10/25/04 Security of Ad Hoc and Sensor Networks (SASN), slide 1/22
An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol
Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi
School of Information and Computer Science, University of California, Irvine
Outline
Introduction: access control in ad hoc groups
Threshold cryptography
Proactive signatures
URSA proactive RSA scheme
Our attack: efficient key recovery
Discussion: insecurity of URSA
Open issues
Access Control in Ad Hoc Groups
Access control is required to:
  prevent unauthorized entities from joining the group
  bootstrap other security services, e.g., secure routing
  remove misbehaving members
  in general, make group decisions
However, an ad hoc group has no infrastructure, no trusted group authority, and dynamic membership.
Challenge: how to provide secure access control in such a decentralized and dynamic environment?
Distribution of Trust using Threshold Cryptography
Zhou and Haas [IEEE Comm. Mag'99]: (t+1, n) secret sharing of the group secret; Shamir [ACM Comm.'79]
Threshold signatures: any set of t+1 members can sign messages on behalf of the group; tolerate up to t corruptions in the lifetime of the system
Proactive signatures: threshold signatures with increased resilience; the lifetime is divided into intervals and the secret shares are updated; tolerate up to t corruptions in every interval
Access Control using Proactive Signatures
New member ($M_{new}$) wants to join the group
  Step 1: Certification request
  Step 2: Join commit (signed vote)
  Step 3: Certificate acquisition
If a quorum of t+1 current members approve, $M_{new}$ is issued a signed certificate via the proactive signing protocol
If no quorum is found, membership is denied
[Figure: $M_{new}$ exchanging the three steps with the current members; signed votes labelled Vote1, Vote2]
Provably Secure Proactive Signatures
RSA based: Frankel, et al. [FOCS'97] [Crypto'97], Rabin [Crypto'98]
DSA based: Gennaro, et al. [EC'96] [IANDC'01]
Schnorr based: Gennaro, et al. [RSA Security'03]
BLS based: Boldyreva [PKC'03]
None applicable for access control in ad hoc groups
Recent Access Control Schemes
URSA: Ubiquitous and Robust Access Control; Luo, et al. [ICNP'01, ISCC'02, WCMC'02, ToN'04]; proposes a new proactive RSA scheme (under scrutiny in this work)
Others:
  based on proactive DSA; Narasimha, et al. [ICNP'03], Saxena, et al. [SASN'03]
  based on proactive BLS; Saxena, et al. [ICISC'04]
URSA Proactive RSA Scheme (1/3)
Recall: RSA signature $s = m^d \pmod N$
Setup
  Dealer generates RSA private key $d$ and public key $(e, N)$
  Randomly picks a polynomial $f(x)$ of degree $t$: $f(x) = d + a_1 x + a_2 x^2 + \dots + a_t x^t \pmod N$
  Member $M_j$ is issued a secret share $ss_j = f(j) \pmod N$
Signature generation (signing group $G$, $|G| = t+1$)
  Polynomial interpolation: $d = \sum_{j \in G} d_j \pmod N$, where the partial key is $d_j = ss_j \, l_j \pmod N$ and $l_j$ is $M_j$'s Lagrange interpolation coefficient for $G$
  $M_j$ outputs the partial signature $s_j = m^{d_j} \pmod N$
URSA Proactive RSA Scheme (2/3)
Signature reconstruction:
Since $d = \sum_{j \in G} d_j \pmod N$ and each $d_j < N$,
$d = \sum_{j \in G} d_j - \alpha N$ (over the integers) for some $\alpha \in \{0, \dots, t\}$,
so $s = m^d = \left(\prod_{j \in G} s_j\right) \cdot m^{-\alpha N} \pmod N$ for some $\alpha \in \{0, \dots, t\}$
Try all $t+1$ values of $\alpha$ until $s^e = m \pmod N$
Note: $\alpha$ is revealed
Problems with URSA Proactive RSA
Robustness; Narasimha, et al. [ICNP'03]
  Shares are computed mod $N$, so the regular verifiability mechanisms fail: no verifiability, no robustness
Fix
  Share the secret $d$ modulo a large prime $q$
  Use special-purpose zero-knowledge proofs; Boudot [EC'00] & Camenisch and Michels [Crypto'99]
Problems with URSA Proactive RSA
Is this scheme (modified with the robustness fix) secure in the presence of a coalition of $t$ corrupt members?
The answer is: negative.
Our Attack (example): Binary Search
$t = 1$, $n = 2$; players $M_1$, $M_2$; signing group $G = \{1, 2\}$; adversary A corrupts $M_1$
Recall: $d = d_1 + d_2 - \alpha N$, and the signing protocol reveals $\alpha$
  If $\alpha = 0$: $d = d_1 + d_2$, so $d \ge d_1$
  Otherwise, if $\alpha = 1$: $d = d_1 + (d_2 - N)$, so $d < d_1$
During proactive updates, A can choose $ss_1$, and hence $d_1 = ss_1 \, l_1 \pmod N$, so that with every update round the search interval is halved
Binary search recovers $d$ in $\log_2(N)$ rounds
[Figure: the interval $[0, N)$ with the cut point $d_1$]
Our Attack: (t+1)-ary Search
Adversary A corrupts $M_1, M_2, \dots, M_t$ (w.l.o.g.)
Signing group $G_p = \{1, 2, \dots, t, p\}$, where $p > t$
A learns whether $d \ge D_p$ or $d < D_p$, where $D_p = \sum_{j \in G_p,\, j \ne p} ss_j \, l_j^{(G_p)} \pmod N$
During proactive updates, A can choose $ss_1, ss_2, \dots, ss_t$ so that the cut points $D_p$ take the values it wants (the equations on the next slide)
Every round reveals $\log_2(t+1)$ MSBs of $d$; (t+1)-ary search recovers $d$ in $|N| / \log_2(t+1)$ rounds
[Figure: the interval $[0, N)$ with cut points $D_{p_1}, D_{p_2}, \dots, D_{p_t}$]
Optimal Choice of New Shares
Solve the following set of deterministic equations for $ss_1, ss_2, \dots, ss_t$:
$ss_1 \, l_1^{(G_{p_1})} + ss_2 \, l_2^{(G_{p_1})} + \dots + ss_t \, l_t^{(G_{p_1})} = D_{p_1} \pmod N$
$ss_1 \, l_1^{(G_{p_2})} + ss_2 \, l_2^{(G_{p_2})} + \dots + ss_t \, l_t^{(G_{p_2})} = D_{p_2} \pmod N$
$\dots$
$ss_1 \, l_1^{(G_{p_t})} + ss_2 \, l_2^{(G_{p_t})} + \dots + ss_t \, l_t^{(G_{p_t})} = D_{p_t} \pmod N$
URSA Proactive Update Simplified
Classic protocol; Herzberg et al. [Crypto'95]
Update the shares but keep the same group secret $d$
A set of at least t+1 members update the polynomials
Each $M_i$ chooses a random polynomial $\delta_i(z)$ of degree $t$ s.t. $\delta_i(0) = 0$
$M_j$ gives $\delta_j(i)$ to $M_i$
$M_i$'s new share becomes $ss_i = ss_i' + \sum_{j=1}^{n} \delta_j(i) \pmod N$ (old share was $ss_i'$)
$ss_i'$ is deleted
Adversarial Behavior in Share Update
$B$: the $t$ members corrupted by A; $M_b \in B$: the member who "speaks last" ($\Omega$ denotes the update group)
Update polynomial: $\delta(z) = \sum_{j \in \Omega \setminus \{M_b\}} \delta_j(z) + \delta_b(z) \pmod N$
New shares are computed as $ss_i = ss_i' + \delta(i) \pmod N$
$M_b$ waits until it receives all other shares and chooses its polynomial $\delta_b(z)$ s.t. $\delta_b(i) = ss_i - ss_i' - \sum_{j \in \Omega \setminus \{M_b\}} \delta_j(i) \pmod N$
This sets A's shares to $ss_1, ss_2, \dots, ss_t$
Speeding-up the Attack
Attack requires $r = |N| / \log_2(t+1)$ rounds
Recover the last 40 bits of $d$ by brute force given the RSA public key $(e, N)$: $r = (|N| - 40) / \log_2(t+1)$
Apply known results on RSA partial key exposure; Boneh, et al. [AC'01], Blomer-May [Crypto'03]
Thm 1: the $\log_2(e)$ MSBs of $d$ determine its top $|N|/2$ (= 512) MSBs, so $r = (\log_2(e) + |N|/2 - 40) / \log_2(t+1)$
e.g., for $t = 7$, $|N| = 1024$, $e = 65537$: $r = 163$; for $e = 3$: $r = 158$
Speeding-up the Attack
[Figure: number of proactive update rounds required for a given $\log_N(e)$ value, for $t = 7$ and $|N| = 1024$]
Attack Assumptions
1. The adversary corrupts $t$ members of the update group $\Omega$, one of whom "speaks last"
2. In every round, $t$ runs of the signing protocol are executed, the signing groups consisting of all bad players and one (distinct) good player
Insecurity of URSA
For a modest threshold $t = 7$, $|N| = 1024$ and $e = 65537$, the attack requires 163 proactive update rounds and a total of 1148 runs of the signing protocol
The leakage is very fast: e.g., in just 34 rounds, 600 MSBs of $d$ are revealed
Other, faster attacks are possible with signing groups consisting of fewer than $t$ bad players
Positive Result in a Related Work
Jarecki and Saxena [in submission]: the URSA proactive RSA scheme (plus the robustness fix) with additive secret sharing is provably secure
2-4 times faster than the state-of-the-art Rabin's proactive RSA [Crypto'98]
However, not applicable for access control in ad hoc groups
Open problem: design a provably secure proactive RSA scheme that yields an efficient access control mechanism for ad hoc groups!!
Thank You!
Speeding-up the Attack
Thm 2: For prime $e \in [2^m, 2^{m+1}]$, with $m \in [|N|/4, |N|/2]$, the $m$ MSBs of $d$ determine $d$; so $r = m / \log_2(t+1)$, i.e. $|N| / (4 \log_2(t+1)) \le r \le |N| / (2 \log_2(t+1))$
Thm 3: For $e \in [2^m, 2^{m+1}]$ that is a product of at most $r$ primes, with $m \in [|N|/4, |N|/2]$, the $m$ MSBs of $d$ determine $d$ given the factorization of $e$
Thm 4: For $e \in [N^{0.5}, N^{0.25}]$, the $|N| \cdot \left(3 + 2\alpha + \sqrt{36\alpha^2 + 12\alpha - 15}\right) / 8$ MSBs of $d$ determine $d$, where $\alpha = \log_N(e)$; so $r = |N| \left(3 + 2\alpha + \sqrt{36\alpha^2 + 12\alpha - 15}\right) / (8 \log_2(t+1))$
Our Attack: (t+1)-ary Search
Adversary A corrupts $M_1, M_2, \dots, M_t$ (w.l.o.g.)
Signing group $G_p = \{1, 2, \dots, t, p\}$, where $p \in [t+1, \dots, 2t]$
Recall: $d = \sum_{j \in G_p} d_j^{(G_p)} - \alpha(G_p) N$
Signing protocol reveals $\alpha(G_p)$
Compute $S_p = \sum_{j \in G_p,\, j \ne p} d_j^{(G_p)}$ (over the integers) and $D_p = S_p \pmod N$
If $S_p \ge \alpha(G_p) N$, A learns $d \ge D_p$; otherwise, if $S_p < \alpha(G_p) N$, A learns $d < D_p$
During proactive updates, A chooses $ss_1, ss_2, \dots, ss_t$ so that the cut points $D_p$ take the values it wants
Every round reveals $\log_2(t+1)$ MSBs of $d$; (t+1)-ary search recovers $d$ in $|N| / \log_2(t+1)$ rounds
[Figure: the interval $[0, N-1]$ with cut points $D_{t+1}, D_{t+2}, \dots, D_{2t}$]
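The URSA signing protocol of slides 8-9 (shares and partial keys mod N, reconstruction by trying α), the fact that α is public, and the comparison oracle behind the binary-search and (t+1)-ary-search slides, as an added Python model that is not code from the paper, from URSA or from its authors. The toy modulus, the message M, every function name and the round-count helper for slide 17 are constructed for illustration; the search is simulated at the partial-key level, i.e. it assumes the corrupt members have already set their shares through the update step exactly as the "Adversarial Behavior in Share Update" slide describes.

```python
"""Toy model of URSA proactive-RSA signing and of the comparison oracle that the
publicly reconstructed alpha gives a coalition controlling t partial keys.
Added example, not code from the SASN'04 paper or from URSA: the key, the
message and the signing groups are constructed and tiny so the arithmetic stays
readable.  Needs Python 3.8+ for pow(x, -1, n)."""
import math
import random

# Constructed toy RSA key (about 40 bits; useless for anything but illustration).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent d, the value the attack recovers
M = 123456789                # constructed message, coprime to N


def lagrange_coeff(j, group, n):
    """Lagrange coefficient l_j for interpolating f(0); URSA computes it mod the
    composite N, which works because every (j - k) is tiny, hence invertible."""
    num, den = 1, 1
    for k in group:
        if k != j:
            num = num * (-k) % n
            den = den * (j - k) % n
    return num * pow(den, -1, n) % n


def deal_shares(d, t, n_members, n):
    """Shamir-share d with a random degree-t polynomial f; ss_j = f(j) (mod N)."""
    coeffs = [d] + [random.randrange(n) for _ in range(t)]
    return {j: sum(c * pow(j, i, n) for i, c in enumerate(coeffs)) % n
            for j in range(1, n_members + 1)}


def partial_key(ss_j, j, group, n):
    """d_j = ss_j * l_j (mod N); the d_j of a signing group sum to d mod N."""
    return ss_j * lagrange_coeff(j, group, n) % n


def reconstruct(m, partial_sigs, t, e, n):
    """s = (prod of s_j) * m^{-alpha N} (mod N), trying alpha = 0..t until
    s^e = m.  Returns (s, alpha): the alpha that works is visible to everyone."""
    prod = 1
    for s_j in partial_sigs:
        prod = prod * s_j % n
    m_inv_n = pow(pow(m, -1, n), n, n)              # m^{-N} (mod N)
    for alpha in range(t + 1):
        s = prod * pow(m_inv_n, alpha, n) % n
        if pow(s, e, n) == m:
            return s, alpha
    raise ValueError("no alpha in 0..t yields a valid signature")


def demo_signing(seed=1, t=1, n_members=2):
    """Honest run: deal, partial keys, partial signatures, reconstruction.
    Returns (signature_valid, alpha_seen, alpha_from_integer_sum_of_d_j)."""
    random.seed(seed)
    group = list(range(1, t + 2))
    shares = deal_shares(D, t, n_members, N)
    keys = [partial_key(shares[j], j, group, N) for j in group]
    s, alpha = reconstruct(M, [pow(M, d_j, N) for d_j in keys], t, E, N)
    return pow(s, E, N) == M, alpha, sum(keys) // N


def alpha_oracle(corrupt_keys, d, n):
    """One signing run with t corrupt partial keys summing to S_p = D_p and one
    honest member, whose key is forced to d_p = d - S_p (mod N).  As on the
    attack slides, alpha = 0 iff d >= D_p."""
    d_p = (d - sum(corrupt_keys)) % n
    partials = [pow(M, d_j, n) for d_j in corrupt_keys] + [pow(M, d_p, n)]
    return reconstruct(M, partials, len(corrupt_keys), E, n)[1]


def nary_search(d, t, n):
    """(t+1)-ary search on d with t signing runs per update round (t = 1 is the
    binary search of the t=1, n=2 example).  Each cut point is realised by
    putting it in one corrupt partial key and 0 in the others.
    Returns (d_found, rounds, signing_runs)."""
    lo, hi, rounds, runs = 0, n, 0, 0             # invariant: lo <= d < hi
    while hi - lo > 1:
        rounds += 1
        base, step = lo, max(1, (hi - lo) // (t + 1))
        for k in range(1, t + 1):
            cut = base + k * step
            if cut >= hi:
                break
            runs += 1
            if alpha_oracle([cut] + [0] * (t - 1), d, n) == 0:
                lo = cut                           # alpha = 0: d >= D_p
            else:
                hi = cut                           # alpha = 1: d <  D_p
                break
    return lo, rounds, runs


def rounds_with_partial_key_exposure(bits_n, e, t, brute_force_bits=40):
    """Round count after the speed-ups of slide 17: leak log2(e) MSBs (which fix
    the top |N|/2 bits), then the rest down to the last brute-forced bits."""
    needed = math.log2(e) + bits_n / 2 - brute_force_bits
    return math.ceil(needed / math.log2(t + 1))


if __name__ == "__main__":
    print(demo_signing())
    print(nary_search(D, 1, N), nary_search(D, 7, N))
    print(rounds_with_partial_key_exposure(1024, 65537, 7),
          rounds_with_partial_key_exposure(1024, 3, 7))
```

Running the module prints a valid reconstruction whose α equals the integer carry of the partial keys, then shows the same d being recovered by the t = 1 binary search in about |N| rounds and by the t = 7 search in roughly |N|/3 rounds; the last line reproduces the 163 and 158 of slide 17. The point for a defender is visible in reconstruct: the value α that combiners publish to make the signature verify is exactly the carry that compares d with a cut point the coalition controls.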