Introduction to Practical Cryptography
Redaction and Proxy Cryptography

Agenda
• Redaction
• Proxy Cryptography
Redaction
• Process of removing sensitive or confidential information from a document without distorting the meaning of the document.
• Portions of a document may be redactable, others may be non-redactable.
• Should provide an indication when something has been redacted; otherwise, the meaning of the document can be altered by removing portions of the content.
Redaction
• Removal of information from documents, media …
  – "The project involved ____ people with a budget of ____"
• Image with brand name that must be removed
Redaction Example
• Original content:
  – John Doe testified that Al Smith did not commit the crime.
• After redaction:
  – [REDACTED] testified that Al Smith did not commit the crime.
  – testified that Al Smith did not commit the crime.
• If redaction is not indicated, the meaning can be changed:
  – John Doe testified that Al Smith did commit the crime.
Redaction – Examples
• Government documents
  – classified information is removed prior to public release
• Financial documents
  – mortgage application: different people need subsets of the information; the appraiser doesn't need to see income
• Legal documents
  – some information remains under attorney-client privilege
• Medical records
  – different employees access different information
• Corporations
  – different employees have access to subsets of information
• Public records
  – towns in the US that place mortgage and property tax information online remove personal information
Mistakes
• Changing the background color to match the font color – the underlying text is still there and can be retrieved by changing the color
• Changes saved automatically by the program as part of the revision history
• Drawing a black box over the text – the box can be removed
Information Leakage
• Length of the redacted area
  – The budget for project is ____.
  – The budget for project is ____.
  – The first name of the witness is ____.
• Inferred content
  – Name
  – Address
  – Date
  – Value
• Human error
  – Forget to redact / overlook one or more pieces
Formatting
• Altering the length of the redacted area to reduce information leakage changes the format
  – Alters the length of the document
  – Re-align paragraphs, page breaks
  – If the number of pixels in an image is altered, the display of the rest of the image can be garbled
Authenticating a Document
• How to sign a document?
• Hash then encrypt doesn't work – signing the original and then redacting invalidates the signature
• If the document is signed after redaction, what indicates that information was not altered in the process?
Authenticating a Document
• How to sign a document?
  – "The witness is John Smith"
  – Hash: 07ed235678a3b4de0075
  – Encrypt with RSA: 453872907
• Redact
  – The witness is ____
• Send the redacted document and the signature
Authenticating a Document
• Recipient receives
  – The witness is ____
  – Signature 453872907
• Recipient tries to verify the signature
  – Decrypt signature: 07ed235678a3b4de0075
  – Hash received text: 3245cea1eded01821111
  – Doesn't match the decrypted signature
Authenticating a Document
• How to verify that information which was not supposed to be redacted was left intact?
• The problem is not only how to authenticate what remains in the clear, but also how to confirm that information which was supposed to remain in the clear was not redacted
Authenticating a Document
• Need to authenticate that non-redacted information is unchanged from the original
  – How?
• Need to authenticate that information was not improperly removed
  – How?
Authenticating a Document
• Hash tree – also called a Merkle tree
  – Leaves: subdocuments D0, D1, D2, D3 are hashed to H0, H1, H2, H3
  – H01 = hash(H0 || H1), H23 = hash(H2 || H3)
  – Root: H = hash(H01 || H23)
Algorithm
• Uses 4 binary trees
• Roots of two trees are used for the signature
• Retain the nodes which allow the roots to be recomputed
  – Which nodes are retained depends on which subdocuments are redacted and which ones are non-redactable
• Easiest way to explain is via diagrams …
R and X Trees
[Figure: r tree with the seed at the root r11, then r21 r22, r31 … r34, r41 … r48 at the leaves; subdocuments m1 … m8; x tree with leaves x41 … x48 up to the root x11]
• Leaf x4i = hash(mi || r4i)
• x's formed by hashing children
• r's formed by random bit generation using the parent node as seed
S and Y Trees
[Figure: s tree with the seed at the root s11, then s21 s22, s31 … s34, s41 … s48 at the leaves; y tree with leaves y41 … y48 up to the root y11]
• Leaf y4i = hash(s4i)
• y's formed by hashing children
• s's formed by random bit generation using the parent node as seed
How Trees are Used
• Sign(x root || y root)
• Original document: include the r seed and the s seed
  – Recipient can recompute all xi, yi to verify the signature
• Redact mi: delete the path of r nodes to xi, include xi and the siblings of the deleted r nodes
• Non-redactable mi: delete the path of s nodes to yi, include yi and the siblings of the deleted s nodes
• If both children of an x node are included, save the parent node instead; likewise for y nodes
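An added Python example (not code from the slides) implementing the r/x tree half of the scheme above: r values are derived from the seed down the tree, each leaf is hash(mi || r4i), and redacting mi reveals x4i while deleting the r nodes on the path to it and retaining their siblings. Assumptions: SHA-256 for hashing, child r values derived as hash(parent || side) in place of the slides' seeded random bit generation, the s/y tree and the final signature over the roots are left out, and the parent-instead-of-both-children compaction is omitted.

```python
import hashlib
DEPTH = 3  # 8 subdocuments m1..m8, as in the slides; leaf i sits at position i of level DEPTH

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def r_children(node: bytes):
    # Assumption: children derived as hash(parent || side) instead of seeded random bit generation
    return H(node, b"L"), H(node, b"R")

def expand_r(rs):
    """Derive every leaf value r4i reachable from the retained r nodes {(level, pos): value}."""
    leaves = {}
    for (level, pos), val in rs.items():
        nodes = {pos: val}
        for _ in range(DEPTH - level):
            nodes = {2 * p + s: c for p, v in nodes.items() for s, c in enumerate(r_children(v))}
        leaves.update(nodes)
    return leaves

def x_root(xs):
    while len(xs) > 1:                         # x's are formed by hashing children
        xs = [H(xs[i], xs[i + 1]) for i in range(0, len(xs), 2)]
    return xs[0]

def signed_root(seed, msgs):
    r = expand_r({(0, 0): seed})               # the signer knows the seed, so all r4i
    return x_root([H(m, r[i]) for i, m in enumerate(msgs)])   # x root only; leaves hash(mi || r4i)

def redact(doc, i):
    """doc = {"msgs": [...], "xs": {i: x4i}, "rs": {(level, pos): r}}; keep x4i, delete the r nodes on the path seed -> r4i, retain siblings."""
    doc["xs"][i] = H(doc["msgs"][i], expand_r(doc["rs"])[i])
    doc["msgs"][i] = None
    rs, changed = doc["rs"], True
    while changed:
        changed = False
        for (level, pos), val in list(rs.items()):
            if pos == i >> (DEPTH - level):            # node lies on the path to r4i
                del rs[(level, pos)]
                if level < DEPTH:                      # both children kept for now; the on-path
                    rs[(level + 1, 2 * pos)], rs[(level + 1, 2 * pos + 1)] = r_children(val)
                changed = True                         # child is removed on the next pass
    return doc

def verify(doc, root):
    r = expand_r(doc["rs"])                    # recipient re-derives r4i for non-redacted leaves
    xs = [doc["xs"][i] if m is None else H(m, r[i]) for i, m in enumerate(doc["msgs"])]
    return x_root(xs) == root
```

After redacting m2 (index 1) the retained r nodes are r22, r32 and r41, exactly the siblings of the deleted path, and redacting m1 next only drops r41.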
Redacted Subdocument
[Figure: r and x trees as before, with m2 redacted]
• m2 is redacted
• r42 must be "removed"
Adjacent Redacted Subdocuments
[Figure: r and x trees as before, with m1 and m2 redacted]
• m1 and m2 are redacted
Non-Redactable Subdocument
[Figure: s and y trees as before, with m5 marked non-redactable]
• m5 is non-redactable
• s45 must be "removed"
Adjacent Non-Redactable Subdocuments
[Figure: s and y trees as before, with m5 and m6 marked non-redactable]
• m5 and m6 are non-redactable
Architecture
• Allow different document processing applications (document editors and viewers) to utilize the redaction software through a common API.
• Permit the application to decide what information must be signed and verified – e.g. content only, content and some formatting, content and all formatting
• Permit the application to decide what constitutes a subdocument
Issues
• Format converter
  – Difficulty varies per editor/viewer – pdf vs ASCII
  – Opening a file of the same format in different editors can unintentionally modify the content
• User interface
  – What should be a subdocument?
  – Should white space matter?
  – How to indicate to the user that a subdocument has been redacted and that a subdocument is non-redactable?
  – If redaction is indicated, the length provides a hint to the user about the deleted content. However, changing the length can alter the appearance and any white space in the content.
Original Text
"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." Dale Carnegie
Subdocuments
<"Did><you><ever><see><an><unhappy><horse?><Did><you><ever><see><a> <bird><that><has><the><blues?><One><reason><why><birds><and><horses> <are><not><unhappy><is><because><they><are><not><trying><to><impress><other><birds><and><horses."><Dale> <Carnegie>
Redact Author’s Name
"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
Make Two Words Non-Redactable
"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
Alter Content
"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other people and horses." [R] [R]
Examples
http://www.nsa.gov/public/crypt_spectrum.cfm
Proxy Cryptography
• Convert ciphertext from encryption with one key to encryption with another key
  – Encrypt with one key, let the recipient decrypt with some other key
• Similar notion for signatures: sign with one key, let the recipient verify with another key
Proxy Cryptography
• Proxy converts C1 to C2
  – A, B publish kab
  – ka, kb are private keys
• A → Proxy → B
  – A: C1 = E_ka(P), sent to the proxy
  – Proxy: C2 = H_kab(C1), sent to B
  – B: P = D_kb(C2)
• Allows an intermediate entity (proxy) to convert ciphertext between two keys without exposing the plaintext
Proxy Cryptography
• VPNs
• File servers
• Transform A’s signature into B’s signature
Proxy Cryptography
• Applied to public key ciphers
• El Gamal, RSA [Okamoto, Mambo, '97; Blaze, et al. '98]
Blaze, et al.
• similar in structure to ElGamal encryption
  – but with the parameters used differently and the inverse of the secret used to recover the message
• the speed of the scheme is comparable to standard ElGamal encryption, although initial key generation requires the additional calculation and storage of a parameter a^-1
Cryptosystem X (encryption)
• Parameters
  – p is a prime of the form 2q + 1 for a prime q
  – g is a generator of Z*_p
  – p and g are public
• A's private key
  – a, 0 < a < p - 1, randomly picked from Z*_2q (a is relatively prime to p - 1)
  – A calculates the inverse a^-1 mod 2q
  – A's public key: (g^a mod p, g, p)
Cryptosystem X (encryption)
• Encryption
  – Select a unique random k from Z*_2q; k is secret
  – To encrypt message m with A's key, compute and send the ciphertext values (c1, c2):
    • c1 = m·g^k mod p
    • c2 = (g^a)^k mod p
• Decryption: A (knows a^-1) calculates g^k and recovers m:
  – c2^(a^-1) = g^k (mod p), which gives g^k
  – Compute (g^k)^-1 mod p
  – m = c1 · (c2^(a^-1))^-1 mod p
Example
• Parameters
  – p = 23 = 2×11 + 1
  – g = 5 (generates {5, 2, 10, 4, 20, 8, 17, 16, 11, 9, 22, 18, 21, 13, 19, 3, 15, 6, 7, 12, 14, 1})
  – a = 3
  – a^-1 = 15 (15 × 3 = 45 = 1 mod 22)
  – g^a mod p = 5^3 mod 23 = 10
• Encrypt m = 2 using k = 7
  – g^k mod 23 = 5^7 mod 23 = 17
  – c1 = m·g^k = 2 × 5^7 mod 23 = 11
  – c2 = (g^a)^k = 10^7 mod 23 = 14
• Decrypt
  – c2^(a^-1) = 14^15 mod 23 (14^2 mod 23 = 12, so 14^15 = 12^7 × 14 mod 23; 12^2 = 6 mod 23) = 6^3 × 12 × 14 mod 23 = 17
  – c1 = m·g^k mod 23: 11 = m × 17 mod 23
  – m = 11 × 17^-1 mod 23 (17^-1 mod 23 = 19)
  – m = 11 × 19 mod 23 = 2
Proxy Function for X
• The c1 ciphertext component produced by Cryptosystem X is independent of the recipient's public key
• Recipient A's key is embedded only in the c2 exponent
• Proxy function to convert ciphertext for A into ciphertext for B
  – remove A's key a from c2 and replace it with B's key b
  – similar to the first step of the decryption function: raise c2 to a^-1 to remove a
  – then contribute a factor of b to the exponent
• Simply raising c2 to a^-1 and then to b would accomplish this
  – but it does not qualify as a secure proxy function; anyone who examines the proxy key learns the secret keys of both A and B
• This problem is avoided by combining the two steps into one. Hence the proxy key AB = (a^-1)·b
  – the proxy function is simply c2^AB
Symmetric proxy function for X
• Note that this is a "symmetric" proxy function
  – A and B must trust one another bilaterally
  – B can learn A's secret (by multiplying the proxy key by b^-1)
  – A can similarly discover B's key
• This proxy function is also translucent
  – the proxy key does not directly reveal A or B, but anyone can verify a guess by encrypting a message with A's public key, applying the proxy function, and comparing the result with the encryption of the same message (with the same k) under B's public key
• Applying the proxy function is more efficient than decryption and re-encryption, in that only one exponentiation is required
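An added Python example (not from the slides or the Blaze et al. paper) that runs Cryptosystem X and its proxy function on the slide's parameters p = 23, g = 5, a = 3, with B's private key b = 5 chosen here as an assumption; it also implements the translucence check described above.

```python
import math

P, Q, G = 23, 11, 5            # p = 2q + 1 and the generator g from the slide example

def keygen(a):
    """Private exponent a (coprime to p - 1 = 2q), its inverse mod 2q, and the public g^a mod p."""
    assert 0 < a < P - 1 and math.gcd(a, 2 * Q) == 1
    return a, pow(a, -1, 2 * Q), pow(G, a, P)

def encrypt(pub, m, k):
    """(c1, c2) = (m * g^k, (g^a)^k) mod p; c1 does not depend on the recipient's key."""
    return (m * pow(G, k, P)) % P, pow(pub, k, P)

def decrypt(a_inv, c):
    c1, c2 = c
    gk = pow(c2, a_inv, P)                      # c2^(a^-1) = g^k, since a * a^-1 = 1 mod 2q
    return (c1 * pow(gk, -1, P)) % P

def proxy_key(a_inv, b):
    """AB = (a^-1) * b mod 2q: the single exponent the proxy holds."""
    return (a_inv * b) % (2 * Q)

def proxy(key_ab, c):
    """Convert ciphertext for A into ciphertext for B by raising only c2 to AB: (g^(ak))^(a^-1 b) = (g^b)^k."""
    c1, c2 = c
    return c1, pow(c2, key_ab, P)

def translucence_check(key_ab, pub_a, pub_b, m=2, k=7):
    """Anyone can confirm a guess that key_ab links A to B: encrypt for A, apply the proxy
    function, and compare with an encryption of the same m under the same k for B."""
    return proxy(key_ab, encrypt(pub_a, m, k)) == encrypt(pub_b, m, k)
```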
Proxy Signature
• Signature will verify with a key other than that of the original signer
Conversion and Proxy Functions for Symmetric Key Ciphers
Or more appropriately … why a symmetric key cipher that is closed under functional composition is useful for applications but undesirable from a security perspective
Motivation
[Figure: two arrangements of the parties A1 … A8, one labelled "Pair-wise establishment or sharing of keys", the other "Gateway converting ciphertext between keys"]
• Each Ai wants to exchange ciphertext with each Aj
• Size of data requires use of a symmetric key cipher
• Collectively, the Ai's do not share a key
Motivation
• Converting from encryption under one key, k1, to encryption under another key, k2
  – For example, VPN gateways
• Is there a way to perform the conversion that
  – Is faster than decrypting with k1 and encrypting with k2?
  – Avoids exposing the plaintext during the conversion?
• A → Gateway → B
  – A: C1 = E_k1(P), sent to the gateway
  – Gateway: C2 = E_k2(D_k1(C1)), sent to B
  – B: P = D_k2(C2)
Notation
• S: a symmetric key cipher
• K: key space of S
• |K|: size of K
• k, ki: elements of K
• E: encryption function of S
• D: decryption function of S
• E_k: encryption using key k
• D_k: decryption using key k
• G_kg: conversion function using key kg
• P: plaintext
• C: ciphertext
Overview
• Conversion function G for symmetric key cipher S
  – G_kg(E_k1(P)) = E_k2(P) for all plaintext P
• Such that
  – kg is dependent on k1 and k2
  – P may or may not be exposed during the conversion
  – G is a secure conversion function if P is not exposed
• G exists: (trivially) use E_k2(D_k1(C))
• Existence of a G requiring less work than E_k2(D_k1(C)) has implications for the security of S
Proxy Cryptography and Symmetric Key Ciphers
• Can a proxy exist for symmetric key ciphers?
  – Trivial construction – "onion routing" [Ivan, Dodis, '03]
  – Subset of secure conversion functions
• Workload
  – Total work across the 3 entities is the same as if the proxy decrypted then encrypted
  – Reallocates work to A
• But … notice that A, B share key material and A has B's entire key
• A → Proxy → B
  – A: C1 = E_k2(E_k1(P)), sent to the proxy
  – Proxy: C2 = D_k2(C1), sent to B
  – B: P = D_k1(C2)
Proxy Cryptography and Symmetric Key Ciphers
• Suppose a proxy function exists for a symmetric key cipher and requires one application of the cipher
• Implies closure under functional composition
• A → Proxy → B
  – A: C1 = E_ka(P), sent to the proxy
  – Proxy: C2 = E_kab(C1), sent to B
  – B: P = D_kb(C2)
Implications of Group Property
• Proof that DES is not a group [Kaliski, et al. '88]
• Recall: a group is closed under functional composition
• For a block cipher, this implies
  – for every k1, k2 there is a k3 such that E_k3(E_k2(P)) = E_k1(P) for all P
  – O(2^(n/2)) time required for a key search vs. O(2^n) for a non-group (n = key length)
Attack Overview [Kaliski, et al.]
• Attack due to the Birthday Paradox
  – Given a known (P, C) pair with C = E_k2(P), find k1, k3 to use in place of k2
  – Divide K into two subsets KA, KB
  – Randomly choose k1 from KA, k3 from KB
  – Check if E_k3(E_k1(P)) = C (i.e. E_k1(P) = D_k3(C))
  – O(2^(n/2)) time
• Cycling attack
  – Given P and C, randomly choose keys from K to form E_kai(… E_ka2(E_ka1(P)) …) = D_kbj(… D_kb2(D_kb1(C)) …)
  – Finds a series of keys to use in place of k2
  – O(2^(n/2 + …)) time for small …
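An added Python example (not from the slides or the Kaliski et al. paper) that makes the closure argument concrete on a constructed toy cipher, 16-bit modular addition, which is trivially a group: composed_key exhibits the k3 that always exists, and birthday_search shows why a cipher evaluator treats closure as a defect, finding a (k1, k3) pair for a known (P, C) in about 2^(n/2) trials instead of 2^n. The cipher and key size are assumptions for illustration only.

```python
import random

N = 16                     # toy key length in bits; K = {0, ..., 2^N - 1}
MASK = (1 << N) - 1

def E(k, p):
    """Toy block cipher, modular addition: closed under composition, E_k3(E_k2(P)) = E_(k2+k3)(P)."""
    return (p + k) & MASK

def D(k, c):
    return (c - k) & MASK

def composed_key(k1, k2):
    """The group property: the k3 with E_k3(E_k1(P)) = E_k2(P) for every P."""
    return (k2 - k1) & MASK

def birthday_search(p, c, rng):
    """Known (P, C) with C = E_k2(P). Draw k1 from KA (low half of K) and k3 from KB (high half)
    until E_k1(P) = D_k3(C), i.e. E_k3(E_k1(P)) = C, so (k1, k3) can be used in place of k2.
    Returns (k1, k3, cipher operations spent); expected about 2^(N/2) rather than 2^N."""
    half = 1 << (N - 1)
    seen = {}                                  # E_k1(P) -> k1
    work = 0
    while True:
        k1 = rng.randrange(half)               # k1 from KA
        seen[E(k1, p)] = k1
        k3 = rng.randrange(half, 1 << N)       # k3 from KB
        mid = D(k3, c)
        work += 2
        if mid in seen:
            return seen[mid], k3, work
```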
Extension to Conversions
• Lemma: For a symmetric key cipher S with key space K and encryption function E, if there exists a function G taking a parameter kg ∈ KG, |KG| = |K| = 2^n, such that for all k1, k2 ∈ K there is a kg for which G_kg(E_k1(P)) = E_k2(P) for all P, then there exists an O(2^(n/2)) known plaintext attack on S.
• To obtain security comparable to an exhaustive key search, the key length of S needs to be doubled
• Assumes the workload of G is O(workload of S)
Constructions – Double Encryption
• Converter cannot obtain P
• Key material
  – Pairwise sharing of partial key material, but no one has another's entire key
  – kab can be used with other parties
• Workload
  – converter is decrypting and encrypting
  – A, B incur two applications of the cipher
• A → Converter → B
  – A: C1 = E_ka(E_kab(P)), sent to the converter
  – Converter: C2 = E_kb(D_ka(C1)), sent to B
  – B: P = D_kab(D_kb(C2))
"Double Encryption" – Alternate View
Assuming a round-based block cipher …
• A encrypts r1 rounds using kab, then r2 rounds using ka
• Converter decrypts r2 rounds using ka, encrypts r2 rounds using kb
• B decrypts r2 rounds using kb, then r1 rounds using kab
• A → Converter → B
  – A: C1 = E_kab,ka(P) (r1 rounds, then r2 rounds)
  – Converter: C2 = E_kb(D_ka(C1)) (r2 rounds each)
  – B: P = D_kb,kab(C2) (r2 rounds, then r1 rounds)
Alternate View continued
• Workload
  – Dependent on the number of rounds
• Security
  – If there are r rounds in the cipher …
  – Require r1 + r2 = r to eliminate the potential of a reduced-round attack at A, B
  – Security of the intermediate result D_ka(C1) at the converter depends on r1, r2
• A → Converter → B
  – A: C1 = E_kab,ka(P) (r1 rounds, then r2 rounds)
  – Converter: C2 = E_kb(D_ka(C1)) (r2 rounds each)
  – B: P = D_kb,kab(C2) (r2 rounds, then r1 rounds)
Constructions – Stream Cipher
• Workload
  – No extra work required of A, B
• Security
  – A, B do not share key material
  – Converter does not expose P, but may have sufficient information to do so depending on how the combined key streams are created
  – KSa, KSb can be computed in parallel
• A → Converter → B
  – A: C1 = KSa ⊕ P, sent to the converter
  – Converter: C2 = KSa ⊕ (KSb ⊕ C1), or (KSa ⊕ KSb) ⊕ C1, sent to B
  – B: P = KSb ⊕ C2
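An added Python example (not from the slides) of the stream-cipher construction above: A encrypts with KSa, the converter applies a single XOR with kg = KSa ⊕ KSb, and B decrypts with KSb; a second converter function shows the caveat that handing over KSa and KSb separately lets the converter see P. Assumptions: keystreams are generated with HMAC-SHA256 in counter mode, since the slides fix no particular stream cipher, and the keys, nonce and message are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (an assumption; the slides name no stream cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, p: bytes) -> bytes:
    """C = KS ⊕ P; decryption is the same operation."""
    return xor(p, keystream(key, nonce, len(p)))

decrypt = encrypt

def conversion_key(ka: bytes, kb: bytes, nonce: bytes, length: int) -> bytes:
    """kg = KSa ⊕ KSb, produced by whoever holds both keys (not the converter);
    KSa and KSb can be computed in parallel."""
    return xor(keystream(ka, nonce, length), keystream(kb, nonce, length))

def convert(kg: bytes, c1: bytes) -> bytes:
    """G_kg(C1) = kg ⊕ C1 = KSb ⊕ P: one XOR re-keys the ciphertext for B, no plaintext appears."""
    return xor(c1, kg)

def convert_from_separate_streams(ksa: bytes, ksb: bytes, c1: bytes):
    """Weaker deployment: the converter is handed KSa and KSb separately. Same output,
    but the intermediate value is P itself, so the converter can expose the plaintext."""
    intermediate = xor(c1, ksa)
    return xor(intermediate, ksb), intermediate
```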
Constructions – Onion Routing
• Workload
  – Total is the same as decrypting then encrypting
  – Moves work from the converter to A
• A, B share a key
• Converter cannot obtain P
• A → Converter → B
  – A: C1 = E_ka(E_kab(P)), sent to the converter
  – Converter: C2 = D_ka(C1), sent to B
  – B: P = D_kab(C2)