DOCSLIB.ORG

On Asynchronous Group Key Agreements Tripartite Asynchronous Ratchet Trees

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2020 On Asynchronous Group Key Agreements Tripartite Asynchronous Ratchet Trees PHILLIP GAJLAND KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE On Asynchronous Group Key Agreements Phillip Gajland A thesis submitted for the degree of Master of Science Theoretical Computer Science: Algorithms, Complexity and Cryptography Supervisor (CH): Prof. Dr. Serge Vaudenay Security and Cryptography Laboratory (LASEC) EPFL { Swiss Federal Institute of Technology Lausanne Supervisor (SE): Prof. Dr. Mats N¨aslund Division of Theoretical Computer Science (TCS) KTH - Royal Institute of Technology Examiner: Prof. Dr. Johan H˚astad Department of Mathematics KTH - Royal Institute of Technology School of Electrical Engineering and Computer Science KTH Royal Institute of Technology Stockholm / Lausanne - Spring 2020 Abstract The subject of secure messaging has gained notable attention lately in the cryptographic community. For communications between two parties, paradigms such as the double ratchet, used in the Signal protocol, provide provably strong security guarantees such as forward secrecy and post-compromise security. Variations of the Signal protocol have enjoyed widespread adoption and are embedded in several well known messaging services, including Signal, WhatsApp and Facebook Secret Conversations. However, providing equally strong guarantees that scale well in group settings remains somewhat less well studied and is often neglected in practice. This motivated the need for the IETF Messaging Layer Security (MLS) working group. The first continuous group key agreement (CGKA) protocol to be proposed was Asynchronous Ratcheting Trees (ART) [Cohn-Gordon et al., 2018] and formed the basis of TreeKEM [Barnes et al., 2019], the CGKA protocol currently suggested for MLS. In this thesis we propose a new asynchronous group key agreement protocol based on a one-round Tripartite Diffie-Hellman [Joux, 2000]. Furthermore, we show that our protocol can be generalised for an n-ary asynchronous ratchet tree, assuming the existence of a one-round (n + 1)-way Diffie-Hellman key exchange, based on a n-multilinear map [Boneh and Silverberg, 2003]. We analyse ART, TreeKEM, and our proposals from a complexity theoretic perspective and show that our proposals improve the cost of update operations. Finally we present some discussion and improvements to the IETF MLS standard. Keywords: MLS, secure messaging, cryptography. Phillip Gajland (Stockholm / Lausanne - Spring 2020) On Asynchronous Group Key Agreements 1 Sammanfattning Amnet¨ om s¨akra meddelanden har p˚a senare tid skapat uppm¨arksamhet inom kryptografiska samfundet. F¨orkommunikationer mellan tv˚aparter ger paradigmer s˚asom Double Ratchet, som anv¨ands i Signal-protokollet, starka bevisbara s¨akerhetsgarantier som forward secrecy och post-compromise security. Variationer av Signal-protokollet anv¨ands mycket i praktiken och ¨arinb¨addadei flera v¨alk¨andameddelandetj¨ansters˚asomSignal, WhatsApp och Facebook Secret Conversations. D¨aremot¨arprotokoll som erbjuder lika starka garantier och som skalar v¨ali gruppsituationer n˚agotmindre studerade och ofta eftersatta i praktiken. Detta motiverade behovet av arbetsgruppen IETF Messaging Layer Security (MLS). Det f¨orstakontinuerliga gruppnyckelprotokollet (CGKA) som f¨oreslogsvar Asynchronous Ratcheting Trees (ART) [Cohn-Gordon et al., 2018] och lade grunden f¨or TreeKEM [Barnes et al., 2019], det CGKA-protokoll som f¨orn¨arvarande f¨oreslagitsf¨orMLS. I detta examensarbete f¨oresl˚arvi ett nytt asynkront gruppnyckelprotokoll baserat p˚aen en-rundad Tripartite Diffie–Hellman [Joux, 2000]. Vidare visar vi att v˚artprotokoll kan generaliseras f¨orn-ary tr¨admed hj¨alpav ett en-rundat (n + 1)-v¨agDiffie-Hellman nyckelutbyte, baserat p˚aen multilinj¨armappning [Boneh and Silverberg, 2003]. Vi analyserar ART, TreeKEM och v˚araf¨orslag ur ett teoretiskt perspektiv samt visar att v˚araf¨orslag f¨orb¨attrar kostnaden f¨oruppdateringsoperationer. Slutligen presenterar vi n˚agradiskussioner och f¨orb¨attringarav IETF MLS-standarden. Nyckelord: MLS, s¨aker meddelandehantering, kryptografi. Phillip Gajland (Stockholm / Lausanne - Spring 2020) On Asynchronous Group Key Agreements 2 "Ich will! { Das Wort ist m¨achtig, Spricht's einer ernst und still; Die Sterne reißt’s vom Himmel Das eine Wort: Ich will!" - Große 3 Acknowledgements Foremost I would like to express my deepest appreciation to my supervisor, Serge Vaudenay, for hosting me at LASEC and making this thesis possible. His remarkable attention to detail and emphasis on quality research leaves me in awe. I am extremely grateful for the continued guidance that I have received from my supervisor in Sweden, Mats N¨aslund.His deep insights into such a wide range of topics in cryptography have been most valuable. I would also like to thank Johan H˚astadfor agreeing to be the examiner of this thesis and for putting me in touch with Mats. My time at the lab has been most memorable and I would like to thank all my colleagues there for the fruitful conversations. A particular mention goes to Fatih Balli, whom I had the privilege of sharing an office with, as well as Martine Corval for helping me with the various administrative hurdles. Finally, I thank my parents and family for their continued support. 4 Contents 1 Background 8 1.1 Motivation . .8 1.2 Outline . 11 1.3 Objectives of Secure Messaging . 11 1.4 Security Notions . 12 1.5 Relevant Previous Work . 13 1.6 Introductory Cryptography . 13 1.7 KEM . 15 2 Secure Messaging 17 2.1 The Signal Protocol . 17 2.2 X3DH . 17 2.3 Hash Ratchets & the Double Ratchet Algorithm . 19 3 Secure Group Messaging 24 3.1 Messaging Layer Security (MLS) . 25 3.2 Asynchronous Ratcheting Trees . 28 3.3 Tree KEM . 30 3.4 Tripartite Asynchronous Ratcheting Trees . 31 4 Discussion 38 4.1 Results and Conclusion . 38 4.2 Open Questions for the IETF MLS Standard . 39 5 List of Figures 1.1 PGP hasn't been adopted by the general public as non-technical users might find it hard to use. Inspecting public keys with gpg, the OpenPGP part of the GNU Privacy Guard (GnuPG). .9 1.2 A X.509 self-signed root certificate representing a certificate authority. 11 2.1 The three Diffie-Hellman operations making up X3DH are DH1 = DH(IKA; SPKB), DH2 = DH(EKA; IKB) and DH3 = DH(EKA; SPKB). The shared key k is computed as k = KDF(DH1jjDH2jjDH3). If the prekey bundle contains a one-time i prekey OPKB, then k is computed as k = KDF(DH1jjDH2jjDH3jjDH4), i where DH4 = DH(EKA; OPKB). ......................... 19 2.2 In a KDF chain, part of the output from a KDF is used as the input to a following KDF. The other part is used as an output key. Since each output appears random, a KDF chain provides forward secrecy. 21 2.3 Diffie-Hellman ratchet. Alice is initialised with Bob's ratchet pkB0 . Alice performs a DH computation with pkB0 and skA1 , the output is used to derive a new sending chain key. The next message sent by Alice includes her pkA1 . Bob then performs a DH computation using pkA1 and skB0 . The output is used to derive his new receiving chain key, which is the same as Alice's sending chain key. Bob then computes a new pair (pkB1 ; skB1 ) and derives a new key for his sending chain using pkA1 and skB1 ..................... 22 3.1 Using the Signal protocol for a group of 8 users would require 28 channels. 24 3.2 Users A, B and C publish their KeyPackages to a directory . 26 3.3 User A creates a group with users B and C. 27 3.4 User B sends an update. 28 3.5 ART - At each node a public key pk and a secret key sk is stored (separated by a semicolon). For intermediate nodes, the children's secret keys are used as the exponents to compute sk. f(·) maps a group element to an integer, f(·): G! Z=jGjZ, where G is an arbitrary Diffie-Hellman group. The path from C to the root is marked in red and the nodes lying on the copath of C are marked in bold................................. 29 3.6 TreeKEM - At each node a public key pk, a secret key sk and a symmetric secret is stored (separated by a semicolon). 30 6 LIST OF TABLES PKG 3.7 Tripartite ART - At each node a public key pk and a secret key sk is stored (separated by a semicolon). For intermediate nodes, one secret key along with two public keys belonging to the children are used to compute sk. The path from C to the root is marked in red and the nodes lying on the copath of C are marked in bold. 33 List of Tables 3.1 Comparison of ART, Tripartite ART and TreeKEM - listing the number of elementary cryptographic operations. Send update denotes the number of operations done by a group member initialising an update. Similarly, process update denotes the number of operations done by each group member to process an update. Transmission indicates the amount of key material that needs to be broadcasted to make an update. Storage indicates the number of public keys need to be stored along the path in order to compute the values stored at intermediate nodes. When updates are processed, on average only a constant number of keys need to be computed, the remaining keys along the path need to be cached though. As usual, (pk; sk) denotes a key pair of an arbitrary public-key cryptosystem and s denotes a symmetric secret . 37 7 Chapter 1 Background 1.1 Motivation Recently, the desire for secure messaging has gained an increase in popularity, in part due to the Snowden revelations [Macaskill and Dance, 2013]. Messaging applications have progressively been adopting end-to-end security mechanisms to ensure that messages are not accessible to servers involved in the communications, but only to the communicating end parties.
Recommended publications
  • Course 5 Lesson 2

    Course 5 Lesson 2

    This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the National Science Foundation C5L3S1 With the advent of the Internet, social networking, and open communication, a vast amount of information is readily available on the Internet for anyone to access. Despite this trend, computer users need to ensure private or personal communications remain confidential and are viewed only by the intended party. Private information such as a social security numbers, school transcripts, medical histories, tax records, banking, and legal documents should be secure when transmitted online or stored locally. One way to keep data confidential is to encrypt it. Militaries,U the governments, industries, and any organization having a desire to maintain privacy have used encryption techniques to secure information. Encryption helps to boost confidence in the security of online commerce and is necessary for secure transactions. In this lesson, you will review encryption and examine several tools used to encrypt data. You will also learn to encrypt and decrypt data. Anyone who desires to administer computer networks and work with private data must have some familiarity with basic encryption protocols and techniques. C5L3S2 You should know what will be expected of you when you complete this lesson. These expectations are presented as objectives. Objectives are short statements of expectations that tell you what you must be able to do, perform, learn, or adjust after reviewing the lesson.
  • MASTERCLASS GNUPG MASTERCLASS You Wouldn’T Want Other People Opening Your Letters and BEN EVERARD Your Data Is No Different

    MASTERCLASS GNUPG MASTERCLASS You Wouldn’T Want Other People Opening Your Letters and BEN EVERARD Your Data Is No Different

    MASTERCLASS GNUPG MASTERCLASS You wouldn’t want other people opening your letters and BEN EVERARD your data is no different. Encrypt it today! SECURE EMAIL WITH GNUPG AND ENIGMAIL Send encrypted emails from your favourite email client. our typical email is about as secure as a The first thing that you need to do is create a key to JOHN LANE postcard, which is good news if you’re a represent your identity in the OpenPGP world. You’d Ygovernment agency. But you wouldn’t use a typically create one key per identity that you have. postcard for most things sent in the post; you’d use a Most people would have one identity, being sealed envelope. Email is no different; you just need themselves as a person. However, some may find an envelope – and it’s called “Encryption”. having separate personal and professional identities Since the early 1990s, the main way to encrypt useful. It’s a personal choice, but starting with a single email has been PGP, which stands for “Pretty Good key will help while you’re learning. Privacy”. It’s a protocol for the secure encryption of Launch Seahorse and click on the large plus-sign email that has since evolved into an open standard icon that’s just below the menu. Select ‘PGP Key’ and called OpenPGP. work your way through the screens that follow to supply your name and email address and then My lovely horse generate the key. The GNU Privacy Guard (GnuPG), is a free, GPL-licensed You can, optionally, use the Advanced Key Options implementation of the OpenPGP standard (there are to add a comment that can help others identify your other implementations, both free and commercial – key and to select the cipher, its strength and set when the PGP name now refers to a commercial product the key should expire.
  • Chapter 12 Pretty Good Privacy (PGP)

    Chapter 12 Pretty Good Privacy (PGP)

    Chapter 12 Pretty Good Privacy (PGP) With the explosively growing reliance on electronic mail for every conceivable pur- pose, there grows a demand for authentication and confidentiality services. Two schemes stand out as approaches that enjoy widespread use: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME). The latter is a security en- hancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organisational use, while PGP will remain the choice for personal e-mail security for many users. In this course we will only be looking at PGP. S/MIME is discussed in detail in the recommended text. 12.1 Background PGP is a remarkable phenomenon. Largely the effort of a single person, Phil Zimmer- mann, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. In essence what Zimmermann has done is the following: 1. Selected the best cryptographic mechanisms (algorithms) as building blocks. 2. Integrated these algorithms into a general purpose application that is independent of operating system and processor and that is based on a small set of easy to use commands. 3. Made the package and its source code freely available via the Internet, bulletin boards, and commercial networks such as America On Line (AOL). 4. Entered into an agreement with a company (Viacrypt, now Network Associates) to provide a fully compatible low cost commercial version of PGP.
  • Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard V1.2.3

    Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard V1.2.3

    Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3 Phong Q. Nguyen CNRS/Ecole´ normale sup´erieure D´epartement d’informatique 45 rue d’Ulm, 75230 Paris Cedex 05, France. [email protected] http://www.di.ens.fr/˜pnguyen Abstract. More and more software use cryptography. But how can one know if what is implemented is good cryptography? For proprietary soft- ware, one cannot say much unless one proceeds to reverse-engineering, and history tends to show that bad cryptography is much more frequent than good cryptography there. Open source software thus sounds like a good solution, but the fact that a source code can be read does not imply that it is actually read, especially by cryptography experts. In this paper, we illustrate this point by examining the case of a basic In- ternet application of cryptography: secure email. We analyze parts of thesourcecodeofthelatestversionofGNUPrivacyGuard(GnuPGor GPG), a free open source alternative to the famous PGP software, com- pliant with the OpenPGP standard, and included in most GNU/Linux distributions such as Debian, MandrakeSoft, Red Hat and SuSE. We ob- serve several cryptographic flaws in GPG v1.2.3. The most serious flaw has been present in GPG for almost four years: we show that as soon as one (GPG-generated) ElGamal signature of an arbitrary message is released, one can recover the signer’s private key in less than a second on a PC. As a consequence, ElGamal signatures and the so-called ElGamal sign+encrypt keys have recently been removed from GPG.
  • A History of End-To-End Encryption and the Death of PGP

    A History of End-To-End Encryption and the Death of PGP

    25/05/2020 A history of end-to-end encryption and the death of PGP Hey! I'm David, a security engineer at the Blockchain team of Facebook (https://facebook.com/), previously a security consultant for the Cryptography Services of NCC Group (https://www.nccgroup.com). I'm also the author of the Real World Cryptography book (https://www.manning.com/books/real-world- cryptography?a_aid=Realworldcrypto&a_bid=ad500e09). This is my blog about cryptography and security and other related topics that I Ûnd interesting. A history of end-to-end encryption and If you don't know where to start, you might want to check these popular the death of PGP articles: posted January 2020 - How did length extension attacks made it 1981 - RFC 788 - Simple Mail Transfer Protocol into SHA-2? (/article/417/how-did-length- extension-attacks-made-it-into-sha-2/) (https://tools.ietf.org/html/rfc788) (SMTP) is published, - Speed and Cryptography the standard for email is born. (/article/468/speed-and-cryptography/) - What is the BLS signature scheme? (/article/472/what-is-the-bls-signature- This is were everything starts, we now have an open peer-to-peer scheme/) protocol that everyone on the internet can use to communicate. - Zero'ing memory, compiler optimizations and memset_s (/article/419/zeroing-memory- compiler-optimizations-and-memset_s/) 1991 - The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations The US government introduces the 1991 Senate Bill 266, (/article/461/the-9-lives-of-bleichenbachers- which attempts to allow "the Government to obtain the cat-new-cache-attacks-on-tls- plain text contents of voice, data, and other implementations/) - How to Backdoor Di¸e-Hellman: quick communications when appropriately authorized by law" explanation (/article/360/how-to-backdoor- from "providers of electronic communications services di¸e-hellman-quick-explanation/) and manufacturers of electronic communications - Tamarin Prover Introduction (/article/404/tamarin-prover-introduction/) service equipment".
  • Wiretapping End-To-End Encrypted Voip Calls Real-World Attacks on ZRTP

    Wiretapping End-To-End Encrypted Voip Calls Real-World Attacks on ZRTP

    Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schürmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 wiretapping difficulty End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time
  • CS 255: Intro to Cryptography 1 Introduction 2 End-To-End

    CS 255: Intro to Cryptography 1 Introduction 2 End-To-End

    Programming Assignment 2 Winter 2021 CS 255: Intro to Cryptography Prof. Dan Boneh Due Monday, March 1st, 11:59pm 1 Introduction In this assignment, you are tasked with implementing a secure and efficient end-to-end encrypted chat client using the Double Ratchet Algorithm, a popular session setup protocol that powers real- world chat systems such as Signal and WhatsApp. As an additional challenge, assume you live in a country with government surveillance. Thereby, all messages sent are required to include the session key encrypted with a fixed public key issued by the government. In your implementation, you will make use of various cryptographic primitives we have discussed in class—notably, key exchange, public key encryption, digital signatures, and authenticated encryption. Because it is ill-advised to implement your own primitives in cryptography, you should use an established library: in this case, the Stanford Javascript Crypto Library (SJCL). We will provide starter code that contains a basic template, which you will be able to fill in to satisfy the functionality and security properties described below. 2 End-to-end Encrypted Chat Client 2.1 Implementation Details Your chat client will use the Double Ratchet Algorithm to provide end-to-end encrypted commu- nications with other clients. To evaluate your messaging client, we will check that two or more instances of your implementation it can communicate with each other properly. We feel that it is best to understand the Double Ratchet Algorithm straight from the source, so we ask that you read Sections 1, 2, and 3 of Signal’s published specification here: https://signal.
  • Gnu Privacy Guard (Gnupg) Mini Howto (Italiano)

    Gnu Privacy Guard (Gnupg) Mini Howto (Italiano)

    Gnu Privacy Guard (GnuPG) Mini Howto (italiano) Brenno J.S.A.A.F. de Winter (inglese) <[email protected]>, Michael Fischer v. Mollard (tedesco) <[email protected]>, Arjen Baart (olandese) <[email protected]>, Cristian Riga- monti (italiano) <[email protected]> Versione 0.1.4 12 maggio 2003 Questo documento spiega come usare GNU Privacy Guard (GnuPG), un sistema di crittografia Open Source e compatibile con OpenPGP. Per mantenere il programma totalmente libero, si `eevitato l’uso di RSA e di altri algoritmi brevettati. Il documento originale `escritto in tedesco da Michael Fischer v. Mollard, questa traduzione italiana, a cura di Cristian Rigamonti, `ebasata sulla traduzione inglese del testo originale. Indice 1 Concetti 2 1.1 Crittografia a chiave pubblica .................................... 2 1.2 Firme digitali ............................................. 2 1.3 Rete di fiducia ............................................ 3 1.4 Limiti alla sicurezza ......................................... 3 2 Installazione 3 2.1 Sorgenti di GnuPG .......................................... 3 2.2 Configurazione ............................................ 4 2.3 Compilazione ............................................. 4 2.4 Installazione .............................................. 5 3 Uso delle chiavi 5 3.1 Creare una chiave ........................................... 5 3.2 Esportare le chiavi .......................................... 6 3.3 Importare le chiavi .......................................... 6 3.4 Revocare una chiave ........................................
  • Security Analysis and Trust Models in Wireless Networks Lela Mirtskhulava

    Security Analysis and Trust Models in Wireless Networks Lela Mirtskhulava

    Security Analysis and Trust Models in Wireless Networks Lela Mirtskhulava [email protected] Department of Computer Sciences Faculty of Exact and Natural Sciences Iv. Javakhishvili Tbilisi State University University str., 13, Georgia In the given work, we analyse the serious weaknesses recently discovered in WPA2 (Wi-Fi Protected Access 2) in October 2017 and KRACK (Key Reinstallation Attack) attack on WPA2 announced by Computer Science Scientists. The KRACKs were introduced to abuse design flaws in cryptographic protocols to reinstall an already-in-use key. Several types of cryptographic Wi-Fi handshakes are affected by the attack. There are different forms of trust to address different types of network security problems and reduce risk in certain conditions. This paper explores the trust models applied by various cryptographic schemes: a) the web of trust employed by Pretty Good Privacy (PGP) where users using their own set of trusted public keys, b) Kerberos, a secret key distribution scheme using a trusted third party, c) certificates, which allow a set of trusted third parties to authenticate each other and, by implication, each other's users. Each of the above mentioned trust models differs in complexity, scope, scalability and general applicability. Which model of trust to apply in certain circumstances and types of wireless networks are discussed in the given paper. It describes the major security issues and their techniques of building trust model by monitoring network behavior. It is intended to use secure and faster cryptographic solution for Wi-Fi networks security by using an open source public-key NTRU cryptosystem that uses lattice-based cryptography.
  • SIGMA: the 'Sign-And-Mac' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols

    SIGMA: the 'Sign-And-Mac' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols

    SIGMA: the `SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols ∗ Hugo Krawczyky June 12, 2003 Abstract We present the SIGMA family of key-exchange protocols and the \SIGn-and-MAc" approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while supporting a variety of features and trade-offs required in practical scenarios (such as optional identity protection and reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2). This paper describes the design rationale behind the SIGMA approach and protocols, and points out to many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notable the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols. ∗A shortened version of this paper appears in the proceedings of CRYPTO'03. For further information related to the SIGMA protocols see http://www.ee.technion.ac.il/~hugo/sigma.html yEE Department, Technion, Haifa, Israel, and IBM T.J. Watson Research Center. Email: [email protected] 1 Contents 1 Introduction 1 2 Preliminaries: On the Security of Key-Exchange Protocols 4 2.1 Overview of the security model and requirements .
  • Obstacles to the Adoption of Secure Communication Tools

    Obstacles to the Adoption of Secure Communication Tools

    Obstacles to the Adoption of Secure Communication Tools Ruba Abu-Salma M. Angela Sasse Joseph Bonneau University College London, UK University College London, UK Stanford University & EFF, USA Anastasia Danilova Alena Naiakshina Matthew Smith University of Bonn, Germany University of Bonn, Germany University of Bonn, Germany Abstract—The computer security community has advocated Recent mobile phone-based secure communication tools widespread adoption of secure communication tools to counter have often been designed to hide security from the user com- mass surveillance. Several popular personal communication tools pletely (albeit at some security cost [1]). WhatsApp famously (e.g., WhatsApp, iMessage) have adopted end-to-end encryption, and many new tools (e.g., Signal, Telegram) have been launched deployed E2E encryption to approximately a billion users with security as a key selling point. However it remains unclear through a code update to its application for messages, voice if users understand what protection these tools offer, and if they calls and video communications [18], with only negligible value that protection. In this study, we interviewed 60 partici- changes to the user experience. Some other communication pants about their experience with different communication tools tools (e.g., Signal, Threema) have launched with security and their perceptions of the tools’ security properties. We found that the adoption of secure communication tools is hindered by as an explicit selling point, but they also hide nearly all fragmented user bases and incompatible tools. Furthermore, the cryptographic details. vast majority of participants did not understand the essential There are key differences in the security model of dif- concept of end-to-end encryption, limiting their motivation to ferent E2E-encrypted tools, in addition to a large gap in adopt secure tools.
  • A Study of Non-Abelian Public Key Cryptography

    A Study of Non-Abelian Public Key Cryptography

    International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 278 A Study of Non-Abelian Public Key Cryptography Tzu-Chun Lin Department of Applied Mathematics, Feng Chia University 100, Wenhwa Road, Taichung 40724, Taiwan, R.O.C. (Email: [email protected]) (Received Feb. 12, 2017; revised and accepted June 12, 2017) Abstract P.W. Shor pointed out that there are polynomial-time algorithms for solving the factorization and discrete log- Nonabelian group-based public key cryptography is a rel- arithmic problems based on abelian groups during the atively new and exciting research field. Rapidly increas- functions of a quantum computer. Research in new cryp- ing computing power and the futurity quantum comput- tographic methods is also imperative, as research on non- ers [52] that have since led to, the security of public key abelian group-based cryptosystems will be one of new re- cryptosystems in use today, will be questioned. Research search priorities. In fact, the pioneering work for non- in new cryptographic methods is also imperative. Re- abelian group-based public key cryptosystem was pro- search on nonabelian group-based cryptosystems will be- posed by N. R. Wagner and M. R. Magyarik [61] in 1985. come one of contemporary research priorities. Many inno- Their idea just is not suitable for practical applications. vative ideas for them have been presented for the past two For nearly two decades, numerous nonabelian groups have decades, and many corresponding problems remain to be been discussed to design efficient cryptographic systems.