Presentation is loading. Please wait.

Presentation is loading. Please wait.

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol.

Published byMadeleine Wells Modified over 8 years ago

Similar presentations

Presentation on theme: "10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol."— Presentation transcript:

1 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi School of Information and Computer Science University of California, Irvine

2 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 2/22 Outline Introduction: Access control in ad hoc groups Threshold cryptography Proactive signatures URSA proactive RSA scheme Our attack: efficient key recovery Discussion: Insecurity of URSA Open issues

3 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 3/22 Access Control in Ad Hoc Groups Access control is required to  prevent unauthorized entities from joining the group  bootstrap other security services, e.g., secure routing  remove misbehaving members  in general, make group decisions However, ad hoc group has  no infrastructure  no trusted group authority  dynamic membership Challenge: How to provide secure access control in a such a decentralized and dynamic environment?

4 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 4/22 Zhou and Haas [IEEE Comm. Mag’99] (t+1,n) secret sharing of group secret; Shamir [ACM COMM.’79] Threshold signatures  any set of t+1 members can sign messages on behalf of the group  tolerate up to t corruptions in the lifetime of the system Proactive Signatures  threshold signatures with increased resilience,  lifetime is divided into intervals  secret shares are updated  tolerate up to t corruptions in every interval Distribution of Trust using Threshold Cryptography

5 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 5/22 Access Control using Proactive Signatures Step 1: Certification request Step 2: Join commit (Signed Vote) Step 3: Certificate acquisition M new New member (M new ) wants to join the group If a quorum of t+1 current members approve, M new is issued a signed certificate via proactive signing protocol If no quorum found, membership is denied Vote 1 Vote 2

6 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 6/22 Provably Secure Proactive Signatures RSA based  Frankel, et al. [FOCS’97] [Crypto’97], Rabin [Crypto’98] DSA based;  Gennaro, et al. [EC’96] [IANDC’01] Schnorr based  Gennaro, et al. [RSA Security’03] BLS based  Boldyreva [PKC’03] None applicable for access control in ad hoc groups

7 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 7/22 Recent Access Control Schemes URSA URSA: Ubiquitous and Robust Access Control  Luo, et al. [ICNP’01, ISCC’02, WCMC’02, ToN’04]  Proposes a new proactive RSA scheme Others  Based on proactive DSA; Narasimha, et al. [ICNP’03], Saxena, et al. [SASN’03]  Based on proactive BLS; Saxena, et al. [ICISC’04] Under scrutiny in this work

8 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 8/22 URSA Proactive RSA Scheme (1/3) Setup Setup  Dealer generates RSA private key d and public key (e, N)  Randomly picks polynomial f(x) of degree t  Member M j is issued a secret share: f(x) = d + a 1 x + a 2 x 2 + … + a t x t (mod N) Signature generation Signature generation (signing group G, |G|=t+1)  Polynomial interpolation:,, where partial key:  M j outputs partial signature: ss j = f(j) (mod N) Recall: RSA signature s = m d (mod N)

9 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 9/22 URSA Proactive RSA Scheme (2/3) Signature reconstruction Signature reconstruction: Since  Try all (t+1) values of α, s.t. s e = m (mod N) Note: α is revealed

10 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 10/22 Problems with URSA Proactive RSA Robustness; Narasimha, et al. [ICNP’03]  Shares are computed mod N  Regular verifiability mechanisms fail  No verifiability  No robustness Fix  Share secret d modulo a large prime q  Use special purpose zero-knowledge proofs; Boudot [EC’00] & Camenisch and Michels [Crypto’99]

11 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 11/22 Problems with URSA Proactive RSA Is this scheme (modified with the robustness fix) secure in the presence of a coalition of t corrupt members? The answer is: negative

12 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 12/22 Our Attack (example): Binary Search t=1, n=2 Players M 1, M 2, Signing group G={1,2} Adversary A corrupts M 1 Recall: d = d 1 + d 2 – αN Signing protocol reveals α  If α = 0,  d = d 1 + d 2  d ≥ d 1  o/w if α = 1,  d = d 1 + (d 2 - N)  d < d 1 During proactive updates, A can choose ss 1 s.t. With every update round, the search interval is halved Binary search recovers d in log 2 (N) rounds 0 d 1 N Recall d 1 = ss 1 l 1 (mod N)

13 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 13/22 Our Attack: (t+1)-ary Search Adversary A corrupts M 1, M 2, …,M t (w.l.o.g) Signing group G p ={1,2,…,t, p}, where p > t A learns if d ≥ D p or d < D p, where During proactive updates, A can choose ss 1, ss 2,…, ss t s.t. Every round reveals log 2 (t+1) MSBs of d (t+1)-ary search recovers d inrounds 0D p1 D p2 D pt N

14 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 14/22 Optimal Choice of New Shares Solve following set of deterministic equations for ss 1, ss 2, …, ss t

15 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 15/22 URSA Proactive Update Simplified Classic protocol; Herzberg et al. [Crypto’95]  Update the shares but keep the same group secret d  A set of at least t+1 members update the polynomials  Each M i chooses random poly. δ i (z) of degree t s.t. δ i (0) = 0  M j gives δ j (i) to M i  M i ’s new share becomes ss i (old share was ss i ‘)  ss i ’ is deleted

16 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 16/22 Adversarial Behavior in Share Update B : t members corrupted by A M b B : member who “speaks last ” Update polynomial New shares are computed as M b waits until it receives all other shares and chooses its polynomial δ b (z) s.t. This sets A’s share to be ss 1, ss 2,…,ss t

17 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 17/22 Speeding-up the Attack Attack requires r = rounds Recover last 40-bits of d by brute-force given RSA public key (e,N)  r = Apply known results on RSA partial key exposure; Boneh, et al. [AC’01], Blomer-May [Crypto’03], Thm1: log 2 (e) MSBs of d determine 512-MSBs  r = e.g., for t = 7, |N|=1024, e = 65537  r = 163 e = 3  r = 158

18 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 18/22 Speeding-up the Attack Number of proactive update rounds required for a given log N (e) value, for t=7 & |N|=1024

19 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 19/22 Attack Assumptions 1. Adversary corrupts t members of the update group Ω, one of whom “speaks last ” 2. In every round, t runs of the signing protocol are executed, the signing groups consisting of all bad and one (distinct) good player.

20 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 20/22 Insecurity of URSA For a modest threshold t=7, |N|=1024 and e=65537, the attack requires 163 proactive update rounds and a total of 1148 runs of the signing protocol The leakage is very fast  e.g. in just 34 rounds, 600 MSBs of d are revealed Other faster attacks are possible with signing group consisting of less than t bad players

21 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 21/22 Positive Result in a Related Work Jarecki and Saxena [in submission] URSA proactive RSA scheme (plus robustness fix) with additive-secret sharing is provably secure 2-4 times faster than the state-of-the-art Rabin’s proactive RSA [Crypto’98] However, not applicable for access control in ad hoc groups Open Problem: to design a provably secure proactive RSA scheme that yields an efficient access control mechanism for ad hoc groups!!

22 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 22/22 Thank You!

23 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 23/22

24 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 24/22

25 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 25/22 Speeding-up the Attack Thm2: For prime e ε [2 m, 2 m+1 ], with m ε [|N|/4,|N|/2], m MSBs of d determine d Thm3: For e ε [2 m, 2 m+1 ] and product of at most r primes, with m ε [|N|/4,|N|/2], m MSBs determine d given factorization of e  Thm4: For e ε [N 0.5, N 0.25 ], MSBs of d determine d, where α = log N (e) 

26 10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 26/22 Our Attack: (t+1)-ary search Adversary A corrupts M 1, M 2, …,M t (w.l.o.g) Signing group G p ={1,2,…,t, p}, where p ε [t+1,..2t] Recall Signing protocol reveals α (Gp)  Compute  If S p ≥ α (Gp) N, A learns d ≥ D p  o/w if S p < α (Gp) N, A learns d < D p During proactive updates, A chooses ss 1, ss 2,…, ss t such that Every round reveals log 2 (t+1) MSBs of d (t+1)-ary search recovers d in rounds 0D t+1 D t+2 D 2t N-1

Download ppt "10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol."

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.

Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
URSA: Providing Ubiquitous and Robust Security Support for MANET

URSA: Providing Ubiquitous and Robust Security Support for MANET
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
PROVIDING ROBUST AND UBIQUITOUS SECURITY SUPPORT FOR MOBILE AD- HOC NETWORKS Georgios Georgiadis 6/5/2008.

PROVIDING ROBUST AND UBIQUITOUS SECURITY SUPPORT FOR MOBILE AD- HOC NETWORKS Georgios Georgiadis 6/5/2008.
1 Key Establishment in Ad Hoc Networks Part 1 of 2 S. Capkun, JP Hubaux.

1 Key Establishment in Ad Hoc Networks Part 1 of 2 S. Capkun, JP Hubaux.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Lect. 11: Public Key Cryptography. 2 Contents 1.Introduction to PKC 2.Hard problems  IFP  DLP 3.Public Key Encryptions  RSA  ElGamal 4.Digital Signatures.

Lect. 11: Public Key Cryptography. 2 Contents 1.Introduction to PKC 2.Hard problems  IFP  DLP 3.Public Key Encryptions  RSA  ElGamal 4.Digital Signatures.
1 A few challenges in security & privacy in the context of ubiquitous computing Gene Tsudik SCONCE: Secure Computing and Networking Center UC Irvine

1 A few challenges in security & privacy in the context of ubiquitous computing Gene Tsudik SCONCE: Secure Computing and Networking Center UC Irvine
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 1 (26) L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks presented by Johanna Vartiainen.

L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, (26) L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks presented by Johanna Vartiainen.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

Similar presentations

Ads by Google