Symmetric Encryption
Fall 2020
Outline
Computational security
Symmetric encryption
Security models
Stream ciphers
Computational security
1. Perfect security is impractical: keys must be as long as messages
2. We would like to securely encrypt arbitrarily long messages using
short keys
3. How? Relax the security requirements:
3.1 Consider only adversaries that use a reasonable amount of resources
3.2 Consider a weaker notion of security, such as concrete security or
asymptotic security
Computational security
1. We follow the asymptotic security approach
Symmetric encryption
Definition 1
A symmetric key encryption (SKE) scheme over (K, M, C) is a triple of
algorithms S = (G, E, D) such that:
1. G is a PPT algorithm, called the key generation algorithm, which
outputs a key K ∈ K when invoked on a security parameter λ;
2. E is a PPT algorithm, called the encryption algorithm, which outputs
a ciphertext c ∈ C when invoked on a key K and a message m ∈ M;
3. D is a deterministic PT algorithm, called the decryption algorithm,
which outputs a message m ∈ M or a special symbol ⊥ (denoting
failure) when invoked on a key K and a ciphertext c.
Symmetric encryption
1. The complexity of G is measured w.r.t. the input λ
Symmetric encryption
Terminology, notation, remarks:
1. Symmetric key encryption: the encryption key is also the decryption
key
Examples of attacks
Attacks frequently met in practice:
• Brute-force attack
• Denial of service attack
• Man-in-the-middle attack
• Meet-in-the-middle attack
• Frequency analysis attack
• Power analysis attack
• Timing attack
• Replay attack
• Birthday attack
• Dictionary attack
Security models
Definition 2
A security model is a pair consisting of a security goal and an attack
model.
Security goals
1. Semantic security
1.1 Proposed by Goldwasser and Micali in 1982, it was the first definition
of security for encryption
1.2 It formalizes the fact that no adversary can obtain any partial
information about the message of a given ciphertext (whatever can
efficiently be computed about a message from its ciphertext can also
be computed without the ciphertext)
1.3 It is a “polynomially bounded” version of the concept of perfect
secrecy introduced by Shannon in 1949
1.4 It is complex and difficult to work with
2. Indistinguishability is an equivalent definition to semantic security
which is somewhat simpler
3. Non-malleability means that, given a ciphertext c of some message
m, no efficient adversary can construct another ciphertext c′ of
some message m′ meaningfully related to m
Attack models
Some common attack models are:
1. Passive attacks:
1.1 Ciphertext-only attack (COA): A has access to the ciphertext
1.2 Known plaintext attack (KPA): A knows pairs (plaintext,ciphertext)
2. Active attacks:
2.1 Chosen plaintext attack (CPA): A has access to the encryption
oracle (this is for free for PKE)
2.2 Non-adaptive chosen ciphertext attack (CCA1): A has, in addition
to the ability of a CPA adversary, access to a decryption oracle
before the challenge phase
2.3 Adaptive chosen ciphertext attack (CCA2): A has, in addition to the
ability of a CCA1 adversary, access to a decryption oracle after the
challenge phase. However, no decryption query is allowed involving
the challenge ciphertext
Security models
The diagram below only aims to give a picture of the relationships
between the security models introduced so far (an arrow means an
implication). Some of these relationships are far from trivial.
Remark 3
$P(\mathrm{PrivK}^{\mathrm{ind\text{-}coa\text{-}}b}_{A,S}(\lambda) = b')$ is the probability that $\mathrm{PrivK}^{\mathrm{ind\text{-}coa\text{-}}b}_{A,S}(\lambda)$ returns $b'$, which is also the probability that $A$ returns $b'$ in this experiment. The probability is taken over the internal coin tosses of all algorithms!
Remark 4
$P(\mathrm{PrivK}^{\mathrm{ind\text{-}kpa\text{-}}b}_{A,S}(\lambda) = b')$ is the probability that $\mathrm{PrivK}^{\mathrm{ind\text{-}kpa\text{-}}b}_{A,S}(\lambda)$ returns $b'$, which is also the probability that $A$ returns $b'$ in this experiment. The probability is taken over the internal coin tosses of all algorithms!
Remark 5
$P(\mathrm{PrivK}^{\mathrm{ind\text{-}cpa\text{-}}b}_{A,S}(\lambda) = b')$ is the probability that $\mathrm{PrivK}^{\mathrm{ind\text{-}cpa\text{-}}b}_{A,S}(\lambda)$ returns $b'$, which is also the probability that $A$ returns $b'$ in this experiment. The probability is taken over the internal coin tosses of all algorithms!
IND-XXX security
Definition 6
An SKE scheme S is IND-XXX secure, where XXX ∈ {COA, KPA, CPA}, if
$\left| P(\mathrm{PrivK}^{\mathrm{ind\text{-}xxx\text{-}0}}_{A,S}(\lambda) = 1) - P(\mathrm{PrivK}^{\mathrm{ind\text{-}xxx\text{-}1}}_{A,S}(\lambda) = 1) \right|$
is negligible, for all PPT algorithms A.
Proposition 8
For any SKE scheme S and any PPT adversary A, the following property
holds:
$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda) = \frac{1}{2} \left| P(\mathrm{PrivK}^{\mathrm{ind\text{-}cpa\text{-}0}}_{A,S}(\lambda) = 1) - P(\mathrm{PrivK}^{\mathrm{ind\text{-}cpa\text{-}1}}_{A,S}(\lambda) = 1) \right|$
Stream ciphers
Main characteristics of a stream cipher:
• The message is viewed as a sequence of blocks (also called
characters) of a very limited size, that can efficiently be enumerated
in practice (e.g., bits or bytes)
• The secret key is expanded to a keystream of the same size as the
message block size by a keystream generator initially seeded with the
secret key
• The encryption is block-driven
• OTP may be regarded as a stream cipher, but a quite impractical
one
Stream ciphers
[Figure: the keystream generator, seeded with the encryption key K, outputs the keystream bits (e.g., 0 0 0 1 1) used to encrypt the message]
Theorem 10
The SKE scheme in Description 9 is IND-COA (provided that G is a
PRG).
Real scenarios:
• Microsoft implementation of PPTP in Windows NT uses RC4. Its
original implementation uses the same key to encrypt messages from
A to B and from B to A (see ScMu1998.pdf on the course site)
• Microsoft has used RC4 to protect Word and Excel documents.
When encrypted documents were modified and saved, the same key
was used (see Wu2005.pdf on the course site)
Never use the same key to encrypt more than one message with stream
ciphers !
Real scenarios:
• Assume that the adversary knows a prefix m1 of m (m1 might be a
standard header filled with someone’s address, name, etc.)
• The adversary wants to replace m1 by m2 (m2 might be a header
filled with information up to his desire)
• The adversary may compute c ⊕ ((m1 ⊕ m2) 0···0) to obtain what he
wants
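The two "real scenarios" above (PPTP and Office reusing one RC4 key, and a known header that can be rewritten under a stream cipher) come down to one fact: a stream cipher is c = m ⊕ G(K), so two ciphertexts produced under the same keystream XOR to the XOR of the plaintexts, and nothing in the ciphertext detects modification. The following is an added example, not code from the slides or from any of the products named; the keystream generator G is assumed to be HMAC-SHA256 run in counter mode over a nonce, which the slides treat abstractly as a PRG. It shows the leak when the nonce is fixed and the mitigation of drawing a fresh nonce per message under the same key.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes.

    Assumption of this example: G is HMAC-SHA256 in counter mode over the
    nonce; the slides only require G to be a PRG."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """c = m xor G(K, nonce); decryption is the same operation."""
    return xor_bytes(message, keystream(key, nonce, len(message)))


FIXED_NONCE = b"\x00" * 8  # a constant nonce means keystream reuse (the PPTP / Office mistake)


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Encrypt two messages under the same key and the same nonce and return
    c1 xor c2. The keystream cancels, so the result equals m1 xor m2: anyone
    holding both ciphertexts learns the relation between the plaintexts."""
    c1 = encrypt(key, FIXED_NONCE, m1)
    c2 = encrypt(key, FIXED_NONCE, m2)
    return xor_bytes(c1, c2)


def encrypt_fresh(key: bytes, message: bytes):
    """Mitigation: a fresh random nonce per message gives every message its own
    keystream. The nonce is not secret and travels with the ciphertext."""
    nonce = os.urandom(8)
    return nonce, encrypt(key, nonce, message)


def leaks_plaintext_relation(c1: bytes, c2: bytes, m1: bytes, m2: bytes) -> bool:
    """Do the two ciphertexts reveal m1 xor m2?"""
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)
```

The header-substitution scenario on the slide is the other half of the same weakness: XOR encryption is malleable, so a stream cipher must always be paired with a MAC (see the authenticated encryption section), and the "never reuse a key" rule in practice means "never reuse a (key, nonce) pair".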
[Figure: RC4 keystream generation: the state (i, j, S) evolves from (0, 0, S0) to (i1, j1, S1), (i2, j2, S2), … and emits the keystream bytes Z1, Z2, …]
RC4 in practice
1. RC4 is suited for software implementations
3. The keystream generator runs the two LFSRs in parallel and combines
their outputs by addition modulo 256 (the Trans algorithm)
CSS in practice
1. It was designed in the 1980s for preventing unauthorized duplication of
DVDs
2. CSS can be brute-force attacked in time $2^{40}$ (the seed space size)
Block ciphers
An intensively used method to encrypt a message is the following:
1. View the message as a sequence of blocks of a larger size so that the
enumeration of all blocks is infeasible in practice
Remark 11
1. The encryption of a message block by another block is done by
families of permutations (i.e., block ciphers) or families of functions
Block ciphers
[Figure: iterated block cipher applying the round keys K1 K2 ··· Kn in sequence]
Notation:
1. Ti = initial transformation
2. Tf = final transformation
3. TKi = transformation induced by Ki , 1 ≤ i ≤ n
and
$d_K = P_0^{-1} \circ \mathrm{Rev} \circ T_{K_1} \circ \cdots \circ T_{K_{16}} \circ P_0,$
where $K_1, \ldots, K_{16}$ are derived from $K$.
and
$d_K = T^{-f}_{K_0} \circ T^{-1}_{K_1} \circ \cdots \circ T^{-1}_{K_{n-1}} \circ T^{i}_{K_n}$
• The number n of rounds depends on the key length k and the message block
length m:
        m=4   m=6   m=8
  k=4    10    12    14
  k=6    12    12    14
  k=8    14    14    14
Families of functions
1. A pseudo-random function is a family of functions with the property
that if we randomly choose a function from this family then its
input-output behavior is computationally indistinguishable from that
of a random function
2. Family of functions from $\{0,1\}^{\ell_1(n)}$ to $\{0,1\}^{\ell_2(n)}$, where $\ell_1$ and $\ell_2$
are polynomials with positive values:
2.1 $F_{\ell_1,\ell_2,n}$: random variable with values in $(\{0,1\}^{\ell_1(n)} \to \{0,1\}^{\ell_2(n)})$
2.2 $F_{\ell_1,\ell_2} = (F_{\ell_1,\ell_2,n})_{n \in \mathbb{N}}$
3. Special cases:
3.1 $H_{\ell_1,\ell_2} = (H_{\ell_1,\ell_2,n})_{n \in \mathbb{N}}$ is the uniform distribution
3.2 $H'_{\ell} = (H'_{\ell,n})_{n \in \mathbb{N}}$ is the uniform distribution on all permutations on
$\{0,1\}^{\ell(n)}$, $n \in \mathbb{N}$
[Figure: the oracle algorithm A^f sends queries x, x′, … to its oracle f and receives the answers f(x), f(x′), …]
Oracle indistinguishability
We use A◦ to denote algorithms with oracle access to functions; Af is an
instantiation of the oracle by f .
is negligible.
Pseudo-random functions
Definition 13 (Pseudo-random function)
A set of functions
Pseudo-random permutations
Remark 16
1. Strong PRP are simply referred to as PRP
ECB illustrated
[Figure: ECB mode: the blocks m1 m2 ··· mℓ are each encrypted independently by FK, giving c1 c2 ··· cℓ]
Theorem 18
ECB is not IND-KPA.
Proof.
mi = mj ⇒ ci = cj .
[Figure: CBC mode: the IV is XORed into m1, each FK output ci is XORed into the next block mi+1 before FK, giving c1 c2 ··· cℓ]
• c0 = IV
• ci = FK (mi ⊕ ci−1 ), for all i ≥ 1
• ciphertext : (IV , c1 · · · c` )
Proof.
Show that for any adversary A against the scheme S, there exists a PRP
adversary B such that
[Figure: DCTR mode: with the counter r := 1, block mi is XORed with FK(r + i − 1) to give ci, i = 1, …, ℓ]
Remark 20
1. The ciphertext is c1 · · · c` (assuming r is publicly known)
2. The scheme works like a stream cipher with the PRG G given by
Proof.
For IND-CPA: query for m1 m2 and m3 m4 , and then request challenge for
(m1 m4 , m3 m2 ).
For IND-KPA: show that for any adversary A against the scheme S,
there exists a PRF adversary B such that
$\mathrm{Adv}^{\mathrm{dctr}}_{A,S}(\lambda) = 2 \cdot \mathrm{Adv}^{\mathrm{prf}}_{B,F}(\lambda)$
[Figure: randomized CTR mode: r ← {0,1}^n, block mi is XORed with FK(r + i − 1) to give ci, i = 1, …, ℓ]
Remark 22
1. The ciphertext is (r , c1 · · · c` )
2. The scheme is similar to DCTR except for the fact that the counter
r is generated uniformly at random from {0, 1}^n
3. DES, 3DES, AES can be used with such a construction
Proof.
Show that for any adversary A against the scheme S, there exists a PRF
adversary B such that
$F_K(r) \parallel F_K(r+1) \parallel F_K(r+2) \parallel \cdots$
$F_K(r) \parallel F_K(c_1) \parallel F_K(c_2) \parallel \cdots$
where $r \leftarrow \{0,1\}^n$
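The three modes above (ECB with its KPA break in Theorem 18, CBC with c0 = IV and ci = FK(mi ⊕ ci−1), and randomized CTR with r ← {0,1}^n) can be run side by side over one block cipher FK. This is an added example, not code from the slides; the block cipher is an assumed toy PRP built as a 4-round Feistel network whose round function is HMAC-SHA256 (a PRF-based Feistel with four rounds is a strong PRP by the Luby-Rackoff result, but this is not AES and the 16-byte block is only for illustration). The functions return the (IV, c1···cℓ) and (r, c1···cℓ) pairs exactly as the slides write the ciphertexts.

```python
import hashlib
import hmac
import os

BLOCK = 16   # block length in bytes; the Feistel halves are 8 bytes each
ROUNDS = 4   # four PRF-based Feistel rounds give a strong PRP (Luby-Rackoff)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 under the cipher key, domain-separated by the round index.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def prp(key: bytes, block: bytes) -> bytes:
    """F_K: a 4-round Feistel permutation on 16-byte blocks (assumed toy PRP, not AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def prp_inv(key: bytes, block: bytes) -> bytes:
    """F_K^{-1}: undo the Feistel rounds in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "ECB/CBC here assume a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # c_i = F_K(m_i) is deterministic, so m_i = m_j implies c_i = c_j (Theorem 18)
    return b"".join(prp(key, m) for m in _blocks(msg))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(prp_inv(key, c) for c in _blocks(ct))


def cbc_encrypt(key: bytes, msg: bytes):
    # c_0 = IV, c_i = F_K(m_i xor c_{i-1}); the ciphertext is (IV, c_1 ... c_l)
    iv = os.urandom(BLOCK)
    prev, out = iv, []
    for m in _blocks(msg):
        prev = prp(key, _xor(m, prev))
        out.append(prev)
    return iv, b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # m_i = F_K^{-1}(c_i) xor c_{i-1}: CBC needs the inverse permutation
    prev, out = iv, []
    for c in _blocks(ct):
        out.append(_xor(prp_inv(key, c), prev))
        prev = c
    return b"".join(out)


def _ctr_keystream(key: bytes, r: int, nblocks: int) -> bytes:
    # F_K(r) || F_K(r+1) || ... with the counter taken modulo 2^128
    return b"".join(prp(key, ((r + i) % (1 << 128)).to_bytes(BLOCK, "big"))
                    for i in range(nblocks))


def ctr_encrypt(key: bytes, msg: bytes):
    # r <- {0,1}^n fresh per message; the ciphertext is (r, c_1 ... c_l).
    # Only F_K in the forward direction is used, and no padding is needed.
    r = int.from_bytes(os.urandom(BLOCK), "big")
    return r, _xor(msg, _ctr_keystream(key, r, -(-len(msg) // BLOCK)))


def ctr_decrypt(key: bytes, r: int, ct: bytes) -> bytes:
    return _xor(ct, _ctr_keystream(key, r, -(-len(ct) // BLOCK)))
```

The test below is the proof of Theorem 18 in executable form: a message made of two identical blocks gives two identical ECB ciphertext blocks, while the CBC and CTR outputs for the same message do not, because a random IV or counter start is mixed in before FK is applied.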
Fall 2020
Outline
Hash functions
Authenticated encryption
Hash functions
A hash function outputs a fixed-length bitstring (e.g., 128 or 160 bits) when
applied to an arbitrary-length bitstring.
Hash functions
Definition 1
A keyed hash function over (K, X , Z ) is a pair of algorithms H = (G, H)
such that:
1. G is a PPT algorithm which takes as input a security parameter λ
and outputs a key K ∈ K;
2. H is a DPT algorithm which takes as input a key K and a message
m ∈ X and outputs a digest H(K , m) ∈ Z .
As usual, X and Z are sets of binary strings; typically, Z = {0, 1}^ℓ for
some small ℓ (e.g., 128 or 256).
When |K| = 1, H is simply written as a function from X into Z and it is
called a hash function.
A collision for H under K is any pair (m0 , m1 ) of distinct messages such
that H(K , m0 ) = H(K , m1 ).
Definition 2
A keyed hash function H is collision-resistant (CRHF) if $\mathrm{Adv}^{\mathrm{cr\text{-}kka}}_{A,H}(\lambda)$ is
negligible for all PPT algorithms A.
The advantage of A is
$\mathrm{Adv}^{u}_{A,H}(\lambda) = P(\mathrm{UHF}_{A,H}(\lambda) = 1)$
Definition 3
A keyed hash function H is universal (UHF) if $\mathrm{Adv}^{u}_{A,H}(\lambda)$ is negligible
for all PPT algorithms A.
One-way functions
Experiment $\mathrm{OWHF}^{\mathrm{kka}}_{A,H}(\lambda)$
1: The challenger generates a key K ← G(λ) and y in the range of $H_K$,
and gives them to A
2: The adversary A(K, y) generates m
3: If H(K, m) = y then return 1, else return 0.
The advantage of A is
$\mathrm{Adv}^{\mathrm{ow\text{-}kka}}_{A,H}(\lambda) = P(\mathrm{OWHF}^{\mathrm{kka}}_{A,H}(\lambda) = 1)$
Definition 4
A keyed hash function H is one-way (OWHF) if $\mathrm{Adv}^{\mathrm{ow\text{-}kka}}_{A,H}(\lambda)$ is
negligible for all PPT algorithms A.
Definition 5
A keyed hash function H is universal one-way (UOWHF) if $\mathrm{Adv}^{\mathrm{uow\text{-}kka}}_{A,H}(\lambda)$
is negligible for all PPT algorithms A.
Corollary 7
Any CRHF is also a UOWHF, and any UOWHF is also a UHF.
Corollary 9
Any UOWHF is also a OWHF, as long as the domain of the hash
function is significantly larger than its range.
$1 - p_{365,r}$.
Lemma 10
Let m and r be natural numbers such that $m > r > \lfloor \sqrt{2cm} \rfloor$, where
c > 0 is a real constant. Then,
$1 - p_{m,r} > 1 - e^{-c}$.
Example 11
$1 - p_{m,r} > 1 - e^{-c} \ge \frac{1}{2}$ for $c \ge \ln 2 \approx 0.693$ and $m > r > \lfloor \sqrt{2cm} \rfloor$.
Example 12
Let $m = 2^{40}$ and r such that $2^{40} > r > \lfloor 2^{20} \sqrt{2 \ln 2} \rfloor \approx 1.200.000$.
The probability of getting a collision is greater than 1/2. Therefore,
40-bit message digests do not ensure security.
For 128-bit message digests, the birthday attack needs to compute at
least $2^{64}$ message digests to get a collision with probability at least
1/2.
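Lemma 10 and Examples 11 and 12 can be checked numerically: p_{m,r} is the probability that r digests drawn uniformly from a space of size m are all distinct, so it is the product ∏_{i=1}^{r-1}(1 − i/m), and the lemma says that once r passes ⌊√(2cm)⌋ the collision probability 1 − p_{m,r} exceeds 1 − e^{−c}. The following is an added example, not code from the slides; it evaluates the exact product (in the log domain, so that m = 2^40 is handled without underflow), the lemma's threshold, and the smallest r that pushes the collision probability to 1/2, which is the number of digests Example 12 is about.

```python
import math


def no_collision_probability(m: int, r: int) -> float:
    """p_{m,r}: probability that r values drawn uniformly and independently
    from a set of size m (the digest space) are pairwise distinct."""
    if r > m:
        return 0.0
    log_p = 0.0
    for i in range(1, r):
        log_p += math.log1p(-i / m)   # log(1 - i/m), accurate even when i/m is tiny
    return math.exp(log_p)


def collision_probability(m: int, r: int) -> float:
    """1 - p_{m,r}: probability of at least one collision among r digests."""
    return 1.0 - no_collision_probability(m, r)


def lemma_threshold(m: int, c: float) -> int:
    """floor(sqrt(2cm)): once r exceeds it, Lemma 10 gives 1 - p_{m,r} > 1 - e^{-c}."""
    return math.isqrt(int(2 * c * m))


def lemma_holds(m: int, r: int, c: float) -> bool:
    """Check Lemma 10 on concrete numbers: the hypothesis m > r > floor(sqrt(2cm))
    together with the conclusion 1 - p_{m,r} > 1 - e^{-c}."""
    hypothesis = m > r > lemma_threshold(m, c)
    conclusion = collision_probability(m, r) > 1.0 - math.exp(-c)
    return hypothesis and conclusion


def samples_for_half_collision(m: int) -> int:
    """Smallest r with collision probability >= 1/2, by extending the running
    product one factor at a time (a single pass even for m = 2^40)."""
    log_half = math.log(0.5)
    log_p, r = 0.0, 1          # one sample: no collision possible
    while log_p > log_half:
        log_p += math.log1p(-r / m)   # factor (1 - r/m): product now covers r+1 samples
        r += 1
    return r
```

For m = 365 (birthdays) the function returns 23, the classical value, and the lemma threshold for c = ln 2 is 22, so r = 23 is the first value the lemma covers. For 40-bit digests the crossing point lies close to 2^20·√(2 ln 2), which is the figure Example 12 rounds to 1.200.000; the same computation for 128-bit digests is what puts the work at 2^64.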
Construction of CRHF
Some general techniques:
The MD transform
Basic principle:
• Use a compression function $h : K \times \{0,1\}^{\ell+k} \to \{0,1\}^{\ell}$
[Figure: h(K, ·) maps an input of size ℓ + k to an output of size ℓ]
• Use an MD-compliant padding pad from $X \subseteq \{0,1\}^{<2^{\ell}}$ into
$\bigcup_{n \ge 1} \{0,1\}^{n\ell}$, with the following properties:
1. m is a prefix of pad(m)
The MD transform
• Iterate h on messages m as follows:
1. pad(m) = m1 ∥ ··· ∥ mn with |mi| = k for all i
3. for i := 1 to n do V := h(K, mi ∥ V)
4. return V
[Figure: MD iteration: starting from IV, hK absorbs m1, m2, ..., mn in turn; the final chaining value is the message digest]
Theorem 13
If h is collision-resistant then the MD transform based on h is
collision-resistant.
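The MD transform just described, as an added example that is not code from the slides: the compression function h(K, mi ∥ V) is assumed to be HMAC-SHA256 (so ℓ is 32 bytes and the block size k is 64 bytes), the initial chaining value IV is assumed to be 0^ℓ because the slide's second step is not visible above, and the padding is the usual MD-compliant one (append a 1 bit, zeros, and the 64-bit message length), which satisfies the prefix property the slide lists and makes the last block depend on |m|.

```python
import hashlib
import hmac

K_BYTES = 64           # block size k in bytes: the slides' |m_i| = k
L_BYTES = 32           # chaining value size l: h maps K x {0,1}^{l+k} into {0,1}^l
IV = b"\x00" * L_BYTES  # assumed initial chaining value (the slide's step 2 is not visible)


def h(key: bytes, block_and_chain: bytes) -> bytes:
    """Compression function h(K, m_i || V). Assumption of this example:
    HMAC-SHA256 stands in for the keyed compression function of the slides."""
    assert len(block_and_chain) == K_BYTES + L_BYTES
    return hmac.new(key, block_and_chain, hashlib.sha256).digest()


def pad(message: bytes) -> bytes:
    """MD-compliant padding: m || 0x80 || zeros || 64-bit big-endian bit length,
    brought up to a multiple of k bytes. m is a prefix of pad(m) and the
    length field sits in the last block."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % K_BYTES)
    return padded + bit_len.to_bytes(8, "big")


def md_transform(key: bytes, message: bytes) -> bytes:
    """V := IV; for i := 1 to n do V := h(K, m_i || V); return V."""
    padded = pad(message)
    v = IV
    for i in range(0, len(padded), K_BYTES):
        v = h(key, padded[i:i + K_BYTES] + v)
    return v


def padding_is_md_compliant(message: bytes) -> bool:
    """The slide's property 1 (m is a prefix of pad(m)) plus the requirement
    that pad(m) splits into whole k-byte blocks."""
    p = pad(message)
    return p.startswith(message) and len(p) % K_BYTES == 0


def same_length_same_padding(m1: bytes, m2: bytes) -> bool:
    """Equal-length messages receive identical padding suffixes, which is what
    lets the collision-resistance proof of Theorem 13 go through block by block."""
    return len(m1) == len(m2) and pad(m1)[len(m1):] == pad(m2)[len(m2):]
```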
[Figure: sponge construction. Absorbing phase: starting from the state 0^ℓ, each padded block mi ∥ 0^c is XORed into the state and the permutation π is applied. Squeezing phase: π is applied repeatedly and the blocks z1, z2, ..., zi, each of size r, are output; z1 z2 ··· zi is the message digest]
Theorem 14
If π is a random permutation and $2^{\ell}$ and $2^{c}$ are super-poly, then the
sponge construction yields a CRHF.
for any x1 , x2 ∈ Zq .
Theorem 15
If a collision of h can be computed efficiently, then c can be computed
efficiently.
$P(\mathrm{MAC}^{\mathrm{mac\text{-}forge}}_{A,S}(\lambda))$, called the advantage of A and denoted $\mathrm{Adv}^{\mathrm{mac\text{-}forge}}_{A,S}(\lambda)$,
is the probability that A wins the above game (i.e., t is a valid tag for m).
S is a secure MAC system if $\mathrm{Adv}^{\mathrm{mac\text{-}forge}}_{A,S}(\lambda)$ is negligible, for all PPT
adversaries A.
[Figure: MAC from a PRF: the message m is fed to FK(·) and the output is the tag t]
Theorem 17
If F is a PRF, then SF is a secure MAC scheme.
[Figure: CBC-MAC: starting from 0^ℓ, each block mi is XORed into the running value and passed through FK; the last output is the tag t]
[Figure: Cascade-MAC: m1 is processed by FK and each later block mi by F keyed with the previous output ci−1 (FK, Fc1, ..., Fcn−1); the last output is the tag t]
Theorem 18
If F is a PRF, then the CBC-MAC and Cascade-MAC schemes are secure
in the class of messages of length n · `, where n is an arbitrary
poly-bounded value.
[Figure: ECBC-MAC: the CBC-MAC value cn is passed through FK′ under a second key K′ to give the tag t]
[Figure: NMAC: the Cascade-MAC value cn is passed through FK′ under a second key K′ to give the tag t]
Theorem 19
If F is a PRF, then the ECBC-MAC and NMAC schemes are secure in
the class of messages of length n · ` for some poly-bounded n.
Theorem 20
If F is a PRF, then the MAC schemes above are secure in the class of
messages of length n · ` for some poly-bounded n.
CMAC fits the randomized prefix-free encoding paradigm and its security
follows from it.
Theorem 21
If H is a UHF and F is a PRF, then FH is a PRF.
Theorem 22
If h and h′, given by h′(K, m) = h(m, K), are PRFs, then FH is a PRF.
The HMAC construction uses one single key K from which two keys are
derived: K1 = K ⊕ ipad and K2 = K ⊕ opad.
HMAC-SHA1 and HMAC-SHA256 are instances of the above
construction, with H = SHA1 and H = SHA256.
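The HMAC construction as stated above, K1 = K ⊕ ipad and K2 = K ⊕ opad with tag = H(K2 ∥ H(K1 ∥ m)), written out as an added example that is not code from the slides. The ipad and opad byte values 0x36 and 0x5C and the key-length handling (hash keys longer than the hash block size, zero-pad shorter ones) are the HMAC standard's, and the result is compared against Python's `hmac` module and against the first RFC 4231 HMAC-SHA256 test vector, so HMAC-SHA1 and HMAC-SHA256 are both covered by the same function.

```python
import hashlib
import hmac


def hmac_construct(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC from its definition: K1 = K xor ipad, K2 = K xor opad,
    tag = H(K2 || H(K1 || m)). hash_name is any hashlib algorithm name."""
    hash_fn = getattr(hashlib, hash_name)
    block_size = hash_fn().block_size      # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:
        key = hash_fn(key).digest()        # long keys are hashed down first
    key = key.ljust(block_size, b"\x00")   # short keys are zero-padded to the block size
    k1 = bytes(b ^ 0x36 for b in key)      # ipad = 0x36 repeated
    k2 = bytes(b ^ 0x5C for b in key)      # opad = 0x5C repeated
    inner = hash_fn(k1 + message).digest()
    return hash_fn(k2 + inner).digest()


def verify_tag(hash_name: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Verification recomputes the tag and compares in constant time, because
    an early-exit comparison leaks how many tag bytes matched."""
    return hmac.compare_digest(hmac_construct(hash_name, key, message), tag)


def matches_stdlib(hash_name: str, key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_construct(hash_name, key, message) == hmac.new(key, message, hash_name).digest()
```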
Ciphertext integrity
Consider the ciphertext integrity experiment between a cipher S and an
adversary A:
Experiment CIA,S (λ)
1: The challenger generates a key K ← G(λ)
2: The adversary A queries the encryption oracle
3: Eventually A outputs a candidate ciphertext c different than the
ones obtained by queries
4: If c is a valid ciphertext then return 1, else return 0.
The advantage of A is
$\mathrm{Adv}^{\mathrm{ci}}_{A,S}(\lambda) = P(\mathrm{CI}_{A,S}(\lambda) = 1)$
Authenticated encryption
Definition 23
A cipher S provides ciphertext integrity (CI) if $\mathrm{Adv}^{\mathrm{ci}}_{A,S}(\lambda)$ is negligible for
all PPT algorithms A.
Definition 24
A cipher S provides authenticated encryption (AE) if:
1. S is IND-CPA secure
2. S provides CI.
Theorem 25
If S is AE secure then it is IND-CCA secure.
1. Encrypt-then-MAC (EtM)
1.1 c ← E(K, m), t ← Tg(K′, c), output (c, t)
1.2 Used in IPsec, TLS 1.2 and later versions, and in the NIST standard
GCM
2. MAC-then-Encrypt (MtE)
2.1 t ← Tg(K′, m), c ← E(K, (m, t)), output c
2.2 Used in SSL 3.0, TLS 1.0, and in the 802.11i WiFi encryption protocol
Encrypt-then-MAC
Theorem 26
If S is an IND-CPA secure cipher and S′ is a secure MAC, then the EtM
construction is AE secure.
1. Use the same key for the cipher and the MAC
2. Apply the MAC only to part of the ciphertext (we may lose
ciphertext integrity) – discovered in 2013 at RNCryptor facility in
Apple’s iOS
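Theorem 26 and the two mistakes listed under it, as an added example that is not code from the slides or from RNCryptor: the cipher E(K, m) is assumed to be an IND-CPA stream encryption (XOR with HMAC-SHA256 in counter mode under a fresh 16-byte nonce), the MAC Tg(K′, ·) is HMAC-SHA256, and the two keys K and K′ are derived from one master key with distinct labels instead of being the same key (mistake 1). The tag is computed over the nonce and the entire ciphertext (mistake 2), and decryption verifies the tag before touching the ciphertext, returning ⊥ (None) for every kind of failure.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes):
    """K for the cipher and K' for the MAC, derived with distinct labels so the
    two primitives never share a key (mistake 1 on the slide)."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed E(K, m): XOR with HMAC-SHA256 in counter mode; IND-CPA with a fresh nonce per message.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def etm_encrypt(master_key: bytes, message: bytes) -> bytes:
    """c <- E(K, m), t <- Tg(K', c), output (c, t). The tag covers the nonce and
    the whole ciphertext, not just a part of it (mistake 2 on the slide)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _xor(message, _keystream(enc_key, nonce, len(message)))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def etm_decrypt(master_key: bytes, blob: bytes):
    """Verify first, decrypt second. Every failure returns None (the slides'
    bottom symbol) without saying why, so the receiver never processes a
    ciphertext whose integrity has not been established."""
    enc_key, mac_key = derive_keys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(enc_key, nonce, len(body)))
```

Under this layout a receiver that logs rejected messages has a direct ciphertext-integrity signal: any bit changed in the nonce, the body or the tag, and any truncation, is rejected before decryption, which is exactly the CI experiment's "c must be a valid ciphertext" condition.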
MAC-then-Encrypt
MtE is not generally secure:
Fall 2020
Outline
Introduction
Public-key encryption
Security models
Hybrid encryption
IND-CCA security
A bit of history
• 1976: Whitfield Diffie and Martin Hellman, and independently Ralph
Merkle, invented public-key cryptography to address the two
aforementioned deficiencies;
• The first concrete realization of a public-key cryptosystem is due to
R.C. Merkle and M.E. Hellman in 1978. Unfortunately, this
cryptosystem, as well as many other variations of it, have been
proved to be insecure;
• Soon after the Merkle-Hellman cryptosystem came the first
full-fledged public-key cryptosystem, RSA (named after its inventors,
R. Rivest, A. Shamir, and L. Adleman). RSA is by far the easiest to
understand and implement public-key cryptosystem; it gets its
security from the difficulty of factorization of very large numbers.
Public-key encryption
Definition 1
A public-key encryption (PKE) scheme over (K, M, C) is a triple of
algorithms S = (G, E, D) such that:
1. G is a PPT algorithm, called the key generation algorithm, which
outputs a (public-key, secret-key) pair (pk, sk) when invoked on a
security parameter λ;
2. E is a PPT algorithm, called the encryption algorithm, which
outputs a ciphertext c ∈ C when invoked on a public key pk and a
message m ∈ M;
3. D is a deterministic PT algorithm, called the decryption algorithm,
which outputs a message m ∈ M or a special symbol ⊥ (denoting
failure) when invoked on a secret-key sk and a ciphertext c.
Definition 2
A PKE scheme S is IND-CPA secure if
$\left| P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}0}}_{A,S}(\lambda) = 1) - P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}1}}_{A,S}(\lambda) = 1) \right|$
Security issues
• The RSA PKE scheme, as it was defined, is not IND-CPA (encryption
is deterministic)
• If p or q is recovered (e.g., by factoring n in reasonable time), then
the system is completely broken
• If φ(n) can be computed in reasonable time, then the system is
completely broken
• If d can be easily computed from n and e, then the system is
completely broken
• If the same n is used by two different users, either of them can
break the other’s encryption
Security issues
• If e = 3 and $m < \sqrt[3]{n}$, then $m = \sqrt[3]{c}$ (no modular computation)
• If e = 3 and m is sent to three receivers:
$c_1 \equiv m^3 \bmod n_1$
$c_2 \equiv m^3 \bmod n_2$
$c_3 \equiv m^3 \bmod n_3$
Padded RSA
Let ℓ = ℓ(λ) be a function such that ℓ ≤ 2λ − 2
1. G(λ): generate an RSA modulus n = pq of size λ, a public key
pk = (n, e), and a secret key sk = (n, d);
2. E(pk, m): assume m ∈ {0, 1}^ℓ
• r ← {0, 1}^{λ−ℓ−1}
• c = (r ∥ m)^e mod n
3. D(sk, c): output the ℓ least significant bits of m′ = c^d mod n
The RSA problem is hard for G if no PPT algorithm can solve it, except
with negligible probability. The RSA assumption is that there exists a
generator for which the RSA problem is hard.
Theorem 6
The RSA padded PKE scheme is IND-CPA, provided that ℓ = 1 and the
RSA problem is hard for its generator.
and
$d_{sk}(c) = c / g^{xy}$, assuming $c = (g^y, m \cdot g^{xy})$
Definition 9
The Decisional Diffie-Hellman (DDH) problem in a cyclic group G = ⟨g⟩
of prime order p is to distinguish between the distributions
$(g, g^x, g^y, g^{xy})$ and $(g, g^x, g^y, g^z)$, where x, y, z are drawn uniformly at
random from $\mathbb{Z}_p$.
Definition 10
The Computational Diffie-Hellman (CDH) problem in a cyclic group
G = ⟨g⟩ of prime order is to compute $g^{xy}$, given $(g, g^x, g^y)$.
It is believed that there are groups where the DDH problem is easy but
the CDH problem is hard (such groups are called gap Diffie-Hellman
(GDH) groups).
Proof.
Assume that A is an adversary against the ElGamal PKE scheme. Define
an adversary B that uses A to distinguish the two probability
distributions in DDH:
1. B gives to A the public key $(G, q, g, g^x)$
2. B encrypts to A by $(g^y, m_b \cdot \alpha)$
3. If A guesses b, then B returns $\alpha = g^{xy}$; otherwise, $\alpha = g^z$.
The probability to distinguish between the two probability distributions is
$\left| P(b' = b) - \frac{1}{2} \right| = \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda)$
Facts
• SKE is significantly faster than PKE
• Use SKE to encrypt messages and PKE to encrypt the secret key for
SKE
Hybrid encryption
1. S = (G, E, D) PKE scheme
2. S′ = (G′, E′, D′) SKE scheme
3. Hybrid encryption with (S, S′)
3.1 (pk, sk) ← G(λ)
3.2 To encrypt m do:
• K ← G′(λ)
• c1 ← E(pk, K)
• c2 ← E′(K, m)
• c = (c1, c2)
3.3 To decrypt c do:
• K ← D(sk, c1)
• m ← D′(K, c2)
Hybrid encryption is a PKE because the sender and receiver do not share
any secret key in advance!
The reason why only IND-COA security is required of the scheme S′
is that a fresh key is chosen each time a new message is encrypted
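The ElGamal scheme (c = (g^y, m·g^{xy}), decryption by dividing out g^{xy}) and the hybrid construction above, put together in one added example that is not code from the slides. The group is an assumed toy one, p = 2039 = 2q + 1 with q = 1019 prime and g = 4 generating the order-q subgroup, chosen so the arithmetic is visible; deployed ElGamal needs a prime of at least 2048 bits or an elliptic-curve group. The SKE key K is sampled as a random group element so that it can be ElGamal-encrypted directly, and the assumed S′ is a deterministic stream cipher keyed by SHA-256(K), which is enough because the hybrid scheme never reuses K, the point of the remark above.

```python
import hashlib
import secrets

# Toy group parameters (assumption of this example, see the lead-in).
P = 2039   # prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of quadratic residues
G = 4      # 4 = 2^2 is a quadratic residue, hence generates the order-Q subgroup


def elgamal_keygen():
    """G(lambda): sk = x <- Z_q, pk = g^x."""
    x = secrets.randbelow(Q)
    return pow(G, x, P), x


def elgamal_encrypt(pk: int, m: int):
    """E(pk, m) = (g^y, m * pk^y) with a fresh y per encryption."""
    y = secrets.randbelow(Q)
    return pow(G, y, P), (m * pow(pk, y, P)) % P


def elgamal_decrypt(sk: int, c):
    """D(sk, c) = c_2 / g^{xy}, where g^{xy} = c_1^x; the division is by the
    modular inverse computed via Fermat's little theorem."""
    c1, c2 = c
    shared = pow(c1, sk, P)
    return (c2 * pow(shared, P - 2, P)) % P


def ske_keygen() -> int:
    """K <- G'(lambda): a random element of the group, so E(pk, K) is well defined."""
    return pow(G, secrets.randbelow(Q), P)


def ske_encrypt(k: int, message: bytes) -> bytes:
    """Assumed S': XOR with a keystream SHA-256(K || counter). It is deterministic
    and only IND-COA, which suffices because K is used for exactly one message."""
    out = bytearray()
    counter = 0
    while len(out) < len(message):
        out += hashlib.sha256(k.to_bytes(2, "big") + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(message, out))


ske_decrypt = ske_encrypt   # same keystream, same XOR


def hybrid_encrypt(pk: int, message: bytes):
    """K <- G'(lambda); c1 <- E(pk, K); c2 <- E'(K, m); output (c1, c2)."""
    k = ske_keygen()
    return elgamal_encrypt(pk, k), ske_encrypt(k, message)


def hybrid_decrypt(sk: int, c):
    """K <- D(sk, c1); m <- D'(K, c2)."""
    c1, c2 = c
    k = elgamal_decrypt(sk, c1)
    return ske_decrypt(k, c2)
```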
2. Encrypt m into c = (g y , m · g xy )
Trapdoor functions
Definition 13
A trapdoor function (TDF) over (X , Y ) is a triple T = (G, F , I ), where:
1. G is a PPT algorithm that generates pairs (pk, sk) (as in a PKE
scheme);
2. F is a deterministic algorithm that acts on a pk and an x ∈ X and
returns a y ∈ Y ;
3. I is a deterministic algorithm that acts on an sk and a y ∈ Y and
returns an x ∈ X .
Moreover, for any (pk, sk) ← G(λ), for any x ∈ X , I (sk, F (pk, x)) = x.
1 Introduction
2 Key generation
Introduction
Random Bit Generators
Key Derivation Functions
3 Key Establishment
Introduction
Examples of Key Establishment Protocols
Public-key Infrastructures
Other Techniques
4 Key Storage
5 Key Update, Revocation, and Destruction
6 Key Use
Cryptographic Keys
Classification by algorithm type
symmetric keys : for symmetric cryptography
short-term keys
Key Management
Key management goals:
Standards
International standards: ANSI X9.17 / ISO 8732, ANSI X9.24, ISO 11166,
ISO 11568
defines both the manual and automated management of keying material
used for financial services such as point-of-sale (POS) transactions (debit
and credit), automated teller machine (ATM) transactions, messages among
terminals and financial institutions, and interchange messages among
acquirers, switches and card issuers
Cryptomathic (http://www.cryptomathic.com/)
KeyConductor (http://www.capturetech.com/)
keyAuthority (http://www.thales-esecurity.com/) etc.
network topology
cryptographic services (confidentiality, authentication etc.)
cryptographic mechanism (digital signature, MAC etc.)
S. Bellovin (RFC 4107, June 2005): Key management schemes should not be
designed by amateurs!
Key Generation
Key generation techniques:
Key Length
Key lengths for confidentiality:
General Requirements
Two general requirements a random sequence should fulfill:
(R1) Random sequences should have “good” statistical properties
(R1) is usually checked by applying a particular statistical test suite, such as
the NIST 800-22 Statistical Test Suite or the Diehard Tests of Randomness;
(R1) may be sufficient for some applications (e.g., for
challenge-and-response protocols) but may be insufficient for others (e.g.,
generation of session keys).
Classification
Random number generators (RNG) can be classified as follows:
Pure PRNG
Definition 1
A pure PRNG is a 4-tuple G = (S, O, δ, g), where:
S is a finite set of states;
O is a finite set of outputs;
δ : S → S is the transition function;
g : S → O is the output function.
[Figure: the generator is started from a seed and emits the output sequence r1, r2, ···]
Pure PRNG
Remark 1
1 The seed is generated outside G.
2 In order to meet (R2), the transition and output functions should be
sufficiently complex, and the entropy of the seed should be large;
3 The least p > 0 with $s_{n+p} = s_n$ for all n ≥ 1 is called the period of G. Large
periods are better.
Requirement (R3)
If an attacker gets knowledge of the current internal state of the PRNG from the
previous example, then (R2) does not hold anymore. As (R2) is important in
many applications, it is desirable to add one more requirement to PRNGs:
(R3) The knowledge of the internal state shall not allow one to practically
compute “old” random numbers or even a previous internal state or to
guess these values with non-negligible larger probability than without
knowledge of the internal state.
If h1 and h2 are one-way functions, then the above PRNG fulfills (R3).
Remark 2
If h1 = h2 in the above example, then the PRNG does not fulfill (R2) because
one can easily obtain the successor of a random value from the current
random value.
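The hash-based pure PRNG that the two statements above refer to, as an added example that is not code from the slides: the transition function δ is a one-way function h1 and the output function g is a second one-way function h2, with s_{n+1} = h1(s_n) and r_n = h2(s_n). Both are assumed here to be SHA-256 with distinct domain-separation prefixes. The check function makes Remark 2 concrete: if h1 = h2 = h, then r_n = h(s_n) = s_{n+1}, so the next output is simply h applied to the current output and (R2) fails; with distinct h1 and h2 this relation disappears.

```python
import hashlib


def h1(state: bytes) -> bytes:
    """Transition function delta: s_{n+1} = h1(s_n).
    Assumption: SHA-256 with a domain tag stands in for a one-way function."""
    return hashlib.sha256(b"state|" + state).digest()


def h2(state: bytes) -> bytes:
    """Output function g: r_n = h2(s_n), separated from h1 by a different tag."""
    return hashlib.sha256(b"output|" + state).digest()


def generate(seed: bytes, count: int, transition=h1, output=h2):
    """Run the pure PRNG G = (S, O, delta, g) from an externally supplied seed.
    Returns (outputs r_1..r_count, final state)."""
    state = seed
    outputs = []
    for _ in range(count):
        outputs.append(output(state))   # r_n = g(s_n)
        state = transition(state)       # s_{n+1} = delta(s_n)
    return outputs, state


def successor_is_predictable(seed: bytes, transition, output) -> bool:
    """Remark 2 check: can r_{n+1} be computed from r_n alone? With
    transition == output this holds because r_n = h(s_n) = s_{n+1}."""
    outputs, _ = generate(seed, 2, transition, output)
    return output(outputs[0]) == outputs[1]


def old_outputs_unchanged_by_state(seed: bytes, count: int) -> bool:
    """(R3) cannot be tested directly, but the structure behind it can: the
    outputs r_1..r_count are fixed by the seed alone, and recovering s_n from the
    final state would require inverting h1 `count` times."""
    first, _ = generate(seed, count)
    second, _ = generate(seed, count)
    return first == second
```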
Remark 3
The BBS generator is slow due to the modular multiplication it uses.
It can be shown that BBS is cryptographically secure in the sense that the
next outputted bit is unpredictable. Moreover, this property holds true
even if BBS outputs not only the least significant bit but also the least
log log m significant bits.
Hybrid PRNGs
In a hybrid PRNG, the update process of the current internal state takes into
consideration not only the current state but also an additional input from some
finite set E∞ = E ∪ {∞}. When the element ∞ is used, this means that the
update of the current state is only performed on the basis of the current state.
Therefore, if E∞ = {∞} then the hybrid PRNG is in fact a pure PRNG.
Definition 7
A hybrid PRNG is a 5-tuple G = (S, O, E, δ , g), where S, O, and g are as in the
case of a pure PRNG, E is a finite set (not including ∞), and δ is a function
from S × E∞ into S with the property δ (s, ∞) = s, for any s ∈ S.
Requirement (R4)
In the case of a pure PRNG, the knowledge of an internal state may
compromise the generator. This might not be the case for a hybrid PRNG
because the generation of a new state takes into account external inputs. But
it may be desirable to add one more requirement:
(R4) The knowledge of the internal state shall not allow one to practically
compute the next random numbers or to guess these values with
non-negligible larger probability than without knowledge of the internal
state.
The external input t is the 64-bit representation of the current (date and) time
(the (date and) time just before the generation of a new state).
This PRNG does not fulfill (R3) if the adversary knows the exact time when
the random numbers are generated (that is, if the adversary knows t).
Key Establishment
Key establishment = protocol whereby a shared secret becomes available to
two or more parties (for subsequent cryptographic use)
Key Establishment
Requirements:
Key Establishment
General classification:
key distribution
point-to-point techniques - communicating parties involved directly
Protocol:
1. A→B : (NA ) {NA , A}KB
2. B→A : (NB ) {NA , NB , B}KA
3. A→B : {NB }KB
Diffie-Hellman Protocol
Protocol:
1. A→B : (x←{2, . . . , p − 2}) $\alpha^x$
2. B→A : (y←{2, . . . , p − 2}) $\alpha^y$
Station-to-Station Protocol
where $K = \alpha^{xy}$
Goal: A and B agree on $\alpha^{xy}$ as the source keying material
Properties: mutual entity authentication and mutual explicit key
authentication
Remark: there are several variations of this protocol such as full STS
(certificates included) and STS-MAC ({·}K replaced by MACK )
Certifying Public-keys
Examples: X.509 v3
Managing Certificates
Revocation
certificate revocation list (CRL)
on-line certification status protocol (OCSP)
Other Techniques
Identity-based encryption !
Voltage security: http://www.voltage.com/
Key Storage
Techniques for storing secret keys:
Stored on a database
Key Use
Techniques for controlling the use of keys:
Key variants: keys derived from a base key (for instance, K ⊕ v or {r}_K, where v and r are random)
Benefits:
Better stability
Better security
Ease of deployment
Policies
Three main classes of security policies:
Models
Security models based on:
Matrices
Graphs
Partial orders
Logics
Mechanisms
Modern access control mechanisms are based on the reference monitor
concept introduced in 1972 by Anderson:
[Figure: a reference monitor mediating every access, backed by an access control database and writing to an audit file]
Reference Monitor
Fundamental implementation principles of a reference monitor:
Reference Monitor
The reference monitor can be implemented using various topologies:
1 Introduction to DAC
3 Other Models
The Take-grant Model
The Schematic Model
Basic features:
DAC models are called “discretionary” as users can be given the ability of
passing on their privileges to other users
DAC models:
Take-grant model
Access-matrix model
Schematic model
It is called the access control matrix model or the access-matrix model or the
HRU model.
Basic features:
It is a state-transition system
States are matrices where each row corresponds to a subject, each
column corresponds to an object, and a cell specifies the rights a subject
has over an object
Transitions between states are performed by commands
Subjects are objects too
Definition 1
A state over R is a triple Q = (S, O, A), where S and O are non-empty finite sets
of subjects and objects, respectively, and A is an | S | × | O |-matrix whose
elements are subsets of R.
Example 2
Let S = {process1 , process2 }, O = {process1 , process2 , file}, and A given below:
Primitive Operations
Vsub = set of variables of type subject, Vob = set of variables of type object
Definition 3
A primitive operation over R is a construct of the one of the following types:
1 enter r into (Xs , Xo )
2 delete r from (Xs , Xo )
3 create subject Xs
4 create object Xo
5 destroy subject Xs
6 destroy object Xo
Commands
Definition 4
A command over R is a construct of the form:
command α(X1, . . . , Xk)
if r1 in (Xs1, Xo1) and · · · and rm in (Xsm, Xom)
then op1, . . . , opn
end
or, when there is no condition,
command α(X1, . . . , Xk)
op1, . . . , opn
end
where m ≥ 0, n ≥ 1, r1, . . . , rm ∈ R, X1, . . . , Xk ∈ Vsub ∪ Vob, 1 ≤ s1, . . . , sm, o1, . . . , om ≤ k,
Xsi ∈ Vsub and Xoi ∈ Vob for all 1 ≤ i ≤ m, and op1, . . . , opn are operations over R
whose variables are among X1, . . . , Xk.
Definition 5
A protection system over R is a finite set C of commands over R.
Examples of Commands
Example 6
command CREATE(process, file)
create object file
enter own into (process, file)
end
Example 7
command CONFER_READ(owner, friend, file)
if own in (owner, file)
then
enter r into (friend, file)
end
Examples of Commands
Example 8
command REMOVE_READ(owner, exfriend, file)
if own in (owner, file) and
r in (exfriend, file)
then
delete r from (exfriend, file)
end
Substitution
Example 9
Let S be a set of subjects and O be a set of objects. If σ(X) = s ∈ S and σ(X′) = o ∈ O, then
Transition Relation
Given an operation op and a substitution σ, define the binary relation ⇒σ(op) on states by
(S, O, A) ⇒σ(op) (S′, O′, A′)
if and only if one of the following properties holds:
1 if op = enter r into (X, Y), then σ(X) ∈ S, σ(Y) ∈ O, S′ = S, O′ = O, and
A′(s, o) = A(s, o) ∪ {r} if (s, o) = (σ(X), σ(Y)), and A′(s, o) = A(s, o) otherwise;
2 if op = delete r from (X, Y), then σ(X) ∈ S, σ(Y) ∈ O, S′ = S, O′ = O, and
A′(s, o) = A(s, o) − {r} if (s, o) = (σ(X), σ(Y)), and A′(s, o) = A(s, o) otherwise;
3 if op = create subject X, then σ(X) ∉ O, S′ = S ∪ {σ(X)}, O′ = O ∪ {σ(X)}, and
A′(s, o) = A(s, o) if (s, o) ∈ S × O, and A′(s, o) = ∅ otherwise;
4 if op = create object Y, then σ(Y) ∉ O, S′ = S, O′ = O ∪ {σ(Y)}, and
A′(s, o) = A(s, o) if (s, o) ∈ S × O, and A′(s, o) = ∅ otherwise;
5 if op = destroy subject X, then σ(X) ∈ S, S′ = S − {σ(X)}, O′ = O − {σ(X)}, and A′(s, o) = A(s, o), for all (s, o) ∈ S′ × O′;
6 if op = destroy object Y, then σ(Y) ∈ O − S, S′ = S, O′ = O − {σ(Y)}, and A′(s, o) = A(s, o), for all (s, o) ∈ S′ × O′.
Define now
(S, O, A) ⇒op (S′, O′, A′) ⇔ ∃σ : (S, O, A) ⇒σ(op) (S′, O′, A′)
Transition Relation
Given a command α and a substitution σ, define the binary relation ⇒σ(α) on states by
(S, O, A) ⇒σ(α) (S′, O′, A′)
if and only if one of the following properties holds:
1 if the test of σ(α) is not satisfied at (S, O, A), then (S′, O′, A′) = (S, O, A);
2 if the test of σ(α) is satisfied at (S, O, A), then there exist Q0, Q1, . . . , Qn such that
(S, O, A) = Q0 ⇒σ(op1) Q1 ⇒σ(op2) · · · ⇒σ(opn) Qn = (S′, O′, A′)
where op1, . . . , opn is the body of α.
Define now
(S, O, A) ⇒α (S′, O′, A′) ⇔ ∃σ : (S, O, A) ⇒σ(α) (S′, O′, A′)
and
(S, O, A) ⇒ (S′, O′, A′) ⇔ ∃α : (S, O, A) ⇒α (S′, O′, A′)
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Discretionary Access Control Models : : 13 / 45
The Access-matrix Model
Safety
Definition 10
Let C be a protection system over R, Q a state of C , r ∈ R, and α a command
of C . We say that α leaks r from Q if there exists a substitution σ such that:
1 the test of σ (α) is satisfied at Q;
2 for some prefix op1, . . . , opi of the body of α there exist
Q = Q0 = (S0, O0, A0) ⇒σ(op1) Q1 = (S1, O1, A1) ⇒σ(op2) · · · ⇒σ(opi) Qi = (Si, Oi, Ai)
such that r ∈ Ai(s, o) − Ai−1(s, o) for some s and o.
Definition 11
Let C be a protection system over R, Q a state of C , and r ∈ R. We say that C
leaks r from Q if there exists a command of C that leaks r from Q.
Safety
Definition 12
Let C be a protection system over R, Q a state of C, and r ∈ R. We say that Q is unsafe for r if there exists a state Q′ reachable from Q such that C leaks r from Q′.
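Definitions 1 to 12 carried out in code, as an added example (not the slides' code): states, the primitive operations, the three commands of Examples 6 to 8, the transition relation, leaks and a depth-bounded search for unsafe states. The bounded search is this example's own device: the general safety problem is undecidable (Theorem 13), so "no leak found within the bound" is not a proof of safety.

```python
"""HRU protection system: states, primitives, commands, leaks, bounded safety.
Added example; the command set is Examples 6-8, the search bound is an assumption."""
from copy import deepcopy
from itertools import product


class NotApplicable(Exception):
    """A primitive's side condition fails (e.g. create of an existing name)."""


class State:
    def __init__(self, subjects, objects=(), rights=None):
        self.S = set(subjects)
        self.O = set(objects) | self.S                 # subjects are objects too
        self.A = {cell: set(r) for cell, r in (rights or {}).items()}

    def rights(self, s, o):
        return self.A.get((s, o), set())

    def key(self):                                     # hashable snapshot
        return (frozenset(self.S), frozenset(self.O),
                frozenset((c, frozenset(r)) for c, r in self.A.items() if r))


def _need(cond):
    if not cond:
        raise NotApplicable


# Primitive operations over R (Definition 3); each mutates the state in place.
def enter(st, r, s, o):
    _need(s in st.S and o in st.O); st.A.setdefault((s, o), set()).add(r)

def delete(st, r, s, o):
    _need(s in st.S and o in st.O); st.rights(s, o).discard(r)

def create_subject(st, x):
    _need(x not in st.O); st.S.add(x); st.O.add(x)

def create_object(st, x):
    _need(x not in st.O); st.O.add(x)

def destroy_subject(st, x):
    _need(x in st.S); st.S.discard(x); st.O.discard(x)
    st.A = {c: r for c, r in st.A.items() if x not in c}

def destroy_object(st, x):
    _need(x in st.O and x not in st.S); st.O.discard(x)
    st.A = {c: r for c, r in st.A.items() if x not in c}

PRIMITIVES = {f.__name__: f for f in (enter, delete, create_subject,
                                      create_object, destroy_subject, destroy_object)}

# Examples 6-8: formal parameters, test as (right, subject var, object var)
# triples, body as primitive name followed by its arguments.
COMMANDS = {
    "CREATE": (("process", "file"), [],
               [("create_object", "file"), ("enter", "own", "process", "file")]),
    "CONFER_READ": (("owner", "friend", "file"), [("own", "owner", "file")],
                    [("enter", "r", "friend", "file")]),
    "REMOVE_READ": (("owner", "exfriend", "file"),
                    [("own", "owner", "file"), ("r", "exfriend", "file")],
                    [("delete", "r", "exfriend", "file")]),
}


def run(st, name, *actuals):
    """Apply a command under the substitution params -> actuals. Returns
    (successor, rights newly entered into some cell); a non-empty second
    component is a leak in the sense of Definition 10. A failed test leaves
    the state unchanged; an inapplicable primitive yields None."""
    params, test, body = COMMANDS[name]
    sigma = dict(zip(params, actuals))
    if not all(r in st.rights(sigma[xs], sigma[xo]) for r, xs, xo in test):
        return st, set()
    new, leaked = deepcopy(st), set()
    try:
        for op, *args in body:
            if op in ("enter", "delete"):
                r, s, o = args[0], sigma[args[1]], sigma[args[2]]
                if op == "enter" and r not in new.rights(s, o):
                    leaked.add(r)
                PRIMITIVES[op](new, r, s, o)
            else:
                PRIMITIVES[op](new, sigma[args[0]])
    except NotApplicable:
        return None
    return new, leaked


def fresh_name(st):
    i = 0
    while f"obj{i}" in st.O:
        i += 1
    return f"obj{i}"


def unsafe(q0, right, max_depth=2):
    """Breadth-first search over states reachable from q0 (substitutions range
    over the current names plus one fresh name for creates). Returns the command
    trace whose last command leaks `right`, or None if none is found in depth."""
    seen, frontier = {q0.key()}, [(q0, [])]
    for _ in range(max_depth + 1):
        nxt = []
        for st, trace in frontier:
            names = sorted(st.O) + [fresh_name(st)]
            for cname, (params, _, _) in COMMANDS.items():
                for actuals in product(names, repeat=len(params)):
                    res = run(st, cname, *actuals)
                    if res is None:
                        continue
                    new, leaked = res
                    if right in leaked:
                        return trace + [(cname, actuals)]
                    if new.key() not in seen:
                        seen.add(new.key()); nxt.append((new, trace + [(cname, actuals)]))
        frontier = nxt
    return None
```

With these three commands every state containing a subject is unsafe for r: CREATE needs no condition, and CONFER_READ then enters r for any friend, including the owner itself. No command ever enters w, so the search reports nothing for w; that is evidence, not a proof, which is exactly the gap Theorems 13 and 14 are about.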
Deciding safety
Theorem 13
The safety problem for bi-conditional (i.e., at most two conditions) monotonic
(i.e., without delete and destroy operations) protection systems is
undecidable.
Theorem 14
The safety problem for mono-conditional protection systems without
destroy-operations is decidable.
Implementation
Access control matrix implementations do not scale well: a bank with 50,000 staff and 300 applications would have an access control matrix of 15 million entries!
We need compact ways of storing and managing access control matrices.
Two main ways of doing this are:
1 use groups (roles) to manage the privileges (rights) of large sets of users
simultaneously (role-based access control - RBAC);
2 store the matrix either by columns (access control lists - ACL) or rows
(capability lists).
Definition 15
An access control list (ACL) is a column of the access control matrix
(therefore, associated to an object - the ACL associated to o is denoted ACLo ,
and it is stored along with o).
less suited where the user population is large and constantly changing;
less suited where users want to be able to delegate their authority to run
a particular program to another user for some set period of time;
simple to implement;
tedious to run system wide checks, such as verifying that no files have
been left world-writable by users whose access was revoked.
Example 16
ACL for a file:
Example 17
ACL for a folder:
drwxrwxrwx Alice Accounts
The first character specifies that the ACL is for a folder (directory); the remaining ones have the same meaning as above.
the owner of the program marks it as suid (the x bit in the owner part of the ACL is set to s, meaning both x and suid, or to S, meaning suid without x);
then, the program is placed in some folder to which some user Alice has access;
Alice can run the program with the privileges of its owner.
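Evaluating a Unix-style ACL of the kind shown in Examples 16 and 17, as an added example (not the slides' code): the mode string decides access for a request, the s bit changes whose privileges a program runs with, and the "tedious" system-wide check mentioned above, finding world-writable files, is a one-line scan over the same parsed entries. The listing is constructed for the example.

```python
"""Unix mode-bit ACL evaluation, suid semantics and a world-writable scan.
Added example; LISTING is a constructed `ls -l`-style listing."""
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group name")

# Constructed listing: mode string, owner, group, name.
LISTING = """\
-rw-r--r-- alice accounts ledger.txt
-rwsr-xr-x root  root     passwd
-rwxrwxrwx bob   accounts shared.sh
drwxrwxrwx alice accounts reports
-rw-rw-r-- carol staff    notes.txt"""


def parse(listing):
    return [Entry(*line.split()) for line in listing.splitlines()]


def triple(mode, who):
    """(r, w, x) bits for who in {"owner", "group", "other"}. In the x slot,
    's' (set-uid/set-gid with x) and 't' (sticky with x) still mean executable;
    'S' means set-uid/set-gid without x."""
    i = {"owner": 1, "group": 4, "other": 7}[who]
    return mode[i] == "r", mode[i + 1] == "w", mode[i + 2] in "xst"


def is_suid(mode):
    return mode[3] in "sS"


def allowed(entry, user, groups, want):
    """Classic Unix check: the first matching class (owner, then group, then
    other) decides; the later classes are not consulted."""
    if user == entry.owner:
        who = "owner"
    elif entry.group in groups:
        who = "group"
    else:
        who = "other"
    r, w, x = triple(entry.mode, who)
    return {"r": r, "w": w, "x": x}[want]


def effective_uid_on_exec(entry, user, groups):
    """Who the process runs as when `user` executes the program: the file's
    owner if suid is set, otherwise the caller; None if not executable."""
    if not allowed(entry, user, groups, "x"):
        return None
    return entry.owner if is_suid(entry.mode) else user


def world_writable(entries):
    """System-wide check: every file or directory writable by 'other'."""
    return [e.name for e in entries if triple(e.mode, "other")[1]]


if __name__ == "__main__":
    entries = parse(LISTING)
    print("world-writable:", world_writable(entries))
    print("alice runs passwd as:", effective_uid_on_exec(entries[1], "alice", set()))
```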
permissions are defined for users and groups. Each permission type has three values: Access denied, Access allowed, and System audit.
ACLs are associated to items (i.e., files or directories), and each ACL is a list of entries of the form
· · · (user/group, permissions) · · ·
Capability Lists
Definition 18
A capability list (C-list) is a row of the access control matrix (therefore, associated to a subject - the C-list associated to s is denoted Cs, and it is stored along with s).
Capability Lists
Problems with capabilities:
protected address space: store capabilities in parts of memory that are not
accessible to programs;
A.K. Jones, R.J. Lipton, L. Snyder: A Linear Time Algorithm for Deciding
Security, Proc. of 17th Annual Symp. on Found. of Comp. Sci., 1976.
Basic features:
Take-grant States
Example 19
[Figure: a take-grant state over the nodes mount, root, user, file1, file2 and device, with arcs labelled r, w (read, write), x and t (take)]
Meaning:
Dark circles stand for subjects
Open circles stand for objects
Gray circles denote either a subject or an object
An arc from x to y labeled α says that x has rights r ∈ α for y
[Figure: the take rule, x —t→ y and y —r→ z rewrite to the same graph with x additionally holding r on z, and the grant rule, x —g→ y and x —r→ z rewrite to the same graph with y additionally holding r on z]
Definition 20
Let G be a take-grant state, r a right, and x and p nodes in G. G is called safe
for r and x w.r.t. p if can.share(r, x, p, G) does not hold.
Connected Nodes
Definition 21
Let G be a take-grant state and x and y two nodes of G.
1 x and y are directly connected if there is an arc between them.
2 x and y are directly tg-connected if there is an arc between them with a
label containing t or g.
3 A path (tg-path) is a sequence x0 , x1 , . . . , xn of nodes such that xi and xi+1
are directly connected (tg-connected), for any 0 ≤ i < n.
4 x and y are connected (tg-connected) if there is a path (tg-path) between
them.
Remark 2
We emphasize that if x and y are not connected in G then they cannot become connected in any G′ obtained by rewriting G. This is because no rule adds arcs between unconnected nodes.
Let G be a take-grant state. With each tg-path associate one or more words over the alphabet { →t, ←t, →g, ←g } in an obvious way (one letter per arc, recording its label and its direction along the path).
Definition 22
Let G be a take-grant state.
1 An island of G is any subject-only tg-connected subgraph of G.
Deciding Safeness
Theorem 23
Let G be a take-grant state, r a right, and x and p nodes in G. Then, can.share(r, x, p, G) is true if and only if r ∈G (p, x) or there exists a node s, two subjects p′ and s′, and islands I1, . . . , In such that:
1 r ∈G (s, x);
2 p′ = p or p′ initially spans to p;
3 s′ = s or s′ terminally spans to s;
Corollary 24
There is an algorithm for testing can.share that operates in linear time in the
size of the initial state (graph).
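Take-grant states as labelled graphs, the take and grant rewriting rules, tg-connectivity (Definition 21) and a can.share check by exhaustive rewriting, as an added example (not the slides' code; the state is constructed, not Example 19). The rule forms are the standard Jones-Lipton-Snyder ones: take: x —t→ y and y —r→ z give x —r→ z; grant: x —g→ y and x —r→ z give y —r→ z. Only subjects apply rules, and the create and remove rules are left out, so the closure is finite: a positive answer proves can.share, a negative one only says the right cannot be obtained without creating nodes. Remark 2 is visible in the result: no closure step connects previously unconnected nodes.

```python
"""Take-grant rewriting with take/grant only, tg-connectivity, can.share.
Added example; the state in example_state() is constructed."""
from collections import defaultdict, deque


class TakeGrant:
    def __init__(self, subjects, arcs):
        self.subjects = set(subjects)
        self.arcs = defaultdict(set)           # (x, y) -> set of rights
        for x, y, rights in arcs:
            self.arcs[(x, y)] |= set(rights)

    def has(self, x, r, y):
        return r in self.arcs.get((x, y), set())

    def step(self):
        """One pass of take and grant over all arcs; True if some arc grew."""
        grown = False
        for (x, y), rights in list(self.arcs.items()):
            if x not in self.subjects:
                continue                        # only subjects rewrite
            for (a, z), rz in list(self.arcs.items()):
                if "t" in rights and a == y and not rz <= self.arcs.get((x, z), set()):
                    self.arcs[(x, z)] |= rz; grown = True      # take: x takes y's rights on z
                if "g" in rights and a == x and not rz <= self.arcs.get((y, z), set()):
                    self.arcs[(y, z)] |= rz; grown = True      # grant: x gives y its rights on z
        return grown

    def closure(self):
        while self.step():
            pass
        return self

    def can_share(self, r, x, p):
        """can.share(r, x, p, G): can p obtain the right r on x (without creates)?"""
        return self.closure().has(p, r, x)

    def connected(self, x, y, tg_only=False):
        """Path between x and y ignoring arc direction; with tg_only, only arcs
        whose label contains t or g count (Definition 21)."""
        adj = defaultdict(set)
        for (a, b), rights in self.arcs.items():
            if not tg_only or rights & {"t", "g"}:
                adj[a].add(b); adj[b].add(a)
        seen, todo = {x}, deque([x])
        while todo:
            n = todo.popleft()
            if n == y:
                return True
            for m in adj[n] - seen:
                seen.add(m); todo.append(m)
        return False


def example_state():
    """Constructed state: root can take from user and grant to user; the
    object mount holds r on file2 but, being an object, never rewrites."""
    return TakeGrant(
        subjects={"root", "user", "guest"},
        arcs=[("root", "user", "tg"), ("user", "file1", "rw"), ("root", "device", "rw"),
              ("user", "mount", "x"), ("mount", "file2", "r")])


if __name__ == "__main__":
    g = example_state()
    print("root gets w on file1:", g.can_share("w", "file1", "root"))
    print("root gets r on file2:", g.can_share("r", "file2", "root"))
```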
To fill the gap between the richness in expressive power of the HRU
model and its intractability with respect to the safety question as
compared with the limited applicability of the take-grant model but
efficient decidability of safety.
How ?
The schematic model provides considerably more structure than HRU.
Rights:
inert rights: RI (do not affect the protection state)
control rights: RC (may change the protection state)
R = RI ∪ RC
copy flag c: rc means “r is copyable”, while r means “r is not copyable”
r : c denotes r or rc (rc subsumes r !)
Presence of x/rc in dom(y) subsumes presence of x/r, but not vice versa !
copy: moves a copy of a ticket from the domain of one subject to the
domain of another, leaving the original ticket intact
create: introduces new subjects and objects in the system
where r ∈ RC;
fi : TS × TS→P(T × R)
A ticket z/r : c can be copied from dom(x) to dom(y) iff there exists i such that:
z/rc ∈ dom(x);
linki (x, y) evaluates to true;
τ(z)/r : c ∈ fi (τ(x), τ(y))
cc ⊆ TS × T
TS = {user}, TO = {file}
RI = {r : c, w : c, a : c, x : c} (read, write, append, execute)
RC = ∅
link(u, v) = true, for all u and v of type user
f (user, user) = {file/xc}
cc = {(user, file)}
cr(user, file) = {file/rc, file/wc, file/xc}
Concluding Remarks
DAC policies enforce access control on the basis of the identity of the
requester and explicit access rules
DAC policies ignore the distinction between users and subjects and
evaluate all requests submitted by a process (subject) running on behalf
of some user against the authorizations of the user
DAC policies are vulnerable to processes executing malicious programs (such as Trojan Horses) that exploit the authorizations of the user on whose behalf they are executing
DAC policies do not enforce any control on the flow of information once
this information is acquired by a process
A more precise examination of the access control problem shows the utility of
separating users from subjects and controlling the flow of information !
1 Introduction to MAC
7 MAC Implementations
Basic features:
MAC models:
Basic features:
IF models are concerned with the flow of information from one security
class to another
Definition 1
An information flow model is a triple (SC, →, ⊕), where:
Meaning:
A→B : the information may flow from the security class A to the security
class B
A ⊕ B : if information from the two security classes A and B are combined,
the result belongs to the security class A ⊕ B
Axiom 1: SC is finite
Proposition 1
Any information flow model that satisfies Denning's axioms is a lattice.
Definition 2
Let (SC, →, ⊕) be an information flow model and A, B ∈ SC. We say that A
dominates B, denoted A ≥ B, if B→A.
[Figure: example lattices: the linear order U < C < S < TS; orders with top H and bottom L, one of them with the pairwise incomparable classes A1, . . . , An in between; and the subset lattice of {A, B, C} under inclusion, from ∅ up to {A, B, C}]
The security level of a subject, also called security clearance, reflects the
user’s trustworthiness
Overview:
Key idea: augment DAC with MAC to enforce information flow policies
Two-step approach:
1 First, an access control matrix D is established
2 Second, operations must be authorized by the mandatory access control
policy
Remark 1
The ∗-property allows secret data to be destroyed or damaged by unclassified subjects. To prevent this, the ∗-property is sometimes used in the form
In some approaches, write access means “read and write”, with append
access provided for “write only”
The BLP model is stated in terms of read and write operations (which
suffices to illustrate the main points). Other operations may be added,
such as create and destroy objects, constrained by the ∗-property
because they modify the state of the object in question
The integrity level of an object reflects both the degree of trust of the
information stored in the object and the potential damage resulting from
unauthorized modifications of the information
Remark 2
The Biba model’s rules are the dual of the BLP model’s rules.
Conclusions:
s can read or write o only if s and o have the same security class !
Irrelevant model
Conclusions:
Rules:
1 s is allowed to read o only if λ (s) ≥ λ (o) and ω(s) ≤ ω(o)
The model uses two lattices with information flow going in opposite
directions
Conclusions:
Rules:
1 s is allowed to read o only if λ (s) ≥ λ (o) and ω(s) ≥ ω(o)
The two lattices can be combined in just one lattice (see next slide)
In this lattice, the entity with highest confidentiality has lowest integrity,
and vice versa
Case 3: Example
[Figure: the two lattices side by side, λ from λL up to λH (highest confidentiality) and ω from ωL up to ωH (highest integrity), and the single combined lattice with (λH, ωL) at the top (highest confidentiality, lowest integrity), (λH, ωH) and (λL, ωL) incomparable in the middle, and (λL, ωH) at the bottom; information flows upwards]
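Security classes as a lattice (Definitions 1 and 2, Proposition 1) with the BLP and Biba read/write rules and the combined read rule quoted above (λ(s) ≥ λ(o) and ω(s) ≤ ω(o)), as an added example (not the slides' code). A class is a (level, categories) pair: A ≥ B iff A's level is at least B's and A's categories include B's, and A ⊕ B is (max level, union of categories). The BLP rules are the standard simple-security ("no read up") and ∗-property ("no write down") rules; Biba's are their duals (Remark 2). The combined write rule is the conjunction of the two write rules and is this example's own.

```python
"""Information-flow lattice with BLP, Biba and the combined read rule.
Added example; the class encoding (level, categories) is an assumption."""
from itertools import product

LEVELS = ["U", "C", "S", "TS"]                 # U < C < S < TS


class SC:
    """A security class: a level from LEVELS plus a set of categories."""
    def __init__(self, level, cats=()):
        self.level, self.cats = level, frozenset(cats)

    def __ge__(self, other):                   # A ≥ B, i.e. B → A
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.cats >= other.cats)

    def __le__(self, other):
        return other >= self

    def __or__(self, other):                   # A ⊕ B
        return SC(max(self.level, other.level, key=LEVELS.index),
                  self.cats | other.cats)

    def __eq__(self, other):
        return (self.level, self.cats) == (other.level, other.cats)

    def __hash__(self):
        return hash((self.level, self.cats))

    def __repr__(self):
        return f"{self.level}{sorted(self.cats)}"


def flows(a, b):
    """A → B: information may flow from class A to class B."""
    return b >= a


def is_lattice(classes):
    """On a finite set: ≥ is a partial order, the set is closed under ⊕, ⊕ is
    the least upper bound, and a least element exists (a finite
    join-semilattice with a bottom is a lattice)."""
    cl = set(classes)
    for a, b in product(cl, repeat=2):
        if a >= b and b >= a and a != b:                        # antisymmetry
            return False
        j = a | b
        if j not in cl or not (j >= a and j >= b):             # closure, upper bound
            return False
        if any(c >= a and c >= b and not c >= j for c in cl):  # least
            return False
    for a, b, c in product(cl, repeat=3):                      # transitivity
        if a >= b and b >= c and not a >= c:
            return False
    return any(all(c >= bottom for c in cl) for bottom in cl)


# Bell-LaPadula (confidentiality λ) and Biba (integrity ω) rules.
def blp_read(lam_s, lam_o):   return lam_s >= lam_o        # simple security
def blp_write(lam_s, lam_o):  return lam_o >= lam_s        # ∗-property
def biba_read(om_s, om_o):    return om_o >= om_s          # dual of BLP
def biba_write(om_s, om_o):   return om_s >= om_o


def combined_read(lam_s, om_s, lam_o, om_o):
    """The slides' rule: s reads o only if λ(s) ≥ λ(o) and ω(s) ≤ ω(o)."""
    return lam_s >= lam_o and om_s <= om_o


def combined_write(lam_s, om_s, lam_o, om_o):
    """Conjunction of the two write rules (this example's own)."""
    return lam_o >= lam_s and om_s >= om_o


if __name__ == "__main__":
    full = [SC(l, c) for l in LEVELS for c in (set(), {"A"}, {"B"}, {"A", "B"})]
    print("lattice:", is_lattice(full), "top:", SC("TS", {"A", "B"}))
```

The classes used in the figure above sit inside this product: a compartment set is a category set, and the linear order U < C < S < TS is the level. Two classes with the same level but different categories are incomparable, which is what makes `is_lattice` fail on a set that does not contain their join.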
Where it arises:
In the commercial sector that provides consulting services to other
companies
Aim:
Prevent information flows that result in a conflict of interest and
inadvertent disclosure of information by a consultant or contractor
Example of conflict of interest: lawyer providing consultancy services for
two airline companies
How:
Combines commercial discretion with legally enforceable mandatory
controls
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Mandatory Access Control Models : : 20 / 26
The Chinese Wall Model
Basic idea:
2 no object can be read which is in a different company dataset to the one for
which write access is requested
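The Chinese Wall decisions in code, as an added example (not the slides' code): objects belong to company datasets, datasets to conflict-of-interest classes, and a subject's past accesses build its wall. The datasets are constructed around the lawyer and airlines example above. The read rule is the standard Brewer-Nash simple security rule; the write rule is rule 2 quoted above, with "can be read" taken as the datasets the subject has already accessed. Under the stricter reading, where objects in untouched conflict classes also count as readable, a subject could write only if no other conflict class existed at all.

```python
"""Chinese Wall (Brewer-Nash) read and write decisions with access history.
Added example; DATASET and COI are constructed."""

# Constructed: object -> company dataset, dataset -> conflict-of-interest class.
DATASET = {"air1.doc": "Airline1", "air1.xls": "Airline1",
           "air2.doc": "Airline2", "bank1.doc": "Bank1"}
COI = {"Airline1": "airlines", "Airline2": "airlines", "Bank1": "banks"}


class ChineseWall:
    def __init__(self):
        self.history = {}                      # subject -> datasets accessed so far

    def accessed(self, s):
        return self.history.get(s, set())

    def can_read(self, s, o):
        """Read rule: o's dataset was already accessed by s, or s has accessed
        nothing in o's conflict-of-interest class."""
        ds = DATASET[o]
        return ds in self.accessed(s) or all(
            COI[d] != COI[ds] for d in self.accessed(s))

    def can_write(self, s, o):
        """Rule 2: s may write o only if it may read o and every dataset it can
        read from (has accessed) is o's own dataset; otherwise s could carry
        data from one dataset into another."""
        return self.can_read(s, o) and all(
            d == DATASET[o] for d in self.accessed(s))

    def _record(self, s, o):
        self.history.setdefault(s, set()).add(DATASET[o])
        return True

    def read(self, s, o):
        """Perform the read if allowed and record it: the wall grows."""
        return self.can_read(s, o) and self._record(s, o)

    def write(self, s, o):
        return self.can_write(s, o) and self._record(s, o)


if __name__ == "__main__":
    cw = ChineseWall()
    cw.read("lawyer", "air1.doc")
    print("second airline readable:", cw.can_read("lawyer", "air2.doc"))
    cw.read("lawyer", "bank1.doc")
    print("can still write Airline1:", cw.can_write("lawyer", "air1.xls"))
```

The decision depends on history, not only on the subject's identity: a lawyer who has read Airline1's file is walled off from Airline2 but not from Bank1, and after touching Bank1 as well loses write access everywhere, since any write could move Bank1 data into Airline1's dataset or vice versa.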
MAC Implementations
Early implementations of MAC (started out in the eighties):
Concluding Remarks
Covert channels can exist in any MAC system that restricts information flow
1 Introduction to RBAC
2 Basic RBAC
3 Hierarchical RBAC
4 Constrained RBAC
5 Consolidated RBAC
6 RBAC Implementations
Basic features:
Access rights are grouped according to a particular functionality into a
role
User flexibility: a user moving to a new function is simply assigned to the
new role and removed from the old one
Powerful mechanism for an administrator to specify the privileges required by various job functions
RBAC models:
Basic RBAC
Hierarchical RBAC
Constrained RBAC
Consolidated RBAC
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Role-based Access Control : : 3 / 10
Basic RBAC
Basic elements:
U is the set of users
R is the set of roles
P ⊆ P(Op × O) is the set of permissions
(Op is the set of operations, and O is the set of objects)
UR ⊆ U × R is the user-to-role assignment relation
PR ⊆ P × R is the permission-to-role assignment relation
su : S→U is the subject-to-user mapping
(S is the set of subjects)
sr : S→P(R) is the subject-to-role mapping, constrained by
sr(s) ⊆ UR(su(s)), where UR(u) = {r ∈ R | (u, r) ∈ UR}
Basic RBAC
Role authorization: a subject can never have an active role that is not
authorized for its user
Hierarchical RBAC
Hierarchical RBAC builds on top of basic RBAC by adding a role inheritance
relation which is a partial order relation ≥ on R
Meaning of r1 ≥ r2 : r1 inherits the permissions of r2, and every user of r1 is a user of r2
authorized users of r : {u ∈ U | (u, r′) ∈ UR ∧ r′ ≥ r}
authorized permissions of r : {p ∈ P | (p, r′) ∈ PR ∧ r′ ≤ r}
Constrained RBAC
Constrained RBAC is obtained from basic RBAC by adding constraints
Types of constraints:
Consolidated RBAC
Consolidated RBAC combines hierarchical and constrained RBAC
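Basic, hierarchical and constrained RBAC with the sets and relations above (U, R, P, UR, PR, su, sr), as an added example (not the slides' code). The users, roles and permissions are constructed. The constraint shown is a static separation-of-duty pair, one of the standard NIST RBAC constraint types (the slide's own list of constraint types is not reproduced on this page), together with the role-authorization constraint sr(s) ⊆ UR(su(s)) evaluated over authorized, i.e. inherited, roles.

```python
"""Consolidated RBAC: hierarchy (r1 ≥ r2), authorized users/permissions,
static separation of duty, sessions with role authorization.
Added example; the bank-ledger scenario in example() is constructed."""


class RBAC:
    def __init__(self, users, roles, perms, UR, PR, hierarchy=(), ssd=()):
        self.U, self.R, self.P = set(users), set(roles), set(perms)
        self.UR, self.PR = set(UR), set(PR)             # (u, r) and (p, r) pairs
        self.hier = set(hierarchy)                      # (r1, r2) means r1 ≥ r2
        self.ssd = {frozenset(pair) for pair in ssd}    # roles no user may hold together
        self.su, self.sr = {}, {}                       # subject -> user, subject -> active roles

    def ge(self, r1, r2):
        """r1 ≥ r2 in the reflexive-transitive closure of the hierarchy."""
        seen, todo = set(), [r1]
        while todo:
            r = todo.pop()
            if r == r2:
                return True
            if r not in seen:
                seen.add(r)
                todo += [b for a, b in self.hier if a == r]
        return False

    def authorized_roles(self, u):      # roles u holds directly or by inheritance
        return {r for r in self.R if any(u_ == u and self.ge(r_, r) for u_, r_ in self.UR)}

    def authorized_users(self, r):      # {u | (u, r′) ∈ UR ∧ r′ ≥ r}
        return {u for u, r_ in self.UR if self.ge(r_, r)}

    def authorized_perms(self, r):      # {p | (p, r′) ∈ PR ∧ r′ ≤ r}
        return {p for p, r_ in self.PR if self.ge(r, r_)}

    def assign(self, u, r):
        """Add (u, r) to UR unless a static separation-of-duty pair would end up
        among u's authorized roles (inherited roles count)."""
        if (u, r) in self.UR:
            return True
        self.UR.add((u, r))
        if any(pair <= self.authorized_roles(u) for pair in self.ssd):
            self.UR.discard((u, r))
            return False
        return True

    def start_session(self, s, u, roles):
        """Create subject s for user u with the given active roles; role
        authorization requires sr(s) ⊆ UR(su(s)) over authorized roles."""
        roles = set(roles)
        if u not in self.U or not roles <= self.authorized_roles(u):
            return False
        self.su[s], self.sr[s] = u, roles
        return True

    def check(self, s, op, obj):
        """Access if some active role of s carries the permission (op, obj)."""
        return any((op, obj) in self.authorized_perms(r) for r in self.sr.get(s, ()))


def example():
    """Constructed scenario: manager ≥ accountant ≥ employee, auditor ≥ employee,
    and accountant/auditor mutually exclusive."""
    return RBAC(
        users={"alice", "bob", "carol"},
        roles={"employee", "accountant", "auditor", "manager"},
        perms={("read", "ledger"), ("write", "ledger"), ("approve", "ledger"), ("audit", "ledger")},
        UR={("alice", "manager"), ("bob", "auditor"), ("carol", "accountant")},
        PR={(("read", "ledger"), "employee"), (("write", "ledger"), "accountant"),
            (("approve", "ledger"), "manager"), (("audit", "ledger"), "auditor")},
        hierarchy={("manager", "accountant"), ("accountant", "employee"), ("auditor", "employee")},
        ssd=[("accountant", "auditor")])


if __name__ == "__main__":
    m = example()
    print("bob as manager:", m.assign("bob", "manager"))   # refused: manager inherits accountant
```

The refusal of `assign("bob", "manager")` is the point of evaluating constraints over inherited roles: bob never asks for the accountant role, but manager ≥ accountant would give it to him, and the auditor/accountant pair is exactly what the separation-of-duty constraint forbids.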
Consolidated RBAC
Basic RBAC
RBAC Implementations
Implementation in two important classes of commercial software:
Concluding Remarks
1 Introduction
Cloud computing
Limitations of traditional access control
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Access Control Models for Cloud Computing : : 3 / 16
large number of dynamic users who join and exit the environment in a
dynamic manner
large amount of resources
flexible constructions
DAC is not well suited for large-scale networks with high security requirements, mainly because it offers no mechanism or method to manage improper access control.
Improper access control means that the access control mechanism fails to restrict, or incorrectly restricts, access to a resource by an unauthorized user (so that such a user can break into the system, reach the confidential files, and perform any action on them, such as read, write or delete).
Although RBAC alleviates some of the security issues of DAC and MAC, it is still not very well suited for cloud computing:
It does not scale easily to systems with a large number of users and roles where the users' roles change frequently
It is difficult to extend RBAC across administrative domains because it is difficult to decide a role's privileges
Access control models for cloud computing
Task based access control
Attribute based access control
Usage based access control
Park and Sandhu (2002, 2004). It starts from the limitations of:
Traditional access control – focuses on closed systems where all users are
known and primarily utilizes a server-side reference monitor
Trust management – has been introduced to cover authorization for
newcomers in an open environment such as the Internet
Digital rights management – focuses on the control of the usage of digital information
UCON
Deals with the above techniques in a systematic unified manner
Enables finer-grained control over usage of digital objects than the above
models. For example, print once as opposed to unlimited prints
Covers both centrally controllable environments and environments where
central control authorities are not available
Deals with privacy issues in both commercial and non-commercial
environments
Implementation: grid environments, cloud based services (Nego-UCON),
U-XACML
[Figure: UCON as the umbrella covering traditional access control, trust management and digital rights management, and with them sensitive information, privacy and IPR]
Attribute-based Encryption for Access Control
Fall 2020
Outline
Introduction to ABE
Access structures
[Figure: files are encrypted with a symmetric cipher and the file keys are encrypted with ABE; the company's ABAC policy, an access control policy based on attributes such as A ∨ HR Dept (in general, given by a Boolean circuit), drives KeyGen, which issues each user a decryption key from the user's attributes]
Standards on ABE
ETSI TS 103 458 V1.1.1 (2018-06), CYBER, Technical Specification
ETSI – European Standards Organization that produces globally applicable standards for ICT-enabled systems, applications and services deployed across all sectors of industry and society
Access structures
Assume U is a non-empty finite set of attributes
1.1 The subsets (of U) that are in S are called authorized sets
2. S is called monotone if
Access structures
Let U = {1, . . . , n} be a set of attributes
1. k out of n access structure (1 ≤ k ≤ n) :
S = {A ⊆ U | |A| ≥ k}
Access structures
1. Compartmented access structure :
1.1 Consider U = (U1 , . . . , Uk ) a partition of U into k ≥ 1 non-empty
subsets called compartments (the number of participants in Ui is ni ,
for all 1 ≤ i ≤ k)
1.3 Consider t an integer (called global threshold) such that Σ_{i=1}^{k} t_i ≤ t ≤ n
Boolean circuits
Basis = finite set of Boolean operators
Definition 1
An n-input single-output Boolean circuit over a basis B, where n ≥ 1, is a labeled directed acyclic graph with the following properties:
1. It has exactly n vertices with no incoming edges
2. It has exactly one vertex with no outgoing edges
3. Each vertex with incoming edges is labeled with a logical operator in B such that the number of incoming edges equals the arity of the operator.
Boolean circuits
Conventions:
1. The basis B usually consists of AND, OR, NOT. It may also contain
(k, n)-gates (“k out of n” gates)
2. All Boolean circuits will have only one output gate and therefore the
terminology is simplified to n-input Boolean circuit
3. Input gates are totally ordered so that we may speak about the i-th
input gate
Boolean circuits
4 Γ5 OR
3 Γ4 OR Γ4 AND
2 Γ3 AND Γ2 OR AND Γ3
1 Γ1 OR AND Γ2 Γ1 NOT
0 1 2 3 4 1 2 3 4
1 0 0 1 1 0 0 1
Boolean circuits
Definition 2
A Boolean circuit is monotone if it does not have NOT-gates.
A monotone circuit computes a monotone function: x ≤ y ⇒ C(x) ≤ C(y)
Definition 3
A Boolean circuit has fan-out k, where k ≥ 1, if it has at least one gate
of fan-out k, the others gates having fan-out smaller than k.
Remark 4
Non-monotone Boolean circuits might not define monotone access
structures: the second Boolean circuit in our previous example computes
C(1, 0, 0, 1) = 1 and C(1, 0, 1, 1) = 0. That is, {1, 4} is authorized but
{1, 3, 4} is not authorized. Therefore, the induced access structure is not
monotone.
Proof.
(1) Consider U = {1, 2, 3, 4}, U1 = {1, 2}, U2 = {3, 4}, a1 = 2, and a2 = 3. The disjunctive multilevel access structure induced by these parameters cannot be represented by a monotone Boolean circuit of fan-out 1.
(2) Consider U = {1, 2, 3, 4, 5}, U1 = {1, 2, 3}, U2 = {4, 5}, a1 = 1, a2 = 2, t = 3. The compartmented access structure induced by these parameters cannot be represented by a monotone Boolean circuit of fan-out 1.
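Access structures (k out of n, compartmented) and Boolean circuits as policy descriptions, with the exhaustive monotonicity check behind Definition 2 and Remark 4, as an added example (not the slides' code). The NOT-circuit below is a constructed wiring that reproduces the two values quoted in Remark 4; the compartmented parameters are those of part (2) of the proof above.

```python
"""Threshold and compartmented access structures, Boolean circuits with
AND/OR/NOT/(k,n) gates, induced access structures and a monotonicity check.
Added example; the two circuits MONOTONE and WITH_NOT are constructed."""
from itertools import combinations


def threshold(n, k):
    """k out of n: S = {A ⊆ U | |A| ≥ k}."""
    return lambda A: len(set(A)) >= k


def compartmented(parts, thresholds, t):
    """Compartments U_1..U_k with thresholds t_1..t_k and global threshold t:
    A is authorized iff |A ∩ U_i| ≥ t_i for every i and |A| ≥ t."""
    def authorized(A):
        A = set(A)
        return (all(len(A & set(Ui)) >= ti for Ui, ti in zip(parts, thresholds))
                and len(A) >= t)
    return authorized


class Circuit:
    """n-input single-output circuit. Gates are (name, op, inputs[, k]) in
    topological order; inputs are attribute numbers 1..n or gate names; op is
    AND, OR, NOT or THR (a (k, m) gate: true when at least k inputs are true).
    The last gate is the output gate."""
    def __init__(self, n, gates):
        self.n, self.gates = n, gates

    def evaluate(self, bits):
        val = {i + 1: bool(b) for i, b in enumerate(bits)}
        for name, op, ins, *k in self.gates:
            v = [val[i] for i in ins]
            if op == "AND":
                val[name] = all(v)
            elif op == "OR":
                val[name] = any(v)
            elif op == "NOT":
                val[name] = not v[0]
            elif op == "THR":
                val[name] = sum(v) >= k[0]
            else:
                raise ValueError(op)
        return int(val[self.gates[-1][0]])

    def is_monotone(self):              # Definition 2: no NOT gates
        return all(op != "NOT" for _, op, *_ in self.gates)

    def access_structure(self):
        """The induced access structure: A is authorized iff C(χ_A) = 1."""
        return lambda A: self.evaluate([i in set(A) for i in range(1, self.n + 1)]) == 1


def is_monotone_structure(n, authorized):
    """Exhaustive check: A ∈ S and A ⊆ B imply B ∈ S."""
    sets = [set(c) for r in range(n + 1) for c in combinations(range(1, n + 1), r)]
    return all(authorized(B) for A in sets if authorized(A) for B in sets if A <= B)


# Constructed circuits for the contrast of Remark 4.
MONOTONE = Circuit(4, [("G1", "OR", [1, 2]), ("G2", "AND", [3, 4]),
                       ("G3", "AND", ["G1", "G2"])])
WITH_NOT = Circuit(4, [("G1", "NOT", [3]), ("G2", "OR", [1, 2]),
                       ("G3", "AND", ["G1", 4]), ("G4", "AND", ["G2", "G3"])])

if __name__ == "__main__":
    print("C(1,0,0,1) =", WITH_NOT.evaluate([1, 0, 0, 1]),
          " C(1,0,1,1) =", WITH_NOT.evaluate([1, 0, 1, 1]),
          " monotone structure:", is_monotone_structure(4, WITH_NOT.access_structure()))
```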
A bit of history
1. 2005, Sahai and Waters (Eurocrypt) : Fuzzy Identity-Based
Encryption (FIBE) – an identity is viewed as a set of attributes
3. 2006, Goyal et al. (CCS) : first practical ABE scheme for access
control (of encrypted data). The scheme is limited to Boolean
circuits of fan-out 1
KP-ABE scheme
Definition 6 (KP-ABE scheme)
A KP-ABE scheme consists of four PPT algorithms:
Setup(λ) : outputs public parameters PP and a master key MSK ;
Enc(PP, m, A) : outputs a ciphertext E of the message m with a
non-empty set A ⊆ U of attributes;
KeyGen(MSK , C) : outputs a decryption key D for a Boolean circuit C
defining an access structure over U;
Dec(E , D) : this is a deterministic polynomial-time algorithm that
inputs a ciphertext E and a decryption key D, and outputs
a message m or the special symbol ⊥.
CP-ABE scheme
Definition 7 (CP-ABE scheme)
A CP-ABE scheme consists of four PPT algorithms:
Setup(λ) : outputs public parameters PP and a master key MSK ;
Enc(PP, m, C) : outputs a ciphertext E of the message m with a
Boolean circuit C for a set U of attributes;
KeyGen(MSK , A) : outputs a decryption key D for a set A ⊆ U of
attributes;
Dec(E , D) : this is a deterministic polynomial-time algorithm that
inputs a ciphertext E and a decryption key D, and outputs
a message m or the special symbol ⊥.
KP-ABE from Secret Sharing and Bilinear Maps
V. Goyal et al.: Attribute-based Encryption for Fine-grained Ac-
cess Control of Encrypted Data, CCS 2006
Setup(λ): y, t1, . . . , tn ← Zp, MSK = (y, t1, . . . , tn)
PP = (p, G1, G2, g, e, n, Y = e(g, g)^y, (Ti = g^{ti} | i ∈ U))
Ferucio Laurentiu Tiplea Key-policy Attribute-based Encryption Schemes Nov 27, 2020 : : 2 / 37
Example: KeyGen – Secret Sharing
[Figure: the policy circuit with the output gate Γ4 (OR) over Γ3 (AND) and Γ2 (AND), and Γ1 (OR) below Γ3, on the inputs 1, 2, 3, 4; input 3 has fan-out 2 and appears as the leaves 3 and 3′. Linear sharing of y from Γ4: an OR gate passes its value to both inputs, an AND gate splits it into two summands; the leaves 1, 2, 3, 3′, 4 receive the shares x1, x2, x2, x3, x4]
Example: KeyGen – Key Computation
[Figure: the same sharing with the key components g^{x1/t1}, g^{x2/t2}, g^{x2/t3}, g^{x3/t3}, g^{x4/t4} attached to the leaves 1, 2, 3, 3′, 4]
Example: Decryption
[Figure: pairing each key component with the matching ciphertext component gives e(g, g)^{x1 s}, e(g, g)^{x2 s}, e(g, g)^{x2 s}, e(g, g)^{x3 s}, e(g, g)^{x4 s} at the leaves; these are recombined up the circuit (multiplied at AND gates, either one taken at OR gates) into e(g, g)^{ys} at Γ4]
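The linear sharing of the example above and its reconstruction, carried out in the exponent, as an added example (not the slides' code): a share x stands for the value e(g, g)^{x s} a decryptor obtains on that wire, so an OR gate copies and an AND gate adds modulo p. The wiring Γ4 = OR(Γ3, Γ2), Γ3 = AND(1, Γ1), Γ1 = OR(2, 3), Γ2 = AND(3, 4) is read off the shares in the figure and is an assumption of this example, as is the modulus. It contrasts formula sharing (one share per leaf copy, 3 and 3′, as in Goyal et al.) with naive circuit sharing (one share per input wire), on which the backtracking attack of the next slide works: an OR gate hands its own value to both inputs, so satisfying one input reveals the value of the other, and if that wire also feeds another gate the value can be reused there.

```python
"""Linear secret sharing over the KP-ABE policy circuit, reconstruction from
held attributes, and the backtracking step through OR gates.
Added example; P, the wiring and the processing order are assumptions."""
import secrets

P = 2**61 - 1   # constructed prime standing in for the group order p

# Gate -> (op, [input wires]); inputs are leaf names or gate names.
FORMULA = {"G4": ("OR", ["G3", "G2"]), "G3": ("AND", ["1", "G1"]),
           "G1": ("OR", ["2", "3"]), "G2": ("AND", ["3'", "4"])}
FORMULA_LEAVES = {"1": 1, "2": 2, "3": 3, "3'": 3, "4": 4}     # leaf -> attribute
CIRCUIT = {**FORMULA, "G2": ("AND", ["3", "4"])}               # one wire for input 3
CIRCUIT_LEAVES = {"1": 1, "2": 2, "3": 3, "4": 4}
ORDER = ["G4", "G3", "G1", "G2"]                                # top-down order


def share(gates, y, p=P, order=ORDER):
    """Assign a share to every wire starting with y at the output gate. OR
    copies its share to both inputs; AND splits it so the inputs sum to it.
    A wire already holding a share keeps it (that is the circuit case)."""
    val = {order[0]: y}
    for g in order:
        op, (a, b) = gates[g]
        v = val[g]
        if op == "OR":
            for c in (a, b):
                if val.setdefault(c, v) != v:
                    raise ValueError(f"wire {c} would need two different shares")
        elif a in val and b in val:
            if (val[a] + val[b]) % p != v:
                raise ValueError(f"wires {a}, {b} already fixed with the wrong sum")
        elif a in val:
            val[b] = (v - val[a]) % p
        elif b in val:
            val[a] = (v - val[b]) % p
        else:
            val[a] = secrets.randbelow(p)
            val[b] = (v - val[a]) % p
    return val


def reconstruct(gates, leaves, shares, attrs, p=P, backtrack=False, root="G4"):
    """Recover the output share from the shares of the held attributes.
    With backtrack=True the decryptor also uses that an OR gate's inputs
    carry the gate's own value (the backtracking attack)."""
    known = {leaf: shares[leaf] for leaf, att in leaves.items() if att in attrs}
    changed = True
    while changed:
        changed = False
        for g, (op, ins) in gates.items():
            if g not in known:
                if op == "OR" and any(c in known for c in ins):
                    known[g] = next(known[c] for c in ins if c in known); changed = True
                elif op == "AND" and all(c in known for c in ins):
                    known[g] = sum(known[c] for c in ins) % p; changed = True
            if backtrack and op == "OR" and g in known:
                for c in ins:
                    if c not in known:
                        known[c] = known[g]; changed = True
    return known.get(root)


if __name__ == "__main__":
    y = secrets.randbelow(P)
    f, c = share(FORMULA, y), share(CIRCUIT, y)
    print("formula, {2,4}, backtracking:", reconstruct(FORMULA, FORMULA_LEAVES, f, {2, 4}, backtrack=True) == y)
    print("circuit, {2,4}, backtracking:", reconstruct(CIRCUIT, CIRCUIT_LEAVES, c, {2, 4}, backtrack=True) == y)
```

The policy (1 ∧ (2 ∨ 3)) ∨ (3 ∧ 4) is not satisfied by {2, 4}. With one share per leaf copy, the value backtracked to leaf 3 from Γ1 is x2, useless at Γ2, whose leaf 3′ carries the independent x3. With one share per wire, Γ2 had to be split consistently with Γ1, so the backtracked x2 is exactly what Γ2 needs. In the real scheme the decryptor never sees x_i, only e(g, g)^{x_i s}; sums here become products in the target group, so the same step is available there.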
Boolean Formula – Boolean Circuit
The Backtracking Attack
[Figure: the example circuit Γ4 = OR, Γ3 = AND, Γ1 = OR, Γ2 = AND over the inputs 1, 2, 3, 4, drawn twice to illustrate the backtracking attack through the fan-out wire of input 3]
Solutions to the Backtracking Attack (1)
Solutions to the Backtracking Attack (2)
Bi/Multi-linear map based solutions to the backtracking attack
[Figure: leveled multi-linear maps e_{i,j} between the groups G_i, G_j and their neighbouring levels G_{i−1}, G_{i+1}, G_{j−1}, G_{j+1}]
Leveled Multi-linear Map Based (LMM) KP-ABE Scheme
5. Associate two keys to each input wire, three keys to each output wire of an AND-gate, and four keys to each output wire of an OR-gate
[Figure: an OR-gate with output wire w and input wires w1, w2. The four keys of w are g1^{aw}, g1^{bw}, gj^{rw − aw·rw1} and gj^{rw − bw·rw2}; the values computed during decryption on satisfied wires are g_{j+1}^{s·rw} on w and gj^{s·rw1}, gj^{s·rw2} on w1, w2]
Security in the Selective Model
Theorem 1
The LMM KP-ABE scheme is secure in the selective model under the
decisional multi-linear Diffie-Hellman assumption.
1. Proposed in
F.L. Ţiplea and C. Drăgan: Attribute-Based Encryption for Cir-
cuits from multi-linear Maps, BCS 2014
FO-gates
[Figure: the example circuit (left) and the same circuit with an FO gate Γ0 inserted on the fan-out wire of input 3 (right)]
Secret Sharing and Key Generation
[Figure: the circuit with the FO gate Γ0. Sharing: Γ4 (OR) passes y to both inputs; Γ3 (AND): x1 ← Zp, x2 = y − x1; Γ2 (AND) splits its y into x3 and x4; Γ0 (FO), which receives x2 from Γ1 and x3 from Γ2: a1 ← Zp, b1 = x2 − a1, a2 ← Zp, b2 = x3 − a2. Key components: g^{x1/t1} for input 1, g^{x2/t2} for input 2, (g^{a1/t3}, g^{a2/t3}) for input 3, g^{x4/t4} for input 4, and (g^{b1}, g^{b2}) attached to the FO gate Γ0]
Resistance to the Backtracking Attack
[Figure: the same sharing with the fan-out wire split into the FO gates FO1 (carrying a1) and FO2 (carrying a2); the inputs 1, 2, (3,1), (3,2), 4 hold g^{x1/t1}, g^{x2/t2}, g^{a1/t3}, g^{a2/t3}, g^{x4/t4}, and the FO gates hold g^{b1}, g^{b2}; the value learnt at one use of input 3 no longer yields the value needed at the other]
Security in the Selective Model
Theorem 2
The FO KP-ABE scheme is secure in the selective model under the
decisional bilinear Diffie-Hellman assumption.
Efficient KP-ABE Schemes for CASs and MASs
1. Proposed in
F.L. Ţiplea et al.: Practically Efficient Attribute-based Encryp-
tion for Compartmented Access Structures, SECRYPT 2020
FO KP-ABE Scheme for CASs
[Figure: the policy circuit of a compartmented access structure: an AND gate with the shares y1, . . . , yk, yk+1 over the k compartment threshold gates and the global threshold gate f_{k+1}; every attribute i.j of compartment i (1.1, . . . , 1.n1, . . . , k.1, . . . , k.nk) enters through an FO gate carrying two shares a^1_{i,j}, a^2_{i,j}, with b^1_{i,j}, b^2_{i,j} at the gate]
CAS KP-ABE Scheme
We may remove the FO gates in the scheme above and get a more
efficient one:
AND
y1 yk yk+1
k)
1)
.n
(k .
(k
1.1) 1.n 1 ) f k +1
f k +1 ( f k +1 (
+1
fk
1.1 1.n1 k.1 k.nk
··· ··· ···
Security in the Selective Model
Theorem 3
The CAS KP-ABE scheme is secure in the selective model under the
decisional bilinear Diffie-Hellman assumption.
2. This is the most efficient KP-ABE scheme for CASs known so far
FO KP-ABE Scheme for MASs
[Figure: FO KP-ABE scheme for a MAS with parameters (z, k), with FO gates on the inputs.]
MAS KP-ABE Scheme
We may remove the FO gates in the scheme above and get a more
efficient one:
[Figure: the MAS KP-ABE scheme for parameters (z, k) without FO gates.]
Security in the Selective Model
Theorem 4
The MAS KP-ABE scheme is secure in the selective model under the
decisional bilinear Diffie-Hellman assumption.
k · n1 + (k − 1) · n2 + · · · + nk · 1
2. This is the most efficient KP-ABE scheme for MASs known so far
Bi/Multi-linear map based solutions to the backtracking attack
1. Proposed in
P. Hu and H. Gao: A Key-Policy Attribute-based Encryption Scheme for General Circuit from Bilinear Maps, Intern. J. Network Security 19(5), 2017
Bi/Multi-linear map based solutions to the backtracking attack
1. Proposed in
C. Drăgan and F.L. Ţiplea: Attribute-Based Encryption for Circuits from multi-linear Maps, BCS 2015
2. Based on FO gates
3. The secret sharing procedure is totally different from the one in the previous schemes
4. Reconstruction is based on chained multi-linear maps
[Figure: chained multi-linear maps g1 -e1-> g2 -e2-> g3, starting from g1.]
FO-levels and FO-sequences
[Figure: a circuit over inputs 1–8 with gates Γ0 FO, Γ1 FO (FO-level 0), Γ2 OR, Γ3 AND, Γ4 AND (level 1), Γ5 OR (FO-level 2), Γ6 FO, Γ7 AND, Γ8 AND (level 3), Γ11 OR (level 5) and Γ12 OR (level 6); FO-sequences such as (2) and (2, 0) are attached to the gates.]
Secret Sharing: Main Idea
Secret Sharing 1: Gates not Crossing FO-levels
[Figure: levels 6 (OR), 5 (OR), 4 (AND, AND) and 3 (AND, AND) of the circuit; the gate value y is passed down and the shares x1 … x8 are assigned at the gates that do not cross an FO-level.]
Secret Sharing 2: Gates Crossing FO-levels
[Figure: levels 3 down to 0 of the circuit. The FO gates carry the pairs (g1^{b1}, g1^{b2}), (g1^{b3}, g1^{b4}), (g1^{b5}, g1^{b6}); FO-level 2 carries g1^{a1} and FO-level 0 carries g1^{a2}; the shares x1 … x15 and x9·a2^{−1} appear at the gates, and inputs 1–8 receive x7, x9·a2^{−1}, x9·a2^{−1}, x9·a2^{−1}, x15, x13, x10, x14.]
Secret Sharing 2: AND-gate
[Figure: the same sharing, highlighting the top AND gate, whose shares satisfy x7·a1·a2 + x8 ≡ y (mod p).]
Secret Sharing 2: OR-gate
[Figure: the same sharing, highlighting the OR gates.]
Secret Sharing 2: FO-gate
[Figure: the same sharing, highlighting the FO gate with pair (g1^{b1}, g1^{b2}): its shares satisfy x8 ≡ x9·b1 (mod p) and x5 ≡ x9·b2 (mod p).]
Reconstruction by Chained Multi-linear Maps
[Figure: reconstruction over the same circuit. Gate values g4^{x1 s}, g4^{x2 a1 s}, g4^{x4 a1 s}, g4^{x8 s}, g4^{x5 s}, g4^{x6 a1 s} at level 3, g3^{x9 s}, g3^{x11 s}, g3^{x12 s}, g3^{x10 a2 s} at levels 2–1, g2^{x15 s}, g2^{x14 s} at level 0; ⊥ marks gates whose inputs are not available; the satisfied inputs hold g1^{t2}, g1^{t5}, g1^{t7}, g1^{t8}.]
Security in the Selective Model
Theorem 5
The CMM KP-ABE scheme is secure in the selective model under the
decisional multi-linear Diffie-Hellman assumption.
Comparison:
Leveled multi-linear map: maps e_{i,j} between levels g_i and g_j
Chained multi-linear map: g1 -e1-> g2 -e2-> g3
Conclusions
3. The schemes presented in the first part of this talk largely cover the
current practical needs. Would more be needed?
IP Security
1 What is IPsec?
4 Security Associations
Security associations
Basic combinations of SAs
Security association and policy databases
Data modification
IP address spoofing
Routing attacks
IPsec: What Is It?
Node
device attached to a network where messages can be created, received, or
transmitted
examples: computers, personal digital assistants (PDAs), cell phones, or
various other networked devices
on a TCP/IP network, a node is any device with an IP address
Security gateway
system that implements IPsec protocols
examples: router or firewall implementing IPsec
Because these protocols are provided at the IP layer, they can be used by any higher layer protocol (e.g., TCP, UDP, or ICMP)
IP Datagrams
[Figure: an IP datagram is an IP hdr followed by the IP payload; an IPv6 datagram is the IPv6 hdr, ···, the routing extension header, the fragmentation extension header and the destination options extension header, followed by the payload.]
Transport Mode
By definition, transport mode provides protection for upper layer protocols (e.g., TCP or UDP)
AH in Transport Mode
In the transport mode, AH authenticates the IP payload and selected portions
of the IP header (e.g., mutable and unpredictable fields are not authenticated)
[Figure: ESP in transport mode (IPv6): IP main hdr, ··· rout ext hdrs, ESP hdr, dest ext hdrs, IP payload, ESP trailer, ESP auth; the encrypted span and the authenticated span are marked.]
Tunnel Mode
Note that hosts must support both transport and tunnel mode
AH in Tunnel Mode
In the tunnel mode, AH authenticates the entire inner IP packet plus selected
portions of the outer IP header and outer IP extension headers
[Figure: AH in tunnel mode: the whole datagram is authenticated except for the mutable fields in the new IP hdr and its extension hdrs. ESP in tunnel mode (IPv6): new IPv6 main hdr, new ext hdrs, ESP hdr, the inner IPv6 datagram, ESP trailer, ESP auth; the encrypted span and the authenticated span are marked.]
Authentication Header
Figure: AH format
0–8: next header | 8–16: payload length | 16–31: reserved
sequence number (32 bits)
[Figure: header format with the security parameter index (SPI) and the sequence number; the authenticated span is marked.]
Encryption in ESP
RFC 4835 recommendation:
NULL does nothing to alter data: it is the identity function with a block size of 1
byte (therefore, padding is not necessary).
Authentication in ESP
RFC 4835 recommendation:
Authentication and encryption can each be "NULL", but not at the same time
Security Associations
A security association (SA) is a unidirectional logical connection between two
IP systems, uniquely identified by a triple
where
SA Bundle
End-to-end Security
[Figure: Host 1, Internet/intranet, Host 2; a single tunnel/connection between the two hosts.]
Two hosts are connected through the Internet or an intranet without any
security gateway between them. They can use ESP, AH, or both. Either
transport or tunnel mode can be applied
[Figure: Host 1, intranet, Gtw 1, Internet/intranet, Gtw 2, intranet, Host 2; a tunnel between the gateways and the end-to-end connection between the hosts.]
The hosts in the intranets are not required to support IPsec, but the gateways
are required to run IPsec and support tunnel mode (either with AH or ESP)
[Figure: Host 1, intranet, Gtw 1, Internet/intranet, Gtw 2, intranet, Host 2; tunnels between the gateways and the end-to-end connection between the hosts.]
This is a combination of the previous two cases. For instance, the gateways
may use AH in tunnel mode, while the hosts use ESP in transport mode
Remote Access
[Figure: Host 1, Internet/intranet, G2 (firewall), intranet, Host 2; tunnels to the firewall and the end-to-end connection between the hosts.]
Between the host H1 and the firewall G2, only the tunnel mode is required
(e.g., AH in tunnel mode), and between the host H1 and H2, either transport
or tunnel mode can be used (e.g., ESP in transport mode)
IKE Exchanges
[Figure: IKE_SA_INIT establishes the IKE SA and its key(s); IKE_AUTH creates the first Child SA, with KEYMAT = prf+(SKd, NI ‖ NR) giving its key(s); CREATE_CHILD_SA creates a new Child SA with its key(s).]
IKE_SA_INIT
I→R: Hdr , SAI1 , KEI , NI
R→I: Hdr , SAR1 , KER , NR [, CertReq]
Hdr contains SPIs, version numbers, exchange type, message ID, and
flags
SAI1 states the cryptographic algorithms the initiator supports for the IKE
SA
SAR1 is the responder choice selected from the initiator’s offered choices
(SAI1 )
NI and NR are nonces
KEI and KER are DH values (g^i and g^r)
CertReq : certificate request
SKd will be used for the derivation of further keying material for Child SAs
IKE_AUTH
I→R: Hdr , {IDI , [Cert, ][CertReq, ][IDR , ]Auth, SAI2 , TSI , TSR }SK
R→I: Hdr , {IDR , [Cert, ]Auth, SAR2 , TSI , TSR }SK
Generally, keys are taken from KEYMAT in the order: encryption key and
then integrity key
CREATE_CHILD_SA
Used to:
Re-key a Child SA
Re-key an IKE SA – the main reason for rekeying the IKE SA is to ensure
that the compromise of old keying material does not provide information
about the current keys, or vice versa
Re-keying an SA: create a new SA and then delete the old one
If KEI and KER are not used, the keys are generated as in the case of a
Child SA created by IKE_SA but with the fresh nonces NI and NR
If KEI and KER are used, the keys are generated as follows:
KEYMAT = prf+(SKd, g^{ir} ‖ NI ‖ NR) (g^{ir}, NI, NR are the fresh ones)
the same rules for taking the keys from KEYMAT apply
The new SKd , SKai etc., are computed as usual (a new prf may be used)
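To make the derivation concrete, here is an added Python example (not code from the slides or from any IKE implementation) of prf+ as defined in RFC 7296 and of the Child SA key split described above: KEYMAT = prf+(SKd, NI ‖ NR) for a Child SA created in IKE_AUTH, or prf+(SKd, g^{ir} ‖ NI ‖ NR) on a CREATE_CHILD_SA rekey with a fresh DH exchange. It assumes HMAC-SHA-256 as the negotiated prf, constructed values for SKd, the nonces and g^{ir}, and the key order stated on the slides (initiator-to-responder keys first, encryption key before integrity key); the dictionary names enc_i/int_i/enc_r/int_r are the example's own.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; PRF_HMAC_SHA2_256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13:
       T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n) for n = 2, 3, ...
       prf+(K, S) = T1 | T2 | ... truncated to the requested length."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_child_sa_keys(sk_d: bytes, n_i: bytes, n_r: bytes,
                         enc_len: int, int_len: int, g_ir: bytes = None) -> dict:
    """KEYMAT = prf+(SKd, NI | NR) for a Child SA created in IKE_AUTH, or
    prf+(SKd, g^ir | NI | NR) when CREATE_CHILD_SA rekeys with a fresh DH
    exchange. Keys are cut from KEYMAT in order: initiator-to-responder
    first, and within each direction the encryption key before the
    integrity key. The dictionary names are this example's own."""
    seed = (g_ir if g_ir is not None else b"") + n_i + n_r
    layout = (("enc_i", enc_len), ("int_i", int_len),
              ("enc_r", enc_len), ("int_r", int_len))
    keymat = prf_plus(sk_d, seed, sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    # Constructed values: a real SKd comes out of the IKE_SA_INIT exchange
    # and the nonces from each peer's random generator.
    sk_d = bytes(range(32))
    n_i, n_r = b"\xaa" * 16, b"\xbb" * 16
    for name, k in derive_child_sa_keys(sk_d, n_i, n_r, 16, 32).items():
        print(name, k.hex())
```

Including g^{ir} in the seed is what gives a rekeyed Child SA keys that are independent of the old SKd: without it, compromise of SKd would expose every Child SA ever derived from it, which is the risk the slide describes.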
INFORMATIONAL
I→R: Hdr , {[N, ] [D, ] [CP, ] . . .}SK
R→I: Hdr , {[N, ] [D, ] [CP, ] . . .}SK
where:
N : notify
D : delete
CP : configuration
[Figure: SSL structure: the SSL record layer sits above the TCP transport.]
SSL connection
a transport (in the sense of the OSI layering model) that provides a suitable type of service
each connection is associated with one session
SSL session
association between two communicating peers
defines a set of cryptographic parameters which can be shared among
multiple connections
created by the SSL handshake protocol
primarily used to avoid expensive negotiation of new security parameters for
each connection
Session States
Two pending states are also maintained by each party (to change the
current states)
pending read (for receive)
pending write (for send)
compression algorithm
master secret
Master Secret
It is generated from
pre-master secret
client and server nonces
constants
Pre-master Secret
The pre-master secret is established between parties, in the handshake
protocol, by one of the following methods:
1 RSA: the client generates a pre-master secret that is encrypted with the
server’s public key, and sends it to the server
2 DH: the pre-master secret is the DH value obtained from the client’s and
server’s DH public parameters. There are three variants:
Fixed DH: the server must have a certificate that includes its DH public parameters. The client provides its DH public parameters either in a certificate or in a key exchange message
Ephemeral (temporary, one-time) DH: DH public parameters are
exchanged and signed using sender’s private RSA or DSS key. Certificates
are needed to authenticate the public keys
Anonymous DH: this is DH with no authentication
In some cases, the client/server write key and the client/server write IV may
be subject to some additional processing
exchange nonces
resuming a session
1. C → S : ClientHello
2. S → C : ServerHello,
[Certificate, ]
[ServerKeyExchange, ]
[CertificateRequest, ]
ServerHelloDone
3. C → S : [Certificate, ]
ClientKeyExchange,
[CertificateVerify , ]
ChangeCipherSpec,
Finished
4. S → C : ChangeCipherSpec,
Finished
1. C → S : ClientHello
2. S → C : ServerHello,
ChangeCipherSpec,
Finished
3. C → S : ChangeCipherSpec,
Finished
[Figure: on a ChangeCipherSpec message each peer replaces its current read state and its current write state.]
[Figure: SSL record protocol processing: application data → compression → add MAC → encryption]
Encryption
The SSL change cipher spec message consists of a single one byte
message with the value 1
Alert messages convey the severity of the message and the description
of the alert
Closure alerts : notify the recipient that the sender will not send any more
messages on this connection
Takes application data and feeds it into the SSL record protocol
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SHA-256 is the default digest method (the combined use of MD5 and
SHA-1 has been removed)
Several new cipher suites use SHA-256
A new, simpler but more secure, PRF
TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to
implement cipher suite
Added HMAC-SHA256 cipher suites
Removed IDEA and DES cipher suites, they are now deprecated
Support for SSL v2.0 backward compatibility is now optional
Removes obsolete algorithms and ciphers: RC4 stream cipher, RSA key
transport, SHA-1 hash function, CBC mode ciphers, MD5 algorithm,
various Diffie-Hellman groups, EXPORT-strength ciphers, DES, 3DES
Introduces a brand new handshake:
Removes the RSA method and keeps the Ephemeral Diffie-Hellman method
TLS 1.2 requires two round-trips to complete the TLS handshake, but TLS
1.3 needs only one round-trip
TLS 1.3 – uses the Ephemeral Diffie-Hellman key exchange protocol, which
generates a one-time key that is used only for the current session. At the
end of the session, the key is discarded
New feature that cuts down the encryption time: Zero Round Trip Time
Resumption (0-RTT). When a user re-visits a site in a short time, 0-RTT
makes the connection almost instantaneous
January 6, 2021
2 What is DNSsec?
4 Zone signing
2 DNS original specifications were published in 1983 in RFC 882 and RFC
883
3 DNS became an Internet Standard in 1986 (RFC 1034 and RFC 1035)
[Figure: the DNS name tree: the Root, the top level domains (TLD) such as com, edu, org, and below them names such as mit, cs, admin, sw, hw, net. Zones of authority: each zone of authority is managed by a name server, with delegation between authority zones.]
1 Each node in the DNS name tree has associated a number of records,
usually called resource records (RR), depending on the node type
2 The RRs are added, changed, or deleted when DNS information changes
(this is done by administrators)
3 The set of all RRs gives rise to a distributed database that is structured in
a hierarchy comparable to the hierarchy of authorities
RR format
Name (variable length) | 0–16: Type | 16–32: Class | TTL (32 bits) | RData length (16 bits) | RData (variable length)
DNS resolution
1 Most typical types of resolution: (standard) name resolution, e-mail resolution
2 Recursive resolution
DNS vulnerabilities
Author’s note: “... this paper has been withheld by the author for over
four years ... because it described a serious vulnerability for which
there was no feasible fix. The only choice would have been to give up
entirely on name based authentication, a choice the industry was not
able to make in 1990.”
DNS snooping
DNS ID hacking
DNS cache poisoning
What is DNSsec?
Data integrity protection – allows the resolver to know that the data has
not been modified in transit since it was originally signed by the zone
owner with the zone’s private key.
New RR types
NSEC (NSEC3) – used to prove that something really does not exist
Remarks:
1 SHA-256 is widely used and considered strong
example
z.example
a.example
\001.z.example
yljkjljk.a.example
*.z.example
Z.a.example
\200.z.example
zABC.a.EXAMPLE
RData for DNSKEY
0–16: Flags | 16–24: Protocol | 24–32: Algorithm
Public key (variable length)
RData for RRSIG
0–16: Type covered | 16–24: Algorithm | 24–32: Labels
Original TTL (32 bits)
Sig expiration (32 bits)
Sig inception (32 bits)
Key tag (16 bits) | Signer's name (variable length)
Signature (variable length)
Original TTL = the TTL of the covered RRset
Sig expiration/inception = validity period for the signature
Key tag = the key tag value of the DNSKEY RR that validates this signature (see RFC 4034)
Signer's name = must contain the name of the zone of the covered RRset
F.L. Tiplea (UAIC) Information Security January 6, 2021 23 / 29
DNSsec specific elements
RData for NSEC
Next domain name (variable length) | Type bit maps (variable length)
Next domain name = the next owner name (in the canonical ordering of the zone) that has authoritative data or contains a delegation point NS RRset
Type bit maps = identifies the RRset types that exist at the NSEC RR's owner name
RData for DS
0–16: Key tag | 16–24: Algorithm | 24–32: Digest type
Digest (variable length)
Key tag = the key tag of some DNSKEY RR. It is identical to the key tag used by all RRSIG RRs that sign by the same key
Algorithm = the algorithm number of some DNSKEY RR. It is identical to the algorithm number used by all RRSIG RRs that sign by the same key
Digest type = identifies the algorithm used to construct the digest
Digest = includes a digest of that DNSKEY RR
Signed zone
To sign a zone means to include DNSKEY RRs, RRSIG RRs, NSEC RRs, and
optionally DS RRs in that zone, according to the following rules:
A signed zone includes DNSKEY RRs, RRSIG RRs, NSEC RRs, and
optionally DS RRs
Each owner name in the zone that has authoritative data or a delegation point NS RRset must have an NSEC RR