
Two-Head Dragon Protocol: Preventing Cloning of Signature Keys



  1. Two-Head Dragon Protocol: Preventing Cloning of Signature Keys. Przemysław Błaśkiewicz, Przemysław Kubiak, Mirosław Kutyłowski, Wrocław University of Technology. INTRUST 2010, Beijing, 14.12.2010

  2. Security threats for private keys on a smart card. Main concerns:
     - keys generated on the card: quality of randomness on a smart card might be insufficient,
     - keys generated by the service provider: key copies out of control of a signer,
     - key leakage by side channel analysis,
     - malicious implementation (e.g. kleptographic leakage of private keys via signatures or public keys).

  3. Smart cards certification. Certification of the product:
     - increasingly complex and costly,
     - users must trust certification bodies,
     - are the certified and the delivered products the same? (it is infeasible to inspect tamper-proof devices)

  5. Another approach
     - Make evaluation of the product easier for the end-user.
     - Move responsibility and internal tests to the manufacturer.

     Thus:
     - Verify behavior also at the protocol level (examples: tamper evidence protocols, e-voting systems).
     - At least two mechanisms possible: detection of misbehavior (e.g. a central server periodically changing internal state of smart cards), and imposing penalty on the card manufacturer (Two-Head Dragon).

  6. Assumptions:
     - We assume that an adversary is able to get all secret keys present on the smart card (unlike for fail-stop protocols).
     - If the signature keys are used by the adversary, then they should become publicly known and the owner of the smart card may effectively deny all signatures made.
     - Hence, there is no reason for an adversary to forge a signature.

  7. The Idea of Two-Head Dragon

  13. The Main Idea: Some magic ...
     - We ask a dragon to execute all cryptographic operations on the smart card.
     - Apart from creating signatures, a dragon is guarding fair use of signature keys.
     - A dragon has two heads.
     - Each time when we ask for a signature, one of the heads responds.
     - The answer is not only a signature, but also a half of some incantation related to the signature.
     - A half of an incantation has no magical effect.

  17. The Main Idea: ... Some magic
     - The situation changes if two dragons get the same cryptographic keys.
     - In fact, as long as only one dragon is asked, nothing happens.
     - If two dragons are asked the same question, then it might happen that one dragon says the left side of the incantation and the other dragon says the right side of the incantation.
     - If both parts of the incantation are said, the magic starts to work: all signatures created with these keys get burned.

  18. Example Realization (not in the pre-proceedings)

  19. System components
     - Probabilistic signature scheme $C_{\mathrm{Prob}}$ (for signing messages).
     - Rabin-Williams signatures RW (for incantations). Incantations are square roots: two square roots from the same value having different Jacobi symbol reveal the private key, i.e. factorization of the modulus.
     - A one-way counter (for asking questions to the dragon). The counter might be implemented as a hash-chain.

  20. Setup phase. During deployment, apart from generating the public and private keys for the two signature schemes and generating a hash chain, the ID-card is bound to make the following dependence hold: if the secret key of the RW signature scheme is revealed, then the secret key of the probabilistic scheme becomes publicly known as well.

  23. Signature generation: creating a signature for a message $M$
     1. In order to sign a message $M$ the card receives a next portion of consecutive counter values (say 100 values) $t_1, \ldots, t_{100}$. (We have $t_{i-1} = h(t_i)$, and the card checks correctness of values $t_i$.)
     2. Hash value $H(M)$ of $M$ is calculated; let $b_1, \ldots, b_{100}$ be the last 100 bits of the hash.
     3. For each value $t_1, \ldots, t_{100}$ its square root $s_i$, i.e. its RW signature, is calculated by the ID-card. Required value of Jacobi symbol of the square root $s_i$ is indicated by $b_i$ (i.e. for each $t_i$ half of incantation is indicated by the message $M$). (This step is costly.)

  24. Signature generation (continued): creating a signature for a message $M$
     4. Concatenation of $H(M)$, value $t_{100}$, and sequence $S = s_1, \ldots, s_{100}$ is signed with the probabilistic scheme $C_{\mathrm{Prob}}$. The signature is: $C_{\mathrm{Prob}}(H(M) \,\|\, t_{100} \,\|\, S),\ t_{100},\ S$
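
The incantation mechanism from slide 19 and signing step 3 of slides 21-24, reduced to a single counter value, as an added example that is not code from the slides or their authors. Assumptions: toy primes constructed for the example, SHA-256 standing in for $h$ and $H$, bit 1 mapped to Jacobi symbol +1, and the usual Rabin-Williams tweak in {1, -1, 2, -2} used to turn the counter value into a square.

```python
import hashlib
from math import gcd

# Toy Rabin-Williams key, constructed for this example (real moduli are far larger).
P, Q = 1000003, 2**31 - 1          # P = 3 mod 8, Q = 7 mod 8
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def counter_to_square(t):
    """Map counter value t to a square mod N (assumed encoding: hash, then RW tweak)."""
    v = int.from_bytes(hashlib.sha256(t).digest(), "big") % N
    for tweak in (1, -1, 2, -2):
        w = tweak * v % N
        if pow(w, (P - 1) // 2, P) == 1 and pow(w, (Q - 1) // 2, Q) == 1:
            return w
    raise ValueError("value shares a factor with N")

def half_incantation(t, bit):
    """Card side: the square root for t whose Jacobi symbol encodes bit."""
    w = counter_to_square(t)
    a, b = pow(w, (P + 1) // 4, P), pow(w, (Q + 1) // 4, Q)
    for b_signed in (b, Q - b):    # CRT-combine (a, +b) and (a, -b)
        s = (a * Q * pow(Q, -1, P) + b_signed * P * pow(P, -1, Q)) % N
        if jacobi(s, N) == (1 if bit else -1):
            return s

def message_bit(message):
    """Last bit of H(M): selects which half is released for one counter value."""
    return hashlib.sha256(message).digest()[-1] & 1

def burn(s1, s2):
    """Public side: two different halves for one counter value factor N."""
    g = gcd(s1 - s2, N)
    return g if 1 < g < N else None
```

A single card never releases both halves for the same counter value, so `burn` only succeeds when a cloned key answers the same counter value for a message whose hash bit differs.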
