David Evans cs.virginia/~evans

Lecture 14: Digital Cash, Randomness. David Evans, http://www.cs.virginia.edu/~evans. CS588: Security and Privacy, University of Virginia Computer Science.

  • Lecture 14: Digital Cash, Randomness
    • David Evans, http://www.cs.virginia.edu/~evans
    • CS588: Security and Privacy
    • University of Virginia Computer Science

    University of Virginia CS 588

  • Menu
    • Randomness
    • Cannibalistic Voting Protocols
    • Digital Cash

  • Random Numbers
    • For numbers in the range $0 \ldots 2^n - 1$, an observer with the first $m - 1$ numbers cannot guess the $m$th with probability better than $1/2^n$.

  • Good Random Numbers
    • Lava Lamps (http://www.lavarnd.org)
    • Geiger Counter and Radioactive stuff

  • Pseudo-Random Number Generators
    • Start in a hard-to-guess state
    • Run an algorithm that generates an unpredictable sequence from that state

  • Typical Random Numbers
    • random ()
      • Doesn't give cryptographic random numbers
    • Using system clock in milliseconds to seed (even a good PRNG)
      • There are only 24*60*60*1000 = 86.4M possible seeds
    • Fine for video games, not fine for protecting nuclear secrets.

        srandom (time (NULL));
        for (...) random ();

    Doesn't satisfy either property!

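  • Jefferson Wheel Key Generator

        #include <stdio.h>
        #include <stdlib.h>
        #include <time.h>

        #define NUMWHEELS 36   /* the slide's key space is 36! */

        int main (void) {
            long key[NUMWHEELS]; int i, j;

            /* Weak on purpose: the clock is the only secret input. */
            srandom ((unsigned)time (NULL));
            for (i = 0; i < NUMWHEELS; i++) key[i] = random ();
            /* Print wheel indices in descending order of their random values. */
            for (i = 0; i < NUMWHEELS; i++) {
                long highest = -1; int highindex = -1;
                for (j = 0; j < NUMWHEELS; j++) {
                    if (key[j] > highest) { highindex = j; highest = key[j]; }
                }
                fprintf (stdout, "%d\n", highindex);
                key[highindex] = -1;
            }
            return 0;
        }

    • Reduces key space from 36! ($3.7 \times 10^{41}$) to 86M!
    • Challenge is now $2.3 \times 10^{34}$ easier!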
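
Added example (not part of the lecture): a Python model of the key generator above, showing that the wheel order is a pure function of the seed, so replaying plausible seeds reproduces the key, next to a version that draws from the OS CSPRNG. `random.Random` stands in for `srandom`/`random`; the seed value and the ±2000 ms search window are constructed assumptions.

```python
import math
import random
import secrets

NUMWHEELS = 36
MS_PER_DAY = 24 * 60 * 60 * 1000   # every seed a millisecond clock can supply in a day


def wheel_order(seed):
    """Slide's algorithm: one random value per wheel, indices by descending value."""
    rng = random.Random(seed)                  # assumption: stands in for srandom()/random()
    key = [rng.getrandbits(31) for _ in range(NUMWHEELS)]
    return sorted(range(NUMWHEELS), key=lambda i: -key[i])


def recover_seed(observed_order, candidate_seeds):
    """Replay the generator for each plausible seed until the output matches."""
    for seed in candidate_seeds:
        if wheel_order(seed) == observed_order:
            return seed
    return None


def keyspace_bits():
    """(bits in a uniformly random wheel order, bits the clock seed can supply)."""
    return math.log2(math.factorial(NUMWHEELS)), math.log2(MS_PER_DAY)


def wheel_order_secure():
    """Corrected form: shuffle with the OS CSPRNG, so there is no seed to replay."""
    order = list(range(NUMWHEELS))
    secrets.SystemRandom().shuffle(order)
    return order


if __name__ == "__main__":
    seed = 43_200_123                          # constructed: just after noon, in ms
    found = recover_seed(wheel_order(seed), range(seed - 2000, seed + 2000))
    print("seed recovered:", found == seed)
    print("bits (ideal, actual): %.1f, %.1f" % keyspace_bits())
```

The two figures from `keyspace_bits()` are the slide's 36! versus 86M comparison expressed in bits.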

  • Tiny, Yarrow-160
    • Accumulate Entropy
      • Unspecified how: implementer decides
      • Recent Linux systems have /dev/random
      • User keystrokes, disk seek times, network activity (be careful!), etc.
    • Use entropy and the SHA1 hash function to produce an unpredictable K.
    • Calculate random numbers:
      • $C = (C + 1) \bmod 2^n$
      • $R = E_K(C)$
      • $E_K$ is AES (Tiny); 3DES (Yarrow-160)

  • Jon Erdman

  • Erdman Sand Encryption
    Or, Why I Don't Need to Take the Midterm

  • Problem
    • Our survivors need to reveal their public keys without revealing who owns which key.
    • All messages must be exchanged through a public forum (the sand).

  • The solution
    • Players encrypt their message with the public keys of two other players.
    • Secretly pass the encrypted message at random through the group until the two encryptions are removed.

  • Before we get started:
    • Each pair of people needs to establish a secret key to communicate with each other.
    • They could use the Diffie-Hellman key exchange or the Erdman Key Exchange

  • Erdman Key Exchange
    • Each player generates an RSA key pair.
    • Encrypt secret key using their private key followed by player X's public key.
    • Send encrypted message to player X by writing it in the sand.
    • Decrypt using your private key and the other player's public key.
    • Each player sends a key to every other player using this method: the pair key is the xor of the keys the players sent to each other.

  • Erdman Key Exchange (ctd.)
    • Encrypting with your private key verifies to the other person that the message is coming from you.
    • Encrypting with their public key verifies to you that only the other person can read the message.
    • Can add check bits to the end to ensure message was not tampered with.

  • Step 1: Encryption
    • Player generates a random bit string (which I'll call the messer) equal in length to the RSA keys.
    • Player does an RSA encryption on their public key, $KU_x$, xored with the messer.
    • Concatenate result with the messer and the check bits (CB) corresponding to the word "final".
    • Encrypt result using the public key ($KU2_y$) of a random player of their choosing.
    • $C_1 = E_{KU2_y}[(M \oplus \text{messer}_1) \,\|\, \text{messer}_1 \,\|\, CB]$

  • Step 2: More Encryption
    • Repeat step one using $C_1$ instead of $M$, choosing a different person, different messer, and using the check bits for "middle".
    • $C_2 = E_{KU2_z}[C_1 \oplus \text{messer}_2 \,\|\, \text{messer}_2 \,\|\, CB]$

  • Step 3: Passing
    • Each player does a 3DES encryption on the resulting messages and some check bits, using the unique key they made with yet another random player
    • Write the result in the sand for all to see
    • $C_3 = \text{3DES}(C_2 \,\|\, CB,\; K_{xq})$

  • Step 4: Gathering
    • Players need to find messages sent to them
    • Decrypt the messages in the sand using the $K_{xy}$ established earlier. If the check bits are valid they know the message was meant for them.

  • Step 5: Decrypting (maybe)
    • Players take messages sent to them and attempt to decrypt using their private key.
    • If they see the check bits "middle" they know they have $C_1$.
    • If they see the check bits "final" they have one of the keys.
    • If they have one of the keys, they can write it in the sand for all to see.

  • Mathematical Interlude
    • $C = E_{KU_z}[M \oplus \text{messer} \,\|\, \text{messer} \,\|\, CB]$
    • attempt to decrypt using $E_{KR_z}$
    • $D_{KR_z}[C] = D_{KR_z}[E_{KU_z}[M \oplus \text{messer} \,\|\, \text{messer} \,\|\, CB]] = M \oplus \text{messer} \,\|\, \text{messer} \,\|\, CB$
    • CB will only be valid if the decryption key is the pair to the encryption key.
    • $M = M \oplus \text{messer} \oplus \text{messer}$

  • Step 6: Repeat
    • If the messages players received are not a final message, send it to another random player.
    • Repeat until all keys have been found.

  • Why the messer?
    • What if there is no messer?
    • The first person is being passed a message encrypted with two public keys. After final messages are revealed they can try encrypting the messages with various public key combinations and find the one that produces the same message they got on the first pass. Only N choose 2 combinations!
    • The messer introduces a random factor into the encryption so this will not be possible.
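
Added example (not from the presentation): steps 1 and 2 with textbook RSA, showing that the two-layer ciphertext is reproducible from a revealed key when the messer is left out and unlinkable when it is used, while the intended recipients still recover the message. The toy keys built from Mersenne primes, the 64-bit stand-ins for public keys, the 64/240-bit messer lengths and the check-bit constants are all constructed assumptions.

```python
import secrets
from itertools import permutations

E = 65537
CB_FINAL, CB_MIDDLE = 0xF17A, 0x31DD   # constructed 16-bit check bits
# Constructed toy RSA keys from Mersenne-prime exponents: (inner key, outer key).
PRIMES = {"y": ((61, 89), (521, 607)), "z": ((107, 127), (1279, 2203))}

def keypair(player, layer):
    """Return (public modulus, private exponent) for a player's inner/outer key."""
    p, q = (2**k - 1 for k in PRIMES[player][layer])
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def seal(m, n, cb, bits, use_messer):
    """Textbook RSA of (m xor messer) || messer || CB; messer is `bits` long."""
    messer = secrets.randbits(bits) if use_messer else 0   # 0 models "no messer"
    plain = ((((m ^ messer) << bits) | messer) << 16) | cb
    assert m < 2**bits and plain < n
    return pow(plain, E, n)

def unseal(c, n, d, bits):
    """Invert seal(): return (m, check bits)."""
    plain = pow(c, d, n)
    messer = (plain >> 16) & (2**bits - 1)
    return (plain >> (16 + bits)) ^ messer, plain & 0xFFFF

def wrap(m, inner, outer, use_messer=True):
    """Steps 1 and 2: seal under `inner`'s key, then under `outer`'s key."""
    c1 = seal(m, keypair(inner, 0)[0], CB_FINAL, 64, use_messer)
    return seal(c1, keypair(outer, 1)[0], CB_MIDDLE, 240, use_messer)

def link(c2, revealed):
    """Re-encrypt each revealed key under each ordered key pair; match against c2."""
    for m in revealed:
        for inner, outer in permutations(PRIMES, 2):
            if wrap(m, inner, outer, use_messer=False) == c2:
                return m
    return None
```

`link` returns the owner's key for a ciphertext built with `use_messer=False` and `None` for one built with the messer, because the random bits make every encryption of the same key different.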

  • Shortest Path Example
    • A encrypts the message with the keys of C then B.
    • A then passes to D, who passes to B, who takes off one lock
    • B passes to C who takes off other lock
    • Each person knows who passed it to them and who they passed it to.

  • Shortest Path (continued)
    • Path: A -> D -> B -> C
    • D does not know who B passed to so can not know the message C writes is A's.
    • B does not know that it was A that passed to D.
    • C does not know the identity of D or A.

  • Shortest Path (continued)
    • Path: A -> D -> B -> C
    • If D and B decide to share information they can figure out A's message.
    • This depends on the random passes being very lucky.
    • Can improve the algorithm by adding more encryptions at the beginning.

  • Questions?

  • Digital Cash

  • Properties of Physical Cash
    • Universally recognized as valuable
    • Easy to transfer
    • Anonymous
    • Big and Heavy
      • Average bank robbery takes $4552
      • 500 US bills / pound
      • Bill Gates' net worth would be 400 tons in $100 bills
    • Moderately difficult to counterfeit in small quantities
    • Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

  • Bank IOU Protocol
    • Alice $\{KU_A, KR_A\}$
    • Trusty Bank $\{KU_{TB}, KR_{TB}\}$

  • Bank IOU Protocol
    • Alice $\{KU_A, KR_A\}$
    • Trusty Bank $\{KU_{TB}, KR_{TB}\}$
    • $M$
    • $E_{KR_{TB}}[H(M)]$
    • Bob
    • Bob's secret curry recipe
    • $E_{KU_A}[\text{Bob's secret curry recipe}]$

  • Bank IOU Protocol
    • Trusty Bank
    • $M$
    • $E_{KR_{TB}}[H(M)]$
    • Bob

  • Bank IOU Protocol
    • Universally recognized as valuable
    • Easy to transfer
    • Anonymous
    • Heavy
    • Moderately difficult to counterfeit in small quantities
    • Extremely difficult to get away with counterfeiting large quantities

  • Bank Identifiers
    • Bank adds a unique tag to each IOU it generates
    • When someone cashes an IOU, bank checks that that IOU has not already been cashed
    • Can't tell if it was Alice or Bob who cheated
    • Alice loses her anonymity: the bank can tell where she spends her money

  • Digital Cash, Protocol #1
    • Alice prepares 100 money orders for $1000 each.
    • Puts each one in a different sealed envelope, with a piece of carbon paper.
    • Gives envelopes to bank.
    • Bank opens 99 envelopes and checks they contain money order for $1000.
    • Bank signs the remaining envelope without opening it (signature goes through carbon paper).

  • Digital Cash, Protocol #1 cont.
    • Bank returns envelope to Alice and deducts $1000 from her account.
    • Alice opens envelope, and spends the money order.
    • Merchant checks the Bank's signature.
    • Merchant deposits money order. Bank verifies its signature and credits Merchant's account.

  • Digital Cash, Protocol #1
    • Is it anonymous?
    • Can Alice cheat?
      • Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud.
      • Better make the penalty for this high (e.g., jail)
      • Copy the signed money order and re-spend it.
    • Can Merchant cheat?
      • Copy the signed money order and re-deposit it.
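
Added example (not from the lecture): Protocol #1 end to end, with RSA blind signatures standing in for the envelope and carbon paper, which is an assumption since the slides give only the physical analogy. The toy bank key, the money-order wording and the `keep` parameter (which fixes the bank's otherwise random choice so both outcomes can be reproduced) are constructed for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy bank key from two Mersenne primes; illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(order):
    return int.from_bytes(hashlib.sha256(order.encode()).digest(), "big")

def blind(order):
    """Envelope: hide H(order) by multiplying with r^E for a secret random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return digest(order) * pow(r, E, N) % N, r

def bank_sign(envelopes, reveal, amount, keep=None):
    """Open every envelope except `keep`; sign that one blind if the rest are honest."""
    if keep is None:
        keep = secrets.randbelow(len(envelopes))
    for i, sealed in enumerate(envelopes):
        if i != keep:
            order, r = reveal(i)   # Alice hands over contents and blinding factor
            if order != f"Pay bearer ${amount}" or sealed != digest(order) * pow(r, E, N) % N:
                return keep, None  # fraud detected: nothing gets signed
    return keep, pow(envelopes[keep], D, N)   # signature through the carbon paper

def withdraw(orders, amount, keep=None):
    """Alice's side: returns (order, bank signature), or None if the bank caught her."""
    sealed = [blind(o) for o in orders]
    keep, blind_sig = bank_sign([c for c, _ in sealed],
                                lambda i: (orders[i], sealed[i][1]), amount, keep)
    if blind_sig is None:
        return None
    r = sealed[keep][1]
    return orders[keep], blind_sig * pow(r, -1, N) % N   # unblind: divide out r

def verify(order, sig):
    """Merchant and bank check: sig^E mod N must equal H(order)."""
    return pow(sig, E, N) == digest(order)
```

With one altered order among 100, `withdraw` returns `None` unless the bank happens to keep exactly that envelope, which is the slide's 99%/1% split; a copied `(order, signature)` pair verifies as often as it is presented.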

  • Digital Cash, Protocol #2
    • Idea: prevent double-spending by giving each money order a unique ID.
    • Problem: how do we provide unique IDs without losing anonymity?
    • Solution: let Alice generate the unique IDs, and keep them sec