What is the problem with end-to-end encrypted communication?
Transcript of What is the problem with end-to-end encrypted communication?
![Page 1: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/1.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTIONRedirect end-to-end encrypted traffic
![Page 2: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/2.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
2IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 3: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/3.jpg)
SECURE SYSTEMS ENGINEERING GMBH 3IT SECURITY IS NOT BINARY
Bachelor in maths @ Freie Universität Berlin
Master in computer science @ Freie Universität Berlin
Master thesis on Proxy Re-Encryption and its uses for electronic mail boxes
Security Expert @ SSE
Who am I?
WHO AM I?
✓ Doppelkopf enthusiast✓ Into crypto, sports and games
TEETJE STARK
![Page 4: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/4.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
4IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 5: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/5.jpg)
SECURE SYSTEMS ENGINEERING GMBH
MESSAGES DOCUMENTS INTELLECTUAL PROPERTY
COMPANY SECRETS INTERNAL STRUCTURE OF THE COMPANY
STRATEGIES PERSONAL DATA …
REASONS TO USE END-TO-END-ENCRYPTION (E2EE)
5IT SECURITY IS NOT BINARY
Confidentiality Integrity Authenticity Non-repudiationAnnoy
the NSA ;-)
![Page 6: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/6.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
6
STEP 1: I GO TO WORK
IT SECURITY IS NOT BINARY
![Page 7: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/7.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
7
STEP 2: I COMMUNICATE WITH A CLIENT VIA END-TO-END ENCRYPTION
IT SECURITY IS NOT BINARY
me my client
![Page 8: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/8.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
8
STEP 3: I GO ON VACATION
IT SECURITY IS NOT BINARY
![Page 9: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/9.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
9IT SECURITY IS NOT BINARY
STEP 4: MY CLIENT WANTS TO TALK, BUT THE REPLACEMENT DOESN‘T HAVE THE KEY
me my client
?
my replacement
![Page 10: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/10.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
10
JUST DON‘T ENCRYPT
IT SECURITY IS NOT BINARY
![Page 11: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/11.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
11
SHARE ALL THE KEYS
IT SECURITY IS NOT BINARY
![Page 12: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/12.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
12
IGNORE UNTIL I‘M BACK
IT SECURITY IS NOT BINARY
![Page 13: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/13.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
13IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 14: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/14.jpg)
SECURE SYSTEMS ENGINEERING GMBH
… „FORWARDING“ (RE-ENCRYPTION) OF E2EE CIPHERTEXTS BY A SEMI-TRUSTED PROXY (E.G. MAIL SERVER)
PROXY RE-ENCRYPTION
14IT SECURITY IS NOT BINARY
SECUREEFFICIENTASYNCHRONUS
PROXY RE-ENCRYPTION IS A CRYPTOGRAPHIC PRIMITIVE THAT ALLOWS …
![Page 15: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/15.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mailserver
USUAL SETUP
15IT SECURITY IS NOT BINARY
Alice Bob
![Page 16: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/16.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mailserver
USUAL SETUP
16IT SECURITY IS NOT BINARY
Alice Bob
Charlie
Allow Re-Encryption to Charlie
![Page 17: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/17.jpg)
SECURE SYSTEMS ENGINEERING GMBH
USUAL SETUP
17IT SECURITY IS NOT BINARY
Alice Bob
Proxy
Re-Encryption
Charlie
![Page 18: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/18.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
18IT SECURITY IS NOT BINARY
Proxy never sees the plaintext
Only with permission of Bob can the proxy re-encrypt mails
Charlie cannot read Bobs mails without the proxies help
If either Bob or the Proxy are honest, only the messagesintended to be forwarded will be forwarded
• Time-boxed
• Could be based on additional attributesthat are not encrypted(better: attribute-based encryption)
In a company the semi-trusted mail server is a reasonable assumption
![Page 19: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/19.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
19IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 20: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/20.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
20IT SECURITY IS NOT BINARY
vs.CPA-SECURE CCA-SECURE
vs.UNIDIRECTIONAL BIDIRECTIONAL
vs.SINGLE-USE MULTI-USE
vs.WITHOUT MASTER SECRET SECURITY WITH MASTER SECRET SECURITY
![Page 21: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/21.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
21IT SECURITY IS NOT BINARY
re-encryptionkey can only
be used in one direction
re-encryptionkey can beused in bothdirections
vs.UNIDIRECTIONAL BIDIRECTIONAL
![Page 22: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/22.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
22IT SECURITY IS NOT BINARY
re-encryptioncan only bedone once
re-encryptioncan be donemultiple times
vs.SINGLE-USE MULTI-USE
![Page 23: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/23.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
23IT SECURITY IS NOT BINARY
vs.CPA-SECURE CCA-SECURE
vs.UNIDIRECTIONAL BIDIRECTIONAL
vs.SINGLE-USE MULTI-USE
vs.WITHOUT MASTER SECRET SECURITY WITH MASTER SECRET SECURITY
![Page 24: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/24.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
24IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 25: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/25.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
25IT SECURITY IS NOT BINARY
What is the most useful attribute?
Unidirectionality
How is it (usually) achieved?
Bilinear maps
What are bilinear maps?
Bilinear maps are maps e: 𝐺1 × 𝐺2 → 𝐺3, usually G ≔ 𝐺1 = 𝐺2, with 𝐺𝑖 cyclic groups of prime order 𝑝, which are:
▪ Bilinear: ∀ 𝑔, ℎ ∈ 𝐺, 𝑎, 𝑏 ∈ ℤ𝑝: 𝑒 𝑔𝑎, ℎ𝑏 = 𝑒 𝑔, ℎ 𝑎𝑏
▪ Non-degenerate: ∃𝑔, ℎ ∈ 𝐺: 𝑒 𝑔, ℎ ≠ 𝟏𝐺3
![Page 26: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/26.jpg)
SECURE SYSTEMS ENGINEERING GMBH
EXAMPLE ENCRYPTION
26
CCA-Secure UnidirectionalProxy Re-Encryption in theAdaptive Corruption Modelwithout Random Oracles 𝟏
1https://eprint.iacr.org/2010/265.pdf
26SECURE SYSTEMS ENGINEERING GMBH IT SECURITY IS NOT BINARY
Weng et al.
![Page 27: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/27.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
27IT SECURITY IS NOT BINARY
𝐹 is a pseudo-random function, 𝐻 is a collision-resistant* hash function
Second-level encryptionCreate a ciphertext that
can be forwarded
𝐸𝑛𝑐2 𝑝𝑘𝑖 = 𝑔𝑥𝑖 , 𝑚 :
𝑟 ՚$ℤ𝑝∗
𝐶1 = 𝑔1𝑟
𝐶2 = 𝑝𝑘𝑖𝑟
𝐾 = 𝑍𝑟
𝐶3 = 𝐹 𝐾, 𝐶1 𝑙1 ∥ 𝐹 𝐾, 𝐶1𝑙2 ⊕𝑚
t՚$ℤ𝑝∗
ℎ = 𝐻 𝐶1, 𝐶3
𝐶4 = 𝑢ℎ𝑣𝑡𝑤𝑟
Return 𝐶𝑇𝑖 = 𝑡, 𝐶1, 𝐶2, 𝐶3, 𝐶4
First-level encryptionCreate a ciphertext thatcan not be forwarded
𝐸𝑛𝑐1 𝑝𝑘𝑖 = 𝑔𝑥𝑖 ,𝑚 :
𝑟 ՚$ℤ𝑝∗
𝐶1 = 𝑔1𝑟
𝐶2′ = 𝑒 𝑝𝑘𝑖 , 𝑔
𝑟
𝐾 = 𝑍𝑟
𝐶3 = 𝐹 𝐾, 𝐶1 𝑙1 ∥ 𝐹 𝐾, 𝐶1𝑙2 ⊕𝑚
𝑡՚$ℤ𝑝∗
ℎ = 𝐻 𝐶1, 𝐶3
𝐶4 = 𝑢ℎ𝑣𝑡𝑤𝑟
Return 𝐶𝑇𝑖′ = 𝑡, 𝐶1, 𝐶2
′ , 𝐶3, 𝐶4
Re-Encryption functionTransform second-level ciphertext
to first-level ciphertext
𝑅𝑒𝐸𝑛𝑐 𝑟𝑘𝑖→𝑗 = 𝑔𝑥𝑗/𝑥𝑖 , 𝐶𝑇𝑖 :∗
𝑡, 𝐶1, 𝐶2, 𝐶3, 𝐶4 ՚ 𝐶𝑇𝑖
𝐶2′ = 𝑒 𝐶2, 𝑟𝑘𝑖→𝑗
Return 𝐶𝑇𝑖′ = 𝑡, 𝐶1, 𝐶2
′ , 𝐶3, 𝐶4
▪ Note that 𝑟𝑘𝑖→𝑗 = 𝑔𝑥𝑗/𝑥𝑖 is the
re-encryption key, which can beconstructed from public key𝑝𝑘𝑗 = 𝑔𝑥𝑗 of 𝐽 and private key 𝑥𝑖 of 𝐼
▪ It cannot be generated from 𝑔𝑥𝑖 and 𝑥𝑗,
i.e. 𝑟𝑘𝑗→𝑖 = 𝑔𝑥𝑖/𝑥𝑗 ≠ 𝑟𝑘𝑖→𝑗 = 𝑔𝑥𝑗/𝑥𝑖
→ Thus the scheme is unidirectional
∗ Leaving out all required validity checks
![Page 28: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/28.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
28IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 29: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/29.jpg)
SECURE SYSTEMS ENGINEERING GMBH
DRAWBACKS OF PROXY RE-ENCRYPTION
29
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
Mainly based on bilinear maps
▪ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
▪ Bilinear maps are slow1
![Page 30: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/30.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mainly based on bilinear maps
▪ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
▪ Bilinear maps are slow1
DRAWBACKS OF PROXY RE-ENCRYPTION
30
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
𝑔, 𝑔 Τ1 𝑎, 𝑔𝑎 , 𝑔 𝑎2 , 𝑔𝑏, 𝑒 𝑔, 𝑔 𝑐
Can someone distinguish between:
𝑔, 𝑔 Τ1 𝑎, 𝑔𝑎 , 𝑔 𝑎2 , 𝑔𝑏, 𝑒 𝑔, 𝑔 Τ𝑏 𝑎2
and:
where 𝑎, 𝑏, 𝑐 ՚$ℤ𝑝∗ (3-weak decisional bilinear Diffie-Hellman inversion)?
![Page 31: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/31.jpg)
SECURE SYSTEMS ENGINEERING GMBH
DRAWBACKS OF PROXY RE-ENCRYPTION
31
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
Mainly based on bilinear maps
▪ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
▪ Bilinear maps are slow1
Proxy
Still requires a certain level of trust in the proxy
![Page 32: What is the problem with end-to-end encrypted communication?](https://reader036.fdocuments.in/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/32.jpg)
SECURE SYSTEMS ENGINEERING GMBH IT SECURITY IS NOT BINARY
THANK YOU!
IT SECURITY IS NOT BINARY
IF YOU HAVE QUESTIONS, JUST ASK
MY HOLIDAY REPLACEMENT … ;-)