Chapter 4: Intermediate Protocols Dulal C. Kar



Timestamping Services

• Tampering with timestamps in a digital document is trivial
• We need a protocol for digital timestamping with the following desirable properties
  – Data itself (not the medium) must be timestamped
  – Must be impossible to change a single bit of the document without being caught
  – Must be impossible to timestamp a document with a date and time different from the present one (no back-dating possible)


Timestamping: Arbitrated Solution

• Trent: a trusted timestamping service
• Protocol:
  – Alice sends a copy of the document to Trent
  – Trent records the date and time and retains a copy of the document
• Problems
  – No privacy
  – Database would have to be huge
  – Potential errors in transmission or storage


Timestamping: Improved Arbitrated Solution

• Using one-way hash functions and digital signatures

• Protocol
  – Alice produces a one-way hash of the document and transmits the hash to Trent
  – Trent appends the date and time onto the hash and digitally signs the result
  – Trent sends the signed hash with timestamp back to Alice
• Only problem
  – Alice and Trent can still collude to produce any timestamp they want


Timestamping: Linking Protocol

• To solve the problem
  – Link Alice’s timestamp with the timestamp previously generated by Trent
• $A$: Alice’s name, $H_n$: Alice’s hash value, $T_{n-1}$: previous timestamp
• Protocol
  – Alice sends Trent $H_n$ and $A$
  – Trent sends back to Alice:
    $T_n = S_K(n, A, H_n, t_n, I_{n-1}, H_{n-1}, T_{n-1}, L_n)$
    where $L_n$ consists of the following hashed linking information:
    $L_n = H(I_{n-1}, H_{n-1}, T_{n-1}, L_{n-1})$
    $S_K$: signed with Trent’s private key
    $n$: $n$th timestamp
    $t_n$: time parameter
  – After Trent stamps the next document, he sends Alice the identification of the originator of that document, $I_{n+1}$
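
Added example (not part of the original slides): a minimal linked timestamp chain showing why collusion between one client and Trent no longer suffices. Assumptions: an HMAC under a constructed key stands in for Trent's signature $S_K$, the stored `T` field is only that signature value rather than the full signed tuple, and all names and sample records are made up for illustration.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC under a constructed demo key stands in for Trent's signature S_K.
TRENT_KEY = b"constructed-demo-key"
GENESIS = {"I": "", "H": "", "T": "", "L": ""}   # placeholder for "record 0"

def H(*parts):
    """One-way hash over an unambiguous encoding of the fields."""
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()

def make_record(n, name, doc_hash, t, prev):
    """Build T_n = S_K(n, A, H_n, t_n, I_{n-1}, H_{n-1}, T_{n-1}, L_n)."""
    link = H(prev["I"], prev["H"], prev["T"], prev["L"])              # L_n
    body = json.dumps([n, name, doc_hash, t, prev["I"], prev["H"], prev["T"], link])
    sig = hmac.new(TRENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"n": n, "I": name, "H": doc_hash, "t": t, "L": link, "T": sig}

def stamp(chain, name, doc_hash, t):
    """Trent issues the next timestamp, linked to the previous one."""
    prev = chain[-1] if chain else GENESIS
    chain.append(make_record(len(chain) + 1, name, doc_hash, t, prev))

def first_bad_record(chain):
    """Return n of the first record whose link or signature fails, else None."""
    prev = GENESIS
    for rec in chain:
        good = make_record(rec["n"], rec["I"], rec["H"], rec["t"], prev)
        if rec["L"] != good["L"] or not hmac.compare_digest(rec["T"], good["T"]):
            return rec["n"]
        prev = rec
    return None

def demo():
    chain = []
    for who, doc, t in [("Alice", "contract", "2024-03-01T10:00Z"),
                        ("Bob", "will", "2024-03-01T10:05Z"),
                        ("Carol", "patent", "2024-03-01T10:09Z")]:    # constructed data
        stamp(chain, who, H(doc), t)
    edited = [dict(r) for r in chain]
    edited[1]["t"] = "2023-01-01T00:00Z"           # time changed without Trent's key
    colluded = [dict(r) for r in chain]            # Bob and Trent re-sign a back-dated T_2
    colluded[1] = make_record(2, "Bob", H("will"), "2023-01-01T00:00Z", colluded[0])
    return first_bad_record(chain), first_bad_record(edited), first_bad_record(colluded)
```

In the collusion case record 2 verifies on its own, but Carol's record 3 embeds the original $T_2$ in $L_3$, so the forgery surfaces at record 3 unless every later stamp is reissued as well.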


Timestamping: Distributed Protocol

• It may be impossible for Alice to get a copy of $I_{n-1}$’s timestamp
• Protocol (without Trent)
  – Using $H_n$ as input, Alice generates a string of random values using a cryptographically secure pseudo-random-number generator: $V_1, V_2, V_3, \ldots, V_k$, and interprets each number as the identification, $I$, of another person
  – She sends $H_n$ to each of these people
  – Each person attaches the date and time to the hash value, signs it and sends it back to Alice
  – Alice collects and stores all signatures as the timestamp
• To fake a timestamp, Alice has to convince all $k$ people to cooperate, which is difficult if $k$ is large enough


Subliminal Channel

• A covert communications channel between two or more parties
• Gustavus Simmons
  – invented the concept of a subliminal channel using digital signature algorithm
• Protocol
  – Alice generates an innocuous message
  – Using a secret key shared with Bob, Alice signs the message in such a way that she hides her subliminal message in the signature
  – Alice sends this to Bob via Walter (an adversary)
  – Walter reads the message, checks the signature, and finds nothing amiss; he passes the signed message to Bob
  – Bob checks the signature on the signed message
  – Bob ignores the message and, using the secret key, he extracts the subliminal message
• Application
  – Spy network
  – A company can sign and embed subliminal messages in documents for tracking purposes


Undeniable Digital Signatures

• Normal digital signatures can be copied exactly and can be verified by anyone
• Undeniable signature (non-transferable signature)
  – Unlike normal digital signatures, an undeniable signature cannot be verified without the signer’s consent
  – Also, signer cannot falsely deny the signature
• Basic protocol
  – Alice presents Bob with a signature
  – Bob generates a random number and sends it to Alice
  – Alice does a calculation using the random number and her private key and sends Bob the result. Alice could only do this calculation if the signature is valid.
  – Bob confirms this
• Controlling who verifies her signature is a way for Alice to protect her personal privacy


Designated Confirmer Signatures

• Designated confirmer signatures allow a signer to designate someone else to verify his signature
• Suppose
  – Alice signs a document
  – Bob knows Alice’s signature is valid but cannot convince a third party of it
  – Alice can designate Carol as the confirmer. How? Alice uses Carol’s public key
  – Carol can be
    • A copyright office
    • A government agent


Proxy Signatures

• How to allow someone to sign messages on your behalf?
• Properties
  – Distinguishability
    • Proxy signatures are distinguishable from normal signatures
  – Unforgeability
    • No one but original signer and designated proxy signer can create a valid proxy signature
  – Proxy signer’s deviation
    • A proxy signer cannot create a valid proxy signature not detected as a proxy signature
  – Verifiability
    • A verifier can be convinced of the original signer’s agreement from a proxy signature
  – Identifiability
    • Original signer can determine proxy signer’s identity from a proxy signature
  – Undeniability
    • Proxy signer cannot disavow an accepted proxy signature he created


Group Signatures

• Group signatures have the following properties
  – Only members of the group can sign messages
  – Receiver can verify the group signature
  – Receiver must not know the identity of the signer in the group
  – In case of dispute, the signer’s identity can be revealed


Group Signatures with a Trusted Arbitrator

1. Trent generates a master list of public/private key pairs and gives each member a unique sub-list of private keys

2. Trent publishes list of all public keys in random order

3. To sign a document, a group member picks any key from his/her sub-list of private keys

4. To verify, receiver picks corresponding public key from the master list

• In case of dispute, Trent knows which public key corresponds to which group member


Fail-Stop Digital Signatures

• If Eve forges Alice’s signatures after brute-force attack, then Alice can prove they are forgeries. How?

• Basic idea
  – For every possible public key, there are many possible private keys
  – Each of these private keys yields many different possible signatures
  – Signer has only one private key and does not know any of the other private keys


Computing with Encrypted Data

• Alice wants Bob to compute f(x) for her but does not want to disclose x to Bob

• Called hiding information from an oracle

• Discussed in Section 23.6


Bit Commitment: Using Symmetric Cryptography

1. Bob sends Alice a random-bit string, $R$.

2. Alice sends Bob: $E_K(R, b)$

where $K$: random key and $b$: bit or bits to commit

• Note that Bob cannot decrypt the message.

3. When it comes time for Alice to reveal her bit, Alice sends Bob: K

4. Bob decrypts the message to reveal the bit. Bob checks his random string to verify the bit’s validity


Bit Commitment: Using One-Way Functions

• Alice sends Bob: $H(R_1, R_2, b)$, $R_1$
  where $R_1$, $R_2$: random bit-strings, $b$: committed bit
• When it comes time for Alice to reveal her bit, Alice sends Bob the original message: $(R_1, R_2, b)$
• Bob verifies with the one-way function $H$
• It works since Alice cannot find another message $(R_1, R_2', b')$ such that $H(R_1, R_2', b') = H(R_1, R_2, b)$


Bit Commitment: Using Pseudo-Random-Sequence Generators

1. Bob sends Alice a random-bit string: $R_B$

2. Alice generates a random seed for a pseudo-random-bit generator. For every bit in Bob’s random-bit string, she sends Bob either:
   a) Output of the generator if Bob’s bit is 0, or
   b) XOR of output of the generator and her bit $b$, if Bob’s bit is 1.

3. When it comes time to reveal her bit, Alice sends Bob her random seed

4. Bob completes step 2 to confirm

• Note:
  – Blobs
    • Strings that Alice sends to Bob to commit to a bit
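
Added example (not part of the original slides): the four steps above with both parties' computations, including the check that catches Alice if she claims the opposite bit at reveal time. Assumptions: SHA-256 in counter mode stands in for the pseudo-random-bit generator, and the function names and the 128-bit length of Bob's string are chosen for illustration.

```python
import hashlib
import hmac
import secrets

def prg_bits(seed, n):
    """Stand-in generator (assumption): SHA-256 in counter mode, first n output bits."""
    out = b""
    counter = 0
    while len(out) * 8 < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def make_blob(rb, seed, b):
    """Step 2: generator bit where Bob's bit is 0, generator bit XOR b where it is 1."""
    stream = prg_bits(seed, len(rb))
    return [g ^ (b & r) for g, r in zip(stream, rb)]

def bob_verifies(rb, blob, seed, b):
    """Step 4: Bob reruns step 2 with the revealed seed and the claimed bit."""
    return hmac.compare_digest(bytes(make_blob(rb, seed, b)), bytes(blob))

def run_commitment(b):
    rb = [secrets.randbits(1) for _ in range(128)]    # step 1: Bob's random string
    seed = secrets.token_bytes(16)                    # Alice's secret seed
    blob = make_blob(rb, seed, b)                     # step 2: the blob Bob stores
    honest = bob_verifies(rb, blob, seed, b)          # steps 3-4: honest reveal
    flipped = bob_verifies(rb, blob, seed, b ^ 1)     # Alice claims the other bit
    return honest, flipped
```

The blob depends on $b$ only at positions where Bob's bit is 1, so an all-zero string from Bob would bind Alice to nothing.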


Fair Coin Flips

• We need to do it fairly over a communication channel
• Need a protocol with properties
  – Alice must flip the coin before Bob guesses
  – Alice must not be able to re-flip the coin and change the result after hearing Bob’s guess
  – Bob must not be able to know how the coin landed before making his guess


Coin Flipping Using One-Way Functions

1. Alice sends $y = f(x)$, where $x$ is a random number

2. Bob guesses whether $x$ is even or odd and sends his guess to Alice

3. If Bob’s guess is correct, the result is heads; otherwise it is tails. Alice sends the result (tails or heads) and $x$ to Bob

4. Bob confirms that $y = f(x)$

• Security depends on the one-way function $f(x)$


Coin Flipping Using Public-Key Cryptography

• Assumption
  – The algorithm commutes: $D_{K_1}(E_{K_2}(E_{K_1}(M))) = E_{K_2}(M)$
• Protocol
  – Alice generates two messages $M_1 = (R_A, \text{Head})$ and $M_2 = (R_A, \text{Tail})$, where $R_A$: random number chosen by Alice
  – Alice sends Bob: $E_A(M_1)$ and $E_A(M_2)$, where $A$: Alice’s public key
  – Bob chooses $E_A(M_1)$ or $E_A(M_2)$ at random and sends Alice: $E_B(E_A(M_1))$ or $E_B(E_A(M_2))$
  – Alice decrypts it with her private key and sends it back to Bob: $D_A(E_B(E_A(M_1))) = E_B(M_1)$ or $E_B(M_2)$
  – Bob decrypts it to find $M_1$ or $M_2$ and sends the result to Alice
  – Alice reads the result and verifies $R_A$ is correct
  – Both Alice and Bob reveal their key pairs so that both can verify that the other did not cheat


Anonymous Key Distribution

• Problem
  – Set up a Key Distribution Center (server) to generate and distribute keys in such a way that no one, including the server, can figure out who got which key
• Protocol
  1. Alice generates a public/private key pair and keeps both keys secret
  2. KDC generates a continuous stream of keys
  3. KDC encrypts the keys, one by one, with its own public key
  4. KDC transmits the encrypted keys, one by one, onto the network
  5. Alice chooses a key at random
  6. Alice encrypts the chosen key with her public key
  7. Alice waits a while (long enough so that the server has no idea which key she has chosen) and sends the double-encrypted key back to KDC
  8. KDC decrypts the double-encrypted key with its private key, leaving a key encrypted with Alice’s public key
  9. Server sends the encrypted key back to Alice
  10. Alice decrypts the key with her private key
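
Added example (not part of the original slides): both the public-key coin flip from the previous slide and the ten steps above depend on encryption layers that commute, so one block runs each protocol end to end. Assumptions: SRA-style exponentiation modulo a prime serves as the commuting cipher (both exponents stay secret until revealed), the 127-bit prime is a toy size, and all function names are illustrative.

```python
import math
import secrets

P = 2**127 - 1                      # Mersenne prime; toy size, for readability only

def keygen():
    """Return (e, d) with e*d = 1 mod (P-1), so x -> x^e mod P is invertible."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def crypt(k, m):
    """E_k or D_k depending on which half of the pair is passed; layers commute."""
    return pow(m, k, P)

def coin_flip():
    (ea, da), (eb, db) = keygen(), keygen()
    ra = secrets.randbits(64) | 1                               # R_A, nonzero
    c1, c2 = (crypt(ea, (ra << 1) | side) for side in (0, 1))   # E_A(M1), E_A(M2); 0=Head, 1=Tail
    double = crypt(eb, secrets.choice([c1, c2]))                # Bob -> Alice: E_B(E_A(M))
    single = crypt(da, double)                                  # Alice -> Bob: E_B(M)
    m = crypt(db, single)                                       # Bob recovers M
    r = m >> 1
    alice_ok = r == ra                                          # Alice checks R_A
    opened = sorted(crypt(da, c) for c in (c1, c2))             # after keys are revealed
    bob_ok = opened == [r << 1, (r << 1) | 1]                   # one Head, one Tail, same R_A
    return m & 1, alice_ok, bob_ok

def anonymous_key(stream_len=8):
    (ek, dk), (ea, da) = keygen(), keygen()                     # KDC's pair, Alice's secret pair
    keys = [secrets.randbelow(P - 2) + 2 for _ in range(stream_len)]
    stream = [crypt(ek, k) for k in keys]                       # steps 2-4: encrypted key stream
    double = crypt(ea, secrets.choice(stream))                  # steps 5-7: Alice adds her layer
    single = crypt(dk, double)                                  # step 8: KDC strips its layer
    return crypt(da, single) in keys                            # step 10: Alice holds an issued key
```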


Key Escrow

• Micali’s Fair Cryptosystem
  – Break up the private key into n pieces and distribute each piece to different trusted authorities
  – Each piece can be verified for correctness without reconstructing the private key
  – If needed, court order can authorize law enforcement authorities to gather n pieces from trustees and construct the private key


Key Escrow Protocol

• Alice creates her private/public key pair. She splits the private key into several public pieces and private pieces
• Alice sends a public piece and corresponding private piece to each of the trustees. These messages must be encrypted. She also sends the public key to the KDC

• Each trustee, independently, performs a calculation on its public piece and its private piece for correctness. Each trustee stores the private piece somewhere secure and sends the public piece to the KDC

• KDC performs another calculation on the public pieces and the public key for correctness. It then signs the public key and either sends it back to Alice or posts it in a database somewhere.
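
Added example (not part of the original slides): one concrete form the two "calculations" can take, using a Diffie-Hellman style key pair where the private key is the sum of the private pieces. The slides do not state the arithmetic; the Diffie-Hellman instantiation, the toy 127-bit prime, the base 3 and all function names are assumptions for illustration.

```python
import secrets

P = 2**127 - 1      # toy prime modulus (assumption; far too small for real keys)
G = 3               # base (assumption)

def split_key(n):
    """Alice: private pieces s_i, public pieces t_i = G^s_i, key pair (s, t)."""
    priv = [secrets.randbelow(P - 1) for _ in range(n)]
    s = sum(priv) % (P - 1)
    return s, pow(G, s, P), priv, [pow(G, s_i, P) for s_i in priv]

def trustee_check(s_i, t_i):
    """Trustee: does my private piece match my public piece?"""
    return pow(G, s_i, P) == t_i

def kdc_check(public_key, pub_pieces):
    """KDC: do the public pieces multiply to the public key it is asked to sign?"""
    prod = 1
    for t_i in pub_pieces:
        prod = prod * t_i % P
    return prod == public_key

def recover(priv_pieces):
    """Under court order: all n private pieces rebuild the private key."""
    return sum(priv_pieces) % (P - 1)

def demo(n=5):
    s, t, priv, pub = split_key(n)
    honest = all(trustee_check(a, b) for a, b in zip(priv, pub)) and kdc_check(t, pub)
    # Cheat 1: trustee 0 receives a private piece that does not match its public piece.
    fake = (priv[0] + 1) % (P - 1)
    bad_piece = trustee_check(fake, pub[0])
    # Cheat 2: trustee 0 receives a consistent but wrong pair; the KDC's product check fails.
    consistent = trustee_check(fake, pow(G, fake, P))
    kdc_fooled = kdc_check(t, [pow(G, fake, P)] + pub[1:])
    return honest, bad_piece, consistent, kdc_fooled, recover(priv) == s
```

Neither check reveals the private key to any single party: each trustee sees one private piece, and the KDC sees only public pieces.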