
Showing papers by "Gene Tsudik published in 2006"


Proceedings ArticleDOI
13 Mar 2006
TL;DR: The proposed protocol (called YA-TRAP) involves minimal interaction between a tag and a reader and places low computational burden on the tag (a single keyed hash) and imposes low computational load on the back-end server.
Abstract: Security and privacy in RFID systems is an important and active research area. A number of challenges arise due to the extremely limited computational, storage and communication abilities of a typical RFID tag. This paper describes a simple technique for inexpensive untraceable identification of RFID tags. The proposed protocol (called YA-TRAP) involves minimal interaction between a tag and a reader and places low computational burden on the tag (a single keyed hash). It also imposes low computational load on the back-end server.

323 citations


Journal ArticleDOI
TL;DR: This work provides mechanisms to ensure data integrity and authenticity for outsourced databases that assure the querier that the query results have not been tampered with and are authentic (with respect to the actual data owner).
Abstract: In the Outsourced Database (ODB) model, entities outsource their data management needs to a third-party service provider. Such a service provider offers mechanisms for its clients to create, store, update, and access (query) their databases. This work provides mechanisms to ensure data integrity and authenticity for outsourced databases. Specifically, this article provides mechanisms that assure the querier that the query results have not been tampered with and are authentic (with respect to the actual data owner). It investigates both the security and efficiency aspects of the problem and constructs several secure and practical schemes that facilitate the integrity and authenticity of query replies while incurring low computational and communication costs.

309 citations


Proceedings ArticleDOI
04 Jul 2006
TL;DR: In this article, the authors investigate the use of audio for human-assisted authentication of previously unassociated devices and develop and evaluate a system called Loud-and-Clear (L&C) which places very little demand on the human user.
Abstract: Secure pairing of electronic devices that lack any previous association is a challenging problem which has been considered in many contexts and in various flavors. In this paper, we investigate the use of audio for human-assisted authentication of previously un-associated devices. We develop and evaluate a system we call Loud-and-Clear (L&C) which places very little demand on the human user. L&C involves the use of a text-to-speech (TTS) engine for vocalizing a robust-sounding and syntactically-correct (English-like) sentence derived from the hash of a device’s public key. By coupling vocalization on one device with the display of the same information on another device, we demonstrate that L&C is suitable for secure device pairing (e.g., key exchange) and similar tasks. We also describe several common use cases, provide some performance data for our prototype implementation and discuss the security properties of L&C.

230 citations
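The mechanism the L&C abstract describes, a sentence derived from the hash of a device's public key that one device vocalizes and the other displays, as an added example. This is not code from the paper; the word lists, the five-slot template, the function names and the two key byte strings are constructed for illustration, and the point it makes beyond the abstract is that the bit budget of the sentence is what bounds an attacker.

```python
import hashlib
from math import log2

# Constructed word lists (an assumption, not the paper's vocabulary). Each list
# has 16 entries, so each slot encodes 4 bits of the key hash.
ADJ = ["red", "blue", "green", "tall", "quiet", "brave", "cold", "warm",
       "sharp", "soft", "dark", "bright", "fast", "slow", "old", "young"]
NOUN = ["fox", "river", "tower", "lantern", "wolf", "garden", "engine", "harbor",
        "forest", "mirror", "anchor", "comet", "piano", "saddle", "bridge", "falcon"]
VERB = ["chases", "guards", "paints", "follows", "visits", "carries", "watches",
        "greets", "finds", "builds", "drinks", "signals", "crosses", "leads",
        "shields", "hunts"]
TEMPLATE = (ADJ, NOUN, VERB, ADJ, NOUN)   # "the ADJ NOUN VERB the ADJ NOUN"


def sentence_from_key(public_key: bytes) -> str:
    """Map the hash of a public key to a fixed-grammar sentence that a TTS engine
    can speak and a screen can display."""
    bits = int.from_bytes(hashlib.sha256(public_key).digest(), "big")
    words = []
    for word_list in TEMPLATE:
        width = len(word_list).bit_length() - 1        # 4 bits for a 16-word list
        words.append(word_list[bits & ((1 << width) - 1)])
        bits >>= width
    adj1, noun1, verb, adj2, noun2 = words
    return f"the {adj1} {noun1} {verb} the {adj2} {noun2}"


def sentence_bits() -> float:
    """How many bits of the key hash the spoken sentence actually carries."""
    return sum(log2(len(word_list)) for word_list in TEMPLATE)


def human_accepts(key_received_by_speaker: bytes, key_owned_by_displayer: bytes) -> bool:
    """Device A vocalizes the sentence for the key it received over the insecure
    channel; device B displays the sentence for its own key. The user accepts the
    pairing only if the two agree."""
    return sentence_from_key(key_received_by_speaker) == sentence_from_key(key_owned_by_displayer)


# Constructed stand-ins for public keys; real keys would be DER blobs or EC points.
KEY_B = b"constructed public key of device B"
KEY_MITM = b"constructed public key of an attacker"
```

With this template the sentence carries 20 bits, so an attacker who controls one side's key can search for a key whose sentence matches the victim's in roughly 2^20 hash evaluations; that number, not the hash length, is the security parameter of a plain comparison scheme like this one, and longer templates or a commitment step are how it is raised.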


Book ChapterDOI
12 Apr 2006
TL;DR: In this paper, the authors extend the state-of-the-art approach to provide both authenticity and completeness guarantees of query replies for various base query types and compare it with Authenticated Data Structures.
Abstract: Database outsourcing is an important emerging trend which involves data owners delegating their data management needs to an external service provider. Since a service provider is almost never fully trusted, security and privacy of outsourced data are important concerns. A core security requirement is the integrity and authenticity of outsourced databases. Whenever someone queries a hosted database, the results must be demonstrably authentic (with respect to the actual data owner) to ensure that the data has not been tampered with. Furthermore, the results must carry a proof of completeness which will allow the querier to verify that the server has not omitted any valid tuples that match the query predicate. Notable prior work ([4,9,15]) focused on various types of Authenticated Data Structures. Another prior approach involved the use of specialized digital signature schemes. In this paper, we extend the state-of-the-art to provide both authenticity and completeness guarantees of query replies. Our work analyzes the new approach for various base query types and compares it with Authenticated Data Structures. We also point out some possible security flaws in the approach suggested in the recent work of [15].

160 citations


Journal Article
TL;DR: This work analyzes the new approach for various base query types and compares it with Authenticated Data Structures and points out some possible security flaws in the approach suggested in the recent work of [15].
Abstract: Database outsourcing is an important emerging trend which involves data owners delegating their data management needs to an external service provider. Since a service provider is almost never fully trusted, security and privacy of outsourced data are important concerns. A core security requirement is the integrity and authenticity of outsourced databases. Whenever someone queries a hosted database, the results must be demonstrably authentic (with respect to the actual data owner) to ensure that the data has not been tampered with. Furthermore, the results must carry a proof of completeness which will allow the querier to verify that the server has not omitted any valid tuples that match the query predicate. Notable prior work ([4][9][15]) focused on various types of Authenticated Data Structures. Another prior approach involved the use of specialized digital signature schemes. In this paper, we extend the state-of-the-art to provide both authenticity and completeness guarantees of query replies. Our work analyzes the new approach for various base query types and compares it with Authenticated Data Structures. We also point out some possible security flaws in the approach suggested in the recent work of [15].

142 citations


Journal ArticleDOI
TL;DR: This paper evaluates the performance of mesh and tree-based multicast routing schemes relative to flooding and recommend protocols most suitable for specific MANET scenarios and proposes two variations of flooding, scoped flooding and hyper flooding, as a means to reduce overhead and increase reliability.
Abstract: Recently, it became apparent that group-oriented services are one of the primary application classes targeted by MANETs. As a result, several MANET-specific multicast routing protocols have been proposed. Although these protocols perform well under specific mobility scenarios, traffic loads, and network conditions, no single protocol has been shown to be optimal in all scenarios. The goal of this paper is to characterize the performance of multicast protocols over a wide range of MANET scenarios. To this end, we evaluate the performance of mesh and tree-based multicast routing schemes relative to flooding and recommend protocols most suitable for specific MANET scenarios. Based on the analysis and simulation results, we also propose two variations of flooding, scoped flooding and hyper flooding, as a means to reduce overhead and increase reliability, respectively. Another contribution of the paper is a simulation-based comparative study of the proposed flooding variations against plain flooding, mesh, and tree-based MANET routing. In our simulations, in addition to "synthetic" scenarios, we also used more realistic MANET settings, such as conferencing and emergency response.

139 citations


Book ChapterDOI
TL;DR: This paper proposes a simple alternative for handling encrypted aggregation queries and describes its implementation, and considers a different flavor of the DAS model which involves mixed databases, where some attributes are encrypted and some are left in the clear.
Abstract: In the Database-As-a-Service (DAS) model, clients store their database contents at servers belonging to potentially untrusted service providers. To maintain data confidentiality, clients need to outsource their data to servers in encrypted form. At the same time, clients must still be able to execute queries over encrypted data. One prominent and fairly effective technique for executing SQL-style range queries over encrypted data involves partitioning (or bucketization) of encrypted attributes. However, executing aggregation-type queries over encrypted data is a notoriously difficult problem. One well-known cryptographic tool often utilized to support encrypted aggregation is homomorphic encryption; it enables arithmetic operations over encrypted data. One technique based on a specific homomorphic encryption function was recently proposed in the context of the DAS model. Unfortunately, as shown in this paper, this technique is insecure against ciphertext-only attacks. We propose a simple alternative for handling encrypted aggregation queries and describe its implementation. We also consider a different flavor of the DAS model which involves mixed databases, where some attributes are encrypted and some are left in the clear. We show how range queries can be executed in this model.

112 citations


Posted Content
TL;DR: In this article, the authors describe a family of simple protocols for inexpensive untraceable identification and authentication of RFID tags, aimed primarily at RFID tags that are capable of performing a small number of inexpensive conventional (as opposed to public key) cryptographic operations.
Abstract: Security and privacy in RFID systems is an important and active research area. A number of challenges arise due to the extremely limited computational, storage and communication abilities of a typical RFID tag. This paper describes a step-by-step construction of a family of simple protocols for inexpensive untraceable identification and authentication of RFID tags. This work is aimed primarily at RFID tags that are capable of performing a small number of inexpensive conventional (as opposed to public key) cryptographic operations. It also represents the first result geared for so-called batch mode of RFID scanning whereby the identification (and/or authentication) of tags is delayed. Proposed protocols involve minimal interaction between a tag and a reader and place very low computational burden on the tag. Notably, they also impose low computational load on back-end servers.

80 citations
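The cost model that the YA-TRAP entry and the RFID protocol-family entry above both describe (one keyed hash on the tag, a table lookup at the back end, and identification deferred to a later batch), as an added example. It is not the paper's protocol: the epoch-based challenge, the T_MAX bound, the 16-byte truncation and the class names are assumptions made here to show why the tag and server loads stay low and why replies across epochs are unlinkable to anyone without the keys.

```python
import hashlib
import hmac
import secrets

# Assumed message format, not taken from the paper: a reader broadcasts an epoch
# value T and a tag answers with a 16-byte truncation of HMAC-SHA256(K_i, T).
T_MAX = 10**6          # assumed upper bound on acceptable epoch values


def keyed_hash(key: bytes, epoch: int) -> bytes:
    return hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


class Tag:
    """Per-tag state is one secret key plus the last epoch it accepted.
    The only cryptographic work per query is a single keyed hash."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_epoch = 0

    def respond(self, epoch: int) -> bytes:
        if not (self.last_epoch < epoch <= T_MAX):
            # Stale or out-of-range challenge: reply with a fresh random value of the
            # same length so the answer stays unlinkable, and leave the state alone.
            return secrets.token_bytes(16)
        self.last_epoch = epoch
        return keyed_hash(self.key, epoch)


class BackEnd:
    """Holds every tag key. For each epoch seen in a batch it computes one keyed
    hash per tag and then identifies responses by dictionary lookup, so the
    per-response cost is a table probe rather than a search over all keys."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)               # tag_id -> key

    def identify_batch(self, batch):
        """batch: (epoch, response) pairs collected by readers, possibly over
        several epochs. Returns the tag id for each response, or None."""
        tables = {}
        result = []
        for epoch, resp in batch:
            if epoch not in tables:
                tables[epoch] = {keyed_hash(k, epoch): tid
                                 for tid, k in self.keys.items()}
            result.append(tables[epoch].get(resp))
        return result


def demo():
    """Constructed scenario: three tags, two reader epochs, one replayed challenge."""
    keys = {f"tag{i}": secrets.token_bytes(16) for i in range(3)}
    tags = {tid: Tag(k) for tid, k in keys.items()}
    back_end = BackEnd(keys)

    batch = [
        (100, tags["tag0"].respond(100)),
        (100, tags["tag1"].respond(100)),
        (250, tags["tag0"].respond(250)),   # same tag, later epoch: unlinkable reply
        (100, tags["tag0"].respond(100)),   # replayed epoch: tag answers with noise
    ]
    return back_end.identify_batch(batch)   # ["tag0", "tag1", "tag0", None]
```

One caveat of this sketch that a deployment has to face: any reader can advance a tag's epoch counter with a large but still valid T, after which the tag answers honest readers in lower epochs with noise; the upper bound T_MAX limits how far that can be pushed, which is the reason the range check exists.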


Proceedings ArticleDOI
21 Mar 2006
TL;DR: In this article, the authors proposed a client-aided RSA (CA-RSA) algorithm for rebalancing RSA-based client/server handshakes, which facilitates more favorable load distribution by requiring clients to perform more work (as part of encryption) and servers to perform commensurately less work.
Abstract: Much of today's distributed computing takes place in a client/server model. Despite advances in fault tolerance, in particular replication and load distribution, server overload remains a major problem. In the Web context, one of the main overload factors is the direct consequence of expensive public key operations performed by servers as part of each SSL handshake. Since most SSL-enabled servers use RSA, the burden of performing many costly decryption operations can be very detrimental to server performance. This paper examines a promising technique for re-balancing RSA-based client/server handshakes. This technique facilitates more favorable load distribution by requiring clients to perform more work (as part of encryption) and servers to perform commensurately less work, thus resulting in better SSL throughput. The proposed techniques are based on careful adaptation of variants of Server-Aided RSA originally constructed by Matsumoto et al. [1]. Experimental results demonstrate that the suggested methods (termed Client-Aided RSA) can speed up processing of RSA private key operations by a factor of between 11 and 19, depending on the RSA key size. This represents a considerable improvement. Furthermore, the proposed techniques can be a useful companion tool for SSL Client Puzzles in defense against DoS and DDoS attacks.

77 citations


Book ChapterDOI
28 Jun 2006
TL;DR: The proposed GCD framework lends itself to many practical instantiations and offers several novel and appealing features such as self-distinction and strong anonymity with reusable credentials, and provides a thorough security analysis and illustrates two concrete framework instantiations.
Abstract: In a society increasingly concerned with the erosion of privacy, privacy-preserving techniques are becoming very important. This motivates research in cryptographic techniques offering built-in privacy. A secret handshake is a protocol whereby participants establish a secure, anonymous and unobservable communication channel only if they are members of the same group. This type of "private" authentication is a valuable tool in the arsenal of privacy-preserving cryptographic techniques. Prior research focused on 2-party secret handshakes with one-time credentials. This paper breaks new ground on two accounts: (1) it shows how to obtain secure and efficient secret handshakes with reusable credentials, and (2) it represents the first treatment of group (or multi-party) secret handshakes, thus providing a natural extension to the secret handshake technology. An interesting new issue encountered in multi-party secret handshakes is the need to ensure that all parties are indeed distinct. (This is a real challenge since the parties cannot expose their identities.) We tackle this and other challenging issues in constructing GCD, a flexible framework for secret handshakes. The proposed GCD framework lends itself to many practical instantiations and offers several novel and appealing features such as self-distinction and strong anonymity with reusable credentials. In addition to describing the motivation and step-by-step construction of the framework, this paper provides a thorough security analysis and illustrates two concrete framework instantiations.

56 citations


Journal Article
TL;DR: In this article, the authors propose formal definitions of multi-party secret handshakes and a practical, provably secure multi-party secret handshake scheme that blends the Schnorr-signature-based 2-party secret handshake protocol of Castelluccia et al. with the group key agreement protocol of Burmester and Desmedt; the scheme achieves very strong privacy properties, but requires a supply of one-time certificates for each group member.
Abstract: In a society increasingly concerned with the steady assault on electronic privacy, the need for privacy-preserving techniques is both natural and justified. This need extends to traditional security tools such as authentication and key distribution protocols. A secret handshake protocol allows members of the same group to authenticate each other secretly, meaning that a non-member cannot determine, even by engaging someone in a protocol, whether that party is a member of the group. Parties who are members of the same group, on the other hand, recognize each other as members and can establish authenticated secret keys with each other. Thus, a secret handshake protocol offers privacy-preserving authentication and can be used whenever group members need to identify and securely communicate with each other without being observed or detected. Most prior work in secret handshake protocols considered 2-party scenarios. In this paper we propose formal definitions of multi-party secret handshakes, and we develop a practical and provably secure multi-party secret handshake scheme by blending the Schnorr-signature based 2-party secret handshake protocol of Castelluccia et al. [5] with the group key agreement protocol of Burmester and Desmedt [4]. The resulting scheme achieves very strong privacy properties and is as efficient as the (non-private) authenticated version of the Burmester-Desmedt protocol [4, 6], but requires a supply of one-time certificates for each group member.

Book ChapterDOI
27 Feb 2006
TL;DR: In this article, the authors construct practical and secure Oblivious Signature-Based Envelope (OSBE) schemes for the ElGamal signature family (Schnorr, Nyberg-Rueppel, ElGamal and DSA), a natural fit for anonymity-oriented and privacy-preserving applications, and show with a prototype implementation that they are more efficient than the previous RSA- and IBE-based constructions.
Abstract: In this paper, we investigate an interesting and practical cryptographic construct – Oblivious Signature-Based Envelopes (OSBEs) – recently introduced in [15]. OSBEs allow a sender to communicate information to a receiver such that the latter's rights (or roles) are unknown to the former. At the same time, a receiver can obtain the information only if it is authorized to access it. This makes OSBEs a natural fit for anonymity-oriented and privacy-preserving applications. Previous results yielded three OSBE constructs: one based on RSA and two based on Identity-Based Encryption (IBE). Our work focuses on the ElGamal signature family: we succeed in constructing practical and secure OSBE schemes for several well-known signature schemes, including: Schnorr, Nyberg-Rueppel, ElGamal and DSA. As illustrated by experiments with a prototype implementation, our schemes are more efficient than previous techniques. Furthermore, we show that some OSBE schemes, despite offering affiliation privacy for the receiver, result in no additional cost over schemes that do not offer this feature.

Book ChapterDOI
06 Jun 2006
TL;DR: This paper proposes formal definitions of multi-party secret handshakes, and develops a practical and provably secure multi- party secret handshake scheme by blending Schnorr-signature based 2-partysecret handshake protocol of Castelluccia et al. with a group key agreement protocol of Burmester and Desmedt.
Abstract: In a society increasingly concerned with the steady assault on electronic privacy, the need for privacy-preserving techniques is both natural and justified. This need extends to traditional security tools such as authentication and key distribution protocols. A secret handshake protocol allows members of the same group to authenticate each other secretly, meaning that a non-member cannot determine, even by engaging someone in a protocol, whether that party is a member of the group. Parties who are members of the same group, on the other hand, recognize each other as members and can establish authenticated secret keys with each other. Thus, a secret handshake protocol offers privacy-preserving authentication and can be used whenever group members need to identify and securely communicate with each other without being observed or detected. Most prior work in secret handshake protocols considered 2-party scenarios. In this paper we propose formal definitions of multi-party secret handshakes, and we develop a practical and provably secure multi-party secret handshake scheme by blending the Schnorr-signature based 2-party secret handshake protocol of Castelluccia et al. [5] with the group key agreement protocol of Burmester and Desmedt [4]. The resulting scheme achieves very strong privacy properties and is as efficient as the (non-private) authenticated version of the Burmester-Desmedt protocol [4, 6], but requires a supply of one-time certificates for each group member.

Journal ArticleDOI
TL;DR: This work shows how to extend a previously known non-robust multisignature scheme based on the discrete logarithm assumption to achieve limited robustness, allowing efficient multisignature generation in the presence of (possibly malicious) node and communication failures, as long as the number of such faults does not exceed a certain threshold.

Book ChapterDOI
28 Jun 2006
TL;DR: This paper identifies and explores the loss of privacy inherent in current revocation checking, and constructs a simple, efficient and flexible privacy-preserving component for one well-known revocation method.
Abstract: Digital certificates signed by trusted certification authorities (CAs) are used for multiple purposes, most commonly for secure binding of public keys to names and other attributes of their owners. Although a certificate usually includes an expiration time, it is not uncommon that a certificate needs to be revoked prematurely. For this reason, whenever a client (user or program) needs to assert the validity of another party's certificate, it performs revocation checking. There are many revocation techniques varying in both the operational model and underlying data structures. One common feature is that a client typically contacts an on-line third party (trusted, untrusted or semi-trusted), identifies the certificate of interest and obtains some form of a proof of either revocation or validity (non-revocation) for the certificate in question. While useful, revocation checking can leak potentially sensitive information. In particular, third parties of dubious trustworthiness discover two things: (1) the identity of the party posing the query, as well as (2) the target of the query. The former can be easily remedied with techniques such as onion routing or anonymous web browsing. Hiding the target of the query, on the other hand, is not as obvious. Arguably, a more important loss of privacy results from the third party's ability to tie the source of the revocation check with the query's target (since, most likely, the two are about to communicate). This paper is concerned with the problem of privacy in revocation checking and its contribution is two-fold: it identifies and explores the loss of privacy inherent in current revocation checking, and it constructs a simple, efficient and flexible privacy-preserving component for one well-known revocation method.

01 Jan 2006
TL;DR: A technical design is presented that aims to achieve this definition of net neutrality and prevents an ISP from deterministically harming an application, a competing service, or singling out an individual innovator for extortion.
Abstract: A recent statement by ATT but they are eligible to offer differentiated services to their customers. We present a technical design that aims to achieve this definition of net neutrality. Our design prevents an ISP from deterministically harming an application, a competing service, or singling out an individual innovator for extortion.

Journal Article
TL;DR: In this article, the authors identify and explore the loss of privacy inherent in current revocation checking, and construct a simple, efficient and flexible privacy-preserving component for one well-known revocation method.
Abstract: Digital certificates signed by trusted certification authorities (CAs) are used for multiple purposes, most commonly for secure binding of public keys to names and other attributes of their owners. Although a certificate usually includes an expiration time, it is not uncommon that a certificate needs to be revoked prematurely. For this reason, whenever a client (user or program) needs to assert the validity of another party's certificate, it performs revocation checking. There are many revocation techniques varying in both the operational model and underlying data structures. One common feature is that a client typically contacts an on-line third party (trusted, untrusted or semi-trusted), identifies the certificate of interest and obtains some form of a proof of either revocation or validity (non-revocation) for the certificate in question. While useful, revocation checking can leak potentially sensitive information. In particular, third parties of dubious trustworthiness discover two things: (1) the identity of the party posing the query, as well as (2) the target of the query. The former can be easily remedied with techniques such as onion routing or anonymous web browsing. Hiding the target of the query, on the other hand, is not as obvious. Arguably, a more important loss of privacy results from the third party's ability to tie the source of the revocation check with the query's target (since, most likely, the two are about to communicate). This paper is concerned with the problem of privacy in revocation checking and its contribution is two-fold: it identifies and explores the loss of privacy inherent in current revocation checking, and it constructs a simple, efficient and flexible privacy-preserving component for one well-known revocation method.


Posted Content
TL;DR: This note shows that the framing "attack" of Cao [3] against the ACJT group signature scheme [1] is invalid: it assumes that the group manager (GM) knows the value t = log_{a0} a, an assumption that does not hold in the verifiable setting considered in [1], where the parameters a and a0 are verifiably random to GM.
Abstract: In [3], a putative framing "attack" against the ACJT group signature scheme [1] is presented. This note shows that the attack framework considered in [3] is invalid. As we clearly illustrate, there is no security weakness in the ACJT group signature scheme as long as all the detailed specifications in [1] are being followed.

Group signature schemes allow a group member to sign messages anonymously on behalf of the group. In case of a dispute, the group manager (GM) can recover the identity of the actual signer. In [1], Ateniese, Camenisch, Joye, and Tsudik introduced a provably secure group signature scheme, the so-called ACJT scheme. In an upcoming paper [3], Cao presents an alleged framing attack against the ACJT scheme. This attack is based on the assumption that GM knows the value $t = \log_{a_0} a$. This assumption is clearly invalid in the verifiable setting considered in [1], since the parameters $a$ and $a_0$ are verifiably random to GM. Although a verifiable setting involves no trusted party, evidence that the parameters are well-formed must be provided. For random parameters this means that they are generated as the outputs of practical pseudo-random functions (PRFs) or pseudo-random permutations (PRPs), such as those based on SHA or AES. This is needed in order to generate an unpredictable output sequence. The SETUP phase in [1] is assumed to be verifiable. We quote directly from [1]: "... We note that, in practice, components of Y must be verifiable to prevent framing attacks ..." (where Y is the group signature public key). The above is general enough to completely invalidate the assumption underlying the alleged framing attack in [3]. However, we admit that the original paper [1] does not describe exactly how GM selects the values $a$ and $a_0$ (e.g., as $h(S)$ and $h(S_0)$, respectively, for a standard hash function $h(\cdot)$ and public strings $S$ and $S_0$). Refer to the IEEE P1363 and ANSI X9.62 standards for prominent examples of methods used to generate verifiably random parameters. We further note that a verifiable or trusted SETUP phase is a common assumption among many group signature schemes in the literature. For instance, the work of Kiayias and Yung [4] (which provides a full proof of a variant of the ACJT scheme in a complete security model) assumes the SETUP phase to be a trusted operation.

However, we stress that the ACJT scheme is secure as long as $t = \log_{a_0} a$ is unknown. As the proof that GM cannot frame users was rather condensed in [1], we expand it here. Indeed, it is not hard to see that an ACJT group signature amounts to a proof of knowledge of values $u$ and $v$ such that
$$(T_1 / T_2^{x})^{u} \equiv a^{v} a_0 \pmod n,$$
where $x = \log_g y$ (one of GM's secret keys). Now, we note that, if $T_1 / T_2^{x} \equiv A_i \pmod n$ for some user $U_i$, it follows that
$$A_i^{u} \equiv a^{v} a_0 \pmod n.$$
In other words, the party who generated a group signature must know values $u$ and $v$ such that this equation holds. A group member $U_i$ is able to do so using $u = e_i$ and $v = x_i$ as witnesses. GM might be able to do so as well, provided that it knows $t = \log_{a_0} a$ (and can thus frame any user $U_i$), by setting $u = k\,p'q'$ for some $k$ such that $u$ lies in the required range (and thus $u \equiv 0 \pmod{p'q'}$), and $v = -1/t \bmod p'q'$ (cf. Cao [3]).

We now show that, if GM does not know $\log_{a_0} a$, it is unable to frame a user $U_i$, i.e., to compute a group signature with $T_1 / T_2^{x} \equiv A_i \pmod n$. For the sake of the argument, let us assume that the factorization of $n = pq = (2p'+1)(2q'+1)$ is known. We argue that, if GM can produce a group signature with $T_1 / T_2^{x} \equiv A_i \pmod n$, then it can compute either $\log_{a_0} a$ or a representation of $C_2$ w.r.t. the random bases $a$ and $a_0$, where $C_2 = a^{x_i} \bmod n$ is computed during the JOIN protocol by the user corresponding to $U_i$. From the JOIN protocol in [1], we know that $A_i^{e_i} \equiv C_2 a_0 \pmod n$ holds. Therefore, we conclude that $u$ and $v$ must satisfy
$$C_2^{u} \equiv (A_i^{u})^{e_i} a_0^{-u} \equiv a^{v e_i} a_0^{\,e_i - u} \pmod n.$$

First, we assume that $u \equiv 0 \pmod{p'q'}$. Then we have $1 \equiv (a^{v} a_0)^{e_i} \pmod n$. Now, provided that $\gcd(e_i, p'q') = 1$ (otherwise GM would leak the factorization of $n$ in the JOIN protocol, and this can be verified by $U_i$), we can conclude that computing a $v$ satisfying $a^{v} a_0 \equiv 1 \pmod n$ (i.e., $v = -1/t \bmod p'q'$; note that $\gcd(t, p'q') = 1$ since $a$ is of order $p'q'$) is infeasible under the discrete logarithm assumption. Thus, we get a contradiction and can rule out that $u \equiv 0 \pmod{p'q'}$. W.l.o.g., we now assume that $u \not\equiv 0 \pmod{p'}$. In this case, since we assume that $p'$ is known, $e_i / u \bmod p'$ can be computed and thus
$$C_2 \equiv a^{v e_i / u}\, a_0^{(e_i - u)/u} \pmod p,$$
i.e., a representation of $C_2$ w.r.t. the random bases $a_0$ and $a$ in a group of (known) prime order $p'$, which is infeasible under the discrete logarithm assumption [2] since $C_2$ was chosen randomly by $U_i$. In all cases, we have a contradiction.

In conclusion, provided that the discrete logarithm problem is hard and that $\log_{a_0} a$ is unknown, the ACJT group signature scheme is provably secure against framing by GM. We point out, once again, that $\log_{a_0} a$ is unknown in the verifiable setting, as in [1], where GM provides evidence that $a$ and $a_0$ are indeed random. It is similarly unknown in a trusted setting, as in [4], where the generation of $a$, $a_0$ is trusted.

Acknowledgments. We are grateful to Aggelos Kiayias and Moti Yung for their insightful comments and suggestions. We thank Zhengjun Cao for providing us with a copy of [3] upon our request.
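The algebra of the note worked through in code: the relation an ACJT signature proves knowledge of, the honest member's witness (u, v) = (e_i, x_i) from JOIN, and Cao's witness u = k p'q', v = -1/t mod p'q', which satisfies the relation for every member's A_i but only for a GM that knows t. This is an added example, not code from the note or from the ACJT paper; the modulus is a toy (23 * 47), the dishonest SETUP that hands GM the trapdoor t is constructed to make the point, and the function names are assumptions.

```python
from dataclasses import dataclass
from math import gcd
import random

# Toy parameters only: p' = 11 and q' = 23 are Sophie Germain primes, so
# n = (2p'+1)(2q'+1) = 23 * 47 = 1081 and QR(n) has order p'q' = 253.
# Real ACJT moduli are 1024+ bits; these sizes just let the algebra be checked.
P1, Q1 = 11, 23
N = (2 * P1 + 1) * (2 * Q1 + 1)
ORDER = P1 * Q1


@dataclass(frozen=True)
class PublicParams:
    n: int
    a0: int   # base a_0, a random element of QR(n) of order p'q'
    a: int    # base a; in a verifiable SETUP GM cannot know log_{a0} a


def _random_qr_of_full_order(rng):
    """A quadratic residue whose order is exactly p'q' (not 1, p' or q')."""
    while True:
        x = pow(rng.randrange(2, N), 2, N)
        if gcd(x, N) == 1 and x != 1 and pow(x, P1, N) != 1 and pow(x, Q1, N) != 1:
            return x


def dishonest_setup(seed=7):
    """Constructed SETUP in which GM picks a = a_0^t itself and so knows the
    trapdoor t. Returns (public parameters, t)."""
    rng = random.Random(seed)
    a0 = _random_qr_of_full_order(rng)
    while True:
        t = rng.randrange(2, ORDER)
        if gcd(t, ORDER) == 1:          # gcd(t, p'q') = 1, as in the note
            return PublicParams(N, a0, pow(a0, t, N)), t


def relation_holds(pp, A, u, v):
    """The relation an ACJT signature proves knowledge of, with A = T1 / T2^x
    the opened certificate: A^u = a^v * a_0 (mod n)."""
    return pow(A, u, pp.n) == pow(pp.a, v, pp.n) * pp.a0 % pp.n


def honest_join(pp, x_i, e_i):
    """JOIN as sketched in the note: C_2 = a^{x_i}, A_i = (C_2 a_0)^{1/e_i} mod n.
    The member's witness for relation_holds is (u, v) = (e_i, x_i)."""
    if gcd(e_i, ORDER) != 1:
        raise ValueError("e_i must be coprime to p'q'")
    c2 = pow(pp.a, x_i, pp.n)
    A_i = pow(c2 * pp.a0 % pp.n, pow(e_i, -1, ORDER), pp.n)
    assert pow(A_i, e_i, pp.n) == c2 * pp.a0 % pp.n
    return A_i


def gm_framing_witness(t, k=1):
    """Cao's witness, which requires t: u = k p'q' makes A^u = 1 for every A in
    QR(n), and v = -1/t mod p'q' makes a^v a_0 = a_0^{-1} a_0 = 1. The pair thus
    satisfies the relation for any A_i, i.e. GM could frame any member.
    (ACJT's range restriction on u is ignored in this toy.)"""
    return k * ORDER, (-pow(t, -1, ORDER)) % ORDER


def demo():
    pp, t = dishonest_setup()
    A_1 = honest_join(pp, x_i=17, e_i=101)
    A_2 = honest_join(pp, x_i=29, e_i=107)
    fu, fv = gm_framing_witness(t)
    return (relation_holds(pp, A_1, 101, 17),   # member's own witness
            relation_holds(pp, A_1, fu, fv),    # GM frames U_1 using t
            relation_holds(pp, A_2, fu, fv))    # ... and U_2 with the same (u, v)
```

The second and third results are exactly what the note's argument rules out when t is unknown: without t there is no way to pick v with a^v a_0 = 1, and the other branch of the proof hands GM a representation of the member's random C_2 instead.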

Posted Content
TL;DR: The proposed sovereign join technique is actually insecure as it fails to prevent an attacker from learning the query results, and some measures are suggested to remedy the security problems.
Abstract: The goal of a sovereign join operation is to compute a query across independent database relations such that nothing beyond the join results is revealed. Each relation involved in a sovereign join is owned by a distinct entity and the party posing the query is distinct from the relation owners; it is not permitted to access the original relations. One notable recent research result proposed a secure technique for executing sovereign joins. It entails data owners sending their relations to an independent database service provider which executes a sovereign join with the aid of a tamper-resistant secure coprocessor. This achieves the goal of preventing information leakage during query execution. However, as we show in this paper, the proposed technique is actually insecure as it fails to prevent an attacker from learning the query results. We also suggest some measures to remedy the security problems.


01 Jan 2006
TL;DR: This thesis presents a novel provably secure cryptographic protocol for establishing security between devices connected with a low-bandwidth authenticated channel, and presents a practical key-recovery attack on a recently proposed distributed RSA signature scheme.
Abstract: Many security services, such as authentication and key management, rely on trusted third parties (TTPs) which provide a common root of trust, thereby enabling secure communication among all users. However, in many applications it is impractical to assume universally trusted TTPs. A broad class of such applications involves ad hoe groups, which include peer-to-peer systems (P2P), and mobile ad hoc networks (MANETs). Another class of applications which can benefit from avoidance of a single centrally trusted TTP are critical online services, such as certification, revocation and time-stamping. Centralized operation of such security services is undesirable because it leads to a single point of failure. The security needs of both ad hoc groups and the critical online services motivate research on decentralized security services. This thesis investigates three decentralized security services: (1) Establishment of secure communication between two human-operated devices, without relying upon a TTP, (2) Distributed digital signature schemes that enable any set of t + 1 group members to sign messages on behalf of the group, even in the presence of at most t faulty members, and (3) Secure membership management and secure communication in ad hoc groups. The main research contributions of this thesis can be summarized as follows: We show how to establish secure communication two devices over a short-range wireless communication channel, using messages that are visually authenticated by the users of these devices. We also present a novel provably secure cryptographic protocol for establishing security between devices connected with a low-bandwidth (e.g. 20-bits) authenticated channel, e.g., the visually authenticated channel in the above application. Next, we focus upon distributed RSA signature schemes. We present a practical key-recover attack on a recently proposed distributed (proactive) RSA signature scheme [LL00]. 
Finally, we turn our attention to secure membership management and secure communication in ad hoc groups. Firstly, we propose an efficient protocol to securely extend an ad hoc group in a distributed manner. Compared to prior proposals [KZL+01, KLX+02, LZK+02, NTY03], our protocol has minimal communication requirements, namely a single round of asynchronous communication. Secondly, we present a scheme to speed up secure communication in ad hoc groups. (Abstract shortened by UMI.)
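To make concrete what a "low-bandwidth (e.g., 20-bit) authenticated channel" is used for, here is an added illustration, not the thesis's protocol (whose details are not on this page) and not code from its author: a generic commitment-based short-authenticated-string (SAS) pairing. Two devices run Diffie-Hellman over an insecure channel, and the only thing the users must compare over the authenticated (e.g., visual) channel is a 20-bit value. The group parameters are assumed to be the 1024-bit MODP prime of RFC 2409 group 2 (a public constant; the SAS logic does not depend on it, and a deployment would use a current group), the insecure channel is simulated in-process, and the `mitm` flag models an active attacker who substitutes its own contributions on both sides.

```python
"""Illustrative commitment-based SAS pairing over a 20-bit authenticated
channel.  Added example; not the protocol from the thesis."""
import hashlib
import secrets

SAS_BITS = 20  # capacity of the low-bandwidth authenticated channel

# Assumed public constant: 1024-bit MODP prime (RFC 2409, group 2), generator 2.
# Chosen only to keep the demo self-contained; the SAS logic is group-agnostic.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def commit(pub: int, nonce: bytes) -> bytes:
    """Hash commitment to a DH value and a 128-bit nonce."""
    return h(b"commit", i2b(pub), nonce)


def verify_opening(commitment: bytes, pub: int, nonce: bytes) -> bool:
    return secrets.compare_digest(commitment, commit(pub, nonce))


def short_auth_string(pub_init: int, pub_resp: int, n_init: bytes, n_resp: bytes) -> int:
    """The SAS_BITS-bit value the two users compare over the authenticated channel."""
    d = h(b"sas", i2b(pub_init), i2b(pub_resp), n_init, n_resp)
    return int.from_bytes(d[:4], "big") >> (32 - SAS_BITS)


class Device:
    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)

    def session_key(self, peer_pub: int) -> bytes:
        return h(b"key", i2b(pow(peer_pub, self.priv, P)))


def run_exchange(mitm: bool = False) -> dict:
    """Run the pairing between A (initiator) and B over an insecure channel.
    With mitm=True an attacker relays the exchange with two personas of its own."""
    a, b = Device(), Device()
    attacker = (Device(), Device()) if mitm else None  # persona toward A, toward B

    # Msg 1 (insecure): A -> B, commitment to A's DH value and nonce.
    msg1 = commit(a.pub, a.nonce)
    if mitm:  # attacker must commit to its own contribution before seeing B's
        msg1 = commit(attacker[1].pub, attacker[1].nonce)

    # Msg 2 (insecure): B -> A, B's DH value and nonce, sent only after msg1.
    msg2 = (b.pub, b.nonce)
    if mitm:  # attacker substitutes its persona toward A; it still does not know a.nonce
        msg2 = (attacker[0].pub, attacker[0].nonce)

    # Msg 3 (insecure): A -> B, opening of the commitment; B rejects a mismatch.
    msg3 = (a.pub, a.nonce)
    if mitm:
        msg3 = (attacker[1].pub, attacker[1].nonce)
    if not verify_opening(msg1, *msg3):
        return {"opening_ok": False, "sas_match": False, "keys_match": False}

    # Each side derives the SAS from what it actually saw on the wire.
    sas_a = short_auth_string(a.pub, msg2[0], a.nonce, msg2[1])
    sas_b = short_auth_string(msg3[0], b.pub, msg3[1], b.nonce)
    # Authenticated channel (e.g. users compare the values on both screens):
    # a substituted contribution survives only if the 20-bit values collide.
    return {
        "opening_ok": True,
        "sas_match": sas_a == sas_b,
        "keys_match": a.session_key(msg2[0]) == b.session_key(msg3[0]),
    }


if __name__ == "__main__":
    print("honest:", run_exchange())
    print("mitm:  ", run_exchange(mitm=True))
```

The commitment is what makes 20 bits enough: the attacker has to fix its contribution toward B before learning B's nonce, and its contribution toward A before learning A's nonce, so it cannot steer the SAS and is left with roughly a 2^-20 chance per attempt. Without the commitment, an attacker who sees one side's values first could search for a substitute that makes the two short strings agree.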

Posted Content
TL;DR: In this article, the authors consider the problem of privacy in revocation checking and their contribution is twofold: they identify and explore the loss of privacy inherent in current revocation checking, and, they construct a simple, efficient and flexible privacy-preserving component for one well-known revocation method.
Abstract: Digital certificates signed by trusted certification authorities (CAs) are used for multiple purposes, most commonly for secure binding of public keys to names and other attributes of their owners. Although a certificate usually includes an expiration time, it is not uncommon that a certificate needs to be revoked prematurely. For this reason, whenever a client (user or program) needs to assert the validity of another party's certificate, it performs revocation checking. There are many revocation techniques, varying in both the operational model and the underlying data structures. One common feature is that a client typically contacts an on-line third party (trusted, untrusted or semi-trusted), identifies the certificate of interest and obtains some form of proof of either revocation or validity (non-revocation) for the certificate in question. While useful, revocation checking can leak potentially sensitive information. In particular, third parties of dubious trustworthiness discover two things: (1) the identity of the party posing the query, and (2) the target of the query. The former can be easily remedied with techniques such as onion routing or anonymous web browsing; hiding the target of the query, however, is not as obvious. Arguably, a more important loss of privacy results from the third party's ability to tie the source of the revocation check to the query's target (since, most likely, the two are about to communicate). This paper is concerned with the problem of privacy in revocation checking and its contribution is two-fold: it identifies and explores the loss of privacy inherent in current revocation checking, and it constructs a simple, efficient and flexible privacy-preserving component for one well-known revocation method.

Journal Article
TL;DR: The prior definition of AH-AGKA is strengthened so that the security and privacy properties are maintained under any composition of protocol instances, and two novel AH-AGKA protocols are constructed that are secure in this new and stronger model under the RSA and Gap Diffie-Hellman assumptions, respectively.
Abstract: Privacy concerns in many aspects of electronic communication trigger the need to re-examine - with privacy in mind - familiar security services, such as authentication and key agreement. An Affiliation-Hiding Group Key Agreement (AH-AGKA) protocol (also known as Group Secret Handshake) allows a set of participants, each with a certificate issued by the same authority, to establish a common authenticated secret key. In contrast to standard AGKA protocols, an AH-AGKA protocol has the following privacy feature: If Alice, who is a member of a group G, participates in an AH-AGKA protocol, none of the other protocol participants learn whether Alice is a member of G, unless these participants are themselves members of group G. Such protocols are useful in suspicious settings where a set of members of a (perhaps secret) group need to authenticate each other and agree on a common secret key, without revealing their affiliations to outsiders. In this paper we strengthen the prior definition of AH-AGKA so that the security and privacy properties are maintained under any composition of protocol instances. We also construct two novel AH-AGKA protocols secure in this new and stronger model under the RSA and Gap Diffie-Hellman assumptions, respectively. Each protocol involves only two communication rounds and few exponentiations per player (e.g., no bilinear map operations). Interestingly, these costs are essentially the same as those of the underlying (unauthenticated) group key agreement protocol. Finally, our protocols, unlike prior results, retain their security and privacy properties without the use of one-time certificates.