Cryptography for People

Transcription

1 CySeP2015 Winter School on Cyber Security & Privacy KTH Stockholm Cryptography for People Dr. Jan Camenisch Cryptography & Privacy Principal Research Staff Member Member, IBM Academy of ibm.biz/jancamenisch

2 Facts 33% of cyber crimes, including identity theft, take less time than making a cup of coffee. 2

3 Facts 10 Years ago your personal data on the black market was worth $150. Today. 3

4 We all increasing amount of data and many are personal 1$ for much more data 4

5 use them with different devices, store them anywhere 5

6 use and generate them in interaction with other entities leave collateral data while doing so to make things worse: it's en vogue to let users manage their data :-( 6

7 how can we protect all these data????? 7

8 Houston, we have a problem! ﾩ Information Security Summer School - Bilbao

9 Houston, we have a problem! ﾩ Buzz Aldrin's footprints are still up there (Robin Wilton) Information Security Summer School - Bilbao

10 Computers don't forget Data storage ever cheaper store by default also collateral collection, surveillance cameras, Google Street View with wireless traffic, Apple location history,... Data mining ever better self-training algorithms cleverer than their designers not just trend detection, even prediction, e.g., flu pandemics, ad clicks, purchases, what about health insurance, criminal behavior? The world as we know it Humans forget most things too quickly Paper collects dust in drawers We build apps with the paper-based world in mind :-( if it works it works security too often still an afterthought implementors too often have no crypto education Information Security Summer School - Bilbao

11 You have no privacy, get over it...?!? I have nothing to hide! The intelligence agencies have all my data anyway Huge security problem! Millions of hacked passwords (100'000 followers $ ) Stolen identities ($ , $ , $5 2013) Difficult to put figures down Credit card fraud Spam & marketing Manipulating stock ratings, etc.. (Industrial) espionage We know that 3 letter orgs can do it easily, but they are not the only ones however, this is not about homeland security and of course there are limits to the degree of protection that one can achieve Last but not least: data are the new money, so they need to be protected! 11

12 Privacy is not a lost cause! We need paradigm shift & build stuff for the moon rather than the sandy beach! 12

13 What does that mean? Apply Data Minimization Privacy & Security by Design Require (users to reveal) only the data that are really needed Do not design with the sandy beach beach in mind Encrypt every bit Data should never ever be in the clear process it in the encrypted domain still need to manage keys carefully Needs to support switching of cryptographic algorithms symmetric key crypto gets broken at times beware of quantum computers Attach usage & access control policy to every bit enforce need to know honest but curious probably good enough Information Security Summer School - Bilbao

14 What does it mean: the electronic gap Strong security requires strong cryptographic authentication Humans rarely can remember cryptographic keys let alone compute with them From Humans to Keys the electronic gap Smart cards, HW tokens: a nuisance! Passwords: are dead?! Biometrics: cannot change them, too easily fooled?? Information Security Summer School - Bilbao

15 The Privacy & Security Paradox We do have the technology/crypto, but it is hardly used Deemed too expensive Too hard to manage all the keys, fear of loosing keys Protecting data is considered futile Often required by law, but these are w/out teeth Debate about legality of encryption V2.0 On the positive side Importance of security and privacy increasingly recognized Laws are revised Information Security Summer School - Bilbao

16 Cryptography to the Aid Information Security Summer School - Bilbao

17 Today: two solutions Identity mixer: privacy protecting authentication Password-based security: from humans to cryptographic keys?? 17

18 Identity Mixer 18

19 Alice wants to watch a movie at Movie Streaming Service I wish to see Alice in Wonderland Alice Movie Streaming Service 19

20 Alice wants to watch a movie at Movie Streaming Service You need: - subscription - be older than 12 Alice Movie Streaming Service 20

21 Watching the movie with the traditional solution Using digital equivalent of paper world, e.g., with X.509 Certificates ok, here's - my eid - my subscription Alice Movie Streaming Service 21

22 Watching the movie with the traditional solution...with X.509 Certificates Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 22

23 Watching the movie with the traditional solution This is a privacy and security problem! - identity theft - discrimination - profiling, possibly in connection with other services Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 23

24 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Alice Movie Streaming Service 24

25 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Alice Movie Streaming Service 25

26 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Aha, you are - Alice@facebook.com Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 26

27 Identity Mixer solves this. When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the services learns is that Alice has a subscription is older than 12 and no more! 27

28 Privacy-protecting authentication with Privacy ABCs Like PKI, but better: One secret Identity (secret key) Many Public Pseudonyms (public keys) 28

29 Privacy-protecting authentication with Privacy ABCs Like PKI, but better: Issuing a credential Name = Alice Doe Birth date = April 3,

30 Privacy-protecting authentication with Privacy ABCs I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service 30

31 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 31

32 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 32

33 Privacy-protecting authentication with Privacy ABCs I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service Concept: presentation policy 33

34 Privacy-protecting authentication with Privacy ABCs Like PKI but does not send credential only minimal disclosure Alice - valid subscription - eid with age 12 Movie Streaming Service 34

35 Privacy-protecting authentication with Privacy ABCs Like PKI but does not send credential only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Alice Movie Streaming Service 35

36 Minimal Disclosure 36 Alice Doe Age: 12+ Hauptstr 7, Zurich CH single Exp. Valid ve r ID ified ve r ID ified Alice Doe Dec 12, 1998 Hauptstr. 7, Zurich CH single Exp. Aug 4, 2018

37 So, let's watch a movie! idemixdemo.mybluemix.net idemixdemo.zurich.ibm.com 37 October 20, 2015

38 Identity Mixer status Scientific foundation laid 15 years ago, well studied & award winning Successful real-world pilots in series of EU projects You can have identity mixer, too! Open-source implementation: Idemix-as-a-Service on IBM Bluemix Web-based demo to try for everyone Coming soon: Idemix on mobile 38

39 A glimpse at the underlying cryptography 39 October 20, 2015

40 A Glimpse at the technical realization Signature scheme compatible with ZKP Commitment scheme compatible with ZKP & sig. scheme Zero knowledge proof of knowledge 40 October 20, 2015

41 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g>. Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g. Prover: random r t := gr PK{(α): y = gα } t c s := r - cx Verifier : random c s t = gs yc 41 October 20, 2015

42 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } Intervals and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): PK{(α): y = gα }(m) 42 October 20, 2015

43 RSA Signature Scheme Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d e = H(m) 43 October 20, 2015 (mod n) (mod n)

44 RSA Signature Scheme Verification signature on a message m Є {0,1}* se := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 44 October 20, 2015

45 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n 1 45 k signature is (c,e,s) October 20, 2015

46 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 46 October 20, 2015

47 Proving Knowledge of a CL-signature Observe: d = ce am bs mod n Let c' = c btmod n with randomly chosen t then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1 provide c' PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } 47 October 20, 2015

48 Password-based Security 48

49 Password are insecure, aren't they? username-password the most prominent form of user authentication Passwords inherently insecure? No! We re just using them incorrectly 49

50 The problem with passwords password salted PW hash correct? correct? correct? correct? correct? correct!! Passwords are symmetric secrets need protection on server & user Password (hashes) useless against offline attacks Human-memorizable passwords are inherently weak NIST: 16-character passwords have 30 bits of entropy 1 billion possibilities Rig of 25 GPUs tests 350 billion possibilities / second, so 3ms for 16 chars 60% of LinkedIn passwords cracked within 24h More expensive hash functions provide very little help only increases verification time as well does not work for short passwords such as pins etc Single-server solutions inherently vulnerable to offline attacks Server / administrator / hacker can always guess & test Information Security Summer School - Bilbao

51 The solution: distributed password verification Setup: Open account w/ password p p1 p p= 51 p1 p2 p2

52 The solution: distributed password verification Login to account with password p' p1 p' p' no server alone can test password? = p1 p2 p2 passwords safe as long as not all servers are hacked off-line attacks no longer possible on-line attacks can be throttled pro-active re-sharing possible First server web-server replaces hash-data files user's computer secure against loss or theft of user device 52

53 How it works in a nutshell [CLN12,CEN15] Servers share encryption secret key x1 and x2 for PK X fpr homomorphic scheme At setup: user encrypts p under X: E= EncX(p) Password verification: check for encryption of 1 E= EncX(p) x1 E' p' = p? DecX(E') = 1? p' r E' = (EncX(1/p') E) r = EncX( (p/p') ) E' E=EncX(p) x2 Servers do not learn anything 1 if passwords match, random number otherwise User could even be talking to the wrong servers Information Security Summer School - Bilbao

54 From password to cryptographic keys [CLN12,CLLN14,CEN15] p1 k1 p2 k2 One of the servers could be your smart phone, laptop, Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud, etc) 54

55 From password to cryptographic keys [CLN12,CLLN14,CEN15] p1 k1 p' p'? = p1 p2 k p2 k2 One of the servers could be your smart phone, laptop, Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud, etc) 55

56 Further Research Needed! Securing the infrastructure & IoT ad-hoc establishment of secure authentication and communication audit-ability & privacy (where is my information, crime traces) security services, e.g., better CA, oblivious TTPs, anon. routing, Usability HCI Infrastructure (setup, use, changes by end users) Provably secure protocols Properly modeling protocols (UC, realistic attacks models,...) Verifiable security proofs Retaining efficiency Information Security Summer School - Bilbao

57 Further Research Needed! Quantum Computers Lots of new crypto needed still Build apps algorithm agnostic Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog Information Security Summer School - Bilbao

58 Conclusion Let engage in some rocket science! Much of the needed technology exists need to use them & build apps for the moon and make apps usable & secure for end users Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more Information Security Summer School - Bilbao ibm.biz/jancamenisch