Non- browser TLS Woes Dan Boneh Joint work with M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, and V. Shma?kov Proc. ACM CCS 2012
30 second summary Lots of non- browser systems using TLS: Payment gateway SDK, Mobile ads, Web services middleware, cloud client API, Developers use TLS through a higher level library: e.g. HRpClient, curl, Weberknecht, PHP, Python Problem 1: complex and confusing interfaces to TLS layer result: lots of improper server- side cert valida?on man in the middle vulnerabili?es Problem 2: lirle tes?ng of server- side cert. valida?on Should be part of QA tes?ng
Case studies: (1) PHP / curl binding PHP TLS binding: fsockopen( ssl:// ) : no server- side cert. valida?on curl binding: cert. verifica?on controlled by boolean CURLOPT_SSL_VERIFYPEER int CURLOPT_SSL_VERIFYHOST 0: no server- side cert valida?on 1: check the existence of a common name in server cert. 2: check common name in cert. matches provided hostname (default = 2) Very common mistake: CURLOPT_SSL_VERIFYPEER = true CURLOPT_SSL_VERIFYHOST = true We found four SDKs using it for SSL
Real World Crypto Workshop, Jan. 2013. Instead: Recent Developments in Broadcast EncrypTon Dan Boneh Stanford University
Background: bilinear maps G, G 2 : finite cyclic groups of prime order q An admissible bilinear map e: G G G 2 is: Bilinear: e(g a, g b ) = e(g,g) ab a,b Z, g G Non- degenerate: g generates G 1 e(g,g) generates G 2 Efficiently computable Several examples where Dlog in G believed to be hard
Many ApplicaTons: enc., sigs., NIZK, Simplest example: BLS signatures [B- Lynn- Shacham 01] KeyGen: sk = rand. x in Z q, pk = g x G Sign(sk, m) H(m) x G verify(pk, m, sig) accept iff e(g, H(m) x ) = e(g x, H(m)) e(g, sig ) e(pk, H(m)) Thm: Existen?ally unforgeable under CDH in the RO model Beyond bilinear maps: k- linear maps [BS 03] k- linear map e: G G G G k non- degen. & efficient k hard Dlog in G Even more applica?ons. Can they be constructed?
k- linear maps: a recent breakthrough S. Garg, C. Gentry, S. Halevi ProperTes: (informal) The map x gx is randomized Representa?on of g G is O(k) bits BeRer than k- linear map: gradaton e1: G G G2 For our purposes: e2: G G2 G3 ek: G G Gk ek: G Gk Gk+1 e: Gk Gk G2k
Broadcast EncrypTon [Fiat- Naor 1993] Encrypt to arbitrary subsets S: d 1 c E(pk,S,m) S {1,,n} d 2 d 3 Security goal (informal): Full collusion resistance: secure even if all users in S c collude
Broadcast EncrypTon Public- key BE system: Setup(n) pub. key pk, master sec. key msk KeyGen( msk, j) d j (private key for user j) Enc( pk, S ) ct, k k used to encrypt msg for users S {1,, n} Dec( pk, d j, S, ct): If j S, output k Broadcast contains ( [S], ct, E SYM (k, msg) )
Broadcast EncrypTon: StaTc Security Seman?c security when users collude (sta?c adversary) challenger run Setup(n) pk, { d j j S } (ct, k 1 ) Enc( pk, S) k 0 K S {1,, n } (ct, k 0 ) or (ct, k 1 ) aracker b {0,1} Def: Adv[A] = Pr[ b is correct ] - ½ Security: poly-?me A: Adv[A] is negligible
Broadcast systems are everywhere File sharing in encrypted file systems (e.g. EFS): ACL file encrypted file system d Bob file d Ned Encrypted mail system: recipients mail mail system d Bob mail d Ned Social networks: privately send message to a group
ConstrucTons small sets Subs. Service revoca?on 0 n email DVD players ct sk pk The trivial system: O( S ) O(1) O(n) Revoca?on schemes: O(n- S ) O(log n) O(1) [ NNL,HS,GST, LSW,DPP, ] Can we have O(1) size ciphertext for all sets S?? The BGW system: O(1) O(1) O(n) [B- Gentry- Waters 05]
The BGW system Setup(n): g G, α, msk Z q, def: g k = g (αk ) pk = ( g, g 1, g 2,, g n, g n+2,, g 2n, v=g msk ) G 2n+1 hole KeyGen( msk, j) d j = (g j ) msk G Enc(pk, S): t Z q ct = ( g t, (v Π j S g n+1-j ) t ), key = e(g n,g 1 ) t
Security Thm: BGW is sta?cally secure for n users in a bilinear group where n- DDHE assump?on holds n- DDHE: for rand. g,h G, α Z q, R G 2 : p [ h, g, g α, g ( α 2),,g ( α n), g ( α n+2),,g ( α 2n ), e(g,h) ( α n+1 ) ] [ h, g, g α, g (α2),,g (αn), g (αn+2),,g (α2n ), R ]
Extensions, VariaTons, Improvements AdapTve security: [GW 10, PPSS 12, ] Adversary can adap?vely select what keys to request IdenTty- based: [SF 07, D 07, GW 10, ] Smaller pubic key size: pk = O( maximal S ) Set of all users can be {0, 1, 2, 3,, 2 256 } Chosen ciphertext secure: [BGW 05, PPSS 12, ] Trace & revoke: [BW 06]
BGW using (log n)- linear map Recall: BGW Setup(n): g G, α, msk Z q. pk: g, g α, g ( α 2),, g ( α n), g ( α n+2),,g ( α 2n ), v=g msk Suppose: e k : G G G k ; e: G k G k G 2k Set pk as: ( #users 2 k- 1 ) g, g α, g (α2 ), g (α4 ), g ( α (22k ) ), g ( α (22k+1 ) ), v=g k msk Using 2k- linear map : can build all needed elements in pk but for rand. h G cannot build e(g,,g,h) ( α (22k - 1) ) G 2k
BGW using (log n)- linear map ct sk pk Bilinear BGW: O(1) O(1) O(n) [B- Gentry- Waters 05] (log n)- linear BGW: O(log n) O(log n) O(log 2 n) Open ques?ons: Same parameters without k- linear maps?? O(1) size ct from standard lazce assump?ons (LWE)??
Summary Many open problems in broadcast encryp?on: O(log n) size ciphertext & secret keys from LWE? O(log n) size ct, sk, and pub- key w/o k- linear maps? Distributed BE with sub- linear ciphertext?