Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal
Lior Rotem and Gil Segev, Hebrew University
Messaging is Popular …
Major Effort: E2E-Encrypted Messaging
• Government surveillance and/or coercion
• Untrusted or corrupted messaging servers
Key challenge: Detecting man-in-the-middle attacks when setting up E2E-encrypted channels
Man-in-the-Middle Attacks
[Figure: an attacker sitting between Alice's phone and Bob's phone]
Man-in-the-Middle Attacks
• Impossible to detect without any setup
[Figure: Alice's phone sends g^a but Bob's phone receives ĝ^a; Bob's phone sends g^b but Alice's phone receives ĝ^b]
Impractical to assume a trusted PKI in messaging platforms …
Out-of-Band Authentication
Practical to assume: Users can "out-of-band" authenticate one short value
[Figure: Alice's phone and Bob's phone exchange g^a / ĝ^a and g^b / ĝ^b over the insecure channel, while Alice and Bob also share an out-of-band channel]
• Users can compare a short string displayed on their devices
• Assuming that they recognize each other's voice, this is a low-bandwidth authenticated channel
Out-of-Band Authentication
[Figure: logos of Facebook, Telegram, Allo, Signal, WhatsApp and Wire]
Out-of-Band Authentication
Bounded vs. unbounded adversaries
Within the cryptography community:
• Considered by Rivest and Shamir in '84 ("Interlock" protocol)
• Formalized by Vaudenay '05 (computational security) and by Naor, Segev and Smith '06 (statistical security)
The User-to-User Setting
• An equivalent problem: Detecting MitM attacks in message authentication
[Figure: Alice's phone sends m, Bob's phone receives m̂; detect with prob. 1 − ε whenever m̂ ≠ m]
⇒ Given a shared key: MAC the message
⇐ Given a message authentication protocol: Run any key exchange protocol and authenticate the transcript
The User-to-User Setting
[Figure: Alice's phone sends g^a and receives ĝ^b; Bob's phone sends g^b and receives ĝ^a]
Alice's phone: m = g^a || ĝ^b
Bob's phone: m̂ = ĝ^a || g^b
The User-to-User Setting
[Figure: Alice's phone (input m) and Bob's phone (output m̂) exchange messages over the insecure channel; Alice sends one ℓ-bit value over the out-of-band channel]
Detect with prob. 1 − ε whenever m̂ ≠ m
How low-bandwidth is the out-of-band channel?
• WhatsApp / Signal: ℓ = 200 bits (60 digits)
• Telegram: ℓ = 288 bits (64 characters)
• …
• Lower bound: ℓ ≥ log(1/ε) [PV06]
The User-to-User Setting
[Figure: the same setting; Alice sends one ℓ-bit value over the out-of-band channel]
Detect with prob. 1 − ε whenever m̂ ≠ m
Goal: Optimal tradeoff between ℓ and ε
• Minimize user effort (ℓ)
• Maximize security (1 − ε)
User-to-User Bounds
                                       Protocols            Lower bounds
Computational security [Vau05, PV06]   log(1/ε)             log(1/ε) − O(1)
Statistical security [NSS06]           2·log(1/ε) + O(1)    2·log(1/ε) − O(1)
This Talk: The Group Setting
                                   User-to-user setting    Group setting
Tightly characterized?             ✓                       ? (not yet studied)
Practical protocols deployed?      ✓                       ✗ (impractical protocols deployed)
Our Contributions
A framework modeling out-of-band authentication in the group setting
[Figure: a group administrator and several users connected by an insecure channel and by an out-of-band channel]
• Users communicate over an insecure channel
• Group administrator can out-of-band authenticate one short value to all users
• Consistent with and supported by existing messaging platforms
Our Contributions
A framework modeling out-of-band authentication in the group setting
Tight bounds for out-of-band authentication in the group setting
                          Protocols                            Lower bounds
Computational security    log(1/ε) + log k                     log(1/ε) + log k − O(1)
Statistical security      (k + 1)·log(1/ε) + log k + O(1)      (k + 1)·log(1/ε) − k
(k = number of receivers)
Our computationally-secure protocol is practically relevant, and substantially improves the currently-deployed protocols. E.g., for k = 32 and ε = 2^−80: 32 × 85 = 2720 bits vs. 85 bits!!
Talk Outline
• Communication model & notions of security
• The naïve protocol
• Our protocols & lower bounds
                          Protocols                            Lower bounds
Computational security    log(1/ε) + log k                     log(1/ε) + log k − O(1)
Statistical security      (k + 1)·log(1/ε) + log k + O(1)      (k + 1)·log(1/ε) − k
Communication Model
[Figure: sender S and receivers R_1, R_2, …, R_k, connected by an insecure channel and by an out-of-band channel]
• Insecure channel: Adversary can read, remove and insert messages
• Out-of-band channel: Adversary can read, remove and delay messages, for all or for some of the users; it cannot modify messages or insert new ones in an undetectable manner
Correctness & Security
[Figure: S has input m; each receiver R_i outputs m̂_i]
• Correctness: In an honest execution, ∀i: m̂_i = m
• Unforgeability: Pr[∃i: m̂_i ∉ {m, ⊥}] ≤ ε + ν(λ)
• Computational vs. statistical security
The Naïve Protocol
• Independently invoke a user-to-user protocol π with each R_i
[Figure: S runs a separate instance of π with each of R_1, R_2, …, R_k]
• S out-of-band authenticates at least k·log(k/ε) bits
• E.g., k = 2^10 and ε = 2^−80: 2^10 × 90 bits; k = 32 and ε = 2^−80: 32 × 85 bits
Warm-Up: Vaudenay's Protocol
Sender S (input m) and receiver R:
1. S samples r_S ← {0,1}^ℓ and sends (m, c = com(m||r_S)) to R (possibly interactive)
2. R samples r_R ← {0,1}^ℓ and sends r_R to S
3. S sends decom(c) to R
4. Out-of-band channel: S authenticates r_S ⊕ r_R
R accepts m if and only if r_S ⊕ r_R is consistent with the insecure channel
Theorem [Vau05, LN06]: If (com, decom) is non-malleable then for any ℓ ∈ ℕ it holds that ε = 2^−ℓ
Proof sketch:
• Consider all possible synchronizations of a MitM attack
• Reduce each one to the security of the commitment scheme
Our First Attempt
Sender S (input m) and receivers R_1, R_2:
1. Each R_i samples r_i ← {0,1}^ℓ and sends it over the insecure channel (in the clear)
2. S samples r_S ← {0,1}^ℓ and sends (m, c = com(m||r_S))
3. S sends decom(c)
4. Out-of-band channel: S authenticates r_S ⊕ r_1 ⊕ r_2
Our First Failure
[Figure: a MitM between S and R_1 that knows r_S and r_2]
• Towards R_1 the adversary sends (m̂, ĉ = com(m̂||r̂_S)), its own r̂_2 in place of r_2, and decom(ĉ)
• It picks r̂_2 so that r_S ⊕ r_1 ⊕ r_2 = r̂_S ⊕ r_1 ⊕ r̂_2: the out-of-band value S authenticates is then consistent with R_1's view, and R_1 outputs m̂
• Solution: Avoid sending r_1 and r_2 in the clear
Our Computationally-Secure Protocol
Sender S (input m) and receivers R_1, R_2 (shown for k = 2):
1. Each R_i samples r_i ← {0,1}^ℓ and sends a commitment to r_i
2. S samples r_S ← {0,1}^ℓ and sends (m, c_S = com(m||r_S))
3. Each R_i decommits r_i
4. S sends decom(c_S)
5. Out-of-band channel: S authenticates r_S ⊕ r_1 ⊕ r_2
Our Computationally-Secure Protocol
Theorem: If (com, decom) is statistically-binding & concurrent non-malleable, then for any k, ℓ ∈ ℕ it holds that ε = k·2^−ℓ
Proof sketch:
• Focus individually on each receiver R_i
• Consider all possible synchronizations of a MitM attack (today: exemplify 2 notable attacks)
• Reduce each one to the security of the commitment scheme: statistical binding or concurrent non-malleability
Attack #1
• S chooses r_S after R_1 decommits
[Figure: R_1 samples r_1 ← {0,1}^ℓ, sends c_1 = com(r_1), receives com(r_2) and (m̂, com(m̂||r̂_S)) from the adversary, and sends decom(c_1); only then does S sample r_S ← {0,1}^ℓ and send c_S = com(m||r_S), while the adversary sends S com(r̂_1), com(r̂_2)]
• R_1 accepts m̂ if and only if r_S ⊕ r̂_1 ⊕ r̂_2 = r̂_S ⊕ r_1 ⊕ r_2
• Statistical binding implies that, by the time r_S is chosen, all values except for r_S are already determined
• Pr_{r_S ← {0,1}^ℓ}[r_S = r̂_1 ⊕ r̂_2 ⊕ r̂_S ⊕ r_1 ⊕ r_2] = 2^−ℓ
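The two attacks above (the failure of the first attempt, and Attack #1 against the committed protocol) as an added Python model, not code from the talk or the paper. It assumes a hash-based commitment as a stand-in for the statistically binding, concurrent non-malleable scheme the theorem requires, k = 2 receivers, and ℓ = 8 so that every choice of r_S can be enumerated.

```python
import hashlib
import os
import secrets
from functools import reduce

ELL = 8  # ℓ in bits; deliberately tiny so all 2^ℓ values of r_S can be enumerated


def commit(value: int):
    """Hash commitment to an ℓ-bit value, returning (c, opening).
    Assumption: stands in for the statistically binding, concurrent
    non-malleable commitment that the theorem actually requires."""
    nonce = os.urandom(16)
    data = value.to_bytes(ELL // 8, "big")
    return hashlib.sha256(nonce + data).digest(), (nonce, value)


def opens(c: bytes, opening) -> bool:
    """Check that an opening (nonce, value) matches the commitment c."""
    nonce, value = opening
    return hashlib.sha256(nonce + value.to_bytes(ELL // 8, "big")).digest() == c


def oob(*rs: int) -> int:
    """The single ℓ-bit value S authenticates out of band: r_S ⊕ r_1 ⊕ ... ⊕ r_k."""
    return reduce(lambda a, b: a ^ b, rs, 0)


def first_attempt_forgery() -> bool:
    """First attempt (r_i sent in the clear): the MitM knows r_S and r_2, picks its
    own r̂_S for the forged com(m̂||r̂_S) towards R_1, and sets r̂_2 = r_S ⊕ r_2 ⊕ r̂_S.
    Returns True when R_1's consistency check passes, i.e. when R_1 accepts m̂."""
    r_S, r_1, r_2, r_S_hat = (secrets.randbits(ELL) for _ in range(4))
    r_2_hat = r_S ^ r_2 ^ r_S_hat
    # S authenticates r_S ⊕ r_1 ⊕ r_2; R_1 compares it against r̂_S ⊕ r_1 ⊕ r̂_2
    return oob(r_S, r_1, r_2) == oob(r_S_hat, r_1, r_2_hat)


def attack1_accepting_count() -> int:
    """Attack #1 on the committed protocol: r̂_1, r̂_2 (committed towards S) and r̂_S
    (inside com(m̂||r̂_S) towards R_1) are fixed before S draws r_S. Counts how many
    of the 2^ℓ values of r_S make R_1 accept m̂; binding leaves exactly one."""
    r_1, r_2 = secrets.randbits(ELL), secrets.randbits(ELL)
    bound = [commit(secrets.randbits(ELL)) for _ in range(3)]  # fixed before r_S exists
    assert all(opens(c, o) for c, o in bound)                  # the only openable values
    r_1_hat, r_2_hat, r_S_hat = (o[1] for _, o in bound)
    # S's out-of-band value is r_S ⊕ r̂_1 ⊕ r̂_2; R_1 expects r̂_S ⊕ r_1 ⊕ r_2
    return sum(1 for r_S in range(2 ** ELL)
               if oob(r_S, r_1_hat, r_2_hat) == oob(r_S_hat, r_1, r_2))


def attack1_success_probability() -> float:
    """Fraction of r_S values on which Attack #1 succeeds: 2^-ℓ, matching the slide."""
    return attack1_accepting_count() / 2 ** ELL
```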