Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Transcription

1 Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace, Singapore, {wydong, Abstract. A public-key cryptosystem is usually used for key management, in particular to session key management. The paper presents a method for handling a batch of concurrent keys with homomorphic publickey cryptosystems such as RSA, Paillier and lgamal. Theorematically, regardless Shacham and Boneh proved that it is impossible to provide batch RSA encryption of messages with a single certificate, the present result is positive when the messages are small. Practically, the present method is compliant to the de facto standard SSL/TLS handshake and increases the SSL system performance. 1 Introduction As a most successful application (e.g., online banking and e-commerce) of public key cryptosystem, SSL/TLS runs at the reliable layer above existing protocols so as to build a session between a server and a client; while DTLS, a datagram capable version of TLS, provides secure transmission over unreliable datagram. At the basic level, SSL/TLS/DTLS protects communications by encrypting messages with a secret key-a large random number known only to the server and client. However, it is time-consuming to share the secret key, especially for the server when there are a lot of concurrent SSL connections. For example, a typical Pentium server (running Linux and Apache) can handle about 322 HTTP connections per second at full capacity but only 24 SSL connections per second; and a Sun 450 (running Solaris and Apache) fell from 500 to 3 connections per second. Therefore, it is in desire to speed up the server s performance. Obviously, a dedicated cryptographic accelerator chip can improve the server performance. Although cryptographic accelerators are becoming inexpensive (e.g., US$1400 for XM2000 from users should certainly not be expected to purchase additional hardware. Naturally, it is preferable to design an algorithm for high volume SSL/TLS Internet servers that offload the processing and bulk ciphering to dedicated servers. Fiat [1] presented an algorithmic approach for speeding up SSL s performance on a heavily-loaded web server by batching the SSL handshake protocol. The algorithm decrypts several ciphertexts in a batch way so as to handle

2 many concurrent SSL sessions. Shacham and Boneh [2] improved the batching performance with the techniques such as CRT and simultaneous multiple exponentiation. Furthermore, they proved that it is impossible to provide batch RSA encryption with a single certificate. However, their batching methods are only valid for RSA algorithm, and are not compatible with the present SSL/TLS protocol because the server must have several certificates. Additionally, the batching methods require very small RSA public exponent e (e = 3, 5, 7, 11,..., 17) for the sake of optimal performance. Despite there are no known theoretical attacks on the cryptosystems with small exponente, it is recommended that e should be sufficiently large 1. In order to provide friendly usage according to the number of concurrent connections, Qi et al. [3] enabled to select the batch size by modelling the user connection request with Markov model. This paper proposes a general method for quickly decrypting encryption of small messages with homomorphic ciphers (i.e., a cipher which has homomorphic property) in an SSL server/client model. It enables that the clients send encrypted messages independently to the server concurrently, and the server will merge the ciphertexts into a new ciphertext. With only one decryption operation, the server can decrypt the new ciphertext into a batched message which will be split into each message. This method is suitable for SSL/TLS server to efficiently process handshake. That is to say, it enables to keep the plain text (mostly the session key) from disclosing. This paper is organized as follows. Section 2 introduces the definitions of batch decryption. Section 3 describes the general construction of batch decryption based on the additive and multiplicative homomorphic cryptosystems. Section 4 shows the example implementations based on RSA-Paillier, Okamoto- Uchiyama, RSA, and lgamal cryptosystems. Section 5 describes the batch method application in SSL handshakes and the performance analysis. A concluding mark is drawn in Section 6. 2 Batch Decryption 2.1 Definitions Definition 1: A cryptosystem S(Setup,, D) is a tuple of PPT (Probabilistic Polynomial Time) algorithms such that: Setup takes as input a security parameter 1 k. It outputs a public key P K and a private key SK. ncrypt takes as input the public key P K, and a message M; it outputs a ciphertext C. Decrypt D takes as input the private key SK and the ciphertext C; it outputs a message M. 1 Recently, Fouque et al. proposed a power analysis attack on small RSA public exponent scheme[4].

3 Definition 2: A batch cryptosystem B b (Setup,, D, Merge, Split) of batch size b over a cryptosystem S(Setup,, D) is a tuple of PPT algorithms which handle several messages simultaneously such that: Setup takes as input a security parameter 1 k. It outputs a public key P K and a private key SK. ncrypt takes as input the public key P K, messages m i, i = 1,..., b b, and an optional public key P K; it outputs ciphertexts c i, i = 1,..., b. Merge takes as input ciphertexts c i, i = 1, 2,..., b b and an optional public key P K; it outputs a batched ciphertext C. Denote as x y a Merge operation between two operands x and y. Decrypt D takes as input the private key SK and the batched ciphertext C; it outputs a batched message M. Split takes as input the batched message M and an optional public key P K; it outputs the plaintexts m i, i = 1, 2,..., b b. For simplicity, we omit P K from the PPT algorithms in the following. Fig.1 illustrates the diagram of server/client model. In the model, a client will encrypt a short message and send the ciphertext to a server. The server will merge the ciphertext to generate a batched ciphertext. With the underlying decryption algorithm, the server will obtain the batched plaintext, and split the batch plaintext to get all the short messages. m 1 m 2 c 1 c 2 merge C D M split m 1 m 2 m b c b m b Fig. 1. Diagram of batch encryption/decryption. Definition 3: Cryptosystem quivalence means that several cryptosystems have the comparative security strength. Strictly speaking, for two equivalent cryptosystems B and S, if an adversary A can break B at a non-negligible probability, A can break S at a non-negligible probability too; and vice versa. Denote as B S two equivalent cryptosystems B and S. 2.2 Attack model Since this paper aims to securely deliver short messages in a server/client model, especially in SSL/TLS handshake session, it targets for CPA (Chosen Plaintext

4 message x (i.e., called as master key in SSL protocol) is 384 which is greater than t = 128, we will select a random m with m = t, and encrypt x with key m according to a symmetric cipher such as AS, then we encrypt m with the public key cipher S( ). The server will batch the encryption of all the keys m, and decrypt m in a batch. Afterwards, the server will recover x with symmetric decryption. 5.3 Batch strategy In normal SSL, the server can start decrypt as soon as ClientKeyxchange message is received. However, in the batch decryption, the server has to wait for b ClientKeyxchange messages. When there are few SSL connection requests (i.e., the server is not busy), both server and client may waste a lot of time. Hence, it is preferable to be flexible in batch size. Concretely, the server creates a queue for the waiting requests. If the server is ready for decryption but the size of waiting queue is smaller than the maximum batch size b, the server will perform batch decryption immediately with the ciphertexts in the queue. 5.4 xperimental result Theoretically, the decryption speed with the present paper is about as k times fast as the conventional one when k ciphertexts are used for batching. For instance, Lemstra et al. [10] pointed out that RSA1024 is at risk after MD5. if we select RSA 1280 and AS 128, and the batch size b = 5, the batch decryption speed is as 5 times fast as direct decryption. In order to test the practical performance, a simulation is executed in Windows XP platform. In the experiment, one computer is used to simulate many clients by sending many requests to a server, and the server will decrypt the ciphertext with the present batch scheme with the maximum batch size. Fig.4 is our experiment result for evaluating performance gain 2. 6 Conclusion As a most successful application of public key crypto-cryptosystem, SSL protocol builds a session between the server and client. The paper enables to decrypt a batch of session keys with only one descrption operation,and hence increases the server performance. In addition to the performance improvement, batch technology also increases the barrier of the remote timing attack [11] since the independent messages from different clients make it hard to estimate the computational time. The present method can be implemented with additive cryptosysem and multiplicative crypto-system with a single certificate. However, the present scheme is not a general counterexample to [2] since it is only applicable for short messages. 2 The simulation and Figure 4 are provided by Shiqun Li, Zhiguo Wang and Fang Qi.

5 Fig. 4. Performance gain in terms of batch size, where accelerate rate is the ratio between conventional decryption time and batch decryption time. References 1. A. Fiat, Batch RSA, Crypto 89, pp , 1989, See also Journal of Cryptology, 10(2):75-88, H. Shacham, and D. Boneh, Improving SSL Handshake Performance via Batching, RSA 2001, Lecture Notes in Computer Science (LNCS), Vol. 2020, pp.28-43, Fang Qi, Weijia Jia, Feng Bao, and Yongdong Wu, Batching SSL/TLS Handshake Improved, ICICS, LNCS 3783, pp , Pierre-Alain Fouque, Sebastien Kunz-Jacques, Gwenaelle Martinet, Frederic Muller and Frederic Valette, Power Attack on Small RSA Public xponent, Workshop on Cryptographic Hardware and mbedded Systems (CHS) Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Q. Nguyen, Paillier s Cryptosystem Revisited, ACM CCS, pp , Tatsuaki Okamoto, and Shigenori Uchiyama, A New Public-Key Cryptosystem as Secure as Factoring, UROCRYPT, LNCS1403, pp , D. Boneh, A. Joux, and P. Nguyen, Why Textbook lgamal and RSA ncryption are Insecure. AsiaCrypt, LNCS 1976, pp , D.Boneh, C. Gentry, B. Lynn, and H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, UROCRYPT, LNCS 2656, pp , Feng Bao, Robert Deng, Peirong Feng, Yan Guo, and Hongjun Wu, Secure and Private Distribution of Online Video and several Related cryptographic Issues, the 6th Australasia Conference on Information Security and Privacy (ACISP 2001), LNCS 2119, pp , A. K. Lemstra, and.r. Verheul, Selecting Cryptographic Key Sizes, J. Cryptology, 14(4): , David Brumley, and Dan Boneh, Remote Timing Attacks are Practical, the 12th Usenix Security Symposium, pp.1-13, 2003.