Design and Security Analysis of Marked Blind Signature

Training activity (Attività formativa)

Student: Claudia Snels

Professor: Giuseppe Bianchi

Transcript of the presentation (28 slides).

Page 1

Page 2

Presentation outline

• Introduction
  – Blind signatures
  – New Marked Blind Signature (MBS)

• Security analysis
  – General methods
  – Security analysis of MBS

• Ongoing work on MBS

• Applications

• Conclusions

Page 3

Introduction: Blind signatures

Chaum's Blind RSA Signature

Client → Server: $B^e P \bmod n$

Server → Client: $(B^e P)^d = B\,P^d \bmod n$

User unblinds the received message and obtains a valid signature for P.

B: blinding term; P: message to be signed

(d, n): Server's private key; (e, n): Server's public key

Server doesn't know what he has signed: BLIND SIGNATURE
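The exchange on this slide, written out as an added example (not code from the presentation): the client blinds P with a random B, the server signs what it receives, and the client strips B to obtain an ordinary RSA signature on P. The key is a constructed toy key (two small primes, chosen only for readability); `chaum_round` is an illustrative helper name.

```python
import secrets
from math import gcd

# Constructed toy RSA key (small primes for readability; not a secure key).
P_PRIME, Q_PRIME = 1000000007, 998244353
N = P_PRIME * Q_PRIME
E = 65537                      # (E, N) is the server's public key
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
D = pow(E, -1, PHI)            # (D, N) is the server's private key


def blind(message: int, blinding: int) -> int:
    """Client: hide the message P as B^e * P mod n before sending it."""
    assert 0 < message < N and gcd(blinding, N) == 1
    return pow(blinding, E, N) * message % N


def sign_blinded(blinded: int) -> int:
    """Server: apply the private exponent, (B^e P)^d = B * P^d mod n."""
    return pow(blinded, D, N)


def unblind(blinded_signature: int, blinding: int) -> int:
    """Client: divide by B to recover P^d mod n, a plain RSA signature on P."""
    return blinded_signature * pow(blinding, -1, N) % N


def verify(message: int, signature: int) -> bool:
    """Anyone: check signature^e == P mod n with the public key (E, N)."""
    return pow(signature, E, N) == message % N


def chaum_round(message: int, blinding: int = 0) -> dict:
    """Run one blind-signature exchange and report what each party saw."""
    if not blinding:
        blinding = secrets.randbelow(N - 2) + 2   # random B (coprime with n w.h.p.)
    blinded = blind(message, blinding)
    blinded_sig = sign_blinded(blinded)
    sig = unblind(blinded_sig, blinding)
    return {
        "server_saw": blinded,                    # B^e P mod n, unrelated-looking to P
        "signature": sig,
        "valid": verify(message, sig),
        # the unblinded value equals the signature the server would have made on P directly
        "matches_direct": sig == pow(message, D, N),
    }
```

Because the server only ever sees $B^e P$ and a random B, the transcript it keeps cannot be matched against the signature later presented, which is the property the MBS design has to preserve while adding a mark.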

Page 4

Introduction: New Marked Blind Signatures

Marked Blind Signature

• Goal: add a random "mark" R inside the signature

• R unknown/unforgeable by both server and client

• Applications
  • "stamp" the act of signing
  • Anticipated certificate verification
    – Wrap proof of possession of a certificate private key inside the signature!
    – SPARTA pseudonym/authorization approach from Netlab (more later)

Page 5

Marked Blind Signature: simpler (but flawed) version, easier to understand

Approach: use the homomorphic property of RSA encryption. Homomorphic computation of R = XY.

• R = XY inserted by the client (full-domain hashed with P); blinding with the same factor B
• X = client random; B = blinding factor
• Server-side blind insertion of R = XY; additive insertion to avoid forgery and easy attacks
• (Blindly) signed credential

Flaw: traceability! Server can associate the following value with the real user.

[Equations for the client's blinded terms, the server's insertion of Y and the traceable value (symbols B, e, d, H, X, Y, P, R) did not survive extraction.]

Page 6

Introduction: New Marked Blind Signatures

Marked Blind Signature: actual (correct) version

• Discrete logarithm modulo n (the server's RSA modulus), DL-strong base g

• (Double) homomorphic computation of R = XY + Z
  – X, Z: client random
  – Y: server random
  – under the condition XY + Z < n

• Elimination of B is now harmless

[Equations for the blinded terms x_1, x_2 and the server's combination of them with Y (symbols B, e, d, g, H, X, Y, Z, P, R, n) did not survive extraction.]

Page 7

Introduction: New Marked Blind Signatures

Signature verification

• Authorization credential: signed pseudonym

• After the server signature, the client computes R

• Verification:
  – Client verifies certificate P (usual challenge handshake)
  – Client presents P, R, cred
  – Server checks cred against the public key

[The three verification equations (cred, cred^e and the check on the hash; symbols cred, e, d, R, H, g, P) did not survive extraction.]

Page 8

Security analysis: General methods

How to develop a security analysis

Security protocol = message exchange + cryptographic primitives

Message exchange:
• Logic correctness
• Explicitness of information exchanged
• Semantic analysis, automatic theorem provers (Isabelle)
• Cryptography is supposed to work well (black box)

Page 9

Security analysis: General methods

How to develop a security analysis

Cryptographic primitives:
• Simple signature schemes like RSA, Diffie-Hellman: massive usage of basic number theory theorems
• More complicated schemes like Chaum's Blind Signature, elliptic curve signatures: a jungle of papers about zero-knowledge proofs, random oracles

WHY?

Page 10

Security analysis: General methods

Security analysis: our choice

Problem: simple ideas but with "uncommon" requirements (e.g. untraceability) are VERY difficult to prove.

Two strategies:

1. Design a very complicated protocol which can satisfy a large number of hypotheses. Under such strict hypotheses a rigorous mathematical proof is possible. Problem: inapplicability of such protocols in software tools.

2. Maintain a simple idea! Try an attack-based security analysis, and build a rigorous proof when possible. OUR CHOICE

Page 11

Security analysis of mbs

Main features of a blind signature scheme

• Unforgeability of R: R should be a random value created by both peers but not forgeable, in order to prevent traceability or reuse of the same marker

• Unforgeability of mbs: Client should not be able to generate (forge) a valid signature

• Untraceability: Server should not be able to trace Client

Page 12

Security analysis of mbs

Unforgeability of R

We recall that $R = xy + s$.

The strategy of the attack is to choose a suitable x (for Client) or y (for Server) such that $a^{x} \equiv 1 \pmod n$ or $a^{y} \equiv 1 \pmod n$. In the first case we have R = s, so its value is decided by Client.

Values having this property are the Euler totient function and the Carmichael function, but these values are known only to Bob, who possesses the factorization of n = pq. So we can conclude:

• Server can choose a suitable y, but this is not an advantage for him

• Client can't choose a suitable x; in other words, this is as difficult as factoring the RSA modulus n

R is UNFORGEABLE

Page 13

Security analysis of mbs

Unforgeability of mbs

We refer to one-more forgery, in the sense that if Client owns a signing oracle she can't obtain one more mbs than the number of queries she makes to the oracle.

How can Alice try to forge mbs?

HOMOMORPHIC PROPERTY OF RSA

$sign(m_1) = m_1^d \bmod n$

$sign(m_2) = m_2^d \bmod n$

$sign(m_1 m_2) = sign(m_1)\,sign(m_2) = m_1^d\, m_2^d = (m_1 m_2)^d \bmod n$

With Marked Blind Signature, is this possible?
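The homomorphic property above, as an added example (not the presentation's code): with textbook RSA, two oracle answers multiply into a third valid signature (a one-more forgery); when the signed value is a hash of the message, as in mbs, the same product verifies only as a signature on $H(m_1)H(m_2)$, which is not the hash of the product or of any message the forger gets to choose. The key is a constructed toy key and the full-domain hash is a truncated SHA-256 stand-in; both are assumptions of this example.

```python
import hashlib

# Constructed toy RSA key (readable size, not secure).
P_PRIME, Q_PRIME = 1000000007, 998244353
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))


def textbook_sign(m: int) -> int:
    """Textbook RSA: the signature is m^d with no hashing."""
    return pow(m, D, N)


def textbook_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N


def full_domain_hash(m: int) -> int:
    """Hash-then-sign: the signed value is H(m), not m (toy FDH reduced mod n)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(16, "big")).digest(), "big") % N


def hashed_sign(m: int) -> int:
    return pow(full_domain_hash(m), D, N)


def hashed_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == full_domain_hash(m)


def one_more_forgery_textbook(m1: int, m2: int) -> dict:
    """Two oracle answers on m1 and m2 give a valid textbook signature on m1*m2."""
    s1, s2 = textbook_sign(m1), textbook_sign(m2)
    forged = s1 * s2 % N
    return {"product": m1 * m2 % N,
            "forged_valid": textbook_verify(m1 * m2, forged)}


def one_more_forgery_hashed(m1: int, m2: int) -> dict:
    """The same multiplication under hash-then-sign: the product of the two
    signatures is a signature on H(m1)*H(m2) mod n, which does not equal
    H(m1*m2), so it fails as a signature on the product message."""
    s1, s2 = hashed_sign(m1), hashed_sign(m2)
    forged = s1 * s2 % N
    signed_value = pow(forged, E, N)
    return {
        "signs_value": signed_value,
        "is_hash_product": signed_value == full_domain_hash(m1) * full_domain_hash(m2) % N,
        "forged_valid": hashed_verify(m1 * m2, forged),
    }
```

The mbs form $[H(A|m) + R]^d$ adds the mark R to the hash before signing, so a forger would additionally have to make the product of two such sums equal a fresh sum $H(A|m) + R$ (the next slide).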

Page 14

Security analysis of mbs

Unforgeability of mbs

$mbs_1 = [H(A_1|m_1) + R_1]^d \bmod n$

$mbs_2 = [H(A_2|m_2) + R_2]^d \bmod n$

Try to find an R and a message m such that

$[H(A_1|m_1) + R_1]\,[H(A_2|m_2) + R_2] = H(A|m) + R$

where the product expands to

$H(A_1|m_1)H(A_2|m_2) + H(A_1|m_1)R_2 + H(A_2|m_2)R_1 + R_1 R_2$

Hard computation due to:
• multiple hash terms
• presence of R inside and outside the hash

Under the random oracle hypothesis, our signature is as unforgeable as Chaum's blind signature.

Page 15

Security analysis of mbs

Untraceability

We focus on the possibility for the server to build a marker univocally linkable to one client (remember the flaw of the first scheme presented). In our case we can eliminate the blinding term B and produce the following ratios:

$\frac{x_2}{x_1 y} = \frac{H(A|m) + s}{xy}$

$\frac{x_1 y + x_2}{x_1 y} = \frac{H(A|m) + R}{xy}$

While good candidates for markers are

$R$, $H(A|m) + R$, $\frac{H(A|m) + R}{R}$

• Not directly obtainable by Server

• Always blinded

Page 16

Security analysis of mbs

Untraceability

In order to obtain $\frac{H(A|m) + R}{R}$ we must have $\frac{R}{xy}$.

We have demonstrated that $\frac{R}{xy}$ is not obtainable as long as Server doesn't know B.

So the next question is: how to obtain B? During the handshake:

$x_1 = B^e x$

$x_2 = B^e\,[H(A|m) + s]$

2 equations, 3 variables: blindness during handshake.

Page 17

Security analysis of mbs

Formal proof of validity and blindness

Definition. A signature scheme is called blind if Server's view V and the triple (mbs, R, m) are statistically independent, that is, during the verification phase Server cannot recognise Client.

Theorem. The triple (mbs, R, m) is a valid signature for message m and the mbs protocol is a blind scheme.

Proof. Validity (if the hash is collision-free):

$T = (x_1 y + x_2)^d = B\,[H(A|m) + R]^d$, so $B^{-1} T = B^{-1} B\,[H(A|m) + R]^d = B^{-1} B\,[H(A|m) + xy + s]^d$

$B^{-1}\left[B^e H(A|m) + B^e xy + B^e s\right]^d = B^{-1} B\,[H(A|m) + s + xy]^d$

$B^{-1}(x_1 y + x_2)^d = mbs \pmod n$

Page 18

Security analysis of mbs

Formal proof of validity and blindness

Blindness. We show that given any view V and any valid triple (mbs, R, m) there exists a unique pair of blinding factors B and R. Because Client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows.

If the signature (mbs, R) has been generated during an execution of the protocol with view V consisting of $y,\ x_1,\ x_2,\ (x_1 y + x_2)^d$, then the following equations must hold:

$mbs = B^{-1}(x_1 y + x_2)^d$

$R = xy + s$

Solving them:

$B = (x_1 y + x_2)^d\, mbs^{-1}$

$R = xy + s$ with x, s random: a one-parameter solution, but R is unforgeable, so the solution is unique.

Page 19

Security analysis of mbs

Harn's attack

Harn's attack is a Server attack based on:
• Blind signature
• Collection of signatures and handshake terms

Let m be a generic message to be blindly signed; the attack is developed in two steps:

1. Server collects for each client the received term $B^e m$ and the returned term $B m^d$

2. When Server receives the signature $m^d$ he divides every $B m^d$ term by it and tests whether the B obtained gives a correct match for $B^e m$. With a positive match he can trace the user.

Page 20

Security analysis of mbs

Resistance of mbs against Harn's attack

Let $m = H(\cdot) + R$ and $m^d$ the signature received by Server during verification, and suppose that we have two registered users.

1) If $m = m_1$, Server operates the strategy previously described and succeeds in identifying Client 1.

2) If $m = m_2$, Server operates the strategy previously described but first tries to identify Client 2 as Client 1. We write $m_2^d = c\, m_1^d$:

$\frac{B_1 m_1^d}{m_2^d} = \frac{B_1 m_1^d}{c\, m_1^d} = \frac{B_1}{c}$

$\left(\frac{B_1}{c}\right)^e m_2 = \frac{B_1^e\, m_2}{c^e} = B_1^e m_1$ (since $c^e = m_2 / m_1$)

Server incorrectly identifies Client 2 as Client 1.
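The handshake analysed on slides 15 to 20, as an added example (not the presentation's code): it implements the equations the slides give for the additive scheme, $x_1 = B^e x$, $x_2 = B^e[H(A|m) + s]$, $T = (x_1 y + x_2)^d$, $mbs = B^{-1}T$, $R = xy + s$, then runs the Harn-style linking test from the last two slides against the server's stored views. The toy key, the truncated SHA-256 used as $H(A|m)$, the ranges for x, y, s (scaled so that $H(A|m) + R < n$ with the small modulus) and the helper names are assumptions of this example.

```python
import hashlib
import random
import secrets

# Constructed toy RSA key for the Server (readable size, not secure).
P_PRIME, Q_PRIME = 1000000007, 998244353
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))

# Ranges for the random terms: small x, y and a large s, scaled down so that
# H(A|m) + R < n always holds with the toy modulus (assumption of this example).
X_MAX = Y_MAX = 2 ** 10
S_MAX = 2 ** 30
H_BITS = 40   # toy hash width: H < 2^40, so H + R < 2^41 < n


def H(a: bytes, m: bytes) -> int:
    """H(A|m): SHA-256 over the two fields with a separator, truncated (toy stand-in)."""
    return int.from_bytes(hashlib.sha256(a + b"|" + m).digest(), "big") % (1 << H_BITS)


def client_request(h: int, x: int, s: int, b: int) -> tuple:
    """Client sends x1 = B^e x and x2 = B^e (H(A|m) + s) mod n."""
    be = pow(b, E, N)
    return be * x % N, be * (h + s) % N


def server_sign(x1: int, x2: int, y: int) -> int:
    """Server inserts its random y blindly: T = (x1 y + x2)^d mod n, then reveals y."""
    return pow((x1 * y + x2) % N, D, N)


def client_unblind(t: int, b: int, x: int, y: int, s: int) -> tuple:
    """Client removes B (mbs = B^-1 T) and computes the mark R = xy + s."""
    return t * pow(b, -1, N) % N, x * y + s


def verify(h: int, r: int, mbs: int) -> bool:
    """Server at verification: mbs^e == H(A|m) + R mod n."""
    return pow(mbs, E, N) == (h + r) % N


def run_handshake(a: bytes, m: bytes, seed=None) -> dict:
    """One full run; returns the Server's view (y, x1, x2, T) and the Client's triple."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    x, s = rng.randrange(1, X_MAX), rng.randrange(1, S_MAX)
    b = rng.randrange(2, N)
    y = rng.randrange(1, Y_MAX)
    h = H(a, m)
    x1, x2 = client_request(h, x, s, b)
    t = server_sign(x1, x2, y)
    mbs, r = client_unblind(t, b, x, y, s)
    return {"view": (y, x1, x2, t), "triple": (mbs, r, m), "a": a, "valid": verify(h, r, mbs)}


def harn_match(view: tuple, a: bytes, triple: tuple) -> bool:
    """Harn-style test: recover B' = T / mbs from a stored view and check whether
    x1 y + x2 == B'^e (H(A|m) + R). It holds for every stored view, not only the
    client's own, so the test links nothing (slide 18's unique B for any view)."""
    y, x1, x2, t = view
    mbs, r, m = triple
    b_guess = t * pow(mbs, -1, N) % N
    return (x1 * y + x2) % N == pow(b_guess, E, N) * (H(a, m) + r) % N
```

The second assertion of the usage below is the resistance result: the triple produced in run 1 "matches" the view recorded in run 2 just as well as its own, which is the false identification of slide 20 seen from the defender's side.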

Page 21

Ongoing work on mbs

Open problems: distribution of R

If we want the signature to be valid we must have R < n. But x, y and s are random.

It is necessary to choose suitable distributions and ranges such that R looks like a uniformly distributed random variable.

Naive approach: try x and y uniform in $[1, n^{1/2}]$ and s uniform in $[1, n^{1/2}]$.

Problem: BAD distribution

Page 22

Ongoing work on MBS

Attack on distribution of R

The distribution of R has a very different concentration for high or low values of y. So if Server gives a Client a low y, he knows that with very high probability R will assume a certain range of values, and vice versa.

Server can classify and consequently trace classes of users.

[Plots of the distribution of R for y = n^{1/4} and y = n^{1/2}]

Page 23

Ongoing work on MBS

Guidelines for distribution choices

• y protects Server from Client's attack on R, so its distribution range should not be small

• Client is already protected by s, so x can be small

• s can smooth the distribution of R (convolution), so it should have a large range

Page 24

Ongoing work on MBS

Some insights about distributions

• If x and y are uniform in the same range: logarithm-like distribution

• If x and y are uniform in $[1, n^{1/4}]$ and s uniform in $[1, n^{3/4}]$: almost uniform
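A simulation of the two range choices of slides 21 and 24, as an added example (not the presentation's code): it samples $R = xy + s$ for the naive ranges (all three in $[1, n^{1/2}]$) and the guided ranges ($x, y$ in $[1, n^{1/4}]$, $s$ in $[1, n^{3/4}]$), reports whether the largest reachable R stays below n, and measures how far the histogram of R is from flat. The modulus is replaced by a power of two of the same role, the bin count and sample size are choices of this example, and the deviation metric (largest relative departure of a bin from the flat profile) is an assumption, not the slides' own measure.

```python
import random

N_BITS = 40
N = 1 << N_BITS   # stand-in for the RSA modulus; only its magnitude matters here


def max_r(x_hi: int, y_hi: int, s_hi: int) -> int:
    """Largest R = xy + s reachable when x <= x_hi, y <= y_hi, s <= s_hi."""
    return x_hi * y_hi + s_hi


def sample_r(x_hi: int, y_hi: int, s_hi: int, samples: int, seed: int = 0) -> list:
    """Draw R = xy + s with x, y, s independent and uniform on their ranges."""
    rng = random.Random(seed)
    return [rng.randint(1, x_hi) * rng.randint(1, y_hi) + rng.randint(1, s_hi)
            for _ in range(samples)]


def max_bin_deviation(values: list, hi: int, bins: int = 20) -> float:
    """Largest relative deviation of a histogram over [0, hi] from a flat profile
    (0 would be perfectly uniform; a value of 3 means one bin holds 4x its share)."""
    counts = [0] * bins
    for v in values:
        counts[min(v * bins // hi, bins - 1)] += 1
    expected = len(values) / bins
    return max(abs(c - expected) / expected for c in counts)


def compare_ranges(samples: int = 100000) -> dict:
    """Naive ranges (slide 21) versus the guided ranges (slide 24)."""
    naive = (1 << N_BITS // 2, 1 << N_BITS // 2, 1 << N_BITS // 2)          # all n^(1/2)
    guided = (1 << N_BITS // 4, 1 << N_BITS // 4, 1 << 3 * N_BITS // 4)    # n^(1/4), n^(1/4), n^(3/4)
    out = {}
    for name, (xh, yh, sh) in (("naive", naive), ("guided", guided)):
        vals = sample_r(xh, yh, sh, samples)
        out[name] = {
            "max_r_below_n": max_r(xh, yh, sh) < N,        # validity condition R < n guaranteed?
            "deviation": max_bin_deviation(vals, max_r(xh, yh, sh)),
        }
    return out
```

With the naive ranges the product xy of two uniform variables piles up at low values (the logarithm-like shape of slide 24) and the lowest bin holds roughly four times its share; with the guided ranges the wide uniform s dominates the sum and the histogram is flat to within a few percent, while $xy + s \le n^{1/2} + n^{3/4} < n$ keeps every signature valid.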

Page 25

Applications

Sample MBS application: pseudonym's blind authorization

PKI-like pseudonym assignment infrastructure

[Diagram labels: PKI-like pseudonym assignment infrastructure, P, Server, blind signature, auth, Alice]

Page 26

Applications

Pseudonym hijacking

[Diagram labels: pseudonym assignment infrastructure, P, Server, auth, Alice, P, Evil]

Evil is authorised as Alice, because he has stolen her pseudonym.

MBS as a tool to show possession of the pseudonym private key.

Page 27

Applications

MBS for pseudonym authorization

[Equations for the blinded terms x_1, x_2 and the marked credential including the pseudonym private key (symbols B, e, d, g, H, X, Y, Z, P, R, n, with subscript p for the pseudonym) did not survive extraction.]

Inclusion of the pseudonym private key to permit verification at registration time.

Page 28

Conclusions

• Proven security of Marked Blind Signature

• Design of a simple scheme that can be easily integrated in an AAA infrastructure with pseudonyms

• New insights about distributions of random numbers introduced in signatures and related server attacks