Design and Security Analysis of Marked Blind Signature
Training activity
Student: Claudia Snels
Professor: Giuseppe Bianchi
Presentation outline
• Introduction
  – Blind signatures
  – New Marked Blind Signature (MBS)
• Security analysis
  – General methods
  – Security analysis of MBS
• Ongoing work on MBS
• Applications
• Conclusions
Introduction: Blind signatures
Chaum’s Blind RSA Signature
• P: message to be signed; B: blinding term
• (e,n): server’s public key; (d,n): server’s private key
• Client → Server: B^e P mod n
• Server → Client: (B^e P)^d = B P^d mod n
• The user unblinds the received value (divides by B) and obtains a valid signature P^d for P
• The server doesn’t know what he has signed: BLIND SIGNATURE
Introduction: New Marked Blind Signatures
Marked Blind Signature
• Goal: add a random “mark” R inside the signature
• R unknown to, and unforgeable by, both server and client
• Applications
  • “stamp” the act of signing
  • Anticipated certificate verification
    – Wrap proof of possession of a certificate private key inside the signature!
    – SPARTA pseudonym/authorization approach from Netlab (more later)
Approach: use the homomorphic property of RSA encryption for the homomorphic computation of R = XY.
Marked Blind Signature: simpler (but flawed) version, easier to understand
• X = client random; B = blinding factor
• R = XY inserted by the client (full-domain hashed with P), blinded with the same factor B
• Server-side blind insertion of R = XY
• Additive insertion to avoid forgery and easy attacks
• (blindly) Signed credential
Flaw: traceability! The server can associate the following value to the real user.
[Slide formulas not recoverable from the transcript: the handshake terms x1 and x2, built from B, X, Y, P and the hash H, and the traceable value derived from them.]
Introduction: New Marked Blind Signatures
Marked Blind Signature: actual (correct) version
• Discrete logarithm modulo n (the server’s RSA modulus), with a DL-strong base g
• (Double) homomorphic computation of R = XY + Z
  – X, Z: client random
  – Y: server random
  – under the condition XY + Z < n
• Elimination of B is now harmless
[Slide formulas not recoverable from the transcript: the handshake terms x1 and x2, built from B, g^X, Y, Z, P and the hash H.]
Introduction: New Marked Blind Signatures
Signature verification
• Authorization credential: signed pseudonym
• After the server signature, the client computes R = XY + Z [the slide’s formula is not recoverable from the transcript]
• Verification:
  – Client verifies certificate P (usual challenge handshake)
  – Client presents P, R, cred
  – Server checks: cred = (H(g^R | P) + R)^d, i.e. cred^e = H(g^R | P) + R, i.e. cred^e − R = H(g^R | P)
Security analysis: General methods
How to develop a security analysis
Security protocol = message exchange + cryptographic primitives
Message exchange:
• Logic correctness
• Explicitness of the information exchanged
• Semantic analysis, automatic theorem provers (Isabelle)
• Cryptography is supposed to work well (treated as a black box)
Security analysis: General methods
How to develop a security analysis
Cryptographic primitives:
• Simple signature schemes like RSA, Diffie-Hellman: massive usage of basic number theory theorems
• More complicated schemes like Chaum’s Blind Signature, elliptic curve signatures: a jungle of papers about zero-knowledge proofs, random oracles
WHY?
Security analysis: General methods
Security analysis: our choice
Problem: simple ideas but with “uncommon” requirements (e.g. untraceability) are VERY difficult to prove.
Two strategies:
• Design a very complicated protocol which can satisfy a large number of hypotheses. Under such strict hypotheses a rigorous mathematical proof is possible. Problem: inapplicability of such protocols in software tools.
• Maintain a simple idea! Try an attack-based security analysis, and build a rigorous proof when possible. OUR CHOICE
Security analysis of mbs
Main features of a blind signature scheme
• Unforgeability of R: R should be a random value created by both peers but not forgeable, in order to prevent traceability or reuse of the same marker
• Unforgeability of mbs: the client should not be able to generate (forge) a valid signature
• Untraceability: the server should not be able to trace the client
Security analysis of mbs
Unforgeability of R
We remind that R = xy + s.
The strategy of the attack is to choose a suitable x (for the client) or y (for the server) such that a^x ≡ 1 mod n or a^y ≡ 1 mod n. In the first case we have R = s, so its value is decided by the client.
Values having this property are the Euler totient function and the Carmichael function, but these values are known only to Bob, who possesses the factorization of n = pq. So we can conclude:
• The server can choose a suitable y, but this is not an advantage for him
• The client can’t choose a suitable x; in other words, this is as difficult as factoring the RSA modulus n
R is UNFORGEABLE
Security analysis of mbs
Unforgeability of mbs
We refer to the one-more forgery, in the sense that if the client owns a signing oracle she can’t obtain one more mbs than the number of queries she makes to the oracle.
How can Alice try to forge mbs?
HOMOMORPHIC PROPERTY OF RSA
sign(m1) = m1^d mod n
sign(m2) = m2^d mod n
sign(m1 m2) = (m1 m2)^d = m1^d m2^d = sign(m1) sign(m2) mod n
With Marked Blind Signature is this possible?
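The Chaum exchange from the introduction and the homomorphic property above, as an added toy example that is not part of the original presentation: the full-domain hash H(P), the 40-bit modulus and the sha256-based hash are my assumptions, chosen so the code runs instantly.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for illustration only (a real modulus is 2048+ bits).
P_PRIME, Q_PRIME = 1000003, 1000033
N = P_PRIME * Q_PRIME
E = 65537                                          # server's public exponent e
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))      # server's private exponent d

def fdh(message: bytes) -> int:
    """Toy full-domain hash: map the message P into Z_n before it is signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(message: bytes):
    """Client: pick a blinding term B coprime to n and send B^e * H(P) mod n."""
    while True:
        b = secrets.randbelow(N - 2) + 2
        if gcd(b, N) == 1:
            return b, (pow(b, E, N) * fdh(message)) % N

def server_sign(blinded: int) -> int:
    """Server: (B^e * H(P))^d = B * H(P)^d mod n; it never sees H(P) or P."""
    return pow(blinded, D, N)

def unblind(b: int, blinded_sig: int) -> int:
    """Client: divide by B to recover the plain signature H(P)^d mod n."""
    return (blinded_sig * pow(b, -1, N)) % N

def verify(message: bytes, sig: int) -> bool:
    """Anyone: sig^e must equal the full-domain hash of the message."""
    return pow(sig, E, N) == fdh(message)

def blind_sign_roundtrip(message: bytes) -> bool:
    """Full Chaum exchange: blind -> server signs -> unblind -> verify."""
    b, blinded = blind(message)
    return verify(message, unblind(b, server_sign(blinded)))

def raw_signature_product(m1: bytes, m2: bytes):
    """RSA homomorphism: sign(h1) * sign(h2) is a raw RSA signature of h1 * h2 mod n.
    Returns (the product signature, whether it passes the raw RSA check)."""
    h1, h2 = fdh(m1), fdh(m2)
    combined = (pow(h1, D, N) * pow(h2, D, N)) % N
    return combined, pow(combined, E, N) == (h1 * h2) % N
```

The product signature passes the raw RSA check, yet verify() rejects it for any message the client can name: the full-domain hash is what turns the homomorphism into a harmless curiosity instead of a forgery.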
Security analysis of mbs
Unforgeability of mbs
mbs1 = (H(A1 | m1) + R1)^d mod n
mbs2 = (H(A2 | m2) + R2)^d mod n
Try to find an R and a message m such that
H(A | m) + R = (H(A1 | m1) + R1)(H(A2 | m2) + R2) = H(A1 | m1) H(A2 | m2) + H(A1 | m1) R2 + H(A2 | m2) R1 + R1 R2
Hard computation due to
• multiple hash terms
• presence of R inside and outside the hash
Under the Random Oracle hypothesis, our signature is as unforgeable as Chaum’s blind signature.
Security analysis of mbs
Untraceability
We focus on the possibility for the server to build a marker univocally linkable to one client (remember the flaw of the first scheme presented). In our case we can eliminate the blinding term B and produce the following ratios:
x2 / x1 = (H(A | m) + s) / x
(x1 y + x2) / x1 = (H(A | m) + xy + s) / x = (H(A | m) + R) / x
While good candidates for markers are R, H(A | m) + R and (H(A | m) + R) / R:
• not directly obtainable by the server
• always blinded
Security analysis of mbs
Untraceability
In order to obtain (H(A | m) + R) / R we must have R, that is xy. We have demonstrated that R (that is, xy) is not obtainable as long as the server doesn’t know B.
So the next question is: how to obtain B? During the handshake the server sees
x2 = B^e (H + s)
x1 = B^e x
2 equations, 3 unknowns: blindness during the handshake.
Security analysis of mbs
Formal proof of validity and blindness
Definition. A signature scheme is called blind if the server’s view V and the triple (mbs, R, m) are statistically independent, that is, during the verification phase the server cannot recognise the client.
Theorem. The triple (mbs, R, m) is a valid signature for message m and the mbs protocol is a blind scheme.
Proof. Validity (if the hash is collision free):
T = ((H(A | m) + R) B^e)^d B^{-1} = (H(A | m) + R)^d B B^{-1} = (H(A | m) + xy + s)^d
  = B^{-1} (B^e H(A | m) + B^e xy + B^e s)^d = B^{-1} B (H(A | m) + s + xy)^d
  = B^{-1} (x1 y + x2)^d = mbs mod n
Security analysis of mbs
Formal proof of validity and blindness
Blindness. We show that given any view V and any valid triple (mbs, R, m) there exists a unique pair of blinding factors B and R. Because the client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows. If the signature (mbs, R) has been generated during an execution of the protocol with view V consisting of y, x1, x2, (x1 y + x2), then the following equations must hold:
mbs = B^{-1} (x1 y + x2)^d
R = xy + s
One-parameter solution: B = (x1 y + x2)^d mbs^{-1}, R = xy + s.
Since x and s are random and R is unforgeable, the solution is unique.
Security analysis of mbs
Harn’s attack
Harn’s attack is a server attack based on:
• Blind signature
• Collection of signatures and handshake terms
Let m be a generic message to be blindly signed; the attack is developed in two steps:
1. The server collects, for each client, the received term B^e m and the returned term B m^d
2. When the server receives the signature m^d, he divides every B m^d term by it and tests whether the B obtained gives a correct match for B^e m. With a positive match he can trace the user.
Security analysis of mbs
Resistance of mbs against Harn’s attack
Let m = H(R) and let m^d be the signature received by the server during verification; suppose that we have two registered users.
1) If m = m1, the server operates the strategy previously described and succeeds in identifying Client 1.
2) If m = m2, the server operates the strategy previously described but first tries to identify Client 2 as Client 1. We write m2^d = c m1^d:
B1 m1^d / m2^d = B1 m1^d / (c m1^d) = B1 / c
(B1 / c)^e m1 = B1^e m1 / c^e
The server incorrectly identifies Client 2 as Client 1.
Ongoing work on mbs
Open problems: distribution of R
If we want the signature to be valid we must have R < n.
But x, y and s are random.
It is necessary to choose suitable distributions and ranges such that R looks like a uniformly distributed random variable.
Naive approach: try x and y uniform in [1, √n] and s uniform in [1, √n].
Problem: BAD distribution.
Ongoing work on MBS
Attack on the distribution of R
The distribution of R has a very different concentration for high or low values of y. So if the server gives a client a low y, he knows that with very high probability R will assume a certain range of values, and vice versa.
The server can classify and consequently trace classes of users.
[Plot of the distribution of R for different fixed values of y; curves not recoverable from the transcript.]
Ongoing work on MBS
Guidelines for distribution choices
• y protects the server from the client’s attack on R, so its distribution range should not be small
• The client is already protected by s, so x can be small
• s can smooth the distribution of R (convolution), so it should have a large range
Ongoing work on MBS
Some insights about distributions
If x and y are uniform in the same range: logarithm-like distribution.
If x and y are uniform in [1, n^(1/4)] and s is uniform in [1, n^(3/4)]: almost uniform.
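A simulation of the two range choices discussed on the last slides, added here and not part of the original presentation: it draws R = xy + s, measures how far R is from uniform over its possible range, and checks whether a low or high server-chosen y still predicts R (the classification the server would exploit). The 40-bit toy modulus, sample count and the decile-based measures are my assumptions.

```python
import random
from statistics import median

# Constructed toy size: only the relative ranges of x, y, s matter for the shape of R.
N_BITS = 40
N = 1 << N_BITS

def sample_R(rng, x_max, y_max, s_max, count):
    """Draw (y, R) pairs with x, y, s uniform on [1, *_max] and R = x*y + s."""
    out = []
    for _ in range(count):
        x = rng.randint(1, x_max)     # client random
        y = rng.randint(1, y_max)     # server random (known to the server)
        s = rng.randint(1, s_max)     # client smoothing term
        out.append((y, x * y + s))
    return out

def max_bin_deviation(values, upper, bins=10):
    """Largest relative deviation of a bin count from the uniform expectation
    over [0, upper); 0 means perfectly uniform."""
    counts = [0] * bins
    for v in values:
        counts[min(v * bins // upper, bins - 1)] += 1
    expected = len(values) / bins
    return max(abs(c - expected) / expected for c in counts)

def low_high_y_median_ratio(pairs, y_max):
    """Median R for the lowest decile of y divided by the median for the highest
    decile. Near 1 means the y chosen by the server tells it nothing about R."""
    low = [r for y, r in pairs if y <= y_max // 10]
    high = [r for y, r in pairs if y > y_max - y_max // 10]
    return median(low) / median(high)

def analyse(x_max, y_max, s_max, seed=1, count=20000):
    """Return (non-uniformity of R, low-y/high-y median ratio) for given ranges."""
    rng = random.Random(seed)
    pairs = sample_R(rng, x_max, y_max, s_max, count)
    upper = x_max * y_max + s_max       # largest value R can take
    return (max_bin_deviation([r for _, r in pairs], upper),
            low_high_y_median_ratio(pairs, y_max))

# Naive choice from the slides: x, y, s all uniform in [1, sqrt(n)].
naive = analyse(1 << 20, 1 << 20, 1 << 20)
# Guideline choice: x, y in [1, n^(1/4)], s in [1, n^(3/4)], so s smooths R.
guided = analyse(1 << 10, 1 << 10, 1 << 30)
```

With the naive ranges R piles up in the low bins and a small y pins R to small values, while with the guideline ranges the convolution with s makes R close to uniform and independent of y.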
Applications
Sample MBS application: pseudonym’s blind authorization
PKI-like pseudonym assignment infrastructure
[Diagram: Alice, pseudonym P, blind signature, server, authorization.]
Applications
Pseudonym hijacking
[Diagram: pseudonym assignment infrastructure; Alice, Evil, pseudonym P, server, authorization.]
Evil is authorised as Alice, because he has stolen her pseudonym.
MBS as a tool to show possession of the pseudonym private key.
Applications
MBS for pseudonym authorization
[Slide formulas not recoverable from the transcript: the handshake terms x1 and x2, built from B, g, the pseudonym private key p, X, Y, Z, P and the hash H, and the resulting R.]
Inclusion of the pseudonym private key to permit verification at registration time.
Conclusions
• Proven security of Marked Blind Signature
• Design of a simple scheme that can be easily integrated in an AAA with pseudonyms
• New insights about the distributions of random numbers introduced in signatures and related server attacks