Lightweight Encryption for

Transcription

1 Lightweight Encryption for Ben Adida 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group

2 Motivation To Improve/Restore the Usefulness of Lightweight Trust for Signatures [ACHR2005] Can we get reasonable encryption from similar simplified key management?

3 Lightweight Signatures Makes forging from as difficult as receiving Bob s . No explicit user key management Uses only existing infrastructure

4 Review ID-Based Crypto P K bob MP K keyserver MSK SK bob Alice Bob

5 Review ID-based Domains MP K MP K keyserver MSK keyserver MSK SK alice@ SK bob@ Alice Bob

6 DNS to distribute Review Master Public Keys MP K DNS Publish MP K MP K key server MSK [DomainKeys]

7 -Based Review Authentication SK Alice keyserver MSK incoming mail server [Gar2003] Alice

8 Review Lightweight Sigs DNS 1 PUBLISH PUBLISH 1 MP K wonderland key server SK A 2 From: Alice To: Bob Subject: Guess? I heard that... I'm serious! MPK foo 5 MPK bank alice@ 4 key server Alice Wonderland.com Network Signed: Alice 3 6 Bob Network

9 For Encryption? DNS 1 PUBLISH PUBLISH 1 MP K wonderland key server SK A 2 From: Alice To: Bob Subject: Guess? I heard that... I'm serious! MPK foo 5 MPK bank alice@ 4 key server Alice Wonderland.com Network Signed: Alice 3? 6 Bob Network

10 Threat Model Assume your incoming mail server won t actively spoof/attack you. Signatures If the MSK is compromised, simply change the MSK/MPK (DNS updates). Encryption Different story...

11 Threat #1: MSK compromise MSK wonderland SK all past encrypted s are immediately compromised. if the MSK compromise is discreet, then all future encrypted s are also compromised. (hacking into a keyserver). Alice

12 Splitting Keys MP K wonderland MP K wonderland,0 MP K wonderland,1 MP K wonderland,2 MSK wonderland,0 MSK wonderland,1 MSK wonderland,2 SK Alice,0 SK Alice,1 SK Alice,2 Alice SK Alice

13 Threat #2: Corrupt Mail Server MSK Alice SK incoming mail server a corrupt incoming mail server can decrypt and read all secret key material. a passive corrupt mail server can intercept all s. even MSK splitting doesn t help.

14 Recombining Keys key server SK Bob SK Bob Bob DNS MP K (MSK Bob, MP K Bob ) MP K Bob+ Bob generates a new MPK/MSK pair The combined SK matches the combined MPK. The combined MPK provides certification and protection. Bob The second MPK component needs no certification!

15 Single Core Solution MP K 1 MSK 1 CombineMasterKey M P Kcombined params bob@ MP K 2 MSK 2 SK 1 SK 2 bob@ CombineSecretKey SKcombined SK 1 MP K 1 VerifySecretShare

16 Building These Features on Boneh-Franklin and Waters Identity-Based Encryption

17 Review Bilinear Maps G 1, G 2, both of prime order q e : G 1 G 1 G 2 g, h generate G 1 g a e Z ab Z = e(g, h) generates G 2 G 1 G 2 h b e(g a, h b ) = e(g, h) ab e(ug, h) = e(u, h)e(g, h)

18 Review Boneh-Franklin Keys Public Parameters: G 1, G 2, q, g, H MSK = s Z q MP K = g s G 1 P K ID = H(ID) SK ID = H(ID) s

19 Splitting & Recombining Boneh-Franklin Keys [BF2000] MSK 1 = s 1 MSK 2 = s 2 MP K 1 = g s 1 MP K 2 = g s 2 SK 1 = H(ID) s 1 SK 2 = H(ID) s 2 CombineMasterKey MP K = MP K 1 MP K 2 = g s 1+s 2 CombineSecretKey SK = SK 1 SK 2 = H(ID) s 1+s 2 Effective MSK = s 1 + s 2

20 Review Waters Keys Public Parameters: G 1, G 2, q, g, h, F MSK = h s MP K = g s P K ID = F (ID) SK ID = (h s F (ID) r, g r )

21 Splitting & Recombining Waters Keys MSK 1 = h s 1 MSK 2 = h s 2 MP K 1 = g s 1 MP K 2 = g s 2 SK 1 = (h s 1 F (ID) r 1, g r 1 ) SK 2 = (h s 2 F (ID) r 2, g r 2 ) CombineMasterKey MP K = MP K 1 MP K 2 = g s 1+s 2 CombineSecretKey SK = (h s 1 F (ID) r1 h s 2 F (ID) r 2, g r1 g r 2 ) = (h s 1+s 2 F (ID) r 1+r 2, g r 1+r 2 ) Effective MSK = g s 1+s 2

22 Additional Details Malicious Share Generation: NIZK Proof of Knowledge of MSK share Malicious SK Distribution: k-out-n shares using Lagrange coefficients [GJKR99]

23 Putting it All Together CombineMasterKey 2 DNS MP K1 MP K2 1 5 Lightweight Cert. Server MP K key server #1 key server #2 (bob@, MP K Bob ) MP K SK Bob,1 3 SK Bob,2 (MSK Bob, MP K Bob ) CombineMasterKey 6 bob@ incoming mail server CombineSecretKey SK Bob Bob 7 GenerateShare 4 Encrypt From: Alice To: Bob Subject: Secret SK Bob Bob Alice

24 Alice s Point of View Finding Bob s Public Key: automatic: a lookup, a computation against MPK. No trust decision necessary. Decryption Key Management: automatic, just upgrade the mail client Key Revocation, etc...: automatic, with upgraded mail client Automation!

25 Summary Lightweight key infrastructure is not enough for encryption To protect against MSK compromise: key splitting To protect against mail server compromise: key recombination Both can be accomplished with the same trick on Boneh-Franklin and Waters keys

26 Questions?

27 Backup Slides

28 Another Solution yahoo.com incoming mail server gmail.com incoming mail server SK Alice yahoo.com SK Alice gmail.com Alice