Identity-Based Cryptography and Its Applications in Wireless Networks 4/17/2012 The Explorer

Source: mews.sv.cmu.edu/teaching/14814/s12/files/explorer_14814s... · 2012-07-03


Contents

● Backgrounds
● Identity-Based Cryptography
● Improved Efficiency of Identity-Based Cryptography for Wireless Sensor Networks
● Identity-Based Cryptography for Vehicular Networks
● Identity-Based Cryptography for Distributed Social Network Platforms
● Summary

Security in Wireless Networks

Symmetric Key Algorithms – AES, 3DES, IDEA
● Faster operation
● One-time pad, proven unbreakable
Challenge(s):
● Establishing shared secret key

Asymmetric Key Algorithms – Diffie-Hellman, RSA
● Solves key sharing problem
Challenge(s):
● Slower operation and heavy computation
● Public Key Infrastructure is costly

Identity-Based Cryptography (IBC)

● Public key derived from a publicly known identity representing a user (e.g., email address, domain, IP address)
● Eliminates the need for a public key distribution infrastructure
● Useful for wireless networks where pre-distribution of authenticated keys is inconvenient or infeasible due to technical constraints
● Current efficient IBC schemes are based on bilinear pairings on elliptic curves

How IBC works?

[Figure: the Private Key Generator (PKG) holds the Master Private Key and the Master Public Key; Alice holds the Master Public Key and Alice's Private Key; Bob holds the Master Public Key and Bob's Private Key]

Preliminary, offline activities
1. Obtain Master Public Key
2. Authenticate and receive Alice's Private Key
3. Obtain Master Public Key
4. Authenticate and receive Bob's Private Key

Advantages of IBC

● No public key distribution infrastructure; authenticity of public keys is guaranteed implicitly
● Possible to encode additional information into the identifier, like a time-stamp to signify freshness
● Master secret key can be destroyed for fixed user systems with no key revocation → Debatable!

Discussion on IBC

What do you think are the assumptions or limitations of using Identity-Based Cryptography?

Paper I:

Efficient online/offline identity-based signature for wireless sensor network – Liu et al. (Int'l Journal of Info. Sec. 2010)

Need for Authentication in Wireless Sensor Networks

● Applications in commercial and industrial areas to monitor and collect data
● Deals with sensitive data, like reporting radiological levels to base stations in nuclear power plants
● Authentication of sensed data becomes important.
● Limiting factors
  ● Limited battery power in sensors
  ● Public key scheme is good, but PKI becomes costly for the sensors

Efficient online/offline identity-based signature for wireless sensor network

● Paper Overview
  ● Proposes use of Identity-Based Signatures, with the public key generated from the user's identity
  ● Usage of online/offline signatures, as originally proposed in “On-line/off-line digital signatures – Goldreich et al.”
  ● Provides multi-time usage of the offline storage, which allows the signer to re-use the offline pre-computed information in polynomial time
  ● Demonstrates feasibility of the scheme in the WSN environment with an actual implementation on the MicaZ platform

Online/Offline IBS Scheme (1)

● The security of our scheme will be reduced to the hardness of the Discrete Logarithm (DL) problem in the group in which the signature is constructed.
● Discrete Logarithm (DL) Assumption
  ● Given a group G of prime order q with generator g and an element g^x ∈ G, where x is selected uniformly at random from Z_q*
  ● The discrete logarithm (DL) problem in G is to compute x.
  ● The (e, t)-DL assumption holds in a group G if no algorithm running in time at most t can solve the DL problem in G with probability at least e.

Online/Offline IBS Scheme (2)

● Setup
  ● This algorithm computes a PKG's public parameter “param” and a master key “msk”. Note that “param” is given to all parties involved while “msk” is kept secret.
● Extract
  ● Given an identity ID, this algorithm generates a private key associated with ID using msk, denoted by sk_ID
● Offline Sign
  ● Given the public parameter, this algorithm generates an offline signature σ''
● Online Sign
  ● On input the private key sk_ID, the offline signature σ'' and a message m, this algorithm generates a signature σ of the message m
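The four algorithms above, as an added Python example that is not code from the slides or from the paper. It assumes a Schnorr-style construction over a toy 61-bit discrete-log group, chosen so that the offline table holds |q| group elements and online signing needs only multiplications; the concrete equations, function names and sample identities are assumptions.

```python
# Added illustration: equations and names are assumptions, not from the slides.
import hashlib
import secrets
from math import gcd

Q = 2**61 - 1  # toy group order (a Mersenne prime); the slides use 160-bit ECC

def find_group(q=Q):
    """Return (p, g): p = 2kq + 1 prime (Pocklington check), g of order q."""
    k = 1
    while True:
        p = 2 * k * q + 1
        g = pow(2, 2 * k, p)
        if pow(2, p - 1, p) == 1 and gcd(g - 1, p) == 1:
            return p, g
        k += 1

P, G = find_group()

def H(*parts):
    """Hash a tuple of values into Z_q (repr gives an unambiguous encoding)."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def setup():
    """PKG: master key msk and public parameter X = g^msk."""
    msk = secrets.randbelow(Q - 1) + 1
    return msk, pow(G, msk, P)

def extract(msk, ident):
    """PKG: sk_ID = (R, s), a Schnorr signature on the identity under msk."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + H(R, ident) * msk) % Q

def offline_sign():
    """Message- and key-independent table g^(2^i); reusable for many messages."""
    table, t = [], G
    for _ in range(Q.bit_length()):
        table.append(t)
        t = t * t % P
    return table

def online_sign(sk, table, msg):
    """Sensor node: build Y = g^y from the table using multiplications only."""
    R, s = sk
    y = secrets.randbelow(Q - 1) + 1
    Y = 1
    for i, t in enumerate(table):
        if (y >> i) & 1:
            Y = Y * t % P
    return Y, R, (y + H(Y, R, msg) * s) % Q

def verify(X, ident, msg, sig):
    """Check g^z == Y * (R * X^H(R, ID))^h using only param and the identity."""
    Y, R, z = sig
    h = H(Y, R, msg)
    pk_id = R * pow(X, H(R, ident), P) % P
    return pow(G, z, P) == Y * pow(pk_id, h, P) % P
```

The verifier needs only the PKG parameter and the signer's identity string, so no per-node certificate is transmitted or stored. Each signature must use a fresh y; the table is what gets reused, not the nonce.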

Basic Setting

● Details
  ● Implementation in single-hop setting
  ● Every WSN node is assigned an identity
  ● Signature done in two modes: offline mode at base stations (prior to knowledge of the message, mostly heavy computations) and online mode at the sensor nodes (typically less computation overhead, so even a weak processor works)
  ● Implemented using a 160-bit Elliptic Curve Cryptosystem


Other Similar Schemes

● Improved online/offline signature schemes – Shamir et al. (ST Scheme)

● Online/offline signatures and multi-signatures for AODV and DSR routing security – Xu et al. (XMS Scheme)

Efficiency Analysis (1)

● Comparison of Computation Cost
  ● C(θ): the computation cost of operation θ
  ● E: the exponentiation in G
  ● M: the multiplication in G
  ● m: the modular multiplication in Z_q*
  ● P: the pairing operation

Operation              ST's Scheme                  XMS's Scheme        “this” Scheme
Offline (one-time)     C(h) + C(σ_g)                2E + m              0
Offline (multi-time)   -                            |q| · 2E            0
Online (one-time)      m                            m                   m
Online (multi-time)    -                            O(|q|)·2M + m       O(|q|)·M + m
Verification           C(h) + C(σ_v) + C(cert_v)    2P + 2E + M         2E + M

Efficiency Analysis (2)

● Comparison of Storage Cost and signature size
  ● |σ| represents the length of a normal digital signature, which is at least 160 bits.
  ● |cert| represents the length of a digital certificate, which is at least 320 bits

Item                           ST's Scheme                       XMS's Scheme                “this” Scheme
Offline Storage (one time)     2|q| + |σ| + |cert| ≥ 800 bits    2|G| + 2|q| ≈ 640 bits      |G| + |q| ≈ 320 bits
Offline Storage (multi time)   -                                 2|q| · |G| ≈ 6.4k bytes     |q| · |G| ≈ 3.2k bytes
Size of Signature              |q| + |σ| + |cert| ≥ 640 bits     2|G| + |q| ≈ 480 bits       2|G| + |q| ≈ 480 bits

Paper II:

Batch Verification Scheme for Vehicular Sensor Networks – Zhang et al. (INFOCOM 2008)

Overview of Vehicular Networks

● Major communication nodes
  ● Vehicles are equipped with an on-board unit (OBU)
  ● Vehicles communicate with roadside units (RSU)
  ● RSU can connect with application servers and trust authority (TA)

Fig. Vehicular networks

Security and Performance Requirements

● Conditional privacy preserving
  ● The identity information of vehicles should be protected
  ● In case an abuse happens, a trust authority is able to trace the real identity of the adversary
● Fast verification speed
  ● Challenging for RSU to verify all messages sent by more than 200 vehicles every 100-300 ms
● Low communication overhead
  ● Procedures and overhead for security should be minimized

Challenges in Requirements

● Complicated PKI infrastructure
  ● Instead of using a real ID, vehicles are required to use a different pseudo ID for each communication
  ● PKI infrastructure manages the pseudo ID and the associated public key → high overhead due to changing pseudo ID
● Large number of concurrent verifications
  ● Single RSU should verify up to 2,000 messages per second

The Proposed Solution

● IBC is used for conditional privacy
● Batch verification is used for fast verification

Messages received at the RSU: <ID1, M1, Sig(M1)>, <ID2, M2, Sig(M2)>, …, <IDn, Mn, Sig(Mn)>

Batch: Sig(M1)+Sig(M2)+…+Sig(Mn), then verify the summation

● Accelerates the speed of verifying multiple signatures
● No public key management required

Key and ID Generation at OBU

● At the time of manufacturing, the OBU-specific private key is securely stored in the tamper-proof device
● At each transmission, the tamper-proof device generates a pseudo ID and the corresponding secret key by using the real ID (RID) and the private key

[Figure labels: Authentication enhancing; Change real ID to pseudo ID; Use pseudo ID to generate private key]

ID-based Batch Signature and Verification

● Public parameters {G, G_T, q, P, P_pub1, P_pub2}
● where P_pub1 = s_1·P, P_pub2 = s_2·P.
● {s_1, s_2} is preloaded to a tamper-proof device
● Public key ID = {ID_1, ID_2}
● Secret key SK = {SK_1, SK_2}
● Sign: σ = SK_1 + h(m)·SK_2
● Verify: Multiple signatures are summed and verified at once!
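Why the summed check works, as an added derivation that is not on the original slides. It assumes a bilinear map $e: G \times G \to G_T$, a hash $H$ onto $G$, and secret keys of the form $SK_1 = s_1\,ID_1$ and $SK_2 = s_2\,H(ID_1 \| ID_2)$; none of these three is stated on the slide.

For a single signature $\sigma = SK_1 + h(m)\,SK_2$, bilinearity moves the secrets $s_1, s_2$ onto the public parameters:

$$
e(\sigma, P) = e\big(s_1 ID_1 + h(m)\, s_2 H(ID_1 \| ID_2),\; P\big) = e(ID_1, P_{pub1}) \cdot e\big(h(m)\, H(ID_1 \| ID_2),\; P_{pub2}\big)
$$

For $n$ signatures the same identity applies to the sums:

$$
e\Big(\sum_{i=1}^{n} \sigma_i,\; P\Big) = e\Big(\sum_{i=1}^{n} ID_{1,i},\; P_{pub1}\Big) \cdot e\Big(\sum_{i=1}^{n} h(m_i)\, H(ID_{1,i} \| ID_{2,i}),\; P_{pub2}\Big)
$$

The RSU therefore evaluates three pairings for any batch size $n$; the remaining per-message work is point additions and one scalar multiplication each. If the equation fails, the sum alone does not show which $\sigma_i$ was invalid, so the RSU has to fall back to checking smaller groups or individual signatures.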

Advantages of ID-based Batch Signature Scheme

● Conditional privacy
  ● An adversary cannot discover the real identity from pseudo identities
  ● A trust authority can recover the real identity of the vehicle (ElGamal decryption)
● Fast verification of multiple messages
  ● Verification complexity is independent of the number of concurrent messages
● Less key management overhead
  ● Since pseudo ID is used for authentication, no PKI infrastructure is required

Discussion

What do you think are the limitations for such a Batch Verification Scheme in Vehicular Networks?

Paper III:

A Mobile Social Network on ESP: an Egocentric Social Platform – Purtell et al. (PETS 2012)


Slides References:

Presentation at MobiSocial Computing Laboratory at Stanford University - Monica Lam

Egocentric Social Platform - T. J. Purtell, Ian Vo, Monica S. Lam

Motivation

● Today's social networking
  ● Loss of privacy
  ● Monopoly
  ● Loss of competition

[Figure: Zynga Dependency on Facebook, WSJ, 10-12-11]

[Figure labels: TCP/IP; Global Social Graph]

Motivation

● Egocentric Social Platform
  ● No single owner of users' data or app platform
  ● ESP is distributed over all user devices
● Problem
  ● Secure communication with all of my friends requires complicated PKI infrastructure!

→ IBC can help this!

IBC with Existing Identities

● User's identity is verified using a public authentication protocol (e.g., Facebook auth)
● User obtains the appropriate token from the public service and submits it to the IBC server
● If the token is valid, the IBC server sends the secret key


ESP Architecture

All data are encrypted outside the mobile device


Wordplay Game on IBC based Platform

Activate an Existing Identity

Alice activates her existing identity on Musubi

Starting a Game

● Alice wants to play the WordPlay game now
● Alice chooses Bob's name from her address book
● Bob is not a Musubi user
● Alice sends an automated invitation to Bob, presented by Musubi

Joining a Game

● Bob accepts and gets the keys from the IBC server by simply providing his identity
● Alice and Bob play games securely without a global social network platform! (No ads!)

Private Key Management

● Key update
  ● All secrets have a validity time period
  ● Update period is 30 days and the update date is a well-known function of the hashed identity
● Key revocation
  ● Necessary in case of loss or infection
  ● User can request a new key before expiration

Discussion

What do you think are the challenges for the Egocentric social platform?

Summary

● IBC removes the PKI infrastructure, and thus is beneficial for some applications of wireless networks
  ● Paper 1: efficient on/offline identity-based signature for sensor networks
  ● Paper 2: identity-based batch signature for vehicular networks
  ● Paper 3: identity-based encryption for Egocentric social platform