Optionally Identifiable Private Handshakes

Yanjiang Yang

RFID Security Seminar 2008


Agenda

• Introduction

• Review of Related Work

• Optionally Identifiable Private Handshakes

• Conclusion


Secret handshakes

• Users are increasingly concerned about individual privacy in cyberspace

– Privacy-preserving techniques are expected to play a key part

– Secret handshakes

• Non-members learn nothing about the handshake between the two users

• A non-member cannot impersonate a member


Unlinkable secret handshakes

• Secret handshakes are linkable

• Unlinkable secret handshakes provide unlinkability

• Traceability is a feature of unlinkable secret handshakes

• Differences between unlinkable secret handshakes and anonymous credentials


Private handshakes

• Traceability may not always be desired

• Hoepman proposed the concept of private handshakes

• No traceability whatsoever in private handshakes


Optionally identifiable private handshakes

• Secret handshakes and private handshakes each have their own applications

• A primitive that optionally sits between them is more flexible

• We proposed the concept of optionally identifiable private handshakes


Nutshell

[Diagram. Labels: private handshakes; optionally identifiable private handshakes; unlinkable secret handshakes; (linkable) secret handshakes. Axis: from "no identifiability" to "identifiability".]


Secret handshakes

• Balfanz et al. first formulated the notion of secret handshakes (S&P’03)

• Castelluccia et al. proposed secret handshake protocols, with security under the computational Diffie-Hellman assumption (Asiacrypt’04)


Secret handshakes - continued

• Jarecki et al. (CT-RSA’07) and Vergnaud et al. (Coding and Cryptography’05) proposed RSA-based secret handshakes


Unlinkable secret handshakes

• Xu et al. proposed k-anonymous secret handshakes (CCS’04)

• Tsudik et al. proposed (full) unlinkable secret handshakes, but all members from the same group are required to share a group secret

• Jarecki et al.’s scheme does not require sharing of a group secret (ACNS’07)

• Ateniese et al. proposed fuzzy unlinkable secret handshakes (NDSS’07)


Private handshakes

• Hoepman proposed private handshakes (Security and Privacy in Ad Hoc and Sensor Networks’07)


Model

• Entities

– a set of users

– a set of groups

– a set of group administrators who create groups and enrol users in groups

– a user may or may not be affiliated to a group

– if a user belongs to a group, then he is a member of that group; otherwise, he is a non-member of that group


Model - continued

• Algorithms

– CreateGroup($1^k$)

– EnrolUser($G$, $u$)

– HandShake($u_1$, $u_2$, $b$)

– RevokeUser(G, u)


Details of algorithms

• Parameters

– $e: G_1 \times G_1 \to G_2$

– $H_0$, $H_1$, $H_2$

– Enc().


Details of algorithms - continued

• CreateGroup($1^k$)

– Group administrator selects $s_G$

• EnrolUser($G$, $u$)

– Group administrator issues $u$ a credential $x_u = s_G H_0(u)$


Details of algorithms - continued

• Handshake($u_1$, $u_2$, $b$)

– $u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

– $u_1$: $R_1 = r_1 H_0(u_1)$

– $u_1 \to u_2$: $R_1, b$

– $u_2$: $R_2 = r_2 H_0(u_2)$, $V_2 = H_1(e(R_1, r_2 x_{u_2}), b)$

– $u_2 \to u_1$: $R_2, V_2$

– Shared pairing value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$


Details of algorithms - continued

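– $u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

– $u_1$ checks: $H_1(e(r_1 x_{u_1}, R_2), b) \stackrel{?}{=} V_2$

– $u_1$: $V_1 = H_1(b, e(r_1 x_{u_1}, R_2))$, $sk_1 = H_2(e(r_1 x_{u_1}, R_2), R_1, R_2)$

– $u_1 \to u_2$: $V_1$

– $u_2$ checks: $H_1(b, e(R_1, r_2 x_{u_2})) \stackrel{?}{=} V_1$

– $u_2$: $sk_2 = H_2(e(r_2 x_{u_2}, R_1), R_1, R_2)$

– Shared pairing value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$

So far, the private handshake is completed!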


Details of algorithms - continued

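– $u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

– $u_1$: $C_1 = \mathrm{Enc}(sk_{u_1}, r_1, u_1)$

– $u_1 \to u_2$: $C_1$

– $u_2$: $(r_1', u_1') = \mathrm{Enc}(sk_{u_2}, C_1)$

– $u_2$ checks: $R_1 \stackrel{?}{=} r_1' H_0(u_1')$

– $u_2$: $C_2 = \mathrm{Enc}(sk_{u_2}, r_2, u_2)$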

sku2 = …C2 …
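
The handshake and the optional identification step above, run end to end as an added Python example (not code from the presentation). It assumes a toy symmetric pairing over small numbers that is not secure, SHA-256 for H0, H1 and H2, and an XOR keystream standing in for Enc(); the function names and the values p, q, g are constructed for illustration, and b is treated as an opaque value hashed into V1 and V2.

```python
import hashlib, json, secrets

# Toy symmetric pairing, constructed for this example and NOT secure:
# G1 = (Z_q, +), G2 = order-q subgroup of Z_p^*, e(x, y) = g^(x*y) mod p,
# so e(a*x, b*y) = e(x, y)^(a*b). Discrete logs in G1 are trivial here.
p, q, g = 2039, 1019, 4          # p = 2q + 1, g has order q

def e(x, y):
    return pow(g, (x * y) % q, p)

def H(tag, *parts):              # H0/H1/H2 as domain-separated SHA-256
    return hashlib.sha256(repr((tag, parts)).encode()).digest()

def H0(u):                       # identity -> nonzero element of G1
    return int.from_bytes(H("H0", u), "big") % (q - 1) + 1

def rand():                      # nonzero scalar in Z_q
    return secrets.randbelow(q - 1) + 1

def enrol_user(s_G, u):          # EnrolUser: credential x_u = s_G * H0(u)
    return (s_G * H0(u)) % q

def enc(sk, data):               # assumed stand-in for Enc(): self-inverse XOR
    stream = hashlib.shake_256(sk).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(u1, x1, u2, x2, b):
    r1, r2 = rand(), rand()
    R1 = (r1 * H0(u1)) % q                    # u1 -> u2: R1, b
    R2 = (r2 * H0(u2)) % q
    k2 = e(R1, (r2 * x2) % q)
    V2 = H("H1", k2, b)                       # u2 -> u1: R2, V2
    k1 = e((r1 * x1) % q, R2)
    if H("H1", k1, b) != V2:                  # u1 checks V2
        return None
    V1 = H("H1", b, k1)                       # u1 -> u2: V1
    if H("H1", b, k2) != V1:                  # u2 checks V1
        return None
    sk1, sk2 = H("H2", k1, R1, R2), H("H2", k2, R1, R2)
    return sk1, sk2, r1, R1

def identify(sk1, sk2, r1, u1, R1):
    C1 = enc(sk1, json.dumps([r1, u1]).encode())   # u1 -> u2: C1
    r, u = json.loads(enc(sk2, C1))                # u2 opens C1 with its key
    return u if R1 == (r * H0(u)) % q else None    # R1 =? r1' H0(u1')
```

Two users enrolled under the same group secret finish with equal session keys; credentials issued under different group secrets fail the V2 check, so the handshake returns None.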


Future Work

• User Revocation


Security

• Impersonation resistance

• Membership detection resistance

• Unlinkability of private handshake

• Unlinkability to eavesdropper


Conclusion

• We proposed the concept of private handshakes with optional identifiability, interpolating between private handshakes and secret handshakes, representing a more flexible primitive

• A concrete scheme was presented, and its security was defined and proved.


Q & A

THANK YOU!