A provably secure secret handshake with dynamic controlled matching
Alessandro Sorniotti, Refik Molva
Computers and Security, Volume 29, Issue 5, July 2010 , pp 619-627
Outline
- Introduction
- Preliminaries
- The scheme – SecureMatching
- The scheme – Secret Handshake
- Security analysis
- Conclusion
Introduction
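Secret Handshake
- 2003, proposed by Balfanz et al.
- Two users simultaneously check whether each other is a member of the same group.
Certification authority
- Able to certify and verify users' identities.
- Issues property credentials and matching references, so that users can prove themselves and verify the other party.
Setting: untraceable and anonymous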
Introduction
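Matchmaking
- 1985, presented by Baldwin and Gramlich.
- Solves the same problem as the secret handshake (HS), except that users can communicate with members of other groups.
Main difference from HS
- A matchmaking user can set their own credential and matching reference.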
Introduction
This paper proposes
- A secret handshake scheme with dynamic controlled matching.
- Users ask the CA to issue credentials and references, which give them the ability to prove and to verify.
Preliminaries
- $U$: a set of users
- $P$: a set of properties
- $(G_1, +)$ and $(G_2, *)$: two groups of order $q$ for some large prime $q$.
- $e: G_1 \times G_1 \to G_2$ is a bilinear map
  - Bilinear: for $P, Q \in G_1$ and $a, b \in Z_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$
  - Non-degenerate: $e(P, P) \neq 1$ is a generator of $G_2$.
  - Computable: an efficient algorithm exists to compute $e(P, Q)$ for all $P, Q \in G_1$.
- $H: P \to G_1$ is a one-way hash function.
SecureMatching
Prover-verifier protocol
- The prover must convince the verifier that it is a member of the group.
- Prover: uses a credential to convince the verifier.
- Verifier: uses a reference to verify the prover.
SecureMatching
Setup
- $P \in_R G_1$: a random generator of $G_1$.
- $r, s, t, v \in_R Z_q^*$: random values.
- $R = rP$, $S = sP$, $T = tP$, $V = vrP$
- System public parameters = $\{q, P, R, S, T, V, e, G_1, G_2, H\}$
- System secret parameters = $\{r, s, t, v\}$
SecureMatching
Join
- User $u \in U$
- Secret value $x_u \in_R Z_q^*$
- $X_u = x_u s^{-1} r P$
SecureMatching
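Certify
- Executed only when the CA receives a request from user $u$.
- User $u$ belongs to group $p \in P$.
- The CA first checks whether $(u, p)$ is legitimate; if it is, the CA issues the credential $cred_p = vH(p)$ to user $u$.
- User $u$ verifies: $e(cred_p, R) = e(H(p), V)$. If the equation holds, the credential is accepted; otherwise it is discarded.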
SecureMatching
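Grant
- Executed only when the CA receives a request from user $u$.
- User $u$ wants to communicate with group $p \in P$.
- The CA first checks whether $p$ is a group that $u$ is allowed to communicate with.
- If it is, the CA issues the matching reference $match_{u,p} = t^{-1} r\,(cred_p + x_u P)$ to user $u$.
- User $u$ verifies: $e(match_{u,p}, T) = e(H(p), V)\, e(X_u, S)$. If the equation holds, the reference is accepted; otherwise it is discarded.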
SecureMatching
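Matching
- A: prover. A holds $cred_{p_A}$ to prove membership of group $p_A$.
- B: verifier. B uses $match_{B,p_B}$ to verify.
Protocol
1. B→A: B generates $n \in_R Z_q^*$ and sends $N_1 = nP$, $N_2 = nR$ to A.
2. A→B: A checks $e(N_1, P) = e(N_2, R)$. If the check passes, A generates $r_1, r_2 \in_R Z_q^*$ and sends $disguisedCred_{p_A} = \langle r_1 cred_{p_A},\ r_2 N_2,\ r_1 r_2 S,\ r_1 r_2 T \rangle$ to B.

$$cred_{p_A} = vH(p_A)$$
$$match_{B,p_B} = t^{-1} r\,(cred_{p_B} + x_B P)$$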
SecureMatching
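Matching
Protocol (continued)
3. B checks

$$K = \frac{e(r_1 cred_{p_A},\ r_2 N_2)^{n^{-1}} \cdot e(r_1 r_2 S,\ X_B)}{e(r_1 r_2 T,\ match_{B,p_B})}$$

If $K = 1$, B is convinced that A belongs to group $p_A$ (i.e. $p_A$ and $p_B$ are the same group).

$$cred_{p_A} = vH(p_A)$$
$$match_{B,p_B} = t^{-1} r\,(cred_{p_B} + x_B P)$$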
Secret Handshake
How to get from SM to SHS
- Session key exchange
- In the SM protocol, the key is valid only once the match holds for both parties.
Secret Handshake
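Protocol diagram between Alice and Bob:
- Alice: $cred_{p_1}$, $X_A$, $match_{A,p_2}$; values $r_{1A}, r_{2A}, r_{3A}, n_A$
- Bob: $cred_{p_2}$, $X_B$, $match_{B,p_1}$; values $r_{1B}, r_{2B}, r_{3B}, n_B$

$$cred_p = vH(p)$$
$$match_{u,p} = t^{-1} r\,(cred_p + x_u P)$$
$$disguisedCred_p = \langle r_1 cred_p,\ r_2 N_2,\ r_1 r_2 S,\ r_1 r_2 T \rangle$$
$$X_u = x_u s^{-1} r P$$

Messages
1. Alice→Bob: $n_A P$, $n_A R$
2. Bob→Alice: $n_B P$, $n_B R$, $\langle r_{1B}(cred_{p_2} + r_{3B}P),\ r_{2B}(n_A R),\ r_{1B} r_{2B} S,\ r_{1B} r_{2B} T \rangle$
3. Alice→Bob: $\langle r_{1A}(cred_{p_1} + r_{3A}P),\ r_{2A}(n_B R),\ r_{1A} r_{2A} S,\ r_{1A} r_{2A} T \rangle$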
Secret Handshake
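- Alice and Bob each check the equation for $K$:

$$K = \frac{e(r_1 cred_{p_A},\ r_2 N_2)^{n^{-1}} \cdot e(r_1 r_2 S,\ X_B)}{e(r_1 r_2 T,\ match_{B,p_B})}$$

- Alice computes $K_A = e(P, P)^{r_{1B} r_{2B} r_{3B} r}$
- Bob computes $K_B = e(P, P)^{r_{1A} r_{2A} r_{3A} r}$
- $K' = (K_A)^{r_{1A} r_{2A} r_{3A}}$, $K'' = (K_B)^{r_{1B} r_{2B} r_{3B}}$
- If $K' = K''$, the two parties have successfully exchanged a session key.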
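The Matching check and the key derivation above can be verified mechanically. The following is an added example, not taken from the slides or the paper: it uses a constructed toy representation (every group element stored as its discrete logarithm, an assumed order q = 2^127 - 1, invented group names and a hypothetical `bob_ref` parameter), so it confirms the equations but provides no security. The prover's check on (N1, N2) is omitted.

```python
import hashlib, secrets

# Constructed toy model: the G1 element aP is stored as a mod q (P itself is 1) and
# the G2 element e(P,P)^z as z mod q, so e(aP,bP) -> a*b, a G2 product -> a sum and
# K = 1 -> 0. Discrete logs are in the clear: this checks algebra, it is NOT secure.
q = 2**127 - 1                                   # assumed toy prime group order
rnd = lambda: secrets.randbelow(q - 1) + 1       # random element of Zq*
inv = lambda a: pow(a, -1, q)
e = lambda A, B: A * B % q                       # the bilinear map
H = lambda p: int.from_bytes(hashlib.sha256(p.encode()).digest(), "big") % q or 1

r, s, t, v = rnd(), rnd(), rnd(), rnd()          # Setup: CA secrets
R, S, T, V = r, s, t, v * r % q                  # rP, sP, tP, vrP

def join():                                      # Join: (x_u, X_u = x_u s^-1 r P)
    x = rnd()
    return x, x * inv(s) * r % q

def certify(p):                                  # Certify: cred_p = v H(p)
    cred = v * H(p) % q
    assert e(cred, R) == e(H(p), V)              # user's acceptance check
    return cred

def grant(x_u, X_u, p):                          # Grant: t^-1 r (cred_p + x_u P)
    m = inv(t) * r * (v * H(p) + x_u) % q
    assert e(m, T) == (e(H(p), V) + e(X_u, S)) % q
    return m

def disguise(cred, N2, r3=0):                    # r3 != 0 is the handshake variant
    r1, r2 = rnd(), rnd()
    dc = (r1 * (cred + r3) % q, r2 * N2 % q, r1 * r2 * S % q, r1 * r2 * T % q)
    return dc, r1 * r2 * r3 % q                  # message, sender's key exponent

def K(dc, n, X, match):                          # verifier's K, as an exponent
    c, N, dS, dT = dc
    return (e(c, N) * inv(n) + e(dS, X) - e(dT, match)) % q

def matches(pA, pB):                             # A proves pA, B holds match_{B,pB}
    (xB, XB), n = join(), rnd()
    dc, _ = disguise(certify(pA), n * R % q)
    return K(dc, n, XB, grant(xB, XB, pB)) == 0

def handshake(p1, p2, bob_ref=None):             # returns (K', K'')
    (xA, XA), (xB, XB), nA, nB = join(), join(), rnd(), rnd()
    dA, kA = disguise(certify(p1), nB * R % q, rnd())   # Alice -> Bob
    dB, kB = disguise(certify(p2), nA * R % q, rnd())   # Bob -> Alice
    K_B = K(dA, nB, XB, grant(xB, XB, bob_ref or p1))   # Bob's view
    K_A = K(dB, nA, XA, grant(xA, XA, p2))              # Alice's view
    return K_A * kA % q, K_B * kB % q
```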
Security analysis
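Attack types
- Linking: the attacker is able to tell that the same two parties took part in different runs of the protocol. Corresponding property: untraceability.
- Knowing: a malicious verifier can verify the prover's group without the correct reference. Corresponding property: detector resistance.
- Forging: a malicious prover can convince the verifier without the correct credential. Corresponding property: impersonation resistance.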
Security analysis
Security of SecureMatching and secret handshake
- Untraceability
- Detector resistance
- Impersonation resistance
BDDH assumption
- Given $(P, aP, bP, cP, xP)$, decide whether $x = abc$.
Security analysis
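Untraceability
- The attacker is given two disguised credentials and is able to prove that they are credentials for the same group.
Detector resistance
- The attacker, without the correct reference, successfully runs the protocol with a legitimate prover.
Impersonation resistance
- The attacker forges a fake credential and is able to convince a legitimate verifier.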
Conclusion
- The secret handshake is achieved by means of SecureMatching.
- Load on the user