Khair Eddin Sabri and Ridha Khedri


Khair Eddin Sabri and Ridha Khedri. Foundations & Practice of Security Symposium (Oct. 2012). CRYPTO

Presentation Outline
1 Introduction
2
3
4 Order Semiring
5 Key structure
6
7
8 Technique
9 Verification of secrecy properties
10 Conclusion and Future Work

Introduction
[Figure: a Data Store shared by a Server and Agents 1, 2 and 3, shown first holding plain Data and then holding Encrypted Data.]

Introduction
- Encrypted-data stores require: encryption of information; distribution of keys to users.
- Cipher? Either a common cipher is used by all agents, or each agent uses, in a quasi-permanent way, a set of already agreed-on ciphers.

Introduction: What governs key-assignments?
The following schemes for key assignments are adopted:
- Object-based scheme: focuses on objects and the required conditions to decrypt each one of them.
- Key-based scheme (our focus): objects are partially ordered (i.e., $\le$ is transitive, reflexive and antisymmetric). $c_i \le c_j$: security level $c_j$ is more sensitive than security level $c_i$ $\implies$ a user at $c_j$ can also have access to information classified $c_i$.

Introduction: Key-based scheme
[Figure: a hierarchy with Dean (key $K_1$) at the top and Chair, Prof. and Student below, holding the keys $K_2$, $K_3$ and $K_4$.]
- Key $k_1$ can be used to derive the keys $k_2$, $k_3$ and $k_4$.
- However, there is no practical way to derive the key associated to a node $n$ from those associated to its descendants.

- Several schemes exist in the literature to handle key assignment: [AklTaylor1983, AtallahBlantonFazio2009, KuoShenChenLai1999, Sandhu1987].
- Problem: lack of formal means to prove their correctness / secrecy. Several of them have been found to be flawed or very weak in preserving secrecy.
- Crampton et al. advocate the adoption of a generic model for key assignment schemes, for evaluating proposals for key assignment schemes.

What do we propose?
- A generic model for the specification and analysis of cryptographic-key assignment schemes.
- An analysis of two representative schemes: the Akl-Taylor key assignment scheme [AklTaylor1983], and a scheme based on the remainder theorem [ChenChung2002].
- A generalized and extended scheme to assign more than one key to a security class.
- The automation of the analysis of systems that use key assignment schemes (Prover9).

The key-structure within a set of structures: Envelope Structure, Message Structure, Cipher Structure, Secret Structure. $A \to B$: structure $B$ is a building block of structure $A$. (Fundamenta Informaticae, 112(4):305-335, 2011.)

Order
Let $C$ be a set. A partial order (or order) on $C$ is a binary relation $\le$ on $C$ such that, for all $x, y, z \in C$:
1. $x \le x$ (reflexive);
2. $x \le y \wedge y \le x \implies x = y$ (antisymmetric);
3. $x \le y \wedge y \le z \implies x \le z$ (transitive).
A set equipped with a partial order is called an ordered set, partially ordered set, or poset. A pre-ordered set (or quasi-ordered set) satisfies only (1) and (3), but not (2). For a pre-ordered set $(P, \le)$, its dual $(P, \ge)$ is defined by: for all $x, y$, $x \ge y \iff y \le x$.

Semiring
Definition (Semiring). Let $S \ne \emptyset$ be a set and $+$ and $\cdot$ binary operations on $S$, named addition and multiplication. Then $(S, +, \cdot)$ is called a semiring if $(S, +)$ is a commutative semigroup, $(S, \cdot)$ is a semigroup, and $\cdot$ distributes over $+$ on both the left and the right.
- $(S, +)$ is an idempotent semigroup $\implies$ $(S, +, \cdot)$ is an additively idempotent semiring.
- $(S, \cdot)$ is a commutative semigroup $\implies$ $(S, +, \cdot)$ is a commutative semiring.
- $(S, +, \cdot)$ is an additively idempotent semiring $\implies$ there exists a natural ordering relation $\le$.

Key structure
- A key in its most common form can be perceived as a parameter given to a cipher.
- A key can be a string, as in the Vigenère cipher, or a pair of numbers, as in an RSA cipher.
- Keys can be combined; an inverse is usually defined on keys (generalization of the RSA cipher).
- Our representation of RSA uses one key $(e, d, n)$: public key $(e, n)$ and private key $(d, n)$.

Key structure
Definition (Key-structure). Let $\mathcal{K} \stackrel{\text{def}}{=} (K, +_k, \cdot_k, 0_k)$ be an algebraic structure that is an additively idempotent commutative semiring with a multiplicatively absorbing zero $0_k$. We call $\mathcal{K}$ a key-structure. The operators $+_k$ and $\cdot_k$ are both used to combine keys: $\cdot_k$ combines keys whose two arguments are used simultaneously to encrypt/decrypt one plain/cipher unit, while $+_k$ combines keys of which only one argument is used to encrypt/decrypt one plain/cipher unit.

Key structure
Table: Vigenère table (26 rows by 26 columns). The row for key letter a is the plain alphabet a ... z; the row for key letter b is b ... z a; each following row shifts the alphabet one further position to the left, down to the row for key letter z, which is z a ... y.

Definition (Key assignment scheme). We call a key-assignment scheme the system $(\mathcal{K}, C, \le, a)$, where $\mathcal{K}$ is a key-structure, $(C, \le)$ is a poset, and $a : K \to C$ is a surjective (onto) function. $C$ and $a$ are respectively identified as the set of security classes and the assignment function. The poset $(C, \le)$ is said to be the poset of the scheme $S$.

- Usually, keys are assigned to users (and users are assigned to security classes).
- For users $x$ and $y$, $x \le_u y \iff$ the security class of $x$ is lower than the security class of $y$. The structure $(U, \le_u)$ is a poset.
- Findings: there is an order isomorphism between $(C, \le)$ and $(U, \le_u)$. It is the map $s : U \to C$ such that $x \le_u y \iff s(x) \le s(y)$.
- Assumption: $\forall(c \mid c \in C : s^{-1}(c) \ne \emptyset)$.
- A class can be assigned several keys.

- On $\mathrm{dom}(a)$ (with $a : K \to C$), we define a relation $\le_d$.
- $k_1 \le_d k_2$: part of the information that can be revealed by using $k_1$ can also be revealed by using $k_2$.
- $(\mathrm{dom}(a), \le_d)$ is a pre-order (quasi-order), as it is not necessarily antisymmetric.

- The structure $\mathcal{K}$ is an additively idempotent commutative semiring; it has a natural order relation $\le$ inherent to it: $x \le y \iff x +_k y = y$.
- $k_1 \le k_2$: the key $k_1$ is a sub-key of the key $k_2$.
- We also define $\sqsubseteq$ as: $a \sqsubseteq b \stackrel{\text{def}}{\iff} \exists(c \mid c \in K : a \le b \cdot_k c)$.
- The relation $\sqsubseteq$ is a pre-order ($\implies$ it can be used as $\le_d$).

Proposition [HofnerMoller2006]. Let $\mathcal{K} = (K, +_k, \cdot_k, 0_k, 1_k)$ be a key structure with an identity $1_k$, and let $k, k_1, k_2, k_3 \in K$ be keys. We have:
1. $k_1 \le_k k_2 \implies k_1 \sqsubseteq k_2$;
2. $k_1 \cdot_k k_2 \sqsubseteq k_2$;
3. $k_1 \sqsubseteq k_2 \implies k_1 +_k k_3 \sqsubseteq k_2 +_k k_3$;
4. $k_1 \sqsubseteq k_2 \implies k_1 \cdot_k k_3 \sqsubseteq k_2 \cdot_k k_3$;
5. $k \sqsubseteq 1_k$.

Definition. Let $S \stackrel{\text{def}}{=} (\mathcal{K}, C, \le, a)$ be a key-assignment scheme. Given a key-derivation relation $\le_d$ defined on $\mathrm{dom}(a)$, the scheme $S$ is said to be cluster-secure with regard to $\le_d$ iff
$\forall(k_i, k_j \mid k_i, k_j \in \mathrm{dom}(a) \wedge (k_i \ne k_j) \wedge (a(k_i) \le a(k_j)) : (k_j \le_d k_i))$.
[Figure: $a(k_i)$ drawn below $a(k_j)$.]

What can we do with this theory?
Evaluate proposals for key assignment schemes. The Akl-Taylor scheme assigns to each user a key $k_i = \kappa^{t_i} \pmod m$, where $\kappa$ is a private number, $m$ is a public number that is the product of two large prime numbers, and $t_i$ is a public number formed from a multiplication of prime numbers.

Key-derivation
- Fact: $k_i^{t_j / t_i} = (\kappa^{t_i})^{t_j / t_i} \pmod m = \kappa^{t_j} \pmod m = k_j$.
- Consequence: a key $k_j$ can be derived from $k_i$ iff $t_j$ is divisible by $t_i$.
- Example: let $m = 11 \times 17 = 187$ and $\kappa = 13$.
  User 1: public number $t_1 = 5 \times 7 = 35$; the key becomes $13^{35} \pmod{187} = 21$.
  User 2: public number $t_2 = 7$ (it divides 35); the key becomes $13^{7} \pmod{187} = 106$.
  The key 106 can be used to derive the key 21 ($106^{5} \pmod{187} = 21$).
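The Akl-Taylor arithmetic of the slide above, as an added example that is not code from the slides or the paper: key assignment as $\kappa^{t_i} \bmod m$, the divisibility test that decides derivability, derivation of a subordinate key from a superior one using only public data and the holder's own key, and a small audit that lists every derivation a table of public exponents permits. The parameters are the slides' toy values ($m = 187$, $\kappa = 13$, $t_1 = 35$, $t_2 = 7$); the function names and the class labels `user1`/`user2` are my own.

```python
# Added example (not from the slides): Akl-Taylor key assignment and derivation.
# The numbers are the slides' toy values; a deployment uses large primes for m,
# and kappa stays private to the authority that assigns the keys.

def assign_key(kappa: int, t: int, m: int) -> int:
    """Key of the class whose public exponent is t: k = kappa^t mod m."""
    return pow(kappa, t, m)

def can_derive(t_target: int, t_holder: int) -> bool:
    """k_target is obtainable from k_holder iff t_holder divides t_target."""
    return t_target % t_holder == 0

def derive_key(k_holder: int, t_holder: int, t_target: int, m: int) -> int:
    """k_target = k_holder^(t_target / t_holder) mod m.

    Only public exponents and the holder's key are used; kappa is never needed.
    Raises if the exponent quotient is not an integer (no derivation path).
    """
    if not can_derive(t_target, t_holder):
        raise ValueError(f"{t_holder} does not divide {t_target}: not derivable")
    return pow(k_holder, t_target // t_holder, m)

def derivation_graph(exponents: dict) -> set:
    """All (holder, target) pairs allowed by divisibility for a table
    {class_name: t}.  Auditing a proposed exponent table means comparing this
    set with the class order the designer intended."""
    return {(h, t) for h in exponents for t in exponents
            if h != t and can_derive(exponents[t], exponents[h])}

# Constructed example with the slides' numbers.
M, KAPPA = 11 * 17, 13
EXPONENTS = {"user1": 5 * 7, "user2": 7}

def example():
    """Return (k1, k2, k1 re-derived by user2, derivation graph)."""
    k1 = assign_key(KAPPA, EXPONENTS["user1"], M)   # 21
    k2 = assign_key(KAPPA, EXPONENTS["user2"], M)   # 106
    # user2 (t = 7) derives user1's key (t = 35) as 106^5 mod 187; the reverse
    # would need exponent 7/35, which is not an integer.
    return k1, k2, derive_key(k2, 7, 35, M), derivation_graph(EXPONENTS)

if __name__ == "__main__":
    print(example())
```

`derivation_graph` is the numeric counterpart of the check the slides automate: if it reports a pair the intended order does not contain, the exponent table lets one class read another's data.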

- Once $\kappa$ is fixed, the exponent $t_i$ determines the key: $\log k_i = t_i \log \kappa$.
- $t_i$ is the product of a set of distinct prime numbers.
- Generalization: keys are sets of products of distinct elements from $\mathbb{N}_p$ (the prime numbers).
- Products of prime numbers can be considered as subsets of $\mathbb{N}_p$: $t_i = 2 \times 3 \times 7$ can be represented as $\{\{2, 3, 7\}\}$.

- $P \stackrel{\text{def}}{=} \{p_1 \times \cdots \times p_n \mid \text{all } p_i \text{ are prime and different}\}$.
- A bijective function $\mathrm{rep} : P \to \mathcal{P}(\mathcal{P}(\mathbb{N}_p))$, $\mathrm{rep}(p_1 \times p_2 \times \cdots \times p_n) \stackrel{\text{def}}{=} \{\{p_1, p_2, \ldots, p_n\}\}$.
- $FF \stackrel{\text{def}}{=} (\mathcal{P}(\mathcal{P}(\mathbb{N}_p)), +_k, \cdot_k, 0_k, 1_k)$, where
  $\cdot_k : \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) \times \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) \to \mathcal{P}(\mathcal{P}(\mathbb{N}_p))$, $A \cdot_k B \stackrel{\text{def}}{=} \{a \cup b : a \in A, b \in B\}$;
  $+_k : \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) \times \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) \to \mathcal{P}(\mathcal{P}(\mathbb{N}_p))$, $A +_k B \stackrel{\text{def}}{=} A \cup B$.
- $FF$ is a key structure with an identity.

The system $(FF, C, \le, a)$ presents a generalization of the Akl-Taylor scheme.
- A key in our case is not a single key but a set of keys, e.g. $\{\kappa^{2 \times 3}, \kappa^{5 \times 7}\}$.
- In the Akl-Taylor scheme, $(C, \le)$ has to be a tree; in our framework, $(C, \le)$ can be a forest. Therefore, for dealing with more than a tree structure and for handling more than one key per user, the Akl-Taylor scheme is a special case of the one we propose.
- We may need this generalization if a user is involved in more than one scheme and needs to combine several keys to build a useful one.
- Key-derivation is nothing but the relator $\sqsubseteq$. We get for free several identities.

Fig. 1. An example of the Akl-Taylor scheme (a) and its equivalent scheme (b): the classes $c_1, \ldots, c_6$ carry the keys $\kappa, \kappa^{2}, \kappa^{3}, \kappa^{2 \cdot 3}, \kappa^{2 \cdot 3 \cdot 7}, \kappa^{3 \cdot 11}$ in (a), represented in (b) as $\{\emptyset\}, \{\{2\}\}, \{\{3\}\}, \{\{2, 3\}\}, \{\{2, 3, 7\}\}, \{\{3, 11\}\}$.

Example 1. Figure 1 shows an example of the Akl-Taylor scheme and its representation using our mathematical structure. In the system $(FF, C, \le, a)$, $FF$ is defined as above, $C = \{c_1, c_2, c_3, c_4, c_5, c_6\}$ such that $c_4 \le c_2$, $c_5 \le c_2$, $c_5 \le c_3$, $c_6 \le c_3$, $c_2 \le c_1$, $c_3 \le c_1$ (plus the properties of an order), and the function $a$ is defined as $a = \{(\{\emptyset\}, c_1), (\{\{2\}\}, c_2), (\{\{3\}\}, c_3), (\{\{2, 3\}\}, c_4), (\{\{2, 3, 7\}\}, c_5), (\{\{3, 11\}\}, c_6)\}$. For instance, the key $\kappa^{2 \cdot 3}$ is derived from $\kappa^{2}$. Indeed:

$\kappa^{2 \times 3} \le_d \kappa^{2}$
$\iff$ ⟨ A key is determined by its exponent, $k_1$ is derived from $k_2$ iff $k_1 \sqsubseteq k_2$, and $\log k_i = t_i \log \kappa$ ⟩
$\mathrm{rep}(2 \times 3) \sqsubseteq \mathrm{rep}(2)$
$\iff$ ⟨ Definition of the function $\mathrm{rep}$, and definition of $\sqsubseteq$ ⟩
$\exists(c \mid c \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) : \{\{2, 3\}\} \le \{\{2\}\} \cdot_k c)$
$\iff$ ⟨ Definition of $x \le y$ for $x$ and $y$ elements of an idempotent commutative semiring ⟩
$\exists(c \mid c \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) : \{\{2, 3\}\} +_k \{\{2\}\} \cdot_k c = \{\{2\}\} \cdot_k c)$
$\iff$ ⟨ Definition of $+_k$ on the structure $FF$ ⟩
$\exists(c \mid c \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) : \{\{2, 3\}\} \cup \{\{2\}\} \cdot_k c = \{\{2\}\} \cdot_k c)$
$\Longleftarrow$ ⟨ $c = \{\{3\}\} \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p))$, and the definition of $\cdot_k$ on the structure $FF$ ⟩
$\exists(c \mid c \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p)) : \{\{2, 3\}\} \cup \{\{2, 3\}\} = \{\{2, 3\}\})$
$\iff$ ⟨ Idempotence of $\cup$, $c \in \mathcal{P}(\mathcal{P}(\mathbb{N}_p))$, and $\exists(c \mid : \mathrm{true}) = \mathrm{true}$ ⟩
$\mathrm{true}$

The above scheme is cluster-secure: $(c_i \le c_j \implies (a(c_i) \sqsubseteq a(c_j)))$.
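The structure $FF$, the relation $\sqsubseteq$, the Höfner-Möller proposition and Example 1 above, as an added example that is not code from the slides or the paper. Keys are Python frozensets of frozensets of primes, $+_k$ and $\cdot_k$ are the two union operations of the slides, and $a \sqsubseteq b$ is decided from its definition without searching for the witness $c$ (for $FF$ a witness exists exactly when every element of $a$ contains an element of $b$; the block cross-checks this against the literal $\exists c$ over a finite universe). The class names, the order and the assignment are those of Example 1; the root key is taken as $\mathrm{rep}(1) = \{\emptyset\}$, the identity of $FF$. All function names are my own.

```python
# Added example (not from the slides): the key structure FF over sets of sets
# of primes, the derivation relation ⊑, and an audit of Example 1.
from itertools import combinations, product

def key(*prime_sets):
    """A key is a set of sets of primes, e.g. key({2, 3}) == rep(2*3) == {{2, 3}}."""
    return frozenset(frozenset(s) for s in prime_sets)

ZERO = key()          # 0_k = ∅, multiplicatively absorbing
ONE = key(set())      # 1_k = {∅} = rep(1): the root key κ (assumed for c1)

def plus(a, b):
    """A +_k B = A ∪ B: the holder may use either key alone."""
    return a | b

def times(a, b):
    """A ·_k B = {x ∪ y : x ∈ A, y ∈ B}: both keys are used together."""
    return frozenset(x | y for x, y in product(a, b))

def leq(a, b):
    """Natural order of the additively idempotent semiring: a ≤ b iff a +_k b = b."""
    return plus(a, b) == b

def derivable(a, b):
    """a ⊑ b, i.e. ∃c : a ≤ b ·_k c, read 'a can be derived from b'.

    In FF such a c exists exactly when every x ∈ a contains some y ∈ b
    (then c = {x minus y} is a witness, and any witness forces such a y).
    """
    return all(any(y <= x for y in b) for x in a)

def witness(a, b):
    """A key c with a ≤ b ·_k c; only meaningful when derivable(a, b)."""
    return frozenset(x - next(y for y in b if y <= x) for x in a)

# Example 1 from the slides: cover relation of (C, ≤) and the assignment a.
ORDER = {("c4", "c2"), ("c5", "c2"), ("c5", "c3"), ("c6", "c3"),
         ("c2", "c1"), ("c3", "c1")}
ASSIGN = {"c1": ONE, "c2": key({2}), "c3": key({3}), "c4": key({2, 3}),
          "c5": key({2, 3, 7}), "c6": key({3, 11})}

def below(cover, classes):
    """Reflexive-transitive closure: (x, y) in the result means x ≤ y."""
    le = set(cover) | {(c, c) for c in classes}
    while True:
        new = {(x, z) for (x, y) in le for (y2, z) in le if y == y2} - le
        if not new:
            return le
        le |= new

def audit(assign, cover):
    """Compare what the keys allow with what the order intends.

    missing: c_i ≤ c_j but a(c_i) is not derivable from a(c_j);
    leaks:   a(target) is derivable from a(holder) although target ≤ holder
             does not hold (the secrecy property the slides verify).
    """
    le = below(cover, assign)
    missing = {(lo, hi) for (lo, hi) in le if not derivable(assign[lo], assign[hi])}
    leaks = {(h, t) for h in assign for t in assign
             if h != t and (t, h) not in le and derivable(assign[t], assign[h])}
    return missing, leaks

def universe(primes):
    """All keys over a finite set of primes, i.e. P(P(primes))."""
    subsets = [frozenset(c) for r in range(len(primes) + 1)
               for c in combinations(sorted(primes), r)]
    return [frozenset(c) for r in range(len(subsets) + 1)
            for c in combinations(subsets, r)]

def check_proposition(primes):
    """Items 1-5 of the proposition, exhaustively over P(P(primes))."""
    U = universe(primes)
    return all(
        (not leq(k1, k2) or derivable(k1, k2))                                  # 1
        and derivable(times(k1, k2), k2)                                        # 2
        and (not derivable(k1, k2) or derivable(plus(k1, k3), plus(k2, k3)))    # 3
        and (not derivable(k1, k2) or derivable(times(k1, k3), times(k2, k3)))  # 4
        and derivable(k1, ONE)                                                  # 5
        for k1, k2, k3 in product(U, repeat=3))

def decision_matches_definition(primes):
    """Cross-check: derivable() agrees with the literal ∃c over the finite universe."""
    U = universe(primes)
    return all(derivable(a, b) == any(leq(a, times(b, c)) for c in U)
               for a, b in product(U, repeat=2))

if __name__ == "__main__":
    print("κ^{2·3} ⊑ κ^2:", derivable(key({2, 3}), key({2})),
          "witness c =", set(witness(key({2, 3}), key({2}))))
    print("audit of Example 1 (missing, leaks):", audit(ASSIGN, ORDER))
    print("proposition over P(P({2,3})):", check_proposition({2, 3}))
```

Run on Example 1 exactly as stated on the slides, `audit` reports no missing derivation (every $c_i \le c_j$ has $a(c_i) \sqsubseteq a(c_j)$, the property the slides conclude with) but two derivations the order does not license: $\{\{2,3\}\} \sqsubseteq \{\{3\}\}$ makes the key of $c_4$ derivable from the key of $c_3$, and $\{\{2,3,7\}\} \sqsubseteq \{\{2,3\}\}$ makes the key of $c_5$ derivable from the key of $c_4$, although neither $c_4 \le c_3$ nor $c_5 \le c_4$ holds. In Akl-Taylor terms, 3 divides 6 and 6 divides 42; it is the kind of finding the verification of secrecy properties on the later slides is meant to surface.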

Technique [ChenChung2002]
Similar treatment as for the Akl-Taylor scheme. Here $\sqsubseteq$ is: $a \sqsubseteq b \stackrel{\text{def}}{\iff} \exists(c \mid c \in \mathcal{P}(\mathcal{P}(F)) : a \le b \cdot_k c)$, and $k_1 \le_d k_2 \stackrel{\text{def}}{\iff} k_2 \sqsubseteq k_1$ (it is the dual of that of the Akl-Taylor scheme).

Verification of secrecy properties
- We can easily verify properties such as: the ability of a user to get information intended for a higher class; the ability of using several keys to reveal information that can be revealed by using another key.
- The proofs of the above properties involve the axioms of the key-structure.
- We use Prover9 to verify each property.
- In the paper, you find an example illustrating the above points.

Conclusion and Future Work
- We presented a generic model for key assignment schemes (based on the key-structure).
- This model does not depend on a specific crypto-system.
- The proofs of security properties are performed in an algebraic, calculational way (easily automated).
- Future work: investigate other key assignment schemes to assess their strengths and weaknesses.
