privacy in encrypted content distribution using private broadcast encryption
DESCRIPTION
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption. Adam Barth Dan Boneh Brent Waters. Private Broadcast Encryption. Make data available to select principals Encrypt the data to those principals Often important to hide the set of principals - PowerPoint PPT PresentationTRANSCRIPT
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption
Adam BarthDan BonehBrent Waters
Private Broadcast Encryption
• Make data available to select principals– Encrypt the data to those principals
• Often important to hide the set of principals– BCC recipients in encrypted email– Customer list (hide from competitors)– Promotion committee can read evaluations
• Private broadcast encryption– Recipient privacy against active attackers
Related Work
• Key privacy in public-key setting [BBDP01]– IK-CCA: Ciphertext does not leak public key
• Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
– Cramer-Shoup is IK-CCA (with common prime)– Important building block for recipient privacy
• Previous broadcast encryption systems– Increasing collusion resistance– Reducing ciphertext overhead– We focus on hiding recipient set
Our Results
• Generic construction (standard model)– Achieves CCA recipient privacy– Uses generic IK-CCA public-key system– Decryption time is linear in number of recipients
• Efficient construction (random oracle)– Achieves CCA recipient privacy– Assumes CDH is hard– Decryption in O(1) cryptographic operations
Broadcast Systems in Practice
• Microsoft Outlook– Encrypted email as a broadcast system– Outlook completely reveals BCC recipients
• issuerAndSerialNumber
– BCC recipients’ names can appear in the clear– Could send separate message for email
• Windows Encrypted File System
• Pretty Good Privacy (PGP)– GnuPG as an example implementation
Pretty Good Privacy?
• Message encrypted with symmetric key, K
• K encrypted for each recipient
• To speed decryption, components labeled with KeyIDs– Hash of public key
• User identities completely revealed
{ }K
A:B:C:
{K}pk(A)
{K}pk(B)
{K}pk(C)
Recipient Privacy in PGP
• PGP labels encryptions using a KeyIDC:\gpg>gpg --verbose -d message.txtgpg: armor header: Version: GnuPG v1.2.2 (MingW32)gpg: public key is 3CF61C7Bgpg: public key is 028EAE1C
• KeyIDs easily translated into names and email addresses using a public key server
• GPG includes option to withhold KeyIDs– Vulnerable to passive recipient privacy attack
Security Model
Private Broadcast Encryption
• I Setup()– Generates global parameters I
• (pk, sk) Keygen(I)– Generates public-private key pairs
• C Encrypt(S, M)– Encrypts plaintext M for recipient set S
• M Decrypt(sk, C)– Decrypts ciphertext C with private key sk
CPA Recipient Privacy Defined
Global Parameter
S0 and S1
S0 and S1 subsets of {1, …, n} such that |S0| = |S1|
Adversary Challenger
All public keys
Secret keys for S0 S1
b R {0,1}
M encrypted for Sb as C*
Guess b’Adversary wins if b’ = b
Some schemes vulnerable with large overlap, whereas others are
vulnerable with small overlap
Simple CPA Recipient Privacy
• Remove labels• Use key-private scheme• Reorder components
• O(n) decrypt time• CPA recipient privacy• But, active attack…
– Even with IK-CCA
A:B:C:
{K}pk(A)
{K}pk(B)
{K}pk(C)
B:A:C:
XXX
{ }K
{K}pk(B)
{K}pk(A)
{K}pk(C)
{ }K
Active Attack on Simple Scheme
• Attacker a recipient– Learns K
• Replaces message with something alluring
• Forwards malicious message to Alice
• Waits for response
• Receives response only if Alice was a recipient
{K}pk(B)
{K}pk(A)
{K}pk(C)
CCA Recipient Privacy Defined
Global Parameter
S0 and S1
S0 and S1 subsets of {1, …, n} such that |S0| = |S1|
Adversary Challenger
All public keys
Secret keys for S0 S1
b R {0,1}
M encrypted for Sb as C*
Guess b’Adversary wins if b’ = b
Decrypt query on (u, C)
Decrypt query on (u, C) (C C*)
Constructions
Primitives Used in Constructions
• Strong correctness– Decrypting with wrong key results in
• Strong signatures– Attacker cannot create a new signature– Even on a previously signed message– Example: RSA full-domain hash
• CCA key private (IK-CCA) cryptosystem– Ciphertext does not leak public key
Generic CCA Construction
• Start with CPA scheme• Generate a fresh signing
key pair (vk, sk)• Include verification key,
vk, in each component• Sign the ciphertext
• Thm: CCA recipient private
• O(n) decryption time
{ , K}pk(B)
{ , K}pk(A)
{ , K}pk(C)
{ }K
vkvkvk
Added Primitives for Efficiency
• A group G where CDH is hard– Extend public keys with ga, private keys with a
• Model hash function as a random oracle– Use extraction property to break CDH– Use DH self-corrector [Shoup97]
Ciphertext Component Labels
• Speed decryption with private labels• To make labels for every component:
– Pick a single fresh exponent r– Include gr in the ciphertext– Label component for (pk, ga) with H(gar)
• Each recipient computes own label with gr and a– Attacker can not associate H(gar) with ga
• Still need to tie labels to verification key…– Include gar in ciphertext components
Efficient CCA Construction
• Thm: CCA recipient private (in RO model)• O(1) cryptographic operations for decryption
{vk, , K}pk(B)
{vk, , K}pk(A)
{vk, , K}pk(C)
{M}K
H(gbr):H(gar):H(gcr):
gbr
gar
gcr
, gr
Conclusions
• Many widely-deployed content distribution systems lack recipient privacy– Email and encrypted file systems
• Introduced private broadcast encryption– Recipient privacy against an active attacker– Performance similar to non-private schemes
• Open problem: private broadcast encryption with shorter ciphertext
Questions?
Broadcast Semantics of Email
Mail User Agent(MUA)
Mail Transfer Agent(MTA) Recipient MTA
Recipient MTARecipientRecipient
Recipient
BCC privacy in S/MIME
• S/MIME label is the RecipientInfo field.• Label consists of the issuer and serial
number of the recipient’s certificate• Self-signed certificate:
– Full name and email address in the clear444:d=9 hl=2 l= 3 prim: OBJECT :commonName449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser462:d=7 hl=2 l= 32 cons: SET 464:d=8 hl=2 l= 30 cons: SEQUENCE 466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress477:d=9 hl=2 l= 17 prim: IA5STRING :[email protected]
• VeriSign certificate: identity at verisign.com
BCC Privacy by User Agent
Completely Exposes Partially Reveals Protects Identity
Apple Mail.app 2.622
Outlook 2003
Outlook Express 6
Thunderbird 1.02
Outlook Web Access
EudoraGPG 2.0
GPGshell 3.42
Hushmail KMail 1.8
PGP Desktop 9.0
Turnpike 6.04
S/M
IME
-bas
edP
GP
-bas
ed
Sending Separate Encryptions
• Sending separate encryptions provides BCC privacy• Advantages of separate encryptions
– Can be deployed immediately and unilaterally– Conceals the number (and existence of) BCC recipients
• Disadvantages of separate encryptions– Difficult to implement for MUA plug-ins such as EudoraGPG– Increases MTA workload and network traffic