Certified Pseudonym Colligated with Master Secret Key

Vijay Pasupathinathan, Macquarie University, Sydney.
joint work with
Josef Pieprzyk, Macquarie University, Sydney.
and Huaxiong Wang, NTU, Singapore.
Outline
๏ Introduction
  ๏ Why a new system?
  ๏ Contribution
๏ How to achieve?
  ๏ Anonymous Certification systems
๏ Proposed Protocol
  ๏ Assumptions
  ๏ Protocol settings
  ๏ Security
๏ Applications, Advantages and open problem
What is a Pseudonym?

A mechanism to hide a user's identity by providing anonymity, while being still suitable to authenticate the holder of the pseudonym in a communication system. (Chaum, 1985).
How are they achieved?
๏ Chaum and Evertse (1986) developed a pseudonym
system and proposed an RSA based implementation
while relying on a trusted centre who must sign all
credentials.
๏ Chen (1995) extended the scheme and presented its
discrete-logarithm version that relies on a trusted centre.

๏ However, these schemes have a common
weakness. Although the identity of the user is
hidden, the credentials (such as certificates of
his/her public key) or pseudonyms can be
easily shared (unauthorised transfer) with other
users.
How are they achieved? part 2
๏ Based on the security of preserving a high-value (master) secret key,
Canetti et al. (2000) and Lysyanskaya et al. (1999)
independently proposed non-transferable pseudonym systems.
๏ Security is also based on the idea that "to force a user to reveal
the master secret key if they choose to share their credentials".
๏ The problem is that during the registration phase, users are required
to disclose their true identity (master public key) to a CA.
๏ This makes them prone to collusion between a CA and a Verifier.
What do we want!
๏ Pseudonym system based on a single trusted master
secret-public key pair.
๏ Pseudonyms should be independent of the master
public key. (Anonymity)
๏ Ability to generate multiple pseudonyms easily from a
single trusted secret-key. (Colligation)
๏ Verifiable using certificates that were issued against
pseudonyms.
Desired System (diagram): the User holds a trusted master key pair SK0/PK0. From SK0 the user derives the pseudonym public keys PK1, PK2, ..., PKi, ..., PKn (Pseudonym 1 ... Pseudonym n). The Certifier issues Cert<PK1>, Cert<PK2>, ..., Cert<PKn> against the pseudonyms.
Desired System (diagram, continued): the User, holding the trusted SK0/PK0 and the certified pseudonym PK1 with Cert<PK1>, signs a message as SK0{M}. The Verifier, given Cert<PK1>, verifies the message using PK1 (the open question "?" in the figure: PK1 must validate what SK0 produced).

Think as group signatures looking through a mirror!
Proposed Protocol
๏ Make use of an ACS (to certify pseudonyms)
๏ Make use of squaring (to provide colligation)
๏ There exists an underlying link between all pseudonyms
and the root secret key.
Anonymous Certification System
๏ Anonymous certification system (ACS) represents the
certification process of a public key by a certifier who
does not know the public key.
๏ This could essentially be a blind signature on the public
key of the user.
๏ That is, it provides anonymity to the receiver.
๏ Whereas, group signature schemes as employed by
provide anonymity to the source.
Anonymous Certification System
๏ Consists of four (4) entities: a user, verifier, certifier and a
trustee (tracer).
๏ The protocol suites include:
๏ a certification protocol, where a user interacts with the certifier to
obtain a certified pseudonym, i.e., the pseudonym is blindly
signed.
๏ An identification protocol, where the verifier interacts with the user to
authenticate the user's credential and provide services.
๏ A trace protocol, where the trustee participates and is invoked to
trace the real identity associated with the user's pseudonym.
Security Assumptions
๏ Factoring: The probability that any probabilistic
polynomial time algorithm can factor a composite
formed from two primes is negligible.
๏ Square Root: the probability that a probabilistic
polynomial time algorithm can output b such that b^2 ≡ a
(mod N), where a ∈ QR_N, is negligible.
๏ Square Decisional Diffie-Hellman (SDDH): Distinguish between
distributions of the form (g, g^a, g^{a^2}) and (g, g^a, g^r),
where r is random and uniformly chosen. We assume
that there is no probabilistic polynomial-time algorithm
that can solve a random instance of the SDDH problem.
The U master public-secret key-pair is generated as in Section 2.1.1. U then obtains a certificate on the master public key PK_U0 from a certification authority C, which represents the U's true identity. The public key of the certification authority is PK_C = g^{SK_C} and the trustee is PK_T = g^{SK_T}, where SK_C and SK_T are the corresponding secret keys for the certification authority and the trustee respectively.

Identity Generation (Section 3.2)
๏ U generates new identities using the following key generation process, which takes the inputs:
  ๏ N_j, g,
  ๏ a counter value i (indicating the total number of new identities being generated),
  ๏ identity level l (number of identities generated previously), and
  ๏ the master secret key SK_U0.

I-Generation(g, i, l, SK_U0)
  For j = l, ..., i do PK_Uj = g^{SK_U0^{2^j}} mod N_j EndFor
  Return(PK_Ul, ..., PK_Uj)

During the first run the value of identity level l
Certification
๏ A modified Certification scheme based on blind signature scheme by (Pointcheval, 2000)
๏ Signature scheme now includes the master public key of the user which is used by the certifier to form the commitment and is later verified by the user.

The master public key is certified by the manufacturer, and the following describes the certification of the pseudonyms. The user, U, generates pseudonyms of the form (PK_U1, ..., PK_Ul) using the identity generation process described in Section 3.2. The user then identifies himself/herself (using the master public key) to the certifier and engages in a certify protocol to obtain a certificate on a pseudonym PK_Ui. The value of PK_Ui is never revealed to the certifier. We shall express this phase as

(PK_Ui, CERT_C⟨PK_Ui⟩) ← Certify(U, C, CERT_C⟨PK_U0⟩)

i.e. "U engages in the certify protocol with C using CERT_C⟨PK_U0⟩ to obtain a certificate on PK_Ui, CERT_C⟨PK_Ui⟩".

... the verifier V, but certain applications (e.g. TPM) require the new identities to be protected even from the certifier. So, we propose a modification to the certification scheme based on a blind signature scheme using a composite modulus by Pointcheval (2000). The blind signature scheme now includes the master public key of the user which is used by the certifier to form the commitment and is later verified by the user.

Figure 1: Modified Blind Certification Protocol of (Pointcheval, 2000), run between the User and the Certifier. Only the following steps survive extraction: the certifier picks r ∈_R Z_N0; the user picks β, γ, s ∈_R Z_N0, encrypts the master public key under the trustee's key as (X, Y) = EncElg_PKT(PK_U0, s), and computes δ = H(PK_Ui ∥ (X, Y) ∥ α); the certifier answers with y = r − e·SK_C. The signature on PK_Ui is (α, δ, ρ) and a receiver can verify it using the relation α = g^ρ · PK_C^δ.
Identification Protocol (Section 2.1.3, Protocol Identify)
๏ Based on Pointcheval optimised identification scheme (Pointcheval, 2000)
๏ Now also includes the DLEQ log_g X = log_PKT Y

A user U who wishes to avail services offered by a verifier V engages in an identification protocol to convince that he/she possesses the necessary credentials. We shall express this phase as

⟨PROOF_Ui⟩ ← Identify(U, V, PK_Ui, CERT_C⟨PK_Ui⟩)

i.e. "U engages in an identification protocol with a verifier V using the pseudonym PK_Ui and CERT_C⟨PK_Ui⟩ and which contains the encryption of the identity under the public key PK_T".

Figure 2: Identification Protocol (User ↔ Verifier)
User:              k, w ∈_R Z_Ni ; a1 = g^w ; a2 = (PK_T · PK_U0)^w ; h = H(g^{2k})
User → Verifier:   h, (a1, a2), (X, Y)
Verifier:          c1 ∈_R Z_Ni ; c2 = H(X, Y, a1, a2)
Verifier → User:   c1, c2
User:              z1 = 2k − c1 · SK_U0^{2^i} ; z2 = w − s · c2
User → Verifier:   z1, z2, CERT_C⟨PK_Ui⟩
Verifier:          Verify CERT_C⟨PK_Ui⟩ and obtain (α, δ) ; δ' =? H(PK_Ui ∥ (X, Y) ∥ α) ;
                   a1 =? g^{z2} · X^{c2} ; a2 =? PK_T^{z2} · Y^{c2} ; h =? H(g^z · PK_Ui^c)
Tracing Protocol (Section 2.1.4, Protocol Trace)
๏ Invoked by a verifier after a user has misused a pseudonym.
๏ Verifier provides proof of a user's participation.
๏ Trustee can reveal a user's master public key.

A verifier who needs to trace the identity of the user contacts the trustee T by providing the transcript from an identification protocol ⟨PROOF_Ui⟩. To trigger the protocol V has to provide proof of protocol participation by U. We shall express this phase as

(PK_U0) ← Trace(V, T, PK_Ui, CERT_C⟨PK_Ui⟩, ⟨PROOF_Ui⟩)

i.e. "V engages in the tracing protocol with T using the values PK_Ui, CERT_C⟨PK_Ui⟩ and proof of identity use ⟨PROOF_Ui⟩ to obtain the master identity PK_U0".

Figure 3: Tracing Protocol (Verifier ↔ Trustee)
Verifier:            σ = SIGN_V⟨c, z, h⟩
Verifier → Trustee:  σ, α, δ, ρ, PK_Ui, PK_C, CERT_C⟨PK_Ui⟩
Trustee:             VERIFY_PKV⟨σ⟩ ; h =? H(g^z · PK_Ui^c) ; α =? g^ρ · PK_C^δ ;
                     Verify CERT_C⟨PK_Ui⟩ ; Obtain (X, Y) from ⟨PROOF_Ui⟩ ;
                     PK_U0 = DecElg_SKT(X, Y)

4 SECURITY
4.1 Adversary Goals
We assume an active adversary A, who is capable of eavesdropping and injecting messages in the communication medium. We also assume that an adversary may also be a legitimate (but dishonest) participant in a protocol, i.e. either the certifier or the verifier or both may be dishonest. As in (Damgard, 1988; Lysyanskaya et al., 1999),
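A toy walk-through of the three mechanisms just described (I-Generation by squaring, the z1/h proof of Figure 2 for one pseudonym with the a1 = g^z2·X^c2 check on the ciphertext, and the trustee's DecElg step of Figure 3). This is an added example, not the authors' code: the modulus, generator and hash are constructed stand-ins, the a2 check of Figure 2 is left out, and all nonces are passed in as parameters so a run is reproducible.

```python
"""
Toy instance of the deck's colligation, identification and tracing steps.
Added example (not the authors' code). Parameters are constructed and tiny;
the deck itself says a real deployment needs a strong composite modulus.
Requires Python 3.8+ (pow() with a negative exponent gives the modular inverse).
"""
import hashlib
import secrets

# Constructed toy modulus N = p*q with safe primes p = 2*11+1 and q = 2*23+1.
P, Q = 23, 47
N = P * Q                  # 1081
G = 4                      # quadratic residue mod N of order 11*23 = 253, so it generates QR_N


def H(*parts):
    """Stand-in for the deck's hash H: SHA-256 over the '|'-joined decimal operands."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def i_generation(g, i, l, sk0, n=N):
    """I-Generation(g, i, l, SK_U0): PK_Uj = g^(SK_U0^(2^j)) mod N for j = l, ..., i.
    Returns {j: (SK_Uj, PK_Uj)}; SK_Uj is SK_U0 squared j times, reduced mod N."""
    keys = {}
    sk = sk0
    for j in range(i + 1):
        if j >= l:
            keys[j] = (sk, pow(g, sk, n))
        sk = pow(sk, 2, n)     # colligation: the next level's secret is the square of this one
    return keys


def next_level_secret(sk_j, n=N):
    """Moving forward along the chain needs only a squaring; moving backwards
    would need a square root mod N, which the Square Root assumption rules out."""
    return pow(sk_j, 2, n)


# ---- Identification (Figure 2, the z1 / h part for pseudonym PK_Ui) ----

def prover_commit(k, g=G, n=N):
    """User: h = H(g^(2k)); k is the user's random nonce."""
    return H(pow(g, 2 * k, n))


def prover_respond(k, c1, sk_i):
    """User: z1 = 2k - c1 * SK_Ui (an integer, possibly negative)."""
    return 2 * k - c1 * sk_i


def verifier_check(h, c1, z1, pk_i, g=G, n=N):
    """Verifier: h =? H(g^z1 * PK_Ui^c1). Holds because g^(2k - c1*SK) * g^(SK*c1) = g^(2k)."""
    return h == H(pow(g, z1, n) * pow(pk_i, c1, n) % n)


# ---- Encryption of the master identity under the trustee's key (Figures 2 and 3) ----

def elgamal_keygen(sk_t, g=G, n=N):
    """PK_T = g^SK_T (the trustee's key pair)."""
    return sk_t, pow(g, sk_t, n)


def enc_elg(pk_t, m, s, g=G, n=N):
    """(X, Y) = EncElg_PKT(m, s) with X = g^s, Y = m * PK_T^s."""
    return pow(g, s, n), m * pow(pk_t, s, n) % n


def dec_elg(sk_t, x, y, n=N):
    """PK_U0 = DecElg_SKT(X, Y) = Y / X^SK_T."""
    return y * pow(x, -sk_t, n) % n


def ciphertext_proof(s, w, c2, x, g=G, n=N):
    """User: a1 = g^w, z2 = w - s*c2. Verifier: a1 =? g^z2 * X^c2 (the a1 check of Figure 2)."""
    a1 = pow(g, w, n)
    z2 = w - s * c2
    return a1 == pow(g, z2, n) * pow(x, c2, n) % n


def run_demo(sk0=5, level=2, k=7, c1=3, sk_t=11, s=9, w=13):
    """One full round: derive pseudonyms 0..level, identify as PK_Ulevel, and let the
    trustee recover PK_U0 from (X, Y). Nonces are parameters so the run is reproducible."""
    keys = i_generation(G, level, 0, sk0)
    sk_i, pk_i = keys[level]
    pk0 = keys[0][1]
    h = prover_commit(k)
    z1 = prover_respond(k, c1, sk_i)
    accepted = verifier_check(h, c1, z1, pk_i)
    _, pk_t = elgamal_keygen(sk_t)
    x, y = enc_elg(pk_t, pk0, s)
    c2 = H(x, y)                     # verifier's challenge on the ciphertext
    well_formed = ciphertext_proof(s, w, c2, x)
    traced = dec_elg(sk_t, x, y)
    return {"keys": keys, "accepted": accepted, "well_formed": well_formed,
            "traced_pk0": traced, "pk0": pk0}


if __name__ == "__main__":
    r = run_demo(sk0=secrets.randbelow(N - 2) + 2)
    print("identification accepted:", r["accepted"])
    print("trustee recovered PK_U0:", r["traced_pk0"] == r["pk0"])
```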
Security
๏ The proposal is secure against (as identified by Damgard,
1988; Lysyanskaya et al., 1999):
๏ Pseudonym forgery: where an adversary tries to forge a
pseudonym for some user.
๏ Identity compromise: An adversary in association with
other participants tries to obtain information regarding the
user's master public-secret key-pair.
๏ Pseudonym linking and colligation: An adversary tries to
obtain information that links a pair of pseudonyms to the
same user or to a user's master public key.
Application to TPM
๏ We are considering a TPM setting because of the tamper-resistant
protection offered to the master secret key, but the protocols
can be applied to other structures like directory based services
(e.g. Active Directory, LDAP)
๏ The endorsement key (EK) in a TPM will be of the form (PK0, SK0)
๏ A user who wishes to obtain services from application software on a
machine generates a pseudonym of the form (PKi, SKi)
๏ At the end of the protocol run the application software is provided a
guarantee on the identity of the user and the associated TPM, but the
system still protects the identity of both the TPM and the user
associated with it.
Advantages
๏ Compared to other pseudonym schemes, our scheme
has an efficient identification protocol.
๏ Computations may be performed on the module itself,
whereas the DAA scheme requires computation to be
distributed among the TPM and the host computer.
๏ There is no new secret key to be generated for each
pseudonym, only counter values of the pseudonym.
๏ No appreciable increase in storage requirement even
when the number of pseudonyms required is high.
๏ Ideally suited for storage-constrained devices.
What's Missing? Future Work?
๏ Needs a strong composite modulus (maybe 4096 bits).
๏ Prime modulus method ruled out, as SDDH is trivial there.
๏ Every generated pseudonym needs to fall within the same
group as the master secret key.
๏ Identity Transfer
๏ Pseudonym chains cannot be formed. (NOT YET!)
๏ That is, using PK1 to generate new pseudonyms, but still
verifiable using SK0.
Thank You
vijay@cprotocol.com
