Download presentation

Presentation is loading. Please wait.

Published byMarcos Fessenden Modified about 1 year ago

1
Advanced Security Constructions and Key Management Class 16

2
Outline One-Time Signatures Lamport’s signature Improved signature constructions Merkle-Winternitz Signature Efficient Authenticators (amortize signature) One-way chains (self-authenticating values) Chained hashes Merkle Hash Trees Applications Efficient short-lived certificates, S/Key Untrusted external storage Stream signatures (Gennaro, Rohatgi) Zhou & Haas’s key distribution

3
One-Time Signatures Challenge: digital signatures expensive for generation and verification Goal: amortize digital signature

4
One-Time Signatures Use one-way functions without trapdoor Efficient for signature generation and verification Caveat: can only use one time Example: 1-bit one-time signature P0, P1 are public values (public key) S0, S1 are private values (private key) S1P1 S0P0 S1 S0 P S0’ S1’

5
Lamport’s One-Time Signature Uses 1-bit signature construction to sign multiple bits S1 P1 S0 P0 Bit 0Bit 1Bit 2Bit n S1’ P1’ S0’ P0’ S1’’ P1’’ S0’’ P0’’ S1* P1* S0* P0* Private values Public values … Sign 0 Sign 1

6
Improved Construction I Uses 1-bit signature construction to sign multiple bits S0 P0 Bit 0Bit 1Bit 2Bit n S0’ P0’ S0’’ P0’’ S0* P0* … c0 p0 c0’ p0’ c0* p0* … Bit 0Bit 1Bit log(n) Sign messageChecksum bits: encode # of signature bits = 0

7
Improved Construction II Lamport signature has high overhead Goal: reduce size of public and private key Approach: use one-way hash chains S1 = F( S0 ) S2PS3S0S1 Signature chain C1C0C3C2 Checksum chain P = F( S3 || C0 ) Sig(0)Sig(1)Sig(2)Sig(3)

8
Merkle-Winternitz Construction Intuition: encode sum of checksum chain S2’’PS3’’S0’’S1’’ C1C0C3C2 S2’S3’S0’S1’ S2S3S0S1 C1’C0’C3’C2’ Signature Bits 0,1 Checksum Bits 0,1 Checksum Bits 2,3 Signature Bits 2,3 Signature Bits 4,5

9
Efficient Authenticators One-way chains Chained hashes Merkle hash trees

10
Recall One-Way Hash Chains? Versatile cryptographic primitive Construction Pick random r N and public one-way function F r i = F(r i+1 ) Secret value: r N, public value r 0 Properties Use in reverse order of construction: r 1, r 2 … r N Infeasible to derive r i from r j (j*
*

11
One-Way Chain Application S/Key one-time password system Goal Use a different password at every login Server cannot derive password for next login Solution: one-way chain Pick random password P L Prepare sequence of passwords P i = F(P i+1 ) Use passwords P 0, P 1, …, P L-1, P L Server can easily authenticate user p6p6 p7p7 p4p4 p3p3 FFF p5p5 F

12
Chained Hashes More general construction than one-way hash chains Useful for authenticating a sequence of data values D 0, D 1, …, D N H * authenticates entire chain DNDN D N-1 H N-1 H(D N ) D N-2 H N-2 H( D N-1 || H N-1 ) D0D0 H0H0 … H*H*

13
Merkle Hash Trees Authenticate a sequence of data values D 0, D 1, …, D N Construct binary tree over data values T0T0 D0D0 D2D2 D3D3 D1D1 D4D4 D6D6 D7D7 D5D5 T1T1 T2T2 T3T3 T4T4 T5T5 T6T6

14
Merkle Hash Trees II Verifier knows T 0 How can verifier authenticate leaf D i ? Solution: recompute T 0 using D i Example authenticate D 2, send D 3 T 3 T 2 Verify T 0 = H( H( T 3 || H( D 2 || D 3 )) || T 2 ) T0T0 D0D0 D2D2 D3D3 D1D1 D4D4 D6D6 D7D7 D5D5 T1T1 T2T2 T3T3 T4T4 T5T5 T6T6

15
Untrusted External Storage Problem: how can we store memory of a secure coprocessor in untrusted storage? Solution: construct Merkle hash tree over all memory pages Secure Coprocessor Small persistent storage Mallory’s Storage

16
Stream Signatures Gennaro & Rohatgi, Crypto ‘97 Problem Sender sends a sequence of packets to receiver Receiver wants to immediately authenticate each packet Efficient authentication of packets On-line case (real-time data), off-line case (stored data)

17
Off-line Case Sender know entire stream before sending Use chained hashes, precompute H i Digitally sign the first packet (H * ) Each packet authenticates the next packet PNPN P N-1 H N-1 P N-2 H N-2 P0P0 H0H0 … H*H*

18
On-line Case Use a one-time signature to authenticate packets Sender has regular signature (SK,PK) Sender signs public key of one-time signature SK (pk0) Sign packet P i and one-time public key pk i with pk i-1 P0P0 pk 1 sk 0 (P 0 || pk 1 ) P1P1 pk 2 sk 1 (P 1 || pk 2 )

19
Stream Signature Discussion Computation and communication cost Robustness to DoS attack (packet injection) Robustness to packet loss Loss of a single packet prevents authentication of subsequent packets How could we improve the loss robustness?

20
Alternative Stream Signature Packet 1Packet 2 Hash(P1) Packet 3 Hash(P2) Hash(P3) Signature Signature Packet Add hashes to later packets Periodically send a signature packet

21
Improving Robustness Packet 1Packet 2 Hash(P1) Packet 3 Hash(P2) Hash(P3) Signature Signature Packet Hash(P1) Hash(P2)

22
Securing Ad Hoc Networks Zhou & Haas, IEEE Network Magazine ’99 Security goals Availability Confidentiality Integrity Authentication Secure Routing Key management

23
Attacker Assumptions Attacker can physically compromise nodes “Mobile Adversary” Adversary can compromise any node Temporarily compromises node, then moves on to next node Every node may be compromised at one time Attacker compromises at most t nodes at any one moment

24
Secure Routing Authenticate all routing messages, to prevent external attackers Proposes to use multiple paths to tolerate internal attackers Drawback: internal attackers could easily fake multiple paths

25
Key Management Service Consider public-key infrastructure (PKI) Everybody trusts certification authority (CA) CA authenticates and signs public keys of other nodes PKI drawbacks Revocation requires on-line PKI Single point of failure, CA replication increases vulnerability to node compromise Solution: distributed CA

26
Distributed CA Model Private CA key is shared among set of nodes Signing needs coalition of t+1 correct nodes Secret sharing prevents t malicious nodes from reconstructing CA private key Requirements for key management service Robustness: service available to answer requests correctly Confidentiality: adversary never learns CA private key

27
Threshold Cryptography Share secret S among n nodes, require t+1 nodes for reconstruction (n, t+1) secret sharing scheme Share private key K among n nodes, require t+1 nodes for signing (n, t+1) threshold signature scheme Node i gets share k i For signing, nodes send partial signature to combiner Combiner collects 2t+1 partial signatures

28
Proactive Security Use share refreshing against mobile adversaries If (s 1, s 2, …, s n ) is a sharing of k, and (s’ 1, s’ 2, …, s’ n ) is a sharing of k’, then (s 1 + s’ 1, s 2 + s’ 2, …, s n + s’ n ) is a correct sharing of k + k’ Trick, set k’ = 0, so new sharing also represents k

29
Share Refreshing s1s1 s2s2 s3s3 snsn s 1,1 s 1,2 s 1,n s 2,1 s 2,2 s 2,n s 3,1 s 3,2 s 3,n s n,1 s n,2 s n,n s’ 1 + s’ 2 + s’ n + Shares of 0

30
Discussion How can share refreshing tolerate faulty nodes? How can we tolerate compromised combiner? Who decides to be a combiner? How can we bootstrap this system? How can we introduce a new node? Why should node sign a message? How does node authenticate message? Is signature combination expensive if we have t faulty nodes?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google