Lightweight Signatures for (A Defense Against Phishing)

Transcription

1

2 Lightweight Signatures for (A Defense Against Phishing) Ben Adida Cryptography and Information Security Group CSAIL, MIT December 7th, 2005 (joint with David Chau, Susan Hohenberger and Ronald L. Rivest)

3 This Talk The evolution of phishing Privacy concerns Some Cool Crypto The authentication problem Building an authentication architecture Assembling Techniques into Security Solutions

4

5

6

7

8

9

10 Fax Attack

11

12 Cost of Phishing Some say > $1B/year Others say < $200M/year But the real cost of phishing is...

13 We cannot trust Never click on a link provided in an asking for personal information. American Banking Association (Dec. 2004) Do be wary of clicking on links in messages. Microsoft (Feb. 2005) Don't automatically assume that any is from the From address. Bruce Schneier (Dec. 2004)

14 Wall Street Journal August 29th, 2005 Fear of phishing corrodes trust [...] in as a vehicle Don't click on links in s from financial institutions and other organizations that have your personal information Don't trust phone numbers in s. These can be faked, too. We hate to say that, because such communications are supposed to make life easier.

15 Phishing Everywhere!

16

17 Phishing reveals a serious problem with We need to fix the platform

18 SMTP Today 2 MX DNS foo.com MX Record mail.foo.com wonderland.com outgoing mail server 3 mail.foo.com incoming mail server 1 4 Alice Bob

19 No Proof of Origin phish.com wonderland.com outgoing mail server? mail.foo.com incoming mail server Alice Bob

20 Many Proposals Web-based solutions: checking links, better passwords, DSS,... Spam-like filtering identify bad s by content Sender ID / Sender Policy Framework declaring authorized outgoing mail servers DomainKeys outgoing mail server signs all s

21 A Platform of Trust User Interface Indicators Reputation Management Automatic Filtering Reputation Management SSL Light Sigs We want to provide Just Enough Trust

22 Raising the Bar Spoof Outgoing connect to port 25 of Bob s mail server, send data. Intercept Incoming crack Bob s IMAP/POP authentication or sniff Bob s network consistently Alice Bob

23 Building Lightweight Signatures

24 Basic Signatures Authority Wonderland SK wonderland PK wonderland PK alice SK alice Alice sign wonderland (PK alice, )

25 DNS to distribute Component Domain-Level Keys DNS Publish wonderland.com PK wonderland.com foo.com PK foo.com wonderland.com SK wonderland.com [DomainKeys]

26 Scenario Authentication Authority wonderland SK wonderland DNS wonderland.com PK wonderland PK alice From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... SK alice Alice alice@wonderland.com Alice sign alice (message) PK alice sign wonderland (PK alice, alice@wonderland.com ) Bob bob@foo.com

27 Scenario Authentication Authority wonderland SK wonderland PK alice certifying a user s public key can add significant overhead. distributing the secret key to all user access points is tricky. SK alice Alice alice@wonderland.com... unless we rethink the security requirements a bit.

28 -Based Component Authentication [Gar2003] wonderland.com keyserver SK wonderland.com SK SK SK SK certificate(pk ) wonderland.com incoming mail server Alice

29 Server-Managed User Keys Scenario wonderland.com incoming mail server Authority wonderland SK wonderland SK alice PK alice From: Alice To: Bob Subject: DNS wonderland.com PK wonderland I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice Alice alice@wonderland.com sign alice (message) PK alice sign wonderland (PK alice, alice@wonderland.com ) Bob bob@foo.com

30 Scenario DomainKeys Authority wonderland SK wonderland DNS wonderland.com PK wonderland From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice Alice alice@wonderland.com Bob bob@foo.com

31 Scenario DomainKeys From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Authority wonderland SK wonderland intra-domain authentication? SK must be online mail forwarding services? Alice Alice alice@wonderland.com... can we do better?

32 Can we get the benefits of both user keys and domain keys?

33 Component ID-Based Crypto P K bob MP K keyserver MSK SK bob Alice Bob

34 Component ID-based Domains MP K wonderland.com MP K foo.com wonderland.com keyserver MSK wonderland.com foo.com keyserver MSK foo.com SK alice@wonderland.com SK bob@foo.com Alice Bob

35 DNS to distribute Master Public Keys DNS Publish wonderland.com MP K wonderland.com foo.com MP K foo.com wonderland.com key server MSK wonderland.com

36 -Based Authentication for User Secret Keys wonderland.com keyserver MSK wonderland.com wonderland.com incoming mail server Alice

37 Our Scenario Lightweight Signatures DNS 1 PUBLISH PUBLISH 1 wonderland.com MP K wonderland wonderland.com key server SK A 2 From: Alice To: Bob Subject: 6.857! I've decided Matt is cooler. foo.com MPK foo 4 5 MP K wonderland alice@wonderland.com foo.com key server Alice Wonderland.com Network Signed: Alice 3 6 Bob foo.com Network

38 Realistic Deployment Incremental Protection Each domain can implement Lightweight Sigs when it wants to protect its users from spoofing. Minimized User Intervention With domain policies, there is no grey area: s are either good or bad and require no user judgment.

39 Deployment Flexibility Upgrade the Mail Client & Deploy an Internal Keyserver mail client performs sign & verify keyserver distributes user secret keys Upgrade the Mail Server sign at outgoing mail server verify at incoming mail server

40 Origin of Lightweight Sigs Classic PGP or S/MIME Domain-Managed User Keys Domain-Level Key Lightweight Signatures

41 Privacy Concern! Every is now publicly verifiable.

42 So What? Alice likes Bob Eve likes Bob Alice Bob Bob likes to gloat. bob.blogspot.com Eve December 7th, 2005 Check out what Alice sent me! Who knew!... This changes the nature of .

43 Ring Signatures From: Alice To: Bob Subject: Coffee? Hey Bob, Wanna meet for coffee? I'd love to get to know you better. Signed: Alice or Bob [RiShTa2001]

44 Identity-Based Sigs, again Public Keys are available before user has generated them. Public Keys are available using only the domain-based master public key in the DNS. If a domain has an MPK, then it can be used for repudiation.

45 A Bit of Crypto

46 Schnorr ID Protocol Z p, generator g Prover x c t = g r R Z p Verifier y = g x s = xc + r g s? = y c t

47 Schnorr is a PoK Proof of Knowledge: Extraction t = g r c 1 c 2 s 1 = xc 1 + r s 2 = xc 2 + r x = s 1 s 2 c 1 c 2

48 Schnorr Zero-Knowledge c t = g r R Z p s = xc + r g s? = y c t t = gs y c 1) Pick a random c 2) Pick a random s 3) compute t to solve the above equation (t,c,s) is correctly distributed.

49 Prover Fiat-Shamir Building a Signature Scheme from a Proof of Knowledge t c c = H(t m) s Verifier If the protocol is a PoK of a secret key, then (t,c,s) = sign(m)

50 Guillou-Quisquater Signatures MP K = (n, e) MSK = d P K ID = H(ID) Z n SK ID = H(ID) d Z n Prover t = r e Verifier SK ID c R Z n P K ID s = rsk c ID s e? = tp K c ID

51 GQ Properties (I) Zero-Knowledge: Simulation s e? = tp K c ID 1) Pick a random c 2) Pick a random s 3) compute t to solve the above equation (t,c,s) is correctly distributed.

52 GQ Properties (II) Proof of Knowledge: Extraction t = r e c 1 c 2 s 1 = rsk c 1 ID s 2 = rsk c 2 ID SK ID = ( ) s1 (c1 c2) 1 s 2

53 Bilinear Maps G 1, G 2, both of order q e : G 1 G 1 G 2 g, h generate G 1 Z = e(g, h) generates G 2 h b e(g a, h b ) = e(g, h) ab G 1 G 2 e(ug, h) = e(u, h)e(g, h) g a e Z ab

54 Boneh-Franklin Keys Public Parameters: G 1, G 2, q, g, H MSK = s Z q MP K = g s G 1 P K ID = H(ID) SK ID = H(ID) s Note that: e(p K ID, MP K) = e(sk ID, g)

55 HVZK PoK of Bilinear Map Pre-Image given Q G 2, x G 1 α G 1, e(α, x) = Q x α? e Q G 1 G 2

56 Is that Interesting? g a g b e Q g, g a, g b G 1 Q = e(g a, g b ) g g ab G 1 G 2 What is the BM preimage of Q with respect to g? e(α, g) = Q α = g ab

57 HVZK PoK BMPI Prover(Q, α, x) Q = e(α, x) Verifier(Q, x) r R Z q t = e(g r, x) c c R Z q s = α c g r e(s, x)? = Q c t e(α c g r, x)? = e(α, x) c e(g r, x)

58 PoK: Extraction Prover(Q, α, x) r Q = e(α, x) R Z q t = e(g r, x) Verifier(Q, x) c 1 c 2 s 1 = α c 1 g r s 2 = α c 2 g r α = s 1 (c 1 c 2 ) 1 s 2

59 ZK: Simulation t = e(g r, x) c c R Z q s = α c g r s R G e(s, x) =? Q c t 1 t = e(s, x) Q c (t, c, s) is correctly distributed

60 Fiat-Shamir PoBMPI Prover(Q, α, x) r Q = e(α, x) R Z q t = e(g r, x) Verifier(Q, x) c c c= R H(t m) Z q s = α c g r e(s, x)? = Q c t e(α c g r, x)? = e(α, x) c e(g r, x)

61 Signing with BF Keys MSK = s Z q MP K = g s G 1 P K ID = H(ID) SK ID = H(ID) s Q = e(p K ID, MP K) Q = e(sk ID, g) [Hess2002] Prove knowledge of pre-image of Q with respect to g.

62 Applying CDS PoK of PK prove knowledge of SK ben or SK shafi generate (t 1, c 1, s 1 ) for SK shafi t 1 t 1, t 2 t 2 c 1 c c 2 s 1 s 1, s 2, c 1, c 2, s.t. c = c 1 c 2 s 2 (t 2, c 2, s 2 ) must have been generated correctly

63 Crypto Summary Identity-Based Signatures are well understood. Signatures can be thought of as Proofs of Knowledge of a Secret Key, made noninteractive with Fiat-Shamir. Proofs of Partial Knowledge: I know Alice s secret key OR I know Bob s secret key.

64 Implementation Working prototype using a web-based key distribution, simple DNS server, and Emacs Rmail client. More involved usability study in the next few months, multiple domains, real mail client.

65 Summary Phishing reveals an trust problem Lightweight Signatures is one interesting approach end-to-end support of all apps Don t forget about privacy! client-side or server-side computation Assembling crypto tools to solve real problems is fun!

66 Questions?