Notions of Privacy: ID-Hiding, Untraceability, Anonymity & Deniability
Paris, 19/03/2014, CIDRE, Cristina Onete

Meet the girl
- Need authentication
[Diagram label: Marie-Claire]

Secure Authentication
[Diagram: Prover, Verifier, Adversary; 1 = Accept, 0 = Reject]

PKES: Correctness

PKES: Impersonation

Privacy Notions
Who is the adversary?
- A MIM adversary (passive or active)
- A legitimate verifier (honest-but-curious, malicious)
- A third party (in or outside the system)
Private in what way?
- Identity remains hidden
- Authentication sessions are unlinkable
- I can deny having authenticated
- Can't even tell that authentication took place
How private?
- Nothing can be said about the identity (strong)
- Can tell something, but not something useful

Contents
- Privacy in Authentication
  - Authentication protocols
  - Privacy notions
  - Identity Hiding and Untraceability
- Privacy in Distance-Bounding Protocols
  - From Authentication to Distance Bounding
  - MIM Privacy in Distance-Bounding
  - From MIM privacy to full anonymity
  - Deniability
- Conclusion & some next steps

Part I: Privacy in Authentication
Secure Authentication
[Diagram: 1 = Accept, 0 = Reject]
- Secure authentication
  - Correctness: legitimate prover always authenticates
  - Impersonation: MIM adversary is always rejected

Privacy Notions: ID Hiding
- Identity hiding: Prover's identity remains hidden
  - With respect to a MIM adversary
  - With respect to the verifier (honest-but-curious or malicious)

Privacy Notions: Untraceability
[Diagram labels: DrawProver, Corrupt]
- Untraceability: cannot link sessions
  - vs. MIM adversary: with or without corruptions
  - vs. insider, in possession of the verifier's state

Privacy Notions: Untraceability
[Diagram label: Corrupt]
- Classes in terms of corruptions
  - Narrow/wide: know/don't know authentication result
  - Weak: no corruptions; Forward: corruption follows corruption; Strong: no restrictions

Privacy Notions: Deniability
[Diagram labels: τ, ???, State, τ*]
- Deniability: can deny authentication took place
  - No difference: real vs simulated transcript
  - Always with respect to third party

What to use and where
- Always give each party only minimal information
[Table labels: Minimal, Pre-Snowden, Post-Snowden; ID-Hiding, Untraceability, Deniability; MIM, Verifier]
- Verifiers connected to central server or not
  - Collect information on provers, tracking them
  - Must forward information, and may even sell it
  - Minimize data leaks; introduce deniability.

ID-Hiding Authentication
[Protocol diagram, elements in slide order:]
- Retrieve g^{N_V}
- Enc(Certificate_P)
- Certificate_V
- Compute K = g^{N_P N_V}
- Retrieve g^{N_P}
- R_V
- PRF_K(R_V)
- Check PRF_K(R_V)
- Annotations: Hides identity; Sessions linked

MIM-Untraceable Authentication [Vau07]
- Shared key: K
- Prover: pick random N_P
- Verifier: pick random N_V; send N_V
- Prover: compute PRF_K(N_P N_V); send N_P, PRF_K(N_P N_V)
- Verifier: verify PRF_K(N_P N_V)
- Corruption: learn K and trace it all back
- Forward privacy requires key updates or PK primitives

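An added example, not part of the original slides, of the challenge-response exchange above and of the note "Corruption: learn K and trace it all back". It assumes HMAC-SHA256 as the PRF, fixed-length nonces concatenated as N_P then N_V, and a verifier that tries every registered key; the prover names and keys are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed-length nonces keep the N_P + N_V concatenation unambiguous


def prf(key: bytes, n_p: bytes, n_v: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for PRF_K.
    return hmac.new(key, n_p + n_v, hashlib.sha256).digest()


def run_session(key: bytes):
    """One protocol run; returns the transcript a passive MIM would record."""
    n_v = secrets.token_bytes(NONCE_LEN)   # verifier: pick random N_V
    n_p = secrets.token_bytes(NONCE_LEN)   # prover: pick random N_P
    return n_v, n_p, prf(key, n_p, n_v)    # prover sends N_P, PRF_K(N_P N_V)


def verifier_check(key_db: dict, n_v: bytes, n_p: bytes, tag: bytes):
    # No identifier is on the wire, so the verifier tries each registered key.
    for name, key in key_db.items():
        if hmac.compare_digest(prf(key, n_p, n_v), tag):
            return name
    return None


def trace_after_corruption(leaked_key: bytes, transcripts: list) -> list:
    # With K known, every recorded session of that prover can be re-verified,
    # which is why forward privacy needs key updates or public-key primitives.
    return [i for i, (n_v, n_p, tag) in enumerate(transcripts)
            if hmac.compare_digest(prf(leaked_key, n_p, n_v), tag)]


def demo():
    # Constructed provers and keys, for illustration only.
    key_db = {"prover-A": secrets.token_bytes(32),
              "prover-B": secrets.token_bytes(32)}
    order = ["prover-A", "prover-B", "prover-A", "prover-B", "prover-B"]
    transcripts = [run_session(key_db[name]) for name in order]
    accepted = [verifier_check(key_db, *t) for t in transcripts]
    traced = trace_after_corruption(key_db["prover-A"], transcripts)
    return order, accepted, traced


if __name__ == "__main__":
    print(demo())
```
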
MIM-Untraceable Authentication
- Wide-strong private authentication [PH12]
  - Keys: kp, yp
  - Random r_1; message r_1 P
  - Random r_2; message r_2 P
  - Compute d = [[r_1 y P]_x P]_x ; e = r_1 [r_1 r_2 P]_x
  - s = dk + e
  - Check: d^{-1} (sp r_2 r_1 r_1 P) == kp?
  - Annotations: DH tuple; hides dk, fresh

Part II: Privacy in Distance-Bounding
Relay Attacks
- Far-away Prover helps Adversary
[Diagram: Leech, Ghost; messages N_V and N_P, PRF_K(N_P N_V)]
- Works for Bluetooth, smartcards, Keeloq, PKES (cars)

Distance-Bounding Protocols
- Distance-bounding idea: proximity = trust; use timer!
  - if comm. speed & complexity are constant
  - r must be bits
  - minimal processing
[Diagram labels: distance, time, c; t_max; t; r; check r; check t against t_max]
- Do proximity test N times for reliability

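An added simulation, not part of the original slides, of the timed proximity test repeated over N rounds. It assumes the signal travels at the speed of light, that the verifier measures a round trip (so the distance bound is c times the time, halved), a constant prover processing time, and two shared bit registers selected by the challenge bit, in the style of the c_i, r_i^{c_i} rounds on the later [HPO13] slide; all function names and values are constructed.

```python
import secrets

C = 299_792_458.0  # m/s; assumption: radio signal at the speed of light


def round_trip(distance_m: float, processing_s: float) -> float:
    # Challenge travels out, response travels back, plus prover processing.
    return 2 * distance_m / C + processing_s


def distance_upper_bound(t_s: float, processing_s: float) -> float:
    # Largest distance consistent with a measured round-trip time t_s.
    return C * (t_s - processing_s) / 2


def run_fast_phase(verifier_regs, prover_regs, distance_m, bound_m,
                   processing_s=1e-9, relay_delay_s=0.0):
    """Verifier side of the timed rounds; returns (accept, failed_rounds).

    Each *_regs is a pair (reg0, reg1) of equal-length bit lists agreed in the
    slow phase. relay_delay_s models extra hardware sitting in the path.
    """
    t_max = round_trip(bound_m, processing_s)
    failed = []
    for i in range(len(verifier_regs[0])):
        c = secrets.randbits(1)                 # random challenge bit c_i
        r = prover_regs[c][i]                   # prover answers from register c
        t = round_trip(distance_m, processing_s) + relay_delay_s
        if r != verifier_regs[c][i] or t > t_max:   # check r, check t
            failed.append(i)
    return (not failed), failed


def demo(n=32):
    regs = ([secrets.randbits(1) for _ in range(n)],
            [secrets.randbits(1) for _ in range(n)])
    near = run_fast_phase(regs, regs, distance_m=2.0, bound_m=10.0)
    # Relayed prover 30 km away: every bit is correct, every round is late.
    relayed = run_fast_phase(regs, regs, distance_m=30_000.0, bound_m=10.0)
    return near, relayed


if __name__ == "__main__":
    print(demo())
```
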
Distance-Bounding Protocol
- Basic structure
[Diagram labels: slow, fast, round]

Distance-Bounding Properties
- Mafia Fraud Resistance: No relays!
- Terrorist Fraud Resistance: Help is one-time
- Distance Fraud Resistance [diagram label: t_max]

Distance-Bounding Attacks
- Mafia Fraud Resistance
  - Marie-Claire has unique e-key to gym locker
  - Marie-Claire is at party with Leech
  - Ghost is at gym, wants to get into the locker
- Terrorist Fraud Resistance
  - Marie-Claire and Adv. are friends
  - Marie-Claire wants to let Adv. use her locker
  - But Adv. shouldn't enter again without permission
- Distance Fraud Resistance
  - Marie-Claire runs a red light, wants to prove she was at the gym, but she is far away

MIM-Untraceable Authentication
- Wide-strong private authentication
  - Keys: kp, yp
  - Random r_1; message r_1 P
  - Random r_2; message r_2 P
  - Compute d = [[r_1 y P]_x P]_x ; e = r_1 [r_1 r_2 P]_x
  - s = dk + e
  - Check: d^{-1} (sp r_2 r_1 r_1 P) == kp?

Privacy in Distance Bounding
- Auth. + relay: adapt/compose auth. and prox. check [HPO13]
  - Random r_1, r_2; message r_1 P, r_2 P
  - Random c, r, r_3; message r_3 P
  - Compute d = xcoord[r_1 yp]
  - r^0 r^1 = xcoord{r_1 r_3 P}, 2n (annotation: DH tuple)
  - n times: c_i, r_i^{c_i}
  - e = c r
  - s = k + e r_1 + r_2 + d
  - Check: (s - d)p - e R_1 - R_2 == kp?
- Labels shown on successive builds of this slide: Mafia fraud; Dist. fraud; MIM-untraceability, Impersonation

Anonymity in Distance Bounding
- [HPO13]: response depends on K (known to Verifier)
  - s = k + e r_1 + r_2 + d
- [GOR14]: create ring structure for legitimate users
  - S = rq + e r_1 + R_2 + D
  - Q = x_j (rq_j)
- Build 1: Register x_i, Q_i; Board: Q_j = i=1;i j n x_i P
- Build 2: Board: Q, Q_1, Q_2, Q_n
- Build 3:
  - Q = x_j Q_j
  - HEnc(Q_i), proof(enc well done)
  - x_i, Q_i
  - Choose r; HEnc(r Q_i)
  - Protocol as [HPO13]: S = rq + e r_1 + R_2 + D

Privacy in Distance Bounding
- Properties:
  - Soundness: x_i hidden effectively by S
    - S = r x_j Q_j + e r_1 + R_2 + D
  - Prover anonymity:
    - HEnc hides auxiliary key Q_i
    - A maliciously chosen r has same effect for all provers
    - All provers authenticate with the same credential: rq
  - Deniability w.r.t. server
    - Verifier receives authentication strings S = r x_j Q_j + e r_1 + R_2 + D
    - Simulator can use state V to compute rq and simulate rest
    - Generate Enc keys, use HEnc, generate proof

Present and Future
[Table labels: Minimal, Pre-Snowden, Post-Snowden; ID-Hiding, Untraceability, Deniability; MIM, Verifier; entries: OPACITY [DFG+13], [PH12], [HPO13], [GOR14]]
- Composition: secure DB + anonymous channels
- Future: AKE + Secure channel protocols
  - Identity hiding, full prover anonymity, and deniability
  - Old and new protocols and their properties

Thanks! CIDRE