Advanced Security Outline § One-Time Signatures Constructions • Lamport’s signature and Key Management • Improved signature constructions • Merkle-Winternitz Signature § Efficient Authenticators (amortize signature) Class 16 • One-way chains (self-authenticating values) • Chained hashes • Merkle Hash Trees § Applications • Efficient short-lived certificates, S/Key • Untrusted external storage • Stream signatures (Gennaro, Rohatgi) § Zhou & Haas’s key distribution One-Time Signatures One-Time Signatures § Use one -way functions without trapdoor § Challenge: digital signatures expensive § Efficient for signature generation and for generation and verification verification § Caveat: can only use one time § Goal: amortize digital signature § Example: 1-bit one-time signature • P0, P1 are public values (public key) • S0, S1 are private values (private key) S0 P0 S0 S0’ P S1 P1 S1 S1’ Lamport’s One-Time Signature Improved Construction I § Uses 1-bit signature construction to sign multiple bits § Uses 1-bit signature construction to sign multiple bits Sign 0 S0 S0’ S0’’ S0* Private values S0 S0’ S0’’ S0* c0 c0’ c0* P0 P0’ P0’’ P0* … … … Public values P0 P0’ P0’’ P0* p0 p0’ p0* P1 P1’ P1’’ P1* Bit 0 Bit 1 Bit 2 Bit n Bit 0 Bit 1 Bit log(n) Sign 1 S1 S1’ S1’’ S1* Private values Sign message Checksum bits: encode Bit 0 Bit 1 Bit 2 Bit n # of signature bits = 0 1 Improved Construction II Merkle-Winternitz Construction § Intuition: encode sum of checksum chain § Lamport signature has high overhead Signature S0 S1 S2 S3 § Goal: reduce size of public and private key Bits 0,1 § Approach: use one-way hash chains Signature S0’ S1’ S2’ S3’ § S1 = F( S0 ) Bits 2,3 Signature Sig(0) Sig(1) Sig(2) Sig(3) S0’’ S1’’ S2’’ S3’’ P Bits 4,5 Signature S0 S1 S2 S3 P chain Checksum C3 C2 C1 C0 Checksum Bits 0,1 chain C3 C2 C1 C0 Checksum C3’ C2’ C1’ C0’ P = F( S3 || C0 ) Bits 2,3 Efficient Authenticators Recall One-Way Hash Chains? § Versatile cryptographic primitive § One-way chains § Construction • Pick random r and public one-way function F § Chained hashes N • ri = F(ri+1) • Secret value: r , public value r § Merkle hash trees N 0 F F F F r3 r4 r5 r6 r7 § Properties • Use in reverse order of construction: r1 , r2 … rN • Infeasible to derive ri from rj (j<i) Efficiently authenticate r knowing r (j<i): • i-j i j verify rj = F (ri) • Robust to missing values One-Way Chain Application Chained Hashes § More general construction than one-way § S/Key one-time password system hash chains § Goal § Useful for authenticating a sequence of • Use a different password at every login • Server cannot derive password for next login data values D 0 , D1 , …, DN § Solution: one -way chain § H* authenticates entire chain • Pick random password PL • Prepare sequence of passwords P = F(P ) i i+1 D0 DN-2 DN-1 • Use passwords P0 , P1 , …, PL-1 , PL … • Server can easily authenticate user H H D H* 0 HN-2 N-1 N F F F F p3 p4 p5 p6 p7 H( DN-1 || HN-1 ) H(DN) 2 Merkle Hash Trees Merkle Hash Trees II § Verifier knows T § Authenticate a sequence of data values 0 § How can verifier authenticate leaf Di ? D0 , D1 , …, DN § Solution: recompute T0 using Di § Construct binary tree over data values § Example authenticate D2 , send D3 T3 T2 § Verify T0 = H( H( T3 || H( D2 || D3 )) || T2 ) T0 T0 T1 T2 T1 T2 T3 T4 T5 T6 T3 T4 T5 T6 D0 D1 D2 D3 D4 D5 D6 D7 D0 D1 D2 D3 D4 D5 D6 D7 Untrusted External Storage Stream Signatures § Problem: how can we store memory of a § Gennaro & Rohatgi, Crypto ‘97 secure coprocessor in untrusted storage? § Problem § Solution: construct Merkle hash tree over all memory pages • Sender sends a sequence of packets to receiver • Receiver wants to immediately authenticate Secure each packet Mallory’s Storage Coprocessor • Efficient authentication of packets • On-line case (real-time data), off-line case (stored data) Small persistent storage Off-line Case On-line Case § Use a one-time signature to authenticate packets § Sender know entire stream before sending • Sender has regular signature (SK,PK) • Sender signs public key of one-time signature § Use chained hashes, precompute Hi S (pk0) § Digitally sign the first packet S(H ) SK * • Sign packet Pi and one-time public key pki with pki-1 § Each packet authenticates the next packet P0 P1 P0 PN-2 PN-1 … pk1 pk2 H H P H* 0 HN-2 N-1 N Ssk0(P0 || pk1) Ssk1(P1 || pk2) 3 Stream Signature Discussion Alternative Stream Signature § Add hashes to later packets § Computation and communication cost § Periodically send a signature packet § Robustness to DoS attack (packet injection) Packet 1 Packet 2 Packet 3 § Robustness to packet loss • Loss of a single packet prevents Hash(P1) Hash(P2) authentication of subsequent packets • How could we improve the loss robustness? Signature Packet Hash(P3) Signature Improving Robustness Securing Ad Hoc Networks Packet 1 Packet 2 Packet 3 § Zhou & Haas, IEEE Network Magazine ’99 § Security goals Hash(P1) Hash(P2) Hash(P1) • Availability • Confidentiality Signature Packet • Integrity Hash(P3) • Authentication Hash(P2) § Secure Routing Signature § Key management Attacker Assumptions Secure Routing § Attacker can physically compromise § Authenticate all routing messages, to nodes prevent external attackers § “Mobile Adversary” § Proposes to use multiple paths to • Adversary can compromise any node tolerate internal attackers • Temporarily compromises node, then moves Drawback: internal attackers could easily on to next node • fake multiple paths • Every node may be compromised at one time § Attacker compromises at most t nodes at any one moment 4 Key Management Service Distributed CA Model § Consider public-key infrastructure (PKI) § Private CA key is shared among set of nodes • Everybody trusts certification authority (CA) • Signing needs coalition of t+1 correct nodes • CA authenticates and signs public keys of • Secret sharing prevents t malicious nodes from other nodes reconstructing CA private key § PKI drawbacks § Requirements for key management service • Revocation requires on-line PKI • Robustness: service available to answer requests correctly • Single point of failure, CA replication • Confidentiality: adversary never learns CA private increases vulnerability to node compromise key § Solution: distributed CA Threshold Cryptography Proactive Security § Share secret S among n nodes, require t+1 § Use share refreshing against mobile nodes for reconstruction adversaries • (n, t+1) secret sharing scheme § If (s , s , …, s ) is a sharing of k, and § Share private key K among n nodes, require 1 2 n t+1 nodes for signing (s’1, s’2, …, s’n) is a sharing of k’, • (n, t+1) threshold signature scheme then (s1 + s’1, s2 + s’2, …, sn + s’n) is a correct • Node i gets share ki sharing of k + k’ • For signing, nodes send partial signature to Trick, set k’ = 0, so new sharing also combiner § • Combiner collects 2t+1 partial signatures represents k Share Refreshing Discussion § How can share refreshing tolerate faulty nodes? How can we tolerate compromised combiner? s’ + s s s s § n 1,n 2,n 3,n n,n • Who decides to be a combiner? § How can we bootstrap this system? Shares • How can we introduce a new node? of 0 + § Why should node sign a message? s’2 s1,2 s2,2 s3,2 sn,2 • How does node authenticate message? + § Is signature combination expensive if we have t s’1 s1,1 s2,1 s3,1 sn,1 faulty nodes? s1 s2 s3 sn 5.