Privacy in Encrypted Content Distribution Using Private Broadcast Encryption
Adam Barth, Dan Boneh, Brent Waters

Private Broadcast Encryption
• Make data available to select principals
  – Encrypt the data to those principals
• Often important to hide the set of principals
  – BCC recipients in encrypted email
  – Customer list (hide from competitors)
  – Promotion committee can read evaluations
• Private broadcast encryption
  – Recipient privacy against active attackers

Related Work
• Key privacy in public-key setting [BBDP01]
  – IK-CCA: Ciphertext does not leak public key
      • Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
  – Cramer-Shoup is IK-CCA (with common prime)
  – Important building block for recipient privacy
• Previous broadcast encryption systems
  – Increasing collusion resistance
  – Reducing ciphertext overhead
  – We focus on hiding recipient set

Our Results
• Generic construction (standard model)
  – Achieves CCA recipient privacy
  – Uses generic IK-CCA public-key system
  – Decryption time is linear in number of recipients
• Efficient construction (random oracle)
  – Achieves CCA recipient privacy
  – Assumes CDH is hard
  – Decryption in O(1) cryptographic operations

Broadcast Systems in Practice
• Microsoft Outlook
  – Encrypted email as a broadcast system
  – Outlook completely reveals BCC recipients
      • issuerAndSerialNumber
  – BCC recipients’ names can appear in the clear
  – Could send separate message for email
• Windows Encrypted File System
• Pretty Good Privacy (PGP)
  – GnuPG as an example implementation

Pretty Good Privacy?
• Message encrypted with symmetric key, K
• K encrypted for each recipient
• To speed decryption, components labeled with KeyIDs
  – Hash of public key
• User identities completely revealed
[Diagram: message body { }K with labelled key components A: {K}pk(A), B: {K}pk(B), C: {K}pk(C)]

Recipient Privacy in PGP
• PGP labels encryptions using a KeyID
    C:\gpg>gpg --verbose -d message.txt
    gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
    gpg: public key is 3CF61C7B
    gpg: public key is 028EAE1C
• KeyIDs easily translated into names and email addresses using a public key server
• GPG includes option to withhold KeyIDs
  – Vulnerable to passive recipient privacy attack
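The KeyID labels described above sit unencrypted in the OpenPGP public-key session-key packets, so anyone holding the ciphertext can list them. The following sketch is an added example, not code from the slides or from GnuPG: it walks the packet headers of a binary (de-armored) message and reports the KeyIDs it exposes. The function names and the sample message are constructed for illustration.

```python
# Added example, not from the slides: list the recipient KeyIDs an OpenPGP message exposes.
WILDCARD = "0000000000000000"  # RFC 4880 "speculative" KeyID: label withheld

def body_length(data, pos, first):
    """Decode a packet body length; return (length, offset of body)."""
    if first & 0x40:                                  # new-format header
        o = data[pos]
        if o < 192:
            return o, pos + 1
        if o < 224:
            return ((o - 192) << 8) + data[pos + 1] + 192, pos + 2
        if o == 255:
            return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        raise ValueError("partial body lengths are not handled here")
    ltype = first & 0x03                              # old-format header
    if ltype == 3:
        return len(data) - pos, pos                   # runs to end of input
    size = (1, 2, 4)[ltype]
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def session_key_ids(data):
    """Return the 8-byte KeyID (hex) of each public-key session-key packet."""
    ids, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        length, pos = body_length(data, pos + 1, first)
        body = data[pos:pos + length]
        if tag == 1 and body[:1] == b"\x03":          # version 3, then KeyID
            ids.append(body[1:9].hex().upper())
        pos += length
    return ids

def exposed_recipients(data):
    """KeyIDs an eavesdropper could look up on a public key server."""
    return [k for k in session_key_ids(data) if k != WILDCARD]

def sample_pkesk(key_id_hex):
    """Constructed packet: old-format tag 1, RSA (algo 1), dummy 8-bit MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xff"
    return bytes([0x84, len(body)]) + body

# Constructed message: two session-key packets, then a dummy tag-18 data packet.
SAMPLE = (sample_pkesk("AAAAAAAAAAAAAAAA") + sample_pkesk(WILDCARD)
          + bytes([0xD2, 4]) + b"\x01abc")

print(exposed_recipients(SAMPLE))
```

An all-zero KeyID only means the label was withheld; as the slide notes, that alone still leaves a passive recipient privacy attack.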

Security Model

Private Broadcast Encryption
• I Setup()
  – Generates global parameters I
• (pk, sk) Keygen(I)
  – Generates public-private key pairs
• C Encrypt(S, M)
  – Encrypts plaintext M for recipient set S
• M Decrypt(sk, C)
  – Decrypts ciphertext C with private key sk

CPA Recipient Privacy Defined
Adversary Challenger
Global Parameter
S0 and S1
S0 and S1 subsets of {1, …, n} such that |S0| = |S1|
All public keys
Secret keys for S0 S1
b R {0,1}
M encrypted for Sb as C*
Guess b’
Adversary wins if b’ = b
Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap

Simple CPA Recipient Privacy
• Remove labels
• Use key-private scheme
• Reorder components
• O(n) decrypt time
• CPA recipient privacy
• But, active attack…
  – Even with IK-CCA
[Diagram: the labelled ciphertext (A: {K}pk(A), B: {K}pk(B), C: {K}pk(C)) with its labels crossed out and its components reordered to {K}pk(B), {K}pk(A), {K}pk(C), alongside the message body { }K]

Active Attack on Simple Scheme
• Attacker a recipient
  – Learns K
• Replaces message with something alluring
• Forwards malicious message to Alice
• Waits for response
• Receives response only if Alice was a recipient
[Diagram: message body { }K with unlabelled components {K}pk(B), {K}pk(A), {K}pk(C)]

CCA Recipient Privacy Defined
Adversary Challenger
Global Parameter
S0 and S1
S0 and S1 subsets of {1, …, n} such that |S0| = |S1|
All public keys
Secret keys for S0 S1
Decrypt query on (u, C)
b R {0,1}
M encrypted for Sb as C*
Decrypt query on (u, C) (C C*)
Guess b’
Adversary wins if b’ = b

Constructions

Primitives Used in Constructions
• Strong correctness
  – Decrypting with wrong key results in
• Strong signatures
  – Attacker cannot create a new signature
  – Even on a previously signed message
  – Example: RSA full-domain hash
• CCA key private (IK-CCA) cryptosystem
  – Ciphertext does not leak public key

Generic CCA Construction
• Start with CPA scheme
• Generate a fresh signing key pair (vk, sk)
• Include verification key, vk, in each component
• Sign the ciphertext
• Thm: CCA recipient private
• O(n) decryption time
[Diagram: components {vk, K}pk(B), {vk, K}pk(A), {vk, K}pk(C) and the message body { }K]

Added Primitives for Efficiency
• A group G where CDH is hard
  – Extend public keys with g^a, private keys with a
• Model hash function as a random oracle
  – Use extraction property to break CDH
  – Use DH self-corrector [Shoup97]

Ciphertext Component Labels
• Speed decryption with private labels
• To make labels for every component:
  – Pick a single fresh exponent r
  – Include g^r in the ciphertext
  – Label component for (pk, g^a) with H(g^{ar})
• Each recipient computes own label with g^r and a
  – Attacker can not associate H(g^{ar}) with g^a
• Still need to tie labels to verification key…
  – Include g^{ar} in ciphertext components
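The label mechanism above, as an added example that is not code from the slides or the paper: the sender derives one label per component from a single fresh r, and each recipient recomputes its own label from g^r and a, then does one table lookup. The modulus, base, hash choice and function names are assumptions made for illustration (a toy group, not one vetted for CDH hardness), and the components are opaque placeholders rather than real key-private encryptions.

```python
# Added example, not from the slides: private component labels H(g^{ar}).
import hashlib
import secrets

P = 2**521 - 1  # assumption: toy modulus (a Mersenne prime), not a vetted CDH group
G = 3           # assumption: toy base element

def keygen():
    """Return (g^a, a), the extension to a recipient's public and private key."""
    a = secrets.randbelow(P - 2) + 1
    return pow(G, a, P), a

def H(x):
    """Hash a group element; stands in for the random oracle."""
    return hashlib.sha256(x.to_bytes(66, "big")).digest()

def label_components(recipient_gas, components):
    """Sender: pick one fresh r, label the component for g^a with H(g^{ar})."""
    r = secrets.randbelow(P - 2) + 1
    labelled = {H(pow(ga, r, P)): c for ga, c in zip(recipient_gas, components)}
    # Sort by label so component order says nothing about the recipient list.
    return pow(G, r, P), dict(sorted(labelled.items()))

def find_component(a, g_r, labelled):
    """Recipient: recompute H((g^r)^a) and do one lookup, no trial decryption."""
    return labelled.get(H(pow(g_r, a, P)))

if __name__ == "__main__":
    (ga_a, a), (ga_b, b), (ga_z, z) = keygen(), keygen(), keygen()
    # Components are opaque placeholders here; in the slides each one is a
    # key-private encryption of (vk, g^{ar}, K).
    g_r, labelled = label_components([ga_a, ga_b], [b"comp-A", b"comp-B"])
    print(find_component(b, g_r, labelled))   # recipient B finds its component
    print(find_component(z, g_r, labelled))   # non-recipient finds nothing
```

Because r is fresh for every message, the same recipient gets a different label each time, unlike a static KeyID.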

Efficient CCA Construction
• Thm: CCA recipient private (in RO model)
• O(1) cryptographic operations for decryption
[Diagram: ciphertext containing g^r, the message body {M}K, and labelled components H(g^{br}): {vk, g^{br}, K}pk(B); H(g^{ar}): {vk, g^{ar}, K}pk(A); H(g^{cr}): {vk, g^{cr}, K}pk(C)]

Conclusions
• Many widely-deployed content distribution systems lack recipient privacy
  – Email and encrypted file systems
• Introduced private broadcast encryption
  – Recipient privacy against an active attacker
  – Performance similar to non-private schemes
• Open problem: private broadcast encryption with shorter ciphertext

Questions?

Broadcast Semantics of Email
[Diagram labels: Mail User Agent (MUA); Mail Transfer Agent (MTA); Recipient MTA (×2); Recipient (×3)]

BCC privacy in S/MIME
• S/MIME label is the RecipientInfo field.
• Label consists of the issuer and serial number of the recipient’s certificate
• Self-signed certificate:
  – Full name and email address in the clear
    444:d=9 hl=2 l= 3 prim: OBJECT :commonName
    449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser
    462:d=7 hl=2 l= 32 cons: SET
    464:d=8 hl=2 l= 30 cons: SEQUENCE
    466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
    477:d=9 hl=2 l= 17 prim: IA5STRING :[email protected]
• VeriSign certificate: identity at verisign.com

BCC Privacy by User Agent
Columns: Completely Exposes | Partially Reveals | Protects Identity
Row groups: S/MIME-based, PGP-based
Apple Mail.app 2.622
Outlook 2003
Outlook Express 6
Thunderbird 1.02
Outlook Web Access
EudoraGPG 2.0
GPGshell 3.42
Hushmail KMail 1.8
PGP Desktop 9.0
Turnpike 6.04

Sending Separate Encryptions
• Sending separate encryptions provides BCC privacy
• Advantages of separate encryptions
  – Can be deployed immediately and unilaterally
  – Conceals the number (and existence of) BCC recipients
• Disadvantages of separate encryptions
  – Difficult to implement for MUA plug-ins such as EudoraGPG
  – Increases MTA workload and network traffic