© information security group, icu1 identification & zkip
TRANSCRIPT
1 © Information Security Group, ICU
Identification & ZKIPIdentification & ZKIP
2 © Information Security Group, ICU
Contents
IntroductionPasswordsChallenge-ResponseZKIP
3 © Information Security Group, ICU
Why do need Identification ?
1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine)
2. In store credit card purchases3. Prepaid calling card : Asking a service
by telephone card or membership cards4. Remote login: Remote access to host
under Client /Server environment
5. Access to restricted areas, etc.
4 © Information Security Group, ICU
Identification by personal information
Method Examples Reliability Security Cost
What youRemember(know)
PasswordTelephone # Reg. #
M/LM(theft)L(imperso- nation)
Cheap
What you have
Registered SealMagnetic Card IC Card
ML(theft)M(imperso-nation)
Reason-able
What you are
Bio-metric(Fingerprint,Eye, DNA, face,Voice, etc)
HH(theft)H(Imperso- nation)
Reasonable
Expensive
5 © Information Security Group, ICU
Biometric Information
Extracted from A. Jail’s presentation in SCIS2006, Japan
6 © Information Security Group, ICU
Way of Identification
Password-based scheme (weak authentication) crypt passwd under UNIX one-time password
Challenge-Response scheme (strong authentication) Symmetric cryptosystem MAC(keyed-hash) function Asymmetric cryptosystem
Cryptographic Protocols Fiat-Shamir identification protocol Schnorr identification protocol, etc
7 © Information Security Group, ICU
Identification by Password
passwd,Apasswd table
A h(passwd)
Prover Verifier
passwd h =
A
yaccept
n
reject
8 © Information Security Group, ICU
Attack against Fixed PWDs
Replay fixed pwds Observe pwd as it is typed in Eavesdrop the data in cleartext Not suitable over open communication networks
Exhaustive pwd search Let E(c) be the entropy of 8-char pwds from choices E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6
Pwd guessing and dictionary attacks A large dictionary contains 250,000 words Dictionary attack: order lists and compared to entries in the encr
ypted dictionary Combine numerical and alphabetical characters.
9 © Information Security Group, ICU
crypt passwd in UNIX
truncate to 8ASCII chars; 0-pad if necessary
userpasswd DES*
Repack 76 bitsinto 11 7-bitcharacters
encrypted passwd
/etc/passwd
user salt
I1= 0…0next input Ii
2 i 25
output, Oi
O25
56
64
64
12
12
salt : 12-bit random from system clock when select passwd.DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations,
10 © Information Security Group, ICU
Challenge-Response Protocol
AssumptionSecret Key : known to only P and VRandom Challenge : P and V have perfect ra
ndom number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions
MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)
11 © Information Security Group, ICU
Challenge-Response Scheme(I)
Using Symmetric Cryptosystem
P Vrandom challenge,x
x
y=eK(x)y
y’=eK(x)y=y’ ?
K
Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r
12 © Information Security Group, ICU
Challenge-Response Scheme(II)Using Asymmetric Cryptosystem P can prove to have secret information in either
way :(1) P decrypts a challenge encrypted under P’s public key.(2) P digitally signs a challenge.
P Vrandom challenge,x
x
y=e[sK,x]y
y’= d[pk ,x]y = y’ ?
PK
13 © Information Security Group, ICU
Zero-Knowledge Interactive Proof
GMR(Goldwasser, Micali, Rackoff) 1. “The knowledge complexity of interactive-proof systems”, Pr
oc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985
2. “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp.186-208, 1989 (revised version)
ZKIP (Zero Knowledge Interactive Proof) : between P and V Completeness : Only true P can prove V. Soundness : False P’ can’t prove V. 0-Knowledge : No knowledge transfer to V.
14 © Information Security Group, ICU
Concept of ZKIP
By Quisquater and Guillou
P knows the secret, but doesn’t want to reveal his secret.
1. V stands at point A.
2. P walks all the way into the cave, either C or D.
3. After P disappeared into the cave, V walks to point B.
4. V shouts to P asking him either to:
(a) come out of the left passage or (b) come out of the right passage
5. P complies, using the magic words to open secret door if he has to.
6. P and V repeat steps (1) -(5) t times
P knows the magic words (secret)to open the door betweenC and D.
Fig. 0-knowledge cave
A
B
C D
15 © Information Security Group, ICU
Classification of ZKIPs
1P/1V
Interactive
Non-interactive
ZK
GMR Model * P:infinite, V: poly
BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)
0-KMinimum Know.Oracle ZKIP
WH
PerfectComputationalStatistical
MembershipKnowledgeComputational power
Property
Object
Model
MP
MV
*AM-game : GMR model and V has random coin.
16 © Information Security Group, ICU
F-S Identification (I)
(Preparation)
(TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization.
(P) (1) private key: choose random value S, s.t. gcd(S,n)=1.(1 < S <
n) (2) public key : P computes I=S2 mod n, and publishes (I,n) as pub
lic
Goal P has to convince V that he knows his private key S and its corres
ponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.
17 © Information Security Group, ICU
F-S Identification (III)
V Ppublic : I,n n=pq, I=S2 mod n
1. generate unique random,r x=r2 mod n
2.ei={0,1}
x
ei
Repeat t-times 3. If ei=0, send y=r
If ei=1, send y=rS
y
4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n?
* commitment-witness-challenge-response-verification and repeat
18 © Information Security Group, ICU
F-S Identification (II)
1. P chooses random value r (1<r<n) and computes x=r2mod n.
then sends x to V.
2. V requests from P one of the following request at random
(a) r or (b) rS mod n
3. P sends the requested information to V.
4. V verifies that he received the right answer by checking whether
(a) r2 = x mod n or (b) (rS)2 = xI mod n
5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party.
6. This protocol is repeated t (usually 20 or 30) times, and if in all of them t
he verification succeeds, V concludes that P is the claimed party.
19 © Information Security Group, ICU
Security of F-S scheme
(1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n.
(2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance.
(3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t. (t=20 or 30)
(4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information : he learns that I is a quadratic residue
20 © Information Security Group, ICU
Other Identification schemes
Schnorr Identification scheme (p.371)Okamoto Identification scheme (p.378)Guillou-Quisquarter Identification scheme (p. 3
83)ID-based identificationOthers
21 © Information Security Group, ICU
Schnorr Identification (I)
Based on DLP under Trusted Authority (TA) TA decides public parameters
p : large prime (1024 bit) q : large prime divisor of p-1 (160 bit) α Zp
* has order q
t : security parameter s.t. q > 2t Public parameters : p, q, α, t
Prover choose private key : a ( 1 ≤ a ≤ q-1) public key v = α–a mod p
Honest Verifier (choose r at random by the scheme) ZKIP
22 © Information Security Group, ICU
Schnorr Identification (II)
1 1 mod qkpktr 21
?(*) mod pvry
private key : a, public key: v
1. Select random k V P
Public par. : p,q,α,t
r
3. y = k + ar mod qy
2. Verify P’s public key generate random challenge
4. Verify
, cert(P)
mod (*) pvv kararkrarkry
23 © Information Security Group, ICU
Schnorr Identification (III)
(TA) p=88667, q=1031, t=10, α=70322 has order q in Zp
*
(P) private key a = 755 public key v = α-a mod p = 703221031-755 mod 88667 = 13136
P: random k = 543, αk mod p = 70322543 mod 88667 = 84109, commit V: random challenge r =1000 P: y= k + ar mod q = 543 + 755x1000 mod 1031= 851 V: on receiving y, verify that 84109 = 70322851 131361000
mod 88667. If equals, accept