11 Identification & ZKIP. Introduction Passwords Challenge-Response ZKIP 22.
-
Upload
lesley-nichols -
Category
Documents
-
view
218 -
download
0
Transcript of 11 Identification & ZKIP. Introduction Passwords Challenge-Response ZKIP 22.
1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine)
2. In store credit card purchases3. Prepaid calling card : Asking a service by
telephone card or membership cards4. Remote login: Remote access to host under
Client /Server environment5. Access to restricted areas, etc.
3
Method Examples Reliability
Security Cost
What youRemember
(know)
PasswordTelephone #
Reg. #M/L
M(theft)L(imperso- nation)
Cheap
What you have
Registered SealMagnetic Card
IC CardM L(theft)
M(imperso-nation)
Reason-Able
What you Are
Bio-metric(Fingerprint,
Eye, DNA, face,Voice, etc.)
H H(theft)H(imperso- nation)
Reasonable
Expensive
4
Password-based scheme (weak authentication) ◦ crypt passwd under UNIX◦ one-time password
Challenge-Response scheme (strong authentication)◦ Symmetric cryptosystem◦ MAC(keyed-hash) function◦ Asymmetric cryptosystem
Cryptographic Protocols◦ Fiat-Shamir identification protocol◦ Schnorr identification protocol, etc
6
Replay fixed pwds◦ Observe pwd as it is typed in◦ Eavesdrop the data in cleartext◦ Not suitable over open communication networks
Exhaustive pwd search◦ Let E(c) be the entropy of 8-char pwds from choices◦ E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6
Pwd guessing and dictionary attacks◦ A large dictionary contains 250,000 words◦ Dictionary attack: order lists and compared to entries in the
encrypted dictionary ◦ Combine numerical and alphabetical characters.
8
9
truncate to 8ASCII chars; 0-pad if necessary
userpasswd DES*
Repack 76 bitsinto 11 7-bitcharacters
encrypted passwd
/etc/passwd
user salt
I1= 0…0next input Ii
2 i 25
output, Oi
O25
56
64
64
12
12
salt : 12-bit random from system clock when select passwd.DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations,
Assumption◦Secret Key : known to only P and V◦Random Challenge : P and V have perfect
random number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions
◦MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)
10
Using Symmetric Cryptosystem
11
P Vrandom challenge,x
x
y=eK(x)y
y’=eK(x)y=y’ ?
K
Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r
Using Asymmetric Cryptosystem P can prove to have secret information in
either way :(1) P decrypts a challenge encrypted under P’s public
key.(2) P digitally signs a challenge.
12
P Vrandom challenge,x
x
y=e[sK,x]y
y’= d[pk ,x]y = y’ ?
PK
GMR (Goldwasser, Micali, Rackoff) 1. “The knowledge complexity of interactive-proof
systems”, Proc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985
2. “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp.186-208, 1989 (revised version)
ZKIP (Zero Knowledge Interactive Proof) : between P and V◦ Completeness : Only true P can prove V.◦ Soundness : False P’ can’t prove V.◦ 0-Knowledge : No knowledge transfer to V.
13
16
1P/1V
Interactive
Non-interactive
ZK
GMR Model * P:infinite, V: poly
BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)
0-KMinimum Know.Oracle ZKIP
WH
PerfectComputationalStatistical
MembershipKnowledgeComputational power
Property
Object
Model
MP
MV
*AM-game : GMR model and V has random coin.
17
1P/1V
Interactive
Non-interactive
ZK
GMR Model * P:infinite, V: poly
BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)
0-KMinimum Know.Oracle ZKIP
WH
PerfectComputationalStatistical
MembershipKnowledgeComputational power
Property
Object
Model
MP
MV
*AM-game : GMR model and V has random coin.
(Preparation)
(TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization.
(P)
(i) private key: choose random value S, s.t. gcd(S,n)=1. (1 < S < n) (ii) public key : P computes I=S2 mod n, and publishes (I,n)
as public
Goal P has to convince V that he knows his private key S and its
corresponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.
18
1. P chooses random value r (1<r<n) and computes x=r2mod n. then sends x to V.2. V requests from P one of the following request at random (a) r or (b) rS mod n3. P sends the requested information to V.4. V verifies that he received the right answer by checking
whether (a) r2 = x mod n or (b) (rS)2 = xI mod n5. If verification fails, V concludes that P does not know S, and
thus he is not the claimed party.6. This protocol is repeated t (usually 20 or 30) times, and if in
all of them the verification succeeds, V concludes that P is the claimed party.
19
20
V Ppublic : I,n n=pq, I=S2 mod n
2.ei={0,1}
x
ei
Repeat t-times 3. If ei=0, send y=r
If ei=1, send y=rS
y
4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n?
* commitment-witness-challenge-response-verification and repeat
(1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n.
(2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance.
(3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t. (t=20 or 30)
(4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information : he learns that I is a quadratic residue
21
Based on DLP under Trusted Authority (TA) TA decides public parameters
◦ p : large prime (1024 bit)◦ q : large prime divisor of p-1 (160 bit)◦ α Zp
* has order q
◦ t : security parameter s.t. q > 2t ◦ Public parameters : p, q, α, t
Prover choose ◦ private key : a ( 1 ≤ a ≤ q-1) ◦ public key v = α–a mod p
Honest Verifier (choose r at random by the scheme) ZKIP
22
23
1 1 mod qkpk
tr 21
?(*) mod pvry
private key : a, public key: v
1. Select random k V P
Public par. : p,q,α,t
r
3. y = k + ar mod qy
2. Verify P’s public key generate random challenge
4. Verify
, cert(P)
mod (*) pvv kararkrarkry
(TA) ◦ p=88667, q=1031, t=10, α=70322 has order q in Zp
*
(P) ◦ private key a = 755 ◦ public key v = α-a mod p = 703221031-755 mod 88667 = 13136
P: random k = 543, αk mod p = 70322543 mod 88667 = 84109, commit V: random challenge r =1000 P: y= k + ar mod q = 543 + 755x1000 mod 1031=
851 V: on receiving y, verify that 84109 = 70322851
131361000 mod 88667. If equals, accept
24