server doesn’t know B
So the next question is: how to obtain B?
During handshake: 2 equations, 3 variables
Blindness during handshake

17
Security analysis of mbs
Formal proof of validity and blindness
Definition. A signature scheme is called blind if Server’s view V and the triple (mbs,R,m) are statistically independent, that is, during the verification phase Server cannot recognise Client.
Theorem. The triple (mbs,R,m) is a valid signature for message m and the mbs protocol is a blind scheme.
Proof. Validity if the hash is collision free

18
Security analysis of mbs
Formal proof of validity and blindness
Blindness. We show that given any view V and any valid triple (mbs,R,m) there exists a unique pair of blinding factors B and R. Because Client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows. If the signature (mbs,R) has been generated during an execution of the protocol with view V consisting of y, x1, x2, (x1y + x2), then the following equations must hold
One parameter solution
x, s random
R unforgeable
Unique solution

19
Security analysis of mbs
Harn’s attack
Harn’s attack is a Server attack based on:
– Blind signature
– Collection of signatures and handshake terms
Let m be a generic message to be blindly signed; the attack is developed in two steps:
1. Server collects for each client the received term $B^e m$ and $B m^d$
2. When Server receives the signature $m^d$, he divides every $B m^d$ term by it and checks whether the B obtained gives a correct match for $B^e m$. With a positive match he can trace the user

20
Security analysis of mbs
Resistance of mbs against Harn’s attack
Let 1) If and the signature received by Server during verification and suppose that we have two registered users
Server operates the strategy previously described and he succeeds in identifying Client 1
2) If Server operates the strategy previously described but he first tries to identify Client 2 as Client 1
We write
Server incorrectly identifies Client 2 as Client 1
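
Added example, not part of the original presentation: Chaum's blind RSA signature from the introduction, with the two-step matching test of Harn's attack run against plain RSA blinding (not against MBS, whose equations are not reproduced on this page). The toy primes and the three messages are constructed; every signature passes the match against every stored view, so a positive match singles out no client.

```python
import math
import secrets

# Toy RSA key built from two small primes (constructed; far too small for real use).
P_PRIME, Q_PRIME = 104723, 104729
N, E = P_PRIME * Q_PRIME, 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # server's private exponent d

def random_unit():
    """Random blinding factor B that is invertible mod n."""
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            return b

def blind(m, b):
    return pow(b, E, N) * m % N           # client sends B^e * m mod n

def sign(blinded):
    return pow(blinded, D, N)             # server returns B * m^d mod n

def unblind(blind_sig, b):
    return blind_sig * pow(b, -1, N) % N  # client divides out B, leaving m^d

def verify(m, sig):
    return pow(sig, E, N) == m % N

def run_session(m):
    """One signing run: returns (what the server saw, the client's signature)."""
    b = random_unit()
    blinded = blind(m, b)
    blind_sig = sign(blinded)
    return (blinded, blind_sig), unblind(blind_sig, b)

def matching_views(views, m, sig):
    """Two-step test: B' = (B m^d) / m^d for each stored view, then compare B'^e m."""
    hits = []
    for idx, (blinded, blind_sig) in enumerate(views):
        b_candidate = blind_sig * pow(sig, -1, N) % N
        if blind(m, b_candidate) == blinded:
            hits.append(idx)
    return hits

def demo():
    messages = [123456789, 987654321, 55555]   # constructed messages, coprime to n
    sessions = [run_session(m) for m in messages]
    views = [view for view, _ in sessions]
    return [(verify(m, sig), matching_views(views, m, sig))
            for m, (_, sig) in zip(messages, sessions)]

if __name__ == "__main__":
    for valid, hits in demo():
        print(valid, hits)   # each signature verifies and matches every stored view
```

The match is an identity: for any stored pair, $(B_i m_i^d / m^d)^e \cdot m = B_i^e m_i \bmod n$, whichever client produced m.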

21
Ongoing work on mbs
Open problems: distribution of R
If we want the signature to be valid we must have R

22
Ongoing work on MBS
Attack on distribution of R
The distribution of R has a very different concentration for high or low values of y. So if Server gives a Client a low y, he knows that with very high probability R will assume a certain range of values, and vice versa.
Server can classify and consequently trace classes of users
y=1

23
Ongoing work on MBS
Guidelines for distribution choices
– y protects server from client’s attack on R, so its distribution range should not be small
– Client is already protected by s, so x can be small
– s can smooth the distribution of R (convolution), so it should have a large range

24
Ongoing work on MBS
Some insights about distributions
If x and y are uniform in the same range
– Logarithm-like distribution
If x and y uniform in
And s uniform in
– Almost uniform
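
Added example, not part of the original presentation: a design check for the guideline that s should have a large range. It computes the exact distribution of R = xy + s for a low and a high server-chosen y and measures the statistical distance between them, which bounds how well Server can sort clients into classes by the value of R. The ranges (x in 1..20, s in 0..5 or 0..20000) are assumptions chosen for illustration, and R is assumed to stay below n so no modular reduction occurs.

```python
from collections import Counter
from fractions import Fraction

def mark_distribution(y, x_max, s_max):
    """Exact distribution of R = x*y + s with x uniform in 1..x_max, s uniform in 0..s_max."""
    counts = Counter(x * y + s
                     for x in range(1, x_max + 1)
                     for s in range(s_max + 1))
    total = x_max * (s_max + 1)
    return {r: Fraction(c, total) for r, c in counts.items()}

def total_variation(p, q):
    """Statistical distance between two distributions given as {value: probability}."""
    return sum(abs(p.get(r, 0) - q.get(r, 0)) for r in set(p) | set(q)) / 2

def server_advantage(x_max, s_max, y_low, y_high):
    """How distinguishable the marks of a 'low y' class are from a 'high y' class."""
    return total_variation(mark_distribution(y_low, x_max, s_max),
                           mark_distribution(y_high, x_max, s_max))

if __name__ == "__main__":
    # Assumed ranges, not taken from the slides.
    for s_max in (5, 200, 20000):
        adv = server_advantage(x_max=20, s_max=s_max, y_low=1, y_high=20)
        print(f"s in 0..{s_max}: distance between y=1 and y=20 marks = {float(adv):.4f}")
```

With the narrow s range the two classes are almost perfectly separable; with the wide range the distance falls to about 0.01, which is the smoothing effect the guideline attributes to s.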

25
Applications
Sample MBS application: pseudonym’s blind authorization
PKI-like pseudonym assignment infrastructure
(diagram labels: P, Server, Blind signature, auth, Alice)

26
Applications
Pseudonym Hijacking
(diagram labels: Pseudonym assignment Infrastructure, P, Server, auth, Alice, P, Evil)
Evil is authorised as Alice, because he has stolen her pseudonym
MBS as a tool to show possession of the pseudonym private key

27
Applications
MBS for pseudonym authorization
Inclusion of pseudonym private key to permit verification at registration time

28
Conclusions
– Proven security of Marked Blind Signature
– Design of a simple scheme that can be easily integrated in an AAA with pseudonyms
– New insights about distributions of random numbers introduced in signatures and related server attacks
