Compact and Unforgeable Key Establishment over an ATM Network

Transcription

1 Compct nd Unforgeble Key Estblishment over n ATM Networ Yuling Zheng (Monsh University, Austrli) Hidei Imi (University of Toyo, Jpn) 1 Outline of the tl Motivtion of this reserch Introduction to signcryption Key mterils trnsport using signcryption 1

2 Session Key Estblishment A process for two prticipnts to gree upon freshly shred ey Dimensions security ginst vrious ttcs uthenticity v.s. identifiction unforgebility & non-repudition trnsport v.s. echnge secret v.s. public ey crypto ey distrib. center v.s. cert. uthority efficiency (msg length, # of moves, comp cost) 3 Asynchronous Trnsfer Mode (ATM) --- Motivtion of this Wor --- Cell switching Dt re plced into cells of fied-size (53 bytes), nd then trnsported over virtul circuits ATM cell structure 5 bytes 48 bytes (384 bits) heder pylod (dt) 4

3 Problem to be solved To trnsport encrypted ey mterils using single ATM cell with low computtionl cost in secure nd unforgeble wy without using KDC crypto-envelope ey mterils ey, ts or nonce 384-bit ATM cell pylod 5 Why using single ATM cell? If the encrypted version of ey mterils eceeds 384 bits, problems would occur : splitting dt buffering re-ssembling dt 6 3

4 Why focusing on public ey cryptosystems The problem CAN be solved using using secret ey or types of cryptosystems However, with such solution unforgebility cnnot be chieved without TTP/tmper-proof devices Key mngement is n issue Distribution Derivtion, nd/or Secure Storge 7 Why RSA encryption wouldn t wor 64 bits Using RSA encryption e mod n t lest 51 bits 8 4

5 Why ElGml encryption wouldn t wor 64 bits Using ElGml encryption ---DL over GF(p)--- g mod p t lest 64+51=576 bits 9 Why public ey signture + encryption wouldn t wor 64 bits Using signture + encryption ---RSA or ElGml --- sig e mod n/ g mod p > 51 bits 10 5

6 Why EC-signture+encryption wouldn t wor 64 bits Using Schnorr sig + ElGml enc ---DL over Elliptic Curve on GF( 160 )--- compressed representtion! r, s * g t lest 64+(80+160) + (160+1)=465 bits 11 Signcryption -- new prdigm Achieves the functions of digitl signture unforgebility & non-repudition encryption confidentility hs significntly smller comp. & comm. cost Cost (signcryption) << Cost (signture) + Cost (encryption) 1 6

7 In the pper & in world: Signture-then-Sel To chieve: uthenticity (unforgebility & non-repudition) To chieve: confidentility 13 Mgic Signcryption Envelope 14 7

8 In the digitl world (Alice to Bob): Signture-then-Encryption 1. Signture genertion Alice signs messge m using her secret ey, i.e. creting sig on m. m mod ep. Encryption Alice encrypts (m,sig) using DES with. Alice cretes nother dt so tht Bob cn recover. (Typiclly, Alice encrypts using Bob s public ey). mod ep m sig m sig 15 Why signture-then-encryption cn be problem Consider trnsction/messge of 5,10 bits (=640 chrs, 8 lines) tht requires high level security, or to be trnsmitted in 010 Very lrge moduli, sy of 510 bits, hve to be used 16 8

9 Why signture-then-encryption cn be problem (cnt d) If RSA with 510-bit composite is used Comp. cost: +=4 eponentitions mod (very lrge!) 510-bit integer Comm. overhed: 10,40 bits (twice s lrge s the originl messge!) 10,40 bits 5,10 bits 5,10 bits 5,10 bits messge sig e b 17 Why signture-then-encryption cn be problem (cnt d) If Schnorr sig & ElGml enc with 510-bit prime re used Comp. cost: 3+.17=5.17 (3+3=6) eponentitions mod (very lrge!) 510-bit integer Comm. overhed: >= 5560 bits 5,10 bits >=440 bits >=5,560 bits 5,10 bits messge sig g 18 9

10 Signcryption -- public & secret prmeters Public to ll p : lrge prime q : lrge prime fctor of p-1 g : 0<g<p & with order q mod p hsh: 1-wy hsh KH: eyed 1-wy hsh (E,D) : privte-ey encryption & decryption lgorithms Alice s eys : secret ey y : public ey (note : y = g mod p Bob s eys b : secret ey y b : public ey (note : y = g b mod p b ) ) 19 Signcryption -- n emple (SCS1) m (c,r,s) (c,r,s) m Signcrypt by Alice = hsh ( y b mod p ) where R {, 1K, q 1} 1 = ( ) r KH m s = mod q r + c = E ( m ) 1 output (c,r,s) Unsigncrypt by Bob r s b = hsh (( y g ) mod p) 1 m = D ( c ) 1 output m if r = KH ( m) "invlid" if r KH ( m) 0 10

11 Signcryption -- nother emple m (c,r,s) (c,r,s) m Signcrypt by Alice = hsh ( y b mod p ) where R {, 1K, q 1} 1 = ( ) r KH m s= ( r )mod q c = E ( m ) 1 output (c,r,s) Unsigncrypt by Bob r b = hsh(( g s y ) mod p) 1 m = D ( c ) 1 output m if r = KH ( m) "invlid" if r KH ( m) 1 Signcryption v.s. Signture-then- Encryption EXP= EXP=+ EXP=3+.17 m m m sig sig e b sig g () Signcryption bsed on DL (b) Signture-then-Encryption bsed on RSA (c) Signture-then-Encryption bsed on DL 11

12 Cost of Signture-then-Encryption v.s. Cost of Signcryption A simplistic comprison: Cost Comp Cost Schemes (No. of ep) Comm Overhed (bits) RSA bsed sig-then-enc + n + n b DL bsed Schnorr sig + ElGml enc DL bsed Signcryption (3 + 3) (1 + ) hsh + q + p KH + q 3 Signcryption v.s. Schnorr Sig + ElGml Enc (cnt d) p q KH sving in comp cost sving in comm overhed % 70.3 % % 76.8 % % 81.0 % % 85.3 % % 87.7 % % 90.1 % % 91.0 % % 9.0 % % 94.0 % % 96.0 % 4 1

13 Signcryption v.s. RSA p = n = n b q KH sving in comp cost sving in comm overhed % 78.9 % % 84.9 % % 88.3 % % 91.4 % % 93.0 % % 94.0 % % 95.0 % % 96.0 % % 97.0 % % 98.0 % 5 Applictions of Signcryption Bring to society huge svings in comp. & comm. if used widely in secure & uthenticted messge delivery / storge electronic commerce secure & uthenticted trnsctions secure & uthenticted multicst (incl. video conference, CSCW etc) fst, compct, secure, unforgeble & non-repudited ey trnsport 6 13

14 Direct trnsport of ey mterils in Short Pcet p 51, q 160, KH () 80 c r s TQ ey TQ + ey bits 80 bits 160 bits (, ) = hsh( y mod p) 1 with [, 1K, q 1] 64, 64 c = E ( ey, TQ) 1 R 1 r = KH ( ey, TQ, other) s = r + mod q b 7 Direct trnsport of ey mterils in single ATM cell ATM Cell 5 bytes 48 bytes (384 bits) heder pylod (dt) c r s 144 bits 80 bits 160 bits p 51, q 160, KH () 80 (, ) = hsh( y mod p) 1 with [, 1K, q 1] 64, 64 c = E ( ey, TQ) 1 R 1 r = KH ( ey, TQ, other) s = r + mod q b 8 14

15 Indirect trnsport of ey mterils in Short Pcet p 51, q 160, KH () 80 c r s TQ TQ bits 80 bits 160 bits (, ) = hsh( y mod p) 1 with R [, 1K, q 1] 64, 64 1 c = E ( TQ) 1 r = KH ( TQ, other) s = r + mod q b 9 Indirect trnsport of ey mterils in single ATM cell ATM Cell 5 bytes 48 bytes (384 bits) heder pylod (dt) p 51, q 160, KH () 80 (, ) = hsh( y mod p) 1 with R [, 1K, q 1] 64, 64 1 b occupied c r s 80 bits 160 bits c = E ( TQ) 1 r = KH ( TQ, other) s = r + mod q 30 15

16 Dimensions to be considered Direct v.s. Indirect ey trnsport Direct ey mteril trnsport rndom session ey is eplicitly included in ey mterils Indirect ey mteril trnsport rndom session ey is to be derived from ey mterils Ensuring Freshness using time-stmp, or nonce 31 4 Types of Key Trnsport Protocols Time-vrying Quntity Nonce nonce bsed direct (3 moves) nonce bsed indirect (3 moves) Time stmp (+nonce) time-stmp bsed direct ( moves) direct time-stmp bsed indirect ( moves) indirect Trnsport Mode 3 16

17 Direct ey trnsport using nonce (for unicst) Alice c = E ( ey) 1 r = KH ( ey, NC, etc) b s= /( r+ )modq Bob <= NC b <= Pic nonce NC b => c, r, s => unsigncrypt verify tg <= tg <= (optionl) tg = MAC ey (NC b ) 33 Direct ey trnsport using time-stmp (for unicst) Alice Bob c= E ( ey, TS) 1 r = KH ( ey, TS, etc) s= /( r+ )modq => c, r, s => unsigncrypt, nd chec the freshness of TS verify tg <= tg <= (optionl) tg = MAC ey (TS) 34 17

18 Indirect ey trnsport using time-stmp ( moves) Alice Bob c = E ( TS) 1 r = KH ( TS, etc) s= /( r+ )modq => c, r, s => unsigncrypt, nd chec the freshness of TS ey = KH TS 1, ( ) <= tg <= ey = KH TS 1, ( ) verify tg (optionl) tg = MAC ey (TS,1) 35 How to obtin ey echnge protocols Let Bob s dt or ID be involved in the derivtion of session ey E.g. ey* = KH ey (NC b ) ey* = KH ey (ID b ) ey* = KH ey (NC b,id b ) Let both Alice & Bob generte ey & echnge ey mterils (which chieves mutul identifiction)

19 Direct ey echnge using nonce (for unicst) Alice <= NC b <= Bob Pic nonce NC b c = E ( ey) 1 r = KH ( ey, NC, etc) b s= /( r+ )modq => c, r, s => unsigncrypt unsigncrypt <= c*, r*, s* <= c* = E ey * ( *) 1 r* = KH ey ey etc * ( *,, ) s* = */( r* + )modq b 37 ATM Forum Proposls Two protocols, both bsed on X.509 -wy protocol 3-wy protocol Correspondence ATM -wy <=> direct ey echnge using time-stmp ATM 3-wy <=> direct ey echnge using nonce 38 19

20 ATM Forum -Wy Protocol (bsed on sign-then-enc) Alice ID, ID, SecOpt,{ T, R,{ Enc ( ConfPr )}, b Kb Sig ( hsh( ID, ID, T, R, SecOpt,{ ConfPr }))} K b Bob ID, ID, R,{ Enc ( ConfPr )}, b K b Sig ( hsh( ID, ID, R,{ ConfPr }))} Kb b b 39 ATM Forum 3-Wy Protocol (bsed on sign-then-enc) Alice Bob ID,{ IDb}, R, SecNeg,{ Cert} ID, ID, SecNeg,{ Cert },{ R, R,{ Enc ( ConfPr )}, b b b b K b Sig ( hsh( ID, ID, R, R, SecNeg, SecNeg,{ ConfPr }))} Kb b b b b ID, ID, R,{ Enc ( ConfPr )}, b b Kb Sig ( hsh( ID, ID, R,{ ConfPr }))} K b b 40 0

21 Advntges of Our Signcryption bsed Protocols over ATM Forum s Significnt svings in computtionl time nd communiction overhed 41 Comprison with Beller-Ycobi protocol Attributes protocols Beller- Ycobi Comp. Cost (# of ep) (1 + 4) Longest Msg >= 51 bits Pre comp. Yes Our protocols (1 + ) < = 384 bits Yes* * Only when Alice nows whom to communicte with 4 1

22 About Forwrd Secrecy Forwrd secrecy w.r.t. prticipnt compromise of the prticipnt s long term secret ey does NOT result in the eposure of pst session eys Beller-Ycobi protocol YES w.r.t. Alice, NO w.r.t. Bob Our protocols NO w.r.t. either Alice or Bob 43 About Forwrd Secrecy (cnt d) Forwrd secrecy w.r.t. Alice CAN be obtined in our proposls by ming Alice s long term secret ey hrd to compromise E.g. secret shring, mthemticlly nd/or physiclly 44

23 Etensions the proposed protocols cn be etended to multi-cst conference ey estblishment Bob Alice Cthy Dvid 45 Direct multicst ey trnsport using nonce Alice & ech R i, I=1,,t NC = NC NC t Alice: l1 l ey R { 01, }, R { 01, } h = KH ( ey, NC, etc) c = E ( ey, h) for ech i = 1,.., t vi R [ 1,..., q 1] vi ( i, 1, i, ) = hsh( yi mod p) ci = E ( ) i, 1 ri = KH ( h, etc i i), v i si = mod q r + i Alice & ech R i, I=1,,t verify tg 1,.., tg t NC 1 <=.. <= NC t c c 1, r 1, s 1 =>... => c t,r t,s t tg 1 <=. <= tg t (optionl) Ech R i, I=1,,t Pic nonce NC b Ech R i, I=1,,t finds out (c, c i,r i,s i ) & unsigncrypt it Ech R i, I=1,,t tg i =MAC ey (NC i ) 46 3

24 Direct multicst ey trnsport using time-stmp Alice: for ech i = 1,.., t vi R [,..., 1 q 1] vi ( i, 1, i, ) = hsh( yi mod p) l1 l ey R { 01, }, R { 01, } get time stmp TS h = KH ( ey, TS, etc) c = E ( ey, TS, h) for ech i = 1,.., t ci = E ( ) i, 1 ri = KH ( h, etc i i), v i si = mod q r + i c c 1, r 1, s 1 => => c t,r t,s t Ech R i, I=1,,t finds out (c, c i,r i,s i ) & unsigncrypt it Alice & ech R i, I=1,,t verify tg 1,.., tg t tg 1 <=. <= tg t (optionl) Ech R i, I=1,,t tg i =MAC ey (TS,ID i ) 47 Speeding-up through Rndomiztion R i my decide, in probbilistic fshion whether or not generting NC i whether or not multicsting tg i Similrly, Alice nd ech R i my rndomly choose subset of tgs received for verifiction 48 4

25 Summry ddressed the problem of unforgeble ey estblishment in smll pcets s.. ATM cells solved the problem using signcryption Potentil pplictions: high speed networs smrt crd bsed security solutions mobile communictions, 49 5