Advanced Security, Class 16: One-Time Signatures, Efficient Authenticators, and Key Distribution (lecture slides)

Outline (Advanced Security, Class 16)
§ One-Time Signature Constructions
  • Lamport's signature and key management
  • Improved signature constructions
  • Merkle-Winternitz signature
§ Efficient Authenticators (amortize a signature)
  • One-way chains (self-authenticating values)
  • Chained hashes
  • Merkle hash trees
§ Applications
  • Efficient short-lived certificates, S/Key
  • Untrusted external storage
  • Stream signatures (Gennaro, Rohatgi)
§ Zhou & Haas's key distribution

One-Time Signatures
§ Challenge: digital signatures are expensive
§ Goal: amortize one digital signature over many messages
§ Use one-way functions without a trapdoor
§ Efficient for both signature generation and verification
§ Caveat: each key can only be used one time
§ Example: 1-bit one-time signature
  • P0, P1 are public values (public key), P0 = F(S0) and P1 = F(S1)
  • S0, S1 are private values (private key)
  • To sign bit b, reveal S_b; the verifier checks F(S_b) = P_b
  (figure: S0 -> P0 and S1 -> P1, each arrow one application of F)

Lamport's One-Time Signature
§ Uses the 1-bit construction once per message bit (bit 0, bit 1, bit 2, ..., bit n)
  • Private values to sign a 0: S0, S0', S0'', ..., S0*
  • Private values to sign a 1: S1, S1', S1'', ..., S1*
  • Public values: P0, P0', P0'', ..., P0* and P1, P1', P1'', ..., P1*
  • The signature reveals, at each bit position, the private value matching that bit

Improved Construction I
§ Uses the 1-bit construction to sign multiple bits with only one private value per message bit
  • Private values S0, S0', S0'', ..., S0* (public values P0, P0', P0'', ..., P0*) sign message bits 0 ... n
  • Checksum bits 0 ... log(n): private values c0, c0', ..., c0* (public values p0, p0', ..., p0*) encode the number of signature bits equal to 0
  • The checksum is what stops an attacker who can only withhold revealed values: changing a message bit changes the count, and the count is signed the same way

Improved Construction II
§ Intuition: sign several bits at once with a hash chain, and encode the sum in a checksum chain
  • Bits 0,1 signed with chain S0, S1, S2, S3; bits 2,3 with S0', S1', S2', S3'; bits 4,5 with S0'', S1'', S2'', S3''
  • Checksum chain C3, C2, C1, C0 runs in the opposite direction
  (figure: one signature chain per 2-bit group next to the checksum chain)

Merkle-Winternitz Construction
§ Lamport's signature has high overhead
§ Goal: reduce the size of public and private key
§ Approach: use one-way hash chains
  • S1 = F(S0), S2 = F(S1), S3 = F(S2)
  • Sig(0), Sig(1), Sig(2), Sig(3) are S0, S1, S2, S3: to sign the value v, reveal S_v; the verifier applies F until it reaches the end of the chain
  • Checksum chain C3, C2, C1, C0 is revealed in the opposite direction
  • P = F(S3 || C0): one public value covers both chains

Efficient Authenticators
§ Versatile cryptographic primitives
  • One-way chains
  • Chained hashes
  • Merkle hash trees

Recall One-Way Hash Chains?
§ Construction
  • Pick a random r_N and a public one-way function F
  • r_i = F(r_{i+1})
  • Secret value: r_N; public value: r_0
  (figure: r_3 <- r_4 <- r_5 <- r_6 <- r_7, each arrow one application of F)
§ Properties
  • Use in reverse order of construction: r_1, r_2, ..., r_N
  • Infeasible to derive r_i from r_j (j < i)
  • Efficiently authenticate r_i knowing r_j (j < i): verify r_j = F^{i-j}(r_i)
  • Robust to missing values

One-Way Chain Application
§ S/Key one-time password system
§ Goal
  • Use a different password at every login
  • Server cannot derive the password for the next login
§ Solution: one-way chain
  • Pick a random password P_L
  • Prepare the sequence of passwords P_i = F(P_{i+1})
  • Use passwords in the order P_0, P_1, ..., P_{L-1}, P_L; each is the preimage of the one before it
  • Server can easily authenticate the user: it stores the last accepted P_i and checks F(P_{i+1}) = P_i
  (figure: p_3 <- p_4 <- p_5 <- p_6 <- p_7)

Chained Hashes
§ More general construction than one-way hash chains
§ Useful for authenticating a sequence of data values D_0, D_1, ..., D_N
§ H* authenticates the entire chain
  • H_N = H(D_N), and H_i = H(D_i || H_{i+1}) for i < N
  (figure: D_0 ... D_{N-2}, D_{N-1}, D_N above H*, H_0, ..., H_{N-2}, H_{N-1}, H_N)

Merkle Hash Trees
§ Authenticate a sequence of data values D_0, D_1, ..., D_N
§ Construct a binary tree over the data values
  (figure: root T_0; children T_1, T_2; grandchildren T_3, T_4, T_5, T_6; leaves D_0 ... D_7, with T_4 = H(D_2 || D_3), T_1 = H(T_3 || T_4), T_0 = H(T_1 || T_2))

Merkle Hash Trees II
§ Verifier knows T_0
§ How can the verifier authenticate leaf D_i?
§ Solution: recompute T_0 using D_i and the sibling values along its path
§ Example: authenticate D_2; send D_3, T_3, T_2
§ Verify T_0 = H( H( T_3 || H( D_2 || D_3 )) || T_2 )

Untrusted External Storage
§ Problem: how can we store the memory of a secure coprocessor in untrusted storage?
§ Solution: construct a Merkle hash tree over all memory pages
  (figure: secure coprocessor with small persistent storage for the root, pages kept in Mallory's storage)

Stream Signatures
§ Gennaro & Rohatgi, Crypto '97
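The Merkle hash tree verification just described, as an added example (this is not code from the slides). It follows the slide's layout exactly: the lowest internal nodes hash two raw data values, higher nodes hash two child nodes, and D_2 is authenticated from D_3, T_3, T_2. SHA-256 stands in for the abstract H, the eight 32-byte "memory pages" are constructed sample data, and the power-of-two / fixed-length restrictions are simplifications of this example.

```python
import hashlib
from typing import List, Tuple

def H(data: bytes) -> bytes:
    """The tree hash H; SHA-256 is an assumption, the slides leave H abstract."""
    return hashlib.sha256(data).digest()

def build_tree(values: List[bytes]) -> List[List[bytes]]:
    """Binary hash tree over D_0 ... D_N: levels[0] holds H(D_{2i} || D_{2i+1})
    (T_3 ... T_6 on the slides), each higher level hashes adjacent pairs, levels[-1] = [T_0]."""
    n = len(values)
    assert n >= 2 and n & (n - 1) == 0, "demo assumes a power-of-two number of values"
    assert len({len(v) for v in values}) == 1, "fixed-length values keep D_i || D_j unambiguous"
    level = [H(values[i] + values[i + 1]) for i in range(0, n, 2)]
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]

def auth_path(levels, values, i) -> Tuple[bytes, List[Tuple[bytes, bool]]]:
    """Prover's side: the sibling data value plus one sibling node per tree level
    (for D_2 this is D_3, T_3, T_2); each node is tagged with whether it sits to the left."""
    sibling_value = values[i ^ 1]
    path = []
    idx = i // 2                      # index of H(D_i || D_sibling) in levels[0]
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib < idx))
        idx //= 2
    return sibling_value, path

def verify(t0: bytes, i: int, value: bytes, sibling_value: bytes, path) -> bool:
    """Verifier's side: knows only T_0; recomputes the root bottom-up from D_i and the path."""
    node = H(value + sibling_value) if i % 2 == 0 else H(sibling_value + value)
    for sib, sib_is_left in path:
        node = H(sib + node) if sib_is_left else H(node + sib)
    return node == t0

# Constructed sample: eight 32-byte "memory pages" D_0 ... D_7.
PAGES = [bytes([i]) * 32 for i in range(8)]

def demo_d2() -> bool:
    levels = build_tree(PAGES)
    d3, path = auth_path(levels, PAGES, 2)
    t3, t2 = path[0][0], path[1][0]
    # Same computation as the slide formula T_0 = H( H( T_3 || H( D_2 || D_3 )) || T_2 ).
    assert root(levels) == H(H(t3 + H(PAGES[2] + d3)) + t2)
    return verify(root(levels), 2, PAGES[2], d3, path)

if __name__ == "__main__":
    print("D_2 authenticated:", demo_d2())
```

The verifier (the coprocessor's small persistent storage) keeps only T_0; a proof is one sibling page plus log2(pages) sibling nodes. A page write works the same way in reverse: recompute the path from the new page and store the new T_0 before releasing the page to Mallory's storage.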
§ Problem
  • Sender sends a sequence of packets to a receiver
  • Receiver wants to immediately authenticate each packet
  • Efficient authentication of packets
  • On-line case (real-time data), off-line case (stored data)

Off-line Case
§ Sender knows the entire stream before sending
§ Use chained hashes, precompute H_i
§ Digitally sign the first packet: S_SK(H*)
§ Each packet authenticates the next packet
  (figure: P_0, ..., P_{N-2}, P_{N-1}, P_N above H*, H_0, ..., H_{N-2}, H_{N-1}, H_N; packet P_i carries H_{i+1})

On-line Case
§ Use a one-time signature to authenticate packets
  • Sender has a regular signature key pair (SK, PK)
  • Sender signs the first one-time public key: S_SK(pk_0)
  • Sign packet P_i together with the next one-time public key pk_{i+1} using the one-time private key sk_i
  (figure: P_0, P_1, ... with pk_1, pk_2, ...; S_sk0(P_0 || pk_1), S_sk1(P_1 || pk_2))

Stream Signature Discussion
§ Computation and communication cost
§ Robustness to DoS attack (packet injection)
§ Robustness to packet loss
  • Loss of a single packet prevents authentication of subsequent packets
  • How could we improve the loss robustness?

Alternative Stream Signature
§ Add hashes to later packets
§ Periodically send a signature packet
  (figure: Packet 1; Packet 2 carries Hash(P1); Packet 3 carries Hash(P2); Signature Packet carries Hash(P3) and the signature)
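Lamport's construction from the start of the lecture and the on-line stream signature just described, as one added example (not code from the slides or from Gennaro & Rohatgi). Assumptions of this example: SHA-256 stands in for the abstract F, a message is signed through its SHA-256 digest (256 bits, so 512 private values per key), and pk_0 is handed to the receiver directly instead of being certified with S_SK(pk_0). The last two functions show the "one time" caveat: after a second signature under the same key, an eavesdropper holds both private values at every position where the two digests differ.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

N_BITS = 256  # one private value per bit of the SHA-256 digest of the message

def F(x: bytes) -> bytes:
    """Public one-way function (SHA-256 is an assumption; the slides leave F abstract)."""
    return hashlib.sha256(x).digest()

def lamport_keygen():
    """sk[b][j] is the private value revealed to sign bit j = b; pk[b][j] = F(sk[b][j])."""
    sk = [[secrets.token_bytes(32) for _ in range(N_BITS)] for _ in range(2)]
    pk = [[F(s) for s in row] for row in sk]
    return sk, pk

def msg_bits(msg: bytes) -> List[int]:
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (N_BITS - 1 - j)) & 1 for j in range(N_BITS)]

def lamport_sign(sk, msg: bytes) -> List[bytes]:
    return [sk[b][j] for j, b in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig: List[bytes]) -> bool:
    return len(sig) == N_BITS and all(
        F(s) == pk[b][j] for j, (b, s) in enumerate(zip(msg_bits(msg), sig)))

def pk_bytes(pk) -> bytes:
    """Serialise a one-time public key (2 * 256 * 32 bytes) so it can be part of a signed packet."""
    return b"".join(pk[0]) + b"".join(pk[1])

# --- on-line stream signature: sk_i signs P_i || pk_{i+1} ---

def stream_send(packets: List[bytes]):
    """Returns pk_0 and the signed stream. Certifying pk_0 with the sender's regular key,
    S_SK(pk_0), is assumed done out of band in this example."""
    sk, pk0 = lamport_keygen()
    stream = []
    for p in packets:
        sk_next, pk_next = lamport_keygen()
        stream.append((p, pk_next, lamport_sign(sk, p + pk_bytes(pk_next))))
        sk = sk_next                       # sk_i is never used again
    return pk0, stream

def stream_receive(pk0, stream) -> int:
    """Verifies each packet immediately on arrival and returns how many were accepted.
    A lost, reordered or injected packet breaks the chain at that point."""
    pk, accepted = pk0, 0
    for p, pk_next, sig in stream:
        if not lamport_verify(pk, p + pk_bytes(pk_next), sig):
            break
        accepted += 1
        pk = pk_next
    return accepted

# --- the one-time caveat: what an eavesdropper learns if a key signs twice ---

def revealed_values(signed: List[Tuple[bytes, List[bytes]]]) -> Dict[Tuple[int, int], bytes]:
    """(bit position, bit value) -> private value, collected from every signature under one key."""
    known = {}
    for m, s in signed:
        for j, (b, v) in enumerate(zip(msg_bits(m), s)):
            known[(j, b)] = v
    return known

def forge(known: Dict[Tuple[int, int], bytes], target: bytes):
    """Signs `target` without the private key iff every digest bit of target was already revealed."""
    bits = msg_bits(target)
    if any((j, b) not in known for j, b in enumerate(bits)):
        return None
    return [known[(j, b)] for j, b in enumerate(bits)]

if __name__ == "__main__":
    pk0, stream = stream_send([b"packet 0", b"packet 1", b"packet 2"])   # constructed packets
    print("accepted:", stream_receive(pk0, stream))
    sk, pk = lamport_keygen()
    known = revealed_values([(b"m1", lamport_sign(sk, b"m1")), (b"m2", lamport_sign(sk, b"m2"))])
    print("private values exposed after two signatures:", len(known), "of", 2 * N_BITS)
```

Every packet carries a fresh 16 KB public key and an 8 KB signature, which is the communication cost the discussion slide refers to; the Merkle-Winternitz construction exists to shrink exactly these two numbers.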
Improving Robustness
§ Carry the hashes of the two preceding packets in each packet, so a single lost packet no longer breaks the chain
  (figure: Packet 1; Packet 2 carries Hash(P1); Packet 3 carries Hash(P2), Hash(P1); Signature Packet carries Hash(P3), Hash(P2) and the signature)

Securing Ad Hoc Networks
§ Zhou & Haas, IEEE Network Magazine '99
§ Security goals
  • Availability
  • Confidentiality
  • Integrity
  • Authentication
§ Secure routing
§ Key management

Attacker Assumptions
§ Attacker can physically compromise nodes
§ "Mobile adversary"
  • Adversary can compromise any node
  • Temporarily compromises a node, then moves on to the next node
  • Every node may be compromised at some time
§ Attacker compromises at most t nodes at any one moment

Secure Routing
§ Authenticate all routing messages, to prevent external attackers
§ Proposes to use multiple paths to tolerate internal attackers
  • Drawback: internal attackers could easily fake multiple paths

Key Management Service
§ Consider a public-key infrastructure (PKI)
  • Everybody trusts the certification authority (CA)
  • CA authenticates and signs the public keys of other nodes
§ PKI drawbacks
  • Revocation requires an on-line PKI
  • Single point of failure; CA replication increases vulnerability to node compromise
§ Solution: distributed CA

Distributed CA Model
§ Private CA key is shared among a set of nodes
  • Signing needs a coalition of t+1 correct nodes
  • Secret sharing prevents t malicious nodes from reconstructing the CA private key
§ Requirements for the key management service
  • Robustness: service available to answer requests correctly
  • Confidentiality: adversary never learns the CA private key

Threshold Cryptography
§ Share secret S among n nodes, require t+1 nodes for reconstruction
  • (n, t+1) secret sharing scheme
§ Share private key K among n nodes, require t+1 nodes for signing
  • (n, t+1) threshold signature scheme
  • Node i gets share k_i
  • For signing, nodes send a partial signature to a combiner
  • Combiner collects 2t+1 partial signatures, so that t+1 of them come from correct nodes even if t are faulty

Proactive Security
§ Use share refreshing against mobile adversaries
§ If (s_1, s_2, ..., s_n) is a sharing of k, and (s'_1, s'_2, ..., s'_n) is a sharing of k', then (s_1 + s'_1, s_2 + s'_2, ..., s_n + s'_n) is a correct sharing of k + k'
§ Trick: set k' = 0, so the new sharing also represents k
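The S/Key one-way chain from earlier in the lecture, and the hash-carrying packets of the alternative stream signature together with the two-hash robustness variant above, as one added example (not code from the slides). It generalises the slide's two-hash scheme to k hashes per packet so the loss behaviour for k = 1 and k = 2 can be compared. Assumptions of this example: SHA-256 stands in for F and H, the signature packet is modeled as the set of hashes it carries and is assumed already verified under the sender's PK, and the wire format (32-byte hashes appended to the packet data) is this example's own.

```python
import hashlib
from typing import Dict, List, Set

def F(x: bytes) -> bytes:
    """Public one-way function; SHA-256 is an assumption, the slides leave F and H abstract."""
    return hashlib.sha256(x).digest()

# --- one-way chain as used by S/Key ---

def make_chain(seed: bytes, length: int) -> List[bytes]:
    """p[length] = seed (the user's secret), p[i] = F(p[i+1]); p[0] is registered with the server."""
    p = [b""] * (length + 1)
    p[length] = seed
    for i in range(length - 1, -1, -1):
        p[i] = F(p[i + 1])
    return p

class SKeyServer:
    """Stores only the last accepted chain value, from which the next password cannot be derived."""
    def __init__(self, p0: bytes, max_skip: int = 1):
        self.last, self.max_skip = p0, max_skip

    def login(self, candidate: bytes) -> bool:
        # Accept r_i knowing r_j (j < i) by checking r_j = F^(i-j)(r_i); max_skip > 1 tolerates
        # passwords the user consumed without the server seeing them (robust to missing values).
        x = candidate
        for _ in range(self.max_skip):
            x = F(x)
            if x == self.last:
                self.last = candidate      # a replay of `candidate` now fails
                return True
        return False

# --- chained hashes carried forward, k hashes per packet ---

HLEN = 32

def build_stream(datas: List[bytes], k: int):
    """Sender: packet i = D_i || H(packet i-1) || ... || H(packet i-k). Returns the wire packets
    and the content of the signature packet: H of the last k packets (the part covered by S_SK)."""
    wires = []
    for i, d in enumerate(datas):
        prev = [F(wires[j]) for j in range(i - 1, max(i - k, 0) - 1, -1)]
        wires.append(d + b"".join(prev))
    n = len(wires)
    signed = {j: F(wires[j]) for j in range(n - 1, max(n - k, 0) - 1, -1)}
    return wires, signed

def verify_stream(received: Dict[int, bytes], signed: Dict[int, bytes], k: int) -> Set[int]:
    """Receiver: `received` maps index -> wire packet for the packets that arrived; `signed` is the
    signature packet, assumed verified under PK. Works backwards from the signature packet:
    an authenticated packet vouches for the hashes of the (up to) k packets before it."""
    trusted = dict(signed)
    authenticated = set()
    for i in sorted(received, reverse=True):
        wire = received[i]
        if i not in trusted or F(wire) != trusted[i]:
            continue                        # no authentic hash for this packet (lost link or forgery)
        authenticated.add(i)
        carried = min(i, k)                 # packet i carries hashes of packets i-1 ... i-carried
        tail = wire[len(wire) - HLEN * carried:]
        for m, j in enumerate(range(i - 1, i - carried - 1, -1)):
            trusted[j] = tail[HLEN * m: HLEN * (m + 1)]
    return authenticated

DATAS = [f"packet {i}".encode() for i in range(6)]   # constructed sample stream P_0 ... P_5

def authenticated_after_loss(k: int, lost: Set[int]) -> Set[int]:
    wires, signed = build_stream(DATAS, k)
    received = {i: w for i, w in enumerate(wires) if i not in lost}
    return verify_stream(received, signed, k)

if __name__ == "__main__":
    chain = make_chain(b"user secret seed", 5)       # constructed seed
    server = SKeyServer(chain[0])
    print("logins p1, p2, p2 again, p3:", [server.login(chain[i]) for i in (1, 2, 2, 3)])
    print("k=1, packet 3 lost:", sorted(authenticated_after_loss(1, {3})))
    print("k=2, packet 3 lost:", sorted(authenticated_after_loss(2, {3})))
```

With k = 1 the loss of packet 3 leaves only the packets after it verifiable; with k = 2 the same loss costs nothing, and two consecutive losses are needed to cut the chain. The price is that no packet can be checked before the next signature packet arrives, so this scheme gives up the immediate per-packet authentication of the on-line one-time-signature scheme. A real wire format also needs explicit length framing rather than the fixed 32-byte tail used here.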
Share Refreshing
§ Each node j generates a fresh sharing of 0, (s_{j,1}, s_{j,2}, ..., s_{j,n}), and sends s_{j,i} to node i
§ Node i adds the shares of 0 it received to its own share:
    s'_i = s_i + s_{1,i} + s_{2,i} + s_{3,i} + ... + s_{n,i}
  (figure: for each i = 1 ... n, the column of shares of 0 s_{1,i}, s_{2,i}, s_{3,i}, ..., s_{n,i} is summed with s_i to give s'_i)

Discussion
§ How can share refreshing tolerate faulty nodes?
§ How can we tolerate a compromised combiner?
  • Who decides to be a combiner?
§ How can we bootstrap this system?
  • How can we introduce a new node?
§ Why should a node sign a message?
  • How does a node authenticate a message?
§ Is signature combination expensive if we have t faulty nodes?
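The (n, t+1) secret sharing and the share refreshing of the two previous slides, as an added example (not code from the slides or from Zhou & Haas). It uses Shamir's polynomial sharing over a prime field, an assumption of this example since the slides do not name a scheme; the CA key is a constructed integer, and n = 5, t = 2 are chosen for the demonstration. Threshold signing itself is not shown, only the share arithmetic that the refresh relies on.

```python
import secrets
from typing import Dict, Iterable

P = 2**127 - 1   # prime field for the shares; the CA key must be encoded as an integer below P

def _eval(coeffs, x: int) -> int:
    """Horner evaluation of the polynomial with the given coefficients at x, mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def share(secret: int, n: int, t: int) -> Dict[int, int]:
    """(n, t+1) Shamir sharing: random degree-t polynomial f with f(0) = secret; node i gets f(i).
    Any t+1 shares reconstruct the secret; any t shares are consistent with every possible secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}

def reconstruct(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over the given shares (needs at least t+1 correct ones)."""
    s = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s

def refresh(old: Dict[int, int], t: int) -> Dict[int, int]:
    """Proactive refresh: every node j issues a fresh sharing (s_{j,1}, ..., s_{j,n}) of 0 and sends
    s_{j,i} to node i; node i sets s'_i = s_i + sum_j s_{j,i}. Sharings add, so the new shares
    still encode the same secret, while old and new shares no longer lie on one polynomial:
    t shares stolen before the refresh are useless together with t stolen after it."""
    n = len(old)
    zero_sharings = {j: share(0, n, t) for j in old}
    return {i: (old[i] + sum(zero_sharings[j][i] for j in old)) % P for i in old}

def subset(shares: Dict[int, int], ids: Iterable[int]) -> Dict[int, int]:
    return {i: shares[i] for i in ids}

if __name__ == "__main__":
    key, n, t = 0x1234_5678_9ABC_DEF0, 5, 2        # constructed CA key; 5 nodes, at most 2 compromised
    s = share(key, n, t)
    print("3 of 5 old shares reconstruct:", reconstruct(subset(s, [1, 3, 5])) == key)
    s2 = refresh(s, t)
    print("3 of 5 refreshed shares reconstruct:", reconstruct(subset(s2, [2, 4, 5])) == key)
    print("2 old + 1 new reconstruct:", reconstruct({1: s[1], 2: s[2], 3: s2[3]}) == key)
```

Each node only ever sends a share of 0 and never its own share, which is why the refresh does not need a trusted dealer; it does need every node to authenticate the n-1 values it receives, which is one of the discussion questions above. Detecting a malformed share of 0 (or a bad partial signature at the combiner) needs verifiable secret sharing on top of this, which the example leaves out.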
