introduction to practical cryptography


Upload: hadar

Post on 09-Jan-2016


Page 1: Introduction to Practical Cryptography

1

Introduction to Practical Cryptography

Redaction

Proxy Cryptography

Page 2: Introduction to Practical Cryptography

2

Agenda

• Redaction
• Proxy Cryptography

Page 3: Introduction to Practical Cryptography

3

Redaction

• Process of removing sensitive or confidential information from a document without distorting the meaning of the document.

• Portions of a document may be redactable; others may be non-redactable.

• Should provide indication when something has been redacted; otherwise, meaning of the document can be altered by removing portions of the content.

Page 4: Introduction to Practical Cryptography

4

Redaction

• Removal of information from documents, media …

The project involved people with a budget of

• Image with brand name that must be removed

Page 5: Introduction to Practical Cryptography

5

Redaction Example

• Original content:
  – John Doe testified that Al Smith did not commit the crime.

• After redaction:
  – [REDACTED] testified that Al Smith did not commit the crime.
  – testified that Al Smith did not commit the crime.

• If redaction is not indicated, the meaning can be changed:
  – John Doe testified that Al Smith did commit the crime.

Page 6: Introduction to Practical Cryptography

6

Redaction - Examples

• Government documents
  – classified information is removed prior to public release
• Financial documents
  – mortgage application: different people need subsets of the information - appraiser doesn’t need to see income
• Legal documents
  – some information remains under attorney-client privilege
• Medical Records
  – Different employees access different information
• Corporations
  – different employees have access to subsets of information
• Public records
  – towns in US that place mortgage, property tax information online – remove personal information

Page 7: Introduction to Practical Cryptography

7

Mistakes

• Changing the background color to match the font color - underlying text is still there, can be retrieved by changing the color

• Changes saved automatically by program as part of revision history

• Drawing a black box over the text – box can be removed

Page 8: Introduction to Practical Cryptography

8

Information Leakage

• Length of redacted area
  – The budget for project is .
  – The budget for project is .
  – The first name of the witness is .

• Inferred content
  – Name
  – Address
  – Date
  – Value

• Human error
  – Forget to redact/overlook one or more pieces

Page 9: Introduction to Practical Cryptography

9

Formatting

• Altering length of redacted area to reduce information leakage changes format
  – Alters length of document
  – Re-align paragraphs, page breaks
  – If alter number of pixels in an image, can garble display of rest of image

Page 10: Introduction to Practical Cryptography

10

Authenticating Document

• How to sign a document?
• Hash then encrypt doesn’t work – sign the original then redact invalidates signature
• If document signed after redaction, what indicates information was not altered in the process?

Page 11: Introduction to Practical Cryptography

11

Authenticating a Document

• How to sign a document?
  – “The witness is John Smith”
  – Hash: 07ed235678a3b4de0075
  – Encrypt with RSA: 453872907

• Redact
  – The witness is

• Send redacted document and signature

Page 12: Introduction to Practical Cryptography

12

Authenticating a Document

• Recipient receives
  – The witness is
  – Signature 453872907

• Recipient tries to verify signature
  – Decrypt signature: 07ed235678a3b4de0075
  – Hash received text: 3245cea1eded01821111
  – Doesn’t match decrypted signature

Page 13: Introduction to Practical Cryptography

13

Authenticating a Document

• How to verify that information that was not supposed to be redacted was left intact?

• The problem is not only how to authenticate what remains in the clear, but also how to verify that information that was supposed to remain in the clear was not redacted

Page 14: Introduction to Practical Cryptography

14

Authenticating a Document

• Need to authenticate non-redacted information is unchanged from the original
  – How?
• Need to authenticate that information was not improperly removed
  – How?

Page 15: Introduction to Practical Cryptography

15

Authenticating a Document

• Hash tree – also called Merkle tree

              H
       H01         H23
     H0   H1     H2   H3
     D0   D1     D2   D3

Page 16: Introduction to Practical Cryptography

16

Algorithm

• Uses 4 binary trees
• Roots of two trees are used for the signature
• Retain nodes which allow the roots to be recomputed.
• Nodes retained depends on which subdocuments are redacted and which ones are non-redactable.
• Easiest way to explain is via diagrams …

Page 17: Introduction to Practical Cryptography

17

R and X Trees

R tree (top to bottom):
  seed
  r11
  r21 r22
  r31 r32 r33 r34
  r41 r42 r43 r44 r45 r46 r47 r48

Subdocuments:
  m1 m2 m3 m4 m5 m6 m7 m8

X tree (bottom to top):
  x41 x42 x43 x44 x45 x46 x47 x48
  x31 x32 x33 x34
  x21 x22
  x11 (root)

• x leaves: hash (mi || r4i)
• x’s formed by hashing children
• r’s formed by random bit generation using parent node as seed

Page 18: Introduction to Practical Cryptography

18

S and Y Trees

S tree (top to bottom):
  seed
  s11
  s21 s22
  s31 s32 s33 s34
  s41 s42 s43 s44 s45 s46 s47 s48

Y tree (bottom to top):
  y41 y42 y43 y44 y45 y46 y47 y48
  y31 y32 y33 y34
  y21 y22
  y11 (root)

• y4i = hash (s4i)
• y’s formed by hashing children
• s’s formed by random bit generation using parent node as seed

Page 19: Introduction to Practical Cryptography

19

How Trees are Used

• Sign(x root || y root)
• Original document: include r seed and s seed.
  – Recipient can recompute all xi,yi to verify signature.

• Redact mi: delete path of r nodes to xi, include xi and siblings of deleted r nodes.

• Non-redactable mi: delete path of s nodes to yi, include yi and siblings of deleted s nodes.

• If both children of an x node are included, save parent node instead; likewise for y nodes.

Page 20: Introduction to Practical Cryptography

20

Redacted Subdocument

[Diagram: the R and X trees, with annotations:]
• m2 is redacted
• r42 must be “removed”

Page 21: Introduction to Practical Cryptography

21

Adjacent Redacted Subdocuments

[Diagram: the R and X trees, with annotation:]
• m1 and m2 are redacted

Page 22: Introduction to Practical Cryptography

22

Non-Redactable Subdocument

[Diagram: the S and Y trees, with annotations:]
• m5 is non-redactable
• s45 must be “removed”

Page 23: Introduction to Practical Cryptography

23

Adjacent Non-Redactable Subdocuments

[Diagram: the S and Y trees, with annotation:]
• m5 and m6 are non-redactable
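The redaction half of the scheme (the R and X trees) can be followed in code. The block below is an added example, not code from the slides: it builds the r nodes from a seed, hashes leaves as hash(mi || r4i), releases the r and x nodes the "How Trees are Used" slide lists, and recomputes the root on the recipient's side. Assumptions: SHA-256 and HMAC stand in for the hash and the random bit generator, an HMAC under a demo key stands in for the signature, the S and Y trees for non-redactable subdocuments are left out, and all names and sample data are constructed.

```python
import hashlib, hmac

DEPTH = 3                                   # 2^3 = 8 subdocuments, as on the slides

def H(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

def child(seed, bit):
    # r nodes: pseudorandom bits generated with the parent node as seed
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def x_node(seed, level, idx, msgs):
    """x value of the subtree at (level, idx), recomputed from its r node."""
    if level == DEPTH:
        return H(b"leaf", msgs[idx], seed)  # x leaf = hash(m_i || r_i)
    return H(b"node", x_node(child(seed, 0), level + 1, 2 * idx, msgs),
             x_node(child(seed, 1), level + 1, 2 * idx + 1, msgs))

def sign(key, x_root):
    # Assumption: HMAC stands in for the public-key signature on the root
    return hmac.new(key, x_root, hashlib.sha256).digest()

def redact(seed, msgs, gone, level=0, idx=0, out=None):
    """Nodes released with the redacted document: {(level, idx): (kind, value)}."""
    out = {} if out is None else out
    span = 1 << (DEPTH - level)
    leaves = set(range(idx * span, (idx + 1) * span))
    if not leaves & gone:                   # untouched subtree: its r node stays
        out[(level, idx)] = ("r", seed)
    elif leaves <= gone:                    # fully redacted: one merged x node
        out[(level, idx)] = ("x", x_node(seed, level, idx, msgs))
    else:                                   # r node on a deleted path: drop it
        redact(child(seed, 0), msgs, gone, level + 1, 2 * idx, out)
        redact(child(seed, 1), msgs, gone, level + 1, 2 * idx + 1, out)
    return out

def recompute_root(nodes, msgs, level=0, idx=0):
    if (level, idx) in nodes:
        kind, value = nodes[(level, idx)]
        return value if kind == "x" else x_node(value, level, idx, msgs)
    if level == DEPTH:
        raise ValueError("leaf %d has neither an r node nor an x node" % idx)
    return H(b"node", recompute_root(nodes, msgs, level + 1, 2 * idx),
             recompute_root(nodes, msgs, level + 1, 2 * idx + 1))

def verify(key, sig, nodes, msgs):
    return hmac.compare_digest(sig, sign(key, recompute_root(nodes, msgs)))

# Constructed sample: eight one-word subdocuments, fixed seed and key
MSGS = [w.encode() for w in "The witness is John Smith of Elm Street".split()]
SEED, KEY = b"\x01" * 32, b"demo-signing-key"
SIG = sign(KEY, x_node(SEED, 0, 0, MSGS))

def demo(gone=frozenset({3, 4})):           # redact "John" and "Smith"
    nodes = redact(SEED, MSGS, set(gone))
    public = [None if i in gone else m for i, m in enumerate(MSGS)]
    altered = [b"was" if i == 2 else m for i, m in enumerate(public)]
    return verify(KEY, SIG, nodes, public), verify(KEY, SIG, nodes, altered), sorted(nodes)
```

The signature made over the original still verifies after redaction, fails when a remaining word is changed, and no released r node lies on the path to a redacted leaf.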

Page 24: Introduction to Practical Cryptography

24

Architecture

• Allow different document processing applications (document editors and viewers) to utilize the redaction software through a common API.

• Permit the application to decide what information must be signed and verified
  – e.g. content only, content and some formatting, content and all formatting

• Permit the application to decide what constitutes a subdocument

Page 25: Introduction to Practical Cryptography

25

Issues

• Format converter
  – Difficulty varies per editor/viewer - pdf vs ASCII
  – Opening file of same format in different editors can unintentionally modify the content

• User interface
  – What should be a subdocument?
  – Should white space matter?
  – How to indicate to the user a subdocument has been redacted and a subdocument is non-redactable?
  – If redaction is indicated, length provides hint to the user about the deleted content. However, changing the length can alter the appearance and any white space in the content.

Page 26: Introduction to Practical Cryptography

26

Original Text

"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." Dale Carnegie

Page 27: Introduction to Practical Cryptography

27

Subdocuments

<"Did><you><ever><see><an><unhappy><horse?><Did><you><ever><see><a> <bird><that><has><the><blues?><One><reason><why><birds><and><horses> <are><not><unhappy><is><because><they><are><not><trying><to><impress><other><birds><and><horses.“><Dale> <Carnegie>

Page 28: Introduction to Practical Cryptography

28

Redact Author’s Name

"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]

Page 29: Introduction to Practical Cryptography

29

Make Two Words Non-Redactable

"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]

Page 30: Introduction to Practical Cryptography

30

Alter Content

"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other people and horses." [R] [R]

Page 31: Introduction to Practical Cryptography

31

Examples

http://www.nsa.gov/public/crypt_spectrum.cfm

Page 32: Introduction to Practical Cryptography

32

Proxy Cryptography

Page 33: Introduction to Practical Cryptography

33

Proxy Cryptography

• Convert ciphertext from encryption with one key to encryption with another key:
  – Encrypt with one key, let recipient decrypt with some other key

• Similar notion for signatures: sign with one key, let recipient verify with another key.

Page 34: Introduction to Practical Cryptography

34

Proxy Cryptography

• Proxy converts C1 to C2
  – A, B publish kab
  – ka, kb private keys

A --C1--> Proxy --C2--> B
  – A: C1 = Eka(P)
  – Proxy: C2 = Hkab(C1)
  – B: P = Dkb(C2)

• Allows an intermediate entity (proxy) to convert ciphertext between two keys without exposing the plaintext

Page 35: Introduction to Practical Cryptography

35

Proxy Cryptography

• VPNs

• File servers

• Transform A’s signature into B’s signature

Page 36: Introduction to Practical Cryptography

36

Proxy Cryptography

• Applied to public key ciphers

• El Gamal, RSA [Okamoto, Mambo, ‘97; Blaze, et.al. ‘98]

Page 37: Introduction to Practical Cryptography

37

Blaze, et. al

• similar in structure to ElGamal encryption
• but with the parameters used differently and the inverse of the secret used to recover the message

• the speed of the scheme is comparable to standard ElGamal encryption, although initial key generation requires the additional calculation and storage of a parameter a^-1

Page 38: Introduction to Practical Cryptography

38

Cryptosystem X (encryption)

• Parameters
  – p is a prime of the form 2q + 1 for a prime q
  – g is a generator in Z*_p
  – p and g are public
• A’s private key
  – A's private key: a, 0 < a < p - 1, randomly picked from Z*_2q (a is relatively prime to p-1)
  – A calculates inverse: a^-1 mod 2q.
  – A’s public key: (g^a mod p, g, p)

Page 39: Introduction to Practical Cryptography

39

Cryptosystem X (encryption)

• Encryption
  – Select a unique random k from Z*_2q, k is secret
  – To encrypt message m with A's key, compute and send ciphertext values (c1, c2):
    • c1 = m g^k mod p
    • c2 = (g^a)^k mod p

• Decryption:
  – A (knows a^-1) calculates g^k and recovers m:
    • c2^(a^-1) = g^k (mod p), solve for g^k
    • Compute (g^k)^-1 mod p
    • m = c1 ((c2^(a^-1))^-1) mod p

Page 40: Introduction to Practical Cryptography

40

Example

• Parameters
  – p = 23 = 2x11 + 1
  – g = 5 (generates {5,2,10,4,20,8,17,16,11,9,22,18,21,13,19,3,15,6,7,12,14,1})
  – a = 3
  – a^-1 = 15 (15*3 = 45 = 1 mod 22)
  – g^a mod p = 5^3 mod 23 = 10

• Encrypt m = 2 using k = 7
  – g^k mod 23 = 17
  – c1 = m g^k = 2*5^7 mod 23 = 11
  – c2 = (g^a)^k = 10^7 mod 23 = 14

• Decrypt
  – c2^(a^-1) = 14^15 mod 23 (14^2 mod 23 = 12, 12^7 * 14 mod 23, 12^2 = 6 mod 23)
  – = 6^3*12*14 mod 23 = 17
  – c1 = m*g^k mod 23:
  – 11 = m*17 mod 23
  – 11*17^-1 mod 23 = m (17^-1 mod 23 = 19)
  – 11*19 mod 23 = 2

Page 41: Introduction to Practical Cryptography

41

Proxy Function for X

• c1 ciphertext component produced by Cryptosystem X is independent of the recipient's public key.

• Recipient A's key is embedded only in the c2 exponent
• Proxy function to convert ciphertext for A into ciphertext for B
  – remove A's key a from c2 and replace it with B's key b.
  – similar to the first step of the decryption function, raising c2 to a^-1 to remove a.
  – then contribute a factor of b to the exponent.

• simply raising c2 to a^-1 and then to b would accomplish this
• but does not qualify as a secure proxy function; anyone who examines the proxy key learns the secret keys for both A and B.
• This problem is avoided by combining the two steps into one. Hence, the proxy key AB: (a^-1)b
  – the proxy function is simply c2^AB

Page 42: Introduction to Practical Cryptography

42

Symmetric proxy function for X

• Note that this is a “symmetric” proxy function;
  – A and B must trust one another bilaterally.
  – B can learn A's secret (by multiplying the proxy key by b^-1)
  – A can similarly discover B's key.

• This proxy function is also translucent
  – the proxy key does not directly reveal A or B, but anyone can verify a guess by encrypting a message with A's public key, applying the proxy function, and comparing the result with the encryption of the same message (with the same k) with B's public key.

• Applying the proxy function is more efficient than decryption and re-encryption, in that only one exponentiation is required.
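Cryptosystem X and its proxy function, run on the slides' own parameters (p = 23, g = 5, a = 3, k = 7, m = 2). This is an added example, not code from the slides; B's key b = 5 and all function names are assumptions chosen for illustration. It also shows the two properties named above: B can recover a from the proxy key, and a guessed proxy key can be checked using public keys only.

```python
from math import gcd

P, Q, G = 23, 11, 5            # slide parameters: p = 2q + 1, g generates Z*_p
ORDER = 2 * Q                  # exponents are taken mod 2q = p - 1

def keygen(a):
    if not (0 < a < P - 1 and gcd(a, ORDER) == 1):
        raise ValueError("private key must be invertible mod 2q")
    return {"priv": a, "inv": pow(a, -1, ORDER), "pub": pow(G, a, P)}

def encrypt(pub, m, k):
    # c1 = m * g^k mod p,  c2 = (g^a)^k mod p
    return (m * pow(G, k, P)) % P, pow(pub, k, P)

def decrypt(key, c1, c2):
    gk = pow(c2, key["inv"], P)             # c2^(a^-1) = g^k
    return (c1 * pow(gk, -1, P)) % P        # m = c1 * (g^k)^-1

def proxy_key(key_a, key_b):
    # (a^-1) * b combined into one value, so the proxy sees neither a nor b
    return (key_a["inv"] * key_b["priv"]) % ORDER

def reencrypt(pk_ab, c1, c2):
    return c1, pow(c2, pk_ab, P)            # one exponentiation; c1 is untouched

def b_recovers_a(pk_ab, key_b):
    # Symmetric trust: B multiplies the proxy key by b^-1 to get a^-1, then inverts
    return pow((pk_ab * key_b["inv"]) % ORDER, -1, ORDER)

def guess_checks_out(guess, pub_a, pub_b, m=2, k=7):
    # Translucency: a proxy-key guess is testable from public values alone
    c1, c2 = encrypt(pub_a, m, k)
    return reencrypt(guess, c1, c2) == encrypt(pub_b, m, k)

def demo():
    A, B = keygen(3), keygen(5)             # b = 5 is an assumed value for B
    c1, c2 = encrypt(A["pub"], 2, 7)        # slide example: (11, 14)
    pk = proxy_key(A, B)
    c1b, c2b = reencrypt(pk, c1, c2)
    return (c1, c2), decrypt(A, c1, c2), pk, (c1b, c2b), decrypt(B, c1b, c2b)
```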

Page 43: Introduction to Practical Cryptography

43

Proxy Signature

• Signature will verify with key other than that of the original signer

Page 44: Introduction to Practical Cryptography

44

Conversion and Proxy Functions for Symmetric Key Ciphers

Page 45: Introduction to Practical Cryptography

45

Or more appropriately …

why a symmetric key cipher that is closed under functional composition is useful for applications but undesirable from a security perspective

Page 46: Introduction to Practical Cryptography

46

Motivation

[Diagrams: parties A1 … A8, shown twice]
• Pair-wise establishment or sharing of keys
• Gateway converting ciphertext between keys

• Each Ai wants to exchange ciphertext with each Aj
• Size of data requires use of a symmetric key cipher
• Collectively, the Ai’s do not share a key

Page 47: Introduction to Practical Cryptography

47

Motivation

• Converting from encryption under one key, k1, to encryption under another key, k2:
  – For example, VPN gateways

• Is there a way to perform the conversion that
  – Is faster than decrypting with k1 and encrypting with k2?
  – Avoids exposing the plaintext during the conversion?

A --C1--> Gateway --C2--> B
  – A: C1 = Ek1(P)
  – Gateway: C2 = Ek2(Dk1(C1))
  – B: P = Dk2(C2)

Page 48: Introduction to Practical Cryptography

48

Notation

• S: a symmetric key cipher
• K: key space of S
• |K|: size of K
• k,ki: element of K
• E: encryption function of S
• D: decryption function of S
• Ek: encryption using key k
• Dk: decryption using key k
• Gkg: conversion function using key kg
• P: plaintext
• C: ciphertext

Page 49: Introduction to Practical Cryptography

49

Overview

• Conversion function G for symmetric key cipher S
  – Gkg(Ek1(P)) = Ek2(P) plaintext P

• Such that
  – kg dependent on k1 and k2
  – P may or may not be exposed during the conversion
  – G is a secure conversion function if P is not exposed

• G exists: (trivially) use Ek2(Dk1(C))
• Existence of G requiring less work than Ek2(Dk1(C)) has implications on security of S

Page 50: Introduction to Practical Cryptography

50

Proxy Cryptography and Symmetric Key Ciphers

• Can a proxy exist for symmetric key ciphers?
  – Trivial construction – “onion routing” [Ivan, Dodis, ‘03]
  – Subset of secure conversion functions

• Workload
  – Total work across 3 entities is same as if proxy decrypted then encrypted
  – Reallocates work to A

• But …
  – notice that A, B share key material and A has B’s entire key

A --C1--> Proxy --C2--> B
  – A: C1 = Ek2(Ek1(P))
  – Proxy: C2 = Dk2(C1)
  – B: P = Dk1(C2)

Page 51: Introduction to Practical Cryptography

51

Proxy Cryptography and Symmetric Key Ciphers

• Suppose a proxy function exists for a symmetric key cipher and requires one application of the cipher

• Implies closure under functional composition

A --C1--> Proxy --C2--> B
  – A: C1 = Eka(P)
  – Proxy: C2 = Ekab(C1)
  – B: P = Dkb(C2)

Page 52: Introduction to Practical Cryptography

52

Implications of Group Property

• Proof that DES is not a group [Kaliski, et.al. ‘88]
• Recall - a group is closed under functional composition
• For a block cipher, this implies
  – for every k1,k2, a k3 such that Ek3(Ek2(P)) = Ek1(P) P
  – O(2^(n/2)) time required for a key search vs. O(2^n) for non-group (n = key length)

Page 53: Introduction to Practical Cryptography

53

Attack Overview [Kaliski, et.al.]

• Attack due to Birthday Paradox:
  – Given a known (P,C) pair with C = Ek2(P), finds k1,k3 to use in place of k2
  – Divide K into two subsets KA, KB
  – Randomly choose k1 from KA, k3 from KB
  – Check if Ek3(Ek1(P)) = C (i.e. Ek1(P) = Dk3(C) )
  – O(2^(n/2)) time

• Cycling attack:
  – Given P and C, randomly choose keys from K to form Ekai(… Eka2(Eka1(P))…) = Dkbj(… Dkb2(Dkb1(C)…)
  – Finds a series of keys to use in place of k2
  – O(2^(n/2 +)) time for small

Page 54: Introduction to Practical Cryptography

54

Extension to Conversions

• Lemma: For a symmetric key cipher S with key space K and encryption function E, if there exists a function G taking parameter kg KG, |KG| = |K| = 2^n, and k1,k2 K, a kg for which Gkg(Ek1(P)) = Ek2(P) P then there exists a O(2^(n/2)) known plaintext attack on S.

• To obtain security comparable to an exhaustive key search, need to double key length of S

• Assumes workload of G is O(workload of S)
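Why closure under composition halves the effective key length, shown on a toy cipher. This is an added example, not code from the slides: the cipher (multiplication modulo the prime 65537, n = 16) is an assumption chosen only because it is closed under composition, and the search follows the birthday-paradox steps listed on the attack overview slide with keys drawn at random for each side.

```python
import random

P = 65537          # prime modulus: keys and blocks are 1..65536, so n = 16
KEY_BITS = 16

def E(k, x):
    # Toy cipher (assumption, not from the slides): multiplication mod P.
    # E_k3(E_k1(x)) = E_(k1*k3 mod P)(x), so it is closed under composition.
    return (x * k) % P

def D(k, x):
    return (x * pow(k, -1, P)) % P

def birthday_key_search(p, c, rng, per_side=1 << (KEY_BITS // 2 + 2)):
    """Known-plaintext search for (k1, k3) with E_k3(E_k1(p)) == c.

    Returns (k1, k3, cipher_calls); per_side is a small multiple of 2^(n/2).
    """
    forward = {}
    for _ in range(per_side):                 # k1 values for the "KA" side
        k1 = rng.randrange(1, P)
        forward[E(k1, p)] = k1
    calls = per_side
    while True:                               # k3 values for the "KB" side
        k3 = rng.randrange(1, P)
        calls += 1
        k1 = forward.get(D(k3, c))            # is E_k1(p) == D_k3(c)?
        if k1 is not None:
            return k1, k3, calls

def demo(seed=2016):
    rng = random.Random(seed)                 # fixed seed: repeatable run
    k2 = rng.randrange(1, P)                  # the key the search never sees
    p = 12345                                 # constructed known plaintext
    k1, k3, calls = birthday_key_search(p, E(k2, p), rng)
    other = E(k2, 54321)                      # a second ciphertext under k2
    return D(k1, D(k3, other)) == 54321, calls, P - 1
```

The pair (k1, k3) found from a single known plaintext decrypts other ciphertexts under k2, after far fewer cipher calls than the 65536 keys of an exhaustive search.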

Page 55: Introduction to Practical Cryptography

55

Constructions – Double Encryption

• Converter cannot obtain P
• Key material
  – Pairwise sharing of partial key material, but no one has another’s entire key
  – kab can be used with other parties

• Workload
  – converter is decrypting and encrypting
  – A, B incur two applications of the cipher

A --C1--> Converter --C2--> B
  – A: C1 = Eka(Ekab(P))
  – Converter: C2 = Ekb(Dka(C1))
  – B: P = Dkab(Dkb(C2))

Page 56: Introduction to Practical Cryptography

56

“Double Encryption” - Alternate View

Assuming a round based block cipher …

• A encrypts r1 rounds using kab, r2 rounds using ka
• Converter decrypts r2 rounds using ka, encrypts r2 rounds using kb
• B decrypts r2 rounds using kb, r1 rounds using kab

A --C1--> Converter --C2--> B
  – A: C1 = Ekab,ka(P) (rounds: r1,r2)
  – Converter: C2 = Ekb(Dka(C1)) (rounds: r2, r2)
  – B: P = Dkb,kab(C2) (rounds: r2,r1)

Page 57: Introduction to Practical Cryptography

57

Alternate View continued

• Workload
  – Dependent on number of rounds

• Security
  – If r rounds in cipher …
  – Require r1+r2 = r to eliminate potential of a reduced round attack at A, B
  – Security of intermediate result Dka(C1), at converter depends on r1,r2

A --C1--> Converter --C2--> B
  – A: C1 = Ekab,ka(P) (rounds: r1,r2)
  – Converter: C2 = Ekb(Dka(C1)) (rounds: r2, r2)
  – B: P = Dkb,kab(C2) (rounds: r2,r1)

Page 58: Introduction to Practical Cryptography

58

Constructions – Stream Cipher

• Workload
  – No extra work required of A, B

• Security
  – A, B do not share key material
  – Converter does not expose P, but may have sufficient information to do so depending on how combined key streams are created
  – KSa, KSb can be computed in parallel

A --C1--> Converter --C2--> B
  – A: C1 = KSa (P)
  – Converter: C2 = KSa (KSb (C1)) or (KSa KSb) C1
  – B: P = KSb (C2)

Page 59: Introduction to Practical Cryptography

59

Constructions – Onion Routing

• Workload
  – Total same as decrypting then encrypting
  – Moves work from converter to A

• A, B share a key
• Converter cannot obtain P

A --C1--> Converter --C2--> B
  – A: C1 = Eka(Ekab(P))
  – Converter: C2 = Dka(C1)
  – B: P = Dkab(C2)