Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications

Similar documents
CPSC 467b: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Practice Assignment 2 Discussion 24/02/ /02/2018

CPSC 467b: Cryptography and Computer Security

Question: Total Points: Score:

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Dr George Danezis University College London, UK

ECash and Anonymous Credentials

CPSC 467: Cryptography and Computer Security

A Strong Identity Based Key-Insulated Cryptosystem

George Danezis Microsoft Research, Cambridge, UK

CPSC 467: Cryptography and Computer Security

Cryptanalysis of Threshold-Multisignature Schemes

An Anonymous Authentication Scheme for Trusted Computing Platform

On Security of Two Nonrepudiable Threshold Multi-proxy Multi-signature Schemes with Shared Verification

Threshold Undeniable RSA Signature Scheme

Ring Group Signatures

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

CPSC 467: Cryptography and Computer Security

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Security Protocols and Application Final Exam

The odd couple: MQV and HMQV

Introduction to Cryptography Lecture 13

Public-Key Cryptosystems CHAPTER 4

Introduction to Cryptography. Lecture 8

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

1 Number Theory Basics

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Cryptography and Security Final Exam

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

NSL Verification and Attacks Agents Playing Both Roles

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Lecture Notes, Week 10

A Fully-Functional group signature scheme over only known-order group

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Authentication. Chapter Message Authentication

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Group Undeniable Signatures

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

CPSC 467: Cryptography and Computer Security

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

A NOVEL APPROACH FOR SECURE MULTI-PARTY SECRET SHARING SCHEME VIA QUANTUM CRYPTOGRAPHY

Secret Sharing CPT, Version 3

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Notes on Zero Knowledge

5199/IOC5063 Theory of Cryptology, 2014 Fall

A DAA Scheme Requiring Less TPM Resources

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Some Security Comparisons of GOST R and ECDSA Signature Schemes

ASYMMETRIC ENCRYPTION

Convertible Group Undeniable Signatures

Multi-key Hierarchical Identity-Based Signatures

A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS

Entity Authentication

Blind Collective Signature Protocol

Accumulators and U-Prove Revocation

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Oblivious Evaluation of Multivariate Polynomials. and Applications

Asymmetric Encryption

Group Diffie Hellman Protocols and ProVerif

Exam Security January 19, :30 11:30

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Non-Interactive Zero-Knowledge Proofs of Non-Membership

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 10: Zero-Knowledge Proofs

Public Key Authentication with One (Online) Single Addition

Anonymous Credential Schemes with Encrypted Attributes

Quantum Cryptography

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

1 Secure two-party computation

Group Undeniable Signatures

Session-Key Generation using Human Passwords Only

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant

A New Proxy Signature Scheme for a Specified Group of Verifiers

Cryptography and Security Final Exam

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Universal Accumulators with Efficient Nonmembership Proofs

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptography and Security Midterm Exam

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Introduction to Modern Cryptography. Benny Chor

Constructing Provably-Secure Identity-Based Signature Schemes

Quantum Wireless Sensor Networks

CPSC 467b: Cryptography and Computer Security

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Dynamic Universal Accumulators for DDH Groups and Their Application to Attribute-Based Anonymous Credential Systems

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Security Analysis of Some Batch Verifying Signatures from Pairings

Extending Dolev-Yao with Assertions

A Security Model for Anonymous Credential Systems

Transcription:

Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications Xi-Jun Lin and Lin Sun November 8, 03 Abstract: The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Key words: Anonymous credential system; Fully decentralized protocol; Threshold cryptography; Zero-knowledge proof of knowledge; Smart community Introduction The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. [] proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In Alcaide et al. s protocol, two roles are defined for participant nodes: Users and Data Collectors. Users are the nodes originating the data. They can anonymously and unlinkably authenticate themselves in front of data collectors proving possession of a valid Anonymous Access Credential (AAC) encoding a particular set of attributes. Data collectors are entities responsible for the collection of data from authorized users. Therefore, before collecting the data, the data collector must verify that the user holds a valid AAC encoding a particular set of attributes. The main characteristics of their protocol are: The protocol does not rely on any central organization. The users of the system jointly generate and distribute a private key that is used in a (t, n)-threshold fashion. This allows up to t nodes to be compromised without the key being compromised. X.J.Lin is with the Department of Computer Sciences and Technology, Ocean University of China. Qingdao 00, P.R.China. email: linxj77@3.com L. Sun is with the College of Liberal Arts, Qingdao University. Qingdao 07, P.R.China. email: sunlin9@.com

Users of the system can obtain an AAC encoding a set of certified attributes and use such an AAC to anonymously and unlinkably authenticate themselves to data collector entities. Data collectors can anonymously authenticate users by means of attribute-based boolean formulas, which can be defined and modified by the data collector itself at any time. Without loss of generality, their protocol is described assuming that users are authenticated based on only two attributes (x, x ), which can be derived from a standard certificate x signed by some trusted external entity (i.e., a certification authority). In the protocol, once verified, the attributes (x, x ) will be encoded into an AAC so that the user can prove possession of those attributes without disclosing their actual value. Any linear boolean formula (or a conjunction of formulas) can be used to anonymously authenticate users as legitimate participants. Such a formula can be represented as the function Φ R (x, x ). As mentioned before, users can prove that the attributes x and x, encoded in a AAC, satisfy Φ R (x, x ) = without revealing the actual attribute values. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Alcaide et al. s Protocol Their protocol consists of three phases: Set-Up (where all parameters are generated), User Registration (users obtain AAC) and Credential Proving (users prove possession of a valid AAC to a data collector).. Set-Up In this phase, a community of n users, {U i : i =,, n}, known as founders, comes together to generate all protocol parameters. As a result of this phase, each founder U i holds two tuples: a public tuple: P ub i = (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ) equal for all founders. a private tuple: P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) different for each founder U i. (N, ε, V, V, V 3, d, v, v, v 3 ) are generated by the founders in a joint and decentralized manner, where d = ε, v = V, v = V, v 3 = V3 (mod ϕ(n)) and N = 4p p + p + p + such that (p, p ) are Sophie Germain primes. q is a prime picked by a

super node such that N (q ). (e, g, c, h,, h ) are picked by the super node randomly and broadcasted to the founders. s = g d, g = g v, g = g v, g 3 = g3 v (mod N) are also broadcasted by the super node so that every founder holds them. P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) are shares that the founder U i holds of the secret values (p, p, ϕ(n), d, v, v, v 3 ) respectively. At the end of this phase, the founders have computed the necessary cryptographic material to create AACs for valid data holders later on. The detail of this phase which has nothing to do with our attack is omitted here.. User Registration In this phase, a new user U new, holding a valid certificate x, obtains the necessary material from (t + ) founders to construct its own Anonymous Access Credential AAC new, a token that encodes U new s attributes (x, x ) Z e and allows U new to anonymously and unlinkably prove to the data collector to be a legitimate participant. Before U new can participate in the system, it needs to obtain the protocol public parameters. In order to do that, U new simply requests the tuple P ub i from some founder U i and makes P ub new = P ub i. The process that U new must follow to construct AAC new is described as follows. U new picks x 3 R Z e such that gcd(x 3, ε) = and x R Z N, and then computes a = g x 3 3 xe (mod N). Then, it picks b c (mod N) randomly, and then sends ( x, a, b) to the founders. After receiving ( x, a, b), each founder U i verifies x and extracts the attributes (x, x ) from x. Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N). Furthermore, it signs m with its private tuple P riv i and sends σ i (m) to U new. After receiving (t + ) partial signatures σ i (m) from the founders, U new generates the signature v = σ(m). Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N), and then checks whether the equation v ε = m (mod N) holds. If the equation holds, U new obtains its own Anonymous Access Credential AAC new = (x, x, x 3, x, v). AAC new must be kept secretly at all times, only randomized versions of it will be used in the Credential Proving phase. It should be noted that U new must show its certificate to the founders..3 Credential Proving When a user U interacts with a data collector R, U must anonymously and unlinkably prove to R that it holds the appropriate attributes to satisfy the boolean formula Φ R that R uses to authenticate legitimate participants. As the process that U must follow to accomplish such a proof is the key part of the anonymous credential system. Each of the sub-processes is given as follows.. Session values and commitments: every time that U wants to authenticate to the data collector R, U must generate and commit a set of session values, which are secret random values used during a particular authentication operation. This process is given as follows. 3

(a) U picks y R Z e, and then computes ˆv = s y v (mod N) ˆm = g y m (mod N) â = g y a (mod N) ˆb = g y b (mod N) Then, it picks w, w, w 3 Z N and computes m = h ˆm hw (mod q) ā = hâ3 hw 4 (mod q) b = hˆb5 h w 3 (mod q) c = mā b (mod q) (In the original paper, ā = hâ hw 3 (mod q). According to the Appendix A.- Theorem [], we correct this typo by replacing it with ā = hâ3 hw 4 (mod q).) (b) U sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge (ZKPoKs): once U has committed some set of values, U and R engage in a series of four ZKPoKs: In order to authenticate U, every operation that R performs at the end of each ZKPoK must succeed. Whatever data R collects from U must follow these authentication subprocess. ZKPoK: The objective of this ZKPoK is to prove that the private attributes (x, x ) that U holds in its AAC satisfy the boolean formula Φ R (x, x ). Note that Φ R can be any linear boolean formula; however, for simplicity reasons, as an example, the authors use: Φ R (x, x ) = αx + β = x : (α, β) Z α, β being chosen by data collector R. Consequently, U must prove, in a zero-knowledge manner, possession of AAC encoding attributes (x, x ) such that αx + β = x. This ZKPoK is given as follows. U picks r y, r, r 3 R Z e and r R Z N, then computes and sends t = g r y(g g α )r g r 3 3 re (mod N) to R. R picks and responds γ R Z t to U. U computes s y = γy + r y (mod e) s = γx + r (mod e) s 3 = γx 3 + r 3 (mod e) s = g (γy+r y)dive (g g α)(γx +r )dive g (γx 3+r 3 )dive 3 x γ r (mod N) It sends (s y, s, s 3, s ) to R. R checks whether the equation (âg β )γ t = g s y(g g α s )s g 3 3 se (mod N) holds. 4

ZKPoK: The goal of this ZKPoK is to prove that all session value commitments generated by U are valid. For that matter, U must prove, in a zero-knowledge manner, knowledge of the secret tuple (y, â, ˆb, ˆm). This ZKPoK is given as follows. U picks r ˆb, r, r, r 3 R Z q. Then, it computes and sends t = (h h 5 ) rˆbh r hr 4 hr 3 (mod q) to R. R picks and responds γ R Z q to U. U computes s ˆb = γˆb + r ˆb s = γw + r s = γw + r s 3 = γw 3 + r 3 It sends (s ˆb, s, s, s 3 ) to R. (In the original paper, (s y, s, s 3, s ) is sent to R, we correct this typo by replacing it with (s ˆb, s, s, s 3 ).) R checks whether the equation ( c(h h 3 ) â ) γ t = (h h 5 ) sˆbh s holds. hs 4 hs 3 (mod q) ZKPoK3: The objective of this ZKPoK is to prove that the signature v encoded in U s AAC is valid. In order to do that, U proves, in a zero-knowledge manner, knowledge of the ε-th root of the h -part, which is equivalent to proving that ˆv is the ε-th root of ˆm. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h r ε hr R. (mod q) to R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s (mod N). = r ˆv (mod N) and s = r w (r ˆv ) ε U sends (s, s ) to R. R performs as follows. If γ = 0, it checks whether the equation t = h s ε hs (mod q) holds. If γ =, it checks whether the equation t = m s ε hs (mod q) holds. ZKPoK4: The goal of this ZKPoK is to prove that U knows the session value y involved in ZKPoK - 3. For that matter, U must prove, in a zero-knowledge manner, knowledge of the discrete logarithm with base g of the h 5 -part. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h gr (mod q) to R. (In the original paper, g is used to compute t, we correct this typo by replacing it with g.) R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s = r y and s = r w 3c g s. U sends (s, s ) to R. 5

R performs as follows. If γ = 0, it checks whether the equation t = h gs 5 h s (mod q) holds. (In the original paper, g is used in the equation, we correct this typo by replacing it with g.) If γ =, it checks whether the equation t = ( b c ) gs h s (mod q) holds. Note that, if and only if the authentication of user U succeeds (i.e., all ZKPoK - 4 are successful), the data collector R collects data from U. 3 Cryptanalysis In this section, we present an attack to point out that an adversary A can cheat the data collector by impersonating a legitimate user. In our attack, A needs not compromise user nodes. It should be noted that if and only if A processes all ZKPoK-4 with a data collector R successfully, A can cheat R into collecting data from it. Suppose that the public parameters are (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ), and R s data collection policy is the equation Φ R (x, x ) = αx + β = x : (α, β) Z. In the Credential Proving phase, the adversary A interacts with R anonymously and unlinkably as follows.. Session values and commitments: A picks y R Z e, ˆv, a R Z N and w, w, w 3 R Z N. Then, it computes â = g β ae (mod N) m = h ˆm hw (mod q), where ˆm = ˆv ε (mod N) b = hˆb 5 h w 3 (mod q), where ˆb = g y c (mod N) c = (h h 3 )â(h h 5 ) w (mod q) A sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge(ZKPoKs): once A has committed its session values, A and R engage in ZKPoK-4 as follows. ZKPoK: A picks s y, s, s 3 R Z e, and computes t = g s y(g g α )s g s 3 3 (mod N). Then, it sends t to R. After receiving γ from R, A computes s = a γ (mod N), and then sends (s y, s, s 3, s ) to R. Correctness: Since â = g β ae (mod N), t = g s y(g g α s )s g 3 3 (mod N) and s = a γ (mod N), we have that (âg β )γ t = ((g β = a eγ t Hence, ZKPoK is preformed successfully. ae )g β )γ t = a eγ g s y(g g α )s g s 3 3 = g s y(g g α )s g s 3 3 s e (mod N)

ZKPoK: A picks s, s, s 3 R Z, and computes t = h s hs 4 hs 3 (mod q). Then, it sends t to R. After receiving γ from R, A computes s ˆb = wγ, and then sends (s ˆb, s, s, s 3 ) to R. Correctness: Since c = (h h 3 )â(h h 5 ) w (mod q), t = h s s ˆb = wγ, we have that hs 4 hs 3 ( c(h h 3 ) â ) γ t = ((h h 3 )â(h h 5 ) w (h h 3 ) â ) γ t = (h h 5 ) wγ t Hence, ZKPoK is preformed successfully. = (h h 5 ) wγ h s hs 4 hs 3 = (h h 5 ) sˆbh s hs 4 hs 3 (mod q) (mod q) and ZKPoK3: A picks r, r R Z N and computes t = h r ε hr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r ˆv (mod N) and s = r w (r ˆv ) ε (mod N) A sends (s, s ) to R. Correctness: Since t = h r ε (mod N), we have that (a) if γ = 0, t = h r ε hr (b) if γ =, we have that hr (mod q) and m = h ˆm hw (mod q), where ˆm = ˆv ε = ε hs hs (mod q) m s ε s h = (h ˆm hw ε s )s h = (h ˆm hw )(r ˆv ) ε h r w (r ˆv ) ε = (h ˆm )(r ˆv ) ε h r = (hˆvε )(r ˆv ) ε h r = h r ε hr = t (mod q) Hence, ZKPoK3 is preformed successfully. ZKPoK4: A picks r, r R Z N and computes t = h gr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r y and s = r w 3c g s A sends (s, s ) to R. Correctness: Since t = h gr (mod N), we have that (a) if γ = 0, t = h gr (b) if γ =, we have that (mod q) and b = hˆb 5 h w 3 (mod q), where ˆb = g y c = hgs 5 h s (mod q) 7

( b c ) gs h s = ((hˆb 5 h w 3 = ((hˆb 5 h w 3 )c ) gs = hˆbc g s h s )c ) gs h r w 3c g s = h (gy c)c g s = h gy g s = h gy+(r y) = h gr = t (mod q) Hence, ZKPoK4 is preformed successfully. Since all ZKPoK-4 are successful, R authenticates the adversary A as a legitimate user, and then collects data from it. Hence, the protocol is broken. Another main flaw of Alcaide et al. s protocol is given below. In User Registration phase, since the new user U new sends its certificate x in plaintext to the founders, x can be captured by A. Then, A sends ( x, a, b) to the founders by impersonating U new, where a and b are computed by A itself. Since the founders are user nodes, it is reasonable to assume that they are stateless. Hence, they do not know whether x belongs to a user who has already received its AAC. So A can obtain (t + ) partial signatures from the founders, then it can construct a valid AAC. That is, once a user s certificate is sent in plaintext in User Registration phase, the adversary A can obtain this certificate and forge a valid AAC by impersonating this user. With this AAC, A can cheat the data collectors in Credentail Proving phase. 4 Conclusion Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. References [] A.Alcaide, E.Palomar, J.Montero-Castillo and A.Ribagorda. Anonymous authentication for privacy-preserving IoT target-driven applications. Computers & Security. 37 (03). pp:-3. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback