New Approaches for Deniable Authentication

This paper discusses new approaches for deniable authentication, including non-repudiation, forward deniability, and the use of encryption-based solutions. It also explores the challenges of achieving deniability while maintaining security and authenticity in communication.


Presentation Transcript


  1. New Approaches for Deniable Authentication. Authors: Mario Di Raimondo, Rosario Gennaro. Presented by Alexander Abrashkin, Sombuddha Poddar. CSCE 715 Network Systems Security, December 5, 2006

  2. Definitions - Non-repudiation - Deniability - Forward Deniability - Authentication - Deniable Authentication - CCA

  3. Definitions • Non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In other words, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves it has been received. • Deniability – property that convinces Bob that Alice wants to authenticate message m to him, but prevents Bob from convincing a third party she actually did. In other words, Alice will be able to deny any action she performed upon Bob and Bob won't be able to prove it.

  4. Definitions • Forward Deniability – property that prevents Alice from changing her mind to prove the communication with Bob ever took place. In other words, after communication is over, neither Bob nor Alice has evidence to convince a third party the communication ever took place.

  5. Non-repudiation VS Deniability

  6. Non-repudiation VS Deniability

  7. Definitions Non-repudiation Forward Deniability

  8. Definitions • Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated may be a person using a computer, a computer itself or a computer program.

  9. Definitions • Deniable Authentication allows a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place.

  10. Definitions • CCA (chosen-ciphertext attack) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. A device which provides decryptions of chosen ciphertexts (either by accident or by design) is generically referred to as a "decryption oracle".

  11. Authentication Problem. The main goals to pursue in modern networks are: Secrecy: can my confidential information be stolen by someone? Authentication: who is the person I am speaking to? An impostor or the person I intend? • General Scenario: There is a party A (Alice) that wants to send a message m so that the receiver B (Bob) is sure of: - the identity of the sender; - the integrity of the message.

  12. Authentication Problem. Authentication has received a lot of attention by cryptographers and there is an extensive literature on this subject. The authentication methods follow the usual distinction between: private key methods (MAC functions); public key methods.

  13. Public Key Methods. Public key scenario: A has generated a pair of keys: a public key pkA that is publicly associated with her identity; a secret key skA that is kept secret. In the public key scenario, message authentication has long been associated with Digital Signatures: 1 - A sends the pair (m, s) where s is the digital signature of m using the secret sign key skA; 2 - B verifies the signature using the public key pkA of A.

  14. Non-repudiation VS Deniability. Using the public key of A, anyone can verify the signature of A on the message. Non-Repudiation Property: Once Alice signs a message, she is bound to it. This is a crucial property of digital signatures in contexts like contracts and commercial transactions.

  15. Non-repudiation VS Deniability. On the other hand, this raises important privacy issues. Scenario: Alice wants to say something very private to Bob so that: - Bob believes that it comes from her, but - Bob should not be able to convince anyone that she said such a thing, or even that Alice has ever spoken to Bob.

  16. Deniability - Dwork, Naor and Sahai noted the issues of deniability and formalized the problem. - Their paradigm suggests replacing the signature with an interactive communication protocol between Alice and Bob on input a message m. - At the end, Bob is convinced that Alice wants to authenticate m to him, but he will not be able to convince a third party of this. - This introduces the problem of concurrent executions.

  17. Encryption-based solution. The proposed solution (mother of all the actual deniable methods) is to use a public-key encryption system secure against Chosen-Ciphertext Attack (CCA). Consider this protocol: , m

  18. Deniability VS Concurrency - The previous protocol is a secure authentication protocol in a concurrent environment. - It can be proven to be deniable against an honest verifier. - Surprisingly, against a malicious verifier it cannot be proven deniable, but there is no known attack. - In order to obtain a proof, a challenge-response sub-protocol is needed: a 4-round protocol.

  19. What if sender changes her mind? Consider the following scenario: Alice & Bob are involved in some shady transaction, like drug-dealing or money laundering. Alice wants to make sure that her communication to Bob cannot later be linked to her, so she uses Deniable Authentication. Bob, thinking that such communication is indeed deniable, stores all the messages on his hard disk.

  20. What if sender changes her mind? Later the operation is busted by the police and Alice and Bob end up in jail, and Bob's computer is seized. Alice is offered a sweet deal in exchange for her cooperation in linking Bob to the crime. Bob is claiming the messages on his hard disk are not coming from Alice, that he never talked to her, actually does not even know her, they are all simulations!!

  21. What if sender changes her mind? Alice produces some piece of secret information (her secret key, for example) that indeed shows that the transcripts on Bob's hard disk are actually authentic and not simulations. Bob ends up in jail, cursing himself for dropping out of crypto class in graduate school.

  22. Authors' motivations. Question: Are there other approaches to deniable authentication, besides the CCA paradigm? The question is interesting for at least two reasons: security and efficiency. Main known efficient CCA encryption scheme: Cramer and Shoup - security: based on DDH, Paillier's N-residuosity and Quadratic Residuosity assumptions; - efficiency: 3-4 times more expensive than a basic encryption or signature scheme. New approaches, besides being interesting in their own right, could permit the use of different assumptions and/or of more efficient solutions.

  23. Practical applications - Internet Key Exchange protocols used to set up a security association (SA) in the IPsec protocol suite. Basic SIGMA protocol of Krawczyk

  24. Practical applications - E-voting: It's important that both the voting authority and the voter authenticate each other; it is also mandatory to prevent either party from walking away with a non-repudiable proof of what the actual vote was (the message being authenticated). This application, in particular, shows the importance of forward deniability: if the voter (sender) is authenticating her vote to the authority, not only should the latter not be able to prove to a third party how the voter voted, but even more importantly the voter herself should not be able to do so at a later stage.

  25. Practical applications - E-commerce: Deniable authentication, instead of regular signatures, can be used to communicate confidential terms of a transaction (such as price offers) without fear that such terms could be shown to a third party in an effort to obtain better terms (such as a better price offer).

  26. The Model Adopted for the Analysis • Introduced by Bellare, Canetti and Krawczyk for the analysis of methods of authentication. • They used this modular approach for the design and the analysis of Authenticated Key Exchange Protocols. • They use and extend the model to deal with methods for the Deniable Authentication.

  27. Two Schemes. This approach deals with two kinds of environment: • The first scheme eliminates the need for an encryption scheme altogether. They build deniable authentication protocols using special kinds of trapdoor commitment schemes. The protocols using this approach are relatively simple and efficient. • The second scheme is an improvement of the CCA paradigm. In this scheme, some properties of projective hash functions are used to build a new kind of deniable authentication. The scheme can be thought of as the encryption of a random key which is then used to MAC the message.

  28. Authenticators. An Authenticator is a "compiler" that takes as input protocols designed for authenticated networks and turns them into "equivalent" protocols for unauthenticated networks. Definition (Authenticator): An Authenticator is a compiler for protocol C where for any protocol , the protocol C() emulates in unauthenticated networks.

  29. MT-Authenticators • Bellare et al. introduced a simple technique to build authenticators: • Starting from a simple MT-authenticator λ it is possible to construct a fully qualified authenticator Cλ: λ is used as the transmission layer. MT Protocol: It is the trivial protocol that sends a message m from A to B. MT-authenticator: A protocol λ is an MT-authenticator if λ emulates MT in unauthenticated networks.

  30. Extension for Deniability. This model is extended to support the analysis of deniable authentication methods. Definition (Deniable MT-Authenticator): Let λ be an MT-authenticator. λ is a deniable MT-authenticator with respect to a verifier B if there exists a simulator with access to B that is able to produce transcripts statistically indistinguishable from real transcripts. Is the name of the simulator. doesn't use the secret key of the sender and anyone could use it to produce realistic transcripts!

  31. Commitment-based MT-authenticators • Next, the authors present some families of MT-authenticators based on the notion of Multi-Trapdoor Commitment Schemes. • For each different instantiation we obtain a new protocol for deniable authentication: • the security can be based on different computational assumptions; • the efficiency of the authentication scheme depends on that of the commitment scheme.

  32. Trapdoor Commitment Schemes (TCS) • There exists a trapdoor whose knowledge allows a commitment to be opened in any possible way (equivocate the commitment). • The trapdoor should be hard to compute efficiently. • The privacy of the commitment is information-theoretically guaranteed, but • the binding property can only be computational.

  33. Multi-Trapdoor Commitment Schemes. A Multi-Trapdoor Commitment Scheme consists of a family of TCS. We use two slightly different notions: • Adaptive Multi-Trapdoor Commitments (AMTC): This is a notion similar to MacKenzie et al.'s Simulation-Sound Trapdoor Commitment (SSTC); • (Static) Multi-Trapdoor Commitments (MTC): introduced by Gennaro. Two very similar primitives but with different binding properties: the AMTC one is stronger than the MTC one.

  34. Security Properties • Hiding: for each message pair (m,m´) the distributions of the commitments C(m) and C(m´) are statistically close; • Binding: this is the multi-trapdoor version of the canonical binding property. Two slightly different versions: • AMTC Secure Binding • MTC Secure Binding

  35. AMTC-based MT-authenticator. Each sender: • creates a pair (PK, TK) with the algorithm CKG; • chooses a Universal One-Way Hash Function (UOWHF) H. • public key: (PK,H) • secret key: TK

  36. AMTC-based MT-authenticator: Sketch of the Proof (1). UM-adversary U → AM-adversary A : AUTHMT,A() ≈ UNAUTH λAMTC,U() • A emulates the behavior of U; the parts on the right side are the simulated counterparts of the parts on the left;

  37. AMTC-based MT-authenticator: Sketch of the Proof (1). UM-adversary U → AM-adversary A : AUTHMT,A() ≈ UNAUTH λAMTC,U() • A emulates the behavior of U; the parts on the right side are the simulated counterparts of the parts on the left; • event β: a party on the right side (UNAUTH) is activated to receive a message that was never sent on the left side (AUTH).

  38. AMTC-based MT-authenticator: The Protocol

  39. AMTC-based MT-authenticator: Sketch of the Proof (2) • If Probability (β) is non-negligible: UM-adversary U → UNAUTH Equivocator Є • E uses the oracle to equivocate the commitments without TK; • if U breaks on party A: • E collects a first opening (s0, r 0) of a commitment c; • E rewinds the simulation using a different challenge s0; • if U breaks another time on A, E collects another opening (s0, r 0) and the oracle was never used on that scheme.

  40. AMTC-based MT-authenticator: Deniability with Malicious Verifier. This protocol is not secure against malicious verifiers; indeed, there exists an attack. Attack: The receiver B, given the first message (m, c) from A, could choose the challenge s' as s'=hash(c) with a complicated hash function hash(·). To create a simulator for deniability against a malicious verifier B we have to change the protocol: • add a Common Reference String (CRS) containing the public key of a Trapdoor Commitment Scheme TC; • add a round where B commits his challenge s'.

  41. AMTC-based MT-authenticator: Deniability with Malicious Verifier

  42. AMTC-based MT-authenticator: Deniability with Malicious Verifier • This modified version is still an MT-authenticator. • It can be proven deniable in the following settings: • sequential executions; • concurrent executions but with timing assumption: limiting the contemporaneous executions to a logarithmic number (the best possible in a black-box simulation). • Removing CRS: The requirement of a CRS can be avoided: • A creates a new TC for each session (+ 2 rounds); • A creates by herself the TC scheme and puts the public key of TC in her pkA.

  43. Implementations of AMTC Schemes. The introduced notion of AMTC is very similar to the known SSTC, but there are some differences: • an SSTC scheme involves two kinds of commitment: real and fake. • The former are indistinguishable from the latter. • an SSTC is not necessarily information-theoretically private; • the trapdoor is needed also for the creation of fake commitments. Known implementations of SSTC schemes: • general construction with one-way functions; • based on DSA assumption (that is, on the hypothesis that DSA is Strongly Unforgeable against Chosen-Message Attack (sUF-CMA)); • based on the Cramer-Shoup signatures (so using the Strong-RSA Assumption).

  44. MTC-based MT-authenticators • The notion of MTC scheme is a bit weaker than the AMTC one: more efficient implementations. • Actual implementations: • based on Strong-RSA Assumption; • based on the recently introduced Strong-DDH Assumption. • Proposed schemes of authentication: • based on MTC schemes with proof in the Random Oracle Model; • based on MTC schemes and on specific randomized hash functions named Chameleon Hash Functions with proof in the standard model; • based on MTC schemes and one-time Signatures with proof in the standard model

  45. DDH-based MT-authenticator • The authors present an efficient number-theoretic method to obtain deniable authentication whose security is based on the DDH Assumption. • We applied the method based on CCA encryption + MAC with the Cramer-Shoup encryption function (one of the most efficient). • Then we applied modifications stripping some unnecessary parts while maintaining the security properties. • Looking at the final result, there is no more explicit encryption of something and no more MAC function use. Furthermore, we save a modular exponentiation. • In the final paper there is a generalization of this approach that uses Projective Hash Functions as a building block.

  46. DDH-based MT-authenticator

  47. Deniability • As with the original CCA-based authenticator: • it can be proven to be deniable against an honest verifier; • against a malicious verifier it cannot be proven deniable, but there is no known attack; • in order to obtain a proof, a challenge-response sub-protocol is needed: the protocol becomes a 4-round protocol; • in this way the protocol is deniable in the following settings: • sequential executions; • concurrent executions but with timing assumption.

  48. Deniability

  49. References • Mario Di Raimondo, Rosario Gennaro, New Approaches for Deniable Authentication • Wikipedia.org • C. Dwork, M. Naor and A. Sahai, Concurrent Zero-Knowledge, proc. of 30th Symposium on Theory of Computing (STOC), ACM, pp. 409–418, 1998. • Colin Boyd, Wenbo Mao, Kenneth G. Paterson, Deniable Authenticated Key Establishment for Internet Protocols
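
The trapdoor commitment properties listed on slide 32 (equivocation with the trapdoor, information-theoretic hiding, computational binding), shown with a Pedersen commitment over a toy group. This is an added example, not code from the presentation or the paper; the slides name no concrete scheme, so the choice of Pedersen, the parameters P, Q, G and all function names are assumptions.

```python
import secrets

# Toy group constructed for this example: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
G = 4  # a square mod P, so it generates the subgroup of prime order Q

def keygen():
    """Return (public key h, trapdoor x) with h = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def commit(h, m, r=None):
    """Commit to m as c = G^m * h^r mod P; returns (c, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m % Q, P) * pow(h, r, P) % P, r

def verify(h, c, m, r):
    """Check that (m, r) is a valid opening of c."""
    return c == pow(G, m % Q, P) * pow(h, r, P) % P

def equivocate(x, m, r, m_new):
    """Trapdoor holder: solve m + x*r = m_new + x*r_new (mod Q) for r_new."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def extract_trapdoor(m, r, m2, r2):
    """Two different openings of one commitment reveal x,
    which is why binding can only be computational."""
    return (m - m2) * pow((r2 - r) % Q, -1, Q) % Q

def every_message_opens(h, c):
    """Hiding is information-theoretic: each m in Z_Q has an r that opens c."""
    h_powers = {pow(h, r, P) for r in range(Q)}
    return all(c * pow(G, -m, P) % P in h_powers for m in range(Q))

if __name__ == "__main__":
    h, x = keygen()
    c, r = commit(h, 42)          # honest commitment to 42
    r_new = equivocate(x, 42, r, 7)  # reopen the same c as 7
    print("honest opening valid:", verify(h, c, 42, r))
    print("equivocated opening valid:", verify(h, c, 7, r_new))
    print("trapdoor from two openings:", extract_trapdoor(42, r, 7, r_new) == x)
    print("c consistent with every message:", every_message_opens(h, c))
```

Without x, producing a second opening is as hard as computing the discrete logarithm of h; with real parameters the group would be far larger than this toy one.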
