Non- browser TLS Woes

Similar documents
Applied cryptography

Identity Based Encryption

Short Signatures Without Random Oracles

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Déjà Q All Over Again

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Efficient Identity-based Encryption Without Random Oracles

Fully Homomorphic Encryption from LWE

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Evaluating 2-DNF Formulas on Ciphertexts

Efficient Identity-Based Encryption Without Random Oracles

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Identity-based encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Attribute-Based Encryption Optimized for Cloud Computing

Searchable encryption & Anonymous encryption

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Introduction to Cybersecurity Cryptography (Part 4)

Cryptography from Pairings

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Constrained Pseudorandom Functions and Their Applications

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Computing with Encrypted Data Lecture 26

Post-quantum security models for authenticated encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Secure and Practical Identity-Based Encryption

Pairing-Based Cryptography An Introduction

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Introduction to Cybersecurity Cryptography (Part 4)

G Advanced Cryptography April 10th, Lecture 11

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Fully Homomorphic Encryption over the Integers

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

i-hop Homomorphic Encryption Schemes

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Fully Key-Homomorphic Encryption and its Applications

Recent Advances in Identity-based Encryption Pairing-based Constructions

Introduction to Cryptography. Lecture 8

Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts

Lattice-based Multi-signature with Linear Homomorphism

1 Number Theory Basics

Digital Signatures. Adam O Neill based on

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Efficient Smooth Projective Hash Functions and Applications

6.892 Computing on Encrypted Data October 28, Lecture 7

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Hidden-Vector Encryption with Groups of Prime Order

Computing on Encrypted Data

BEYOND POST QUANTUM CRYPTOGRAPHY

Identity-Based Online/Offline Encryption

A New Functional Encryption for Multidimensional Range Query

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Katz, Lindell Introduction to Modern Cryptrography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Toward Hierarchical Identity-Based Encryption

Low Overhead Broadcast Encryption from Multilinear Maps

DATA PRIVACY AND SECURITY

Shai Halevi IBM August 2013

New Constructions of Revocable Identity-Based Encryption from Multilinear Maps

Cryptographic Solutions for Data Integrity in the Cloud

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

How to Use Linear Homomorphic Signature in Network Coding

Enforcing honesty of certification authorities: Tagged one-time signature schemes

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Dan Boneh. Introduction. Course Overview

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

A Fully Collusion Resistant Broadcast, Trace and Revoke System

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Leakage Resilient ElGamal Encryption

15 Public-Key Encryption

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

A Strong Identity Based Key-Insulated Cryptosystem

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Order- Revealing Encryp2on and the Hardness of Private Learning

Conditional Proxy Broadcast Re-Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Shortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology

On i-hop Homomorphic Encryption

Secure Certificateless Public Key Encryption without Redundancy

On Homomorphic Encryption and Secure Computation

Lightweight Symmetric-Key Hidden Vector Encryption without Pairings

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Lecture 7: Boneh-Boyen Proof & Waters IBE System

March 19: Zero-Knowledge (cont.) and Signatures

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Proxy Re-Signature Schemes without Random Oracles

Cryptology. Scribe: Fabrice Mouhartem M2IF

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Transcription:

Non- browser TLS Woes Dan Boneh Joint work with M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, and V. Shma?kov Proc. ACM CCS 2012

30 second summary Lots of non- browser systems using TLS: Payment gateway SDK, Mobile ads, Web services middleware, cloud client API, Developers use TLS through a higher level library: e.g. HRpClient, curl, Weberknecht, PHP, Python Problem 1: complex and confusing interfaces to TLS layer result: lots of improper server- side cert valida?on man in the middle vulnerabili?es Problem 2: lirle tes?ng of server- side cert. valida?on Should be part of QA tes?ng

Case studies: (1) PHP / curl binding PHP TLS binding: fsockopen( ssl:// ) : no server- side cert. valida?on curl binding: cert. verifica?on controlled by boolean CURLOPT_SSL_VERIFYPEER int CURLOPT_SSL_VERIFYHOST 0: no server- side cert valida?on 1: check the existence of a common name in server cert. 2: check common name in cert. matches provided hostname (default = 2) Very common mistake: CURLOPT_SSL_VERIFYPEER = true CURLOPT_SSL_VERIFYHOST = true We found four SDKs using it for SSL

Real World Crypto Workshop, Jan. 2013. Instead: Recent Developments in Broadcast EncrypTon Dan Boneh Stanford University

Background: bilinear maps G, G 2 : finite cyclic groups of prime order q An admissible bilinear map e: G G G 2 is: Bilinear: e(g a, g b ) = e(g,g) ab a,b Z, g G Non- degenerate: g generates G 1 e(g,g) generates G 2 Efficiently computable Several examples where Dlog in G believed to be hard

Many ApplicaTons: enc., sigs., NIZK, Simplest example: BLS signatures [B- Lynn- Shacham 01] KeyGen: sk = rand. x in Z q, pk = g x G Sign(sk, m) H(m) x G verify(pk, m, sig) accept iff e(g, H(m) x ) = e(g x, H(m)) e(g, sig ) e(pk, H(m)) Thm: Existen?ally unforgeable under CDH in the RO model Beyond bilinear maps: k- linear maps [BS 03] k- linear map e: G G G G k non- degen. & efficient k hard Dlog in G Even more applica?ons. Can they be constructed?

k- linear maps: a recent breakthrough S. Garg, C. Gentry, S. Halevi ProperTes: (informal) The map x gx is randomized Representa?on of g G is O(k) bits BeRer than k- linear map: gradaton e1: G G G2 For our purposes: e2: G G2 G3 ek: G G Gk ek: G Gk Gk+1 e: Gk Gk G2k

Broadcast EncrypTon [Fiat- Naor 1993] Encrypt to arbitrary subsets S: d 1 c E(pk,S,m) S {1,,n} d 2 d 3 Security goal (informal): Full collusion resistance: secure even if all users in S c collude

Broadcast EncrypTon Public- key BE system: Setup(n) pub. key pk, master sec. key msk KeyGen( msk, j) d j (private key for user j) Enc( pk, S ) ct, k k used to encrypt msg for users S {1,, n} Dec( pk, d j, S, ct): If j S, output k Broadcast contains ( [S], ct, E SYM (k, msg) )

Broadcast EncrypTon: StaTc Security Seman?c security when users collude (sta?c adversary) challenger run Setup(n) pk, { d j j S } (ct, k 1 ) Enc( pk, S) k 0 K S {1,, n } (ct, k 0 ) or (ct, k 1 ) aracker b {0,1} Def: Adv[A] = Pr[ b is correct ] - ½ Security: poly-?me A: Adv[A] is negligible

Broadcast systems are everywhere File sharing in encrypted file systems (e.g. EFS): ACL file encrypted file system d Bob file d Ned Encrypted mail system: recipients mail mail system d Bob mail d Ned Social networks: privately send message to a group

ConstrucTons small sets Subs. Service revoca?on 0 n email DVD players ct sk pk The trivial system: O( S ) O(1) O(n) Revoca?on schemes: O(n- S ) O(log n) O(1) [ NNL,HS,GST, LSW,DPP, ] Can we have O(1) size ciphertext for all sets S?? The BGW system: O(1) O(1) O(n) [B- Gentry- Waters 05]

The BGW system Setup(n): g G, α, msk Z q, def: g k = g (αk ) pk = ( g, g 1, g 2,, g n, g n+2,, g 2n, v=g msk ) G 2n+1 hole KeyGen( msk, j) d j = (g j ) msk G Enc(pk, S): t Z q ct = ( g t, (v Π j S g n+1-j ) t ), key = e(g n,g 1 ) t

Security Thm: BGW is sta?cally secure for n users in a bilinear group where n- DDHE assump?on holds n- DDHE: for rand. g,h G, α Z q, R G 2 : p [ h, g, g α, g ( α 2),,g ( α n), g ( α n+2),,g ( α 2n ), e(g,h) ( α n+1 ) ] [ h, g, g α, g (α2),,g (αn), g (αn+2),,g (α2n ), R ]

Extensions, VariaTons, Improvements AdapTve security: [GW 10, PPSS 12, ] Adversary can adap?vely select what keys to request IdenTty- based: [SF 07, D 07, GW 10, ] Smaller pubic key size: pk = O( maximal S ) Set of all users can be {0, 1, 2, 3,, 2 256 } Chosen ciphertext secure: [BGW 05, PPSS 12, ] Trace & revoke: [BW 06]

BGW using (log n)- linear map Recall: BGW Setup(n): g G, α, msk Z q. pk: g, g α, g ( α 2),, g ( α n), g ( α n+2),,g ( α 2n ), v=g msk Suppose: e k : G G G k ; e: G k G k G 2k Set pk as: ( #users 2 k- 1 ) g, g α, g (α2 ), g (α4 ), g ( α (22k ) ), g ( α (22k+1 ) ), v=g k msk Using 2k- linear map : can build all needed elements in pk but for rand. h G cannot build e(g,,g,h) ( α (22k - 1) ) G 2k

BGW using (log n)- linear map ct sk pk Bilinear BGW: O(1) O(1) O(n) [B- Gentry- Waters 05] (log n)- linear BGW: O(log n) O(log n) O(log 2 n) Open ques?ons: Same parameters without k- linear maps?? O(1) size ct from standard lazce assump?ons (LWE)??

Summary Many open problems in broadcast encryp?on: O(log n) size ciphertext & secret keys from LWE? O(log n) size ct, sk, and pub- key w/o k- linear maps? Distributed BE with sub- linear ciphertext?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback