Forschungsrichtungen in der IT-Sicherheit

Transcription

1 Forschungsrichtungen in der IT-Sicherheit Dr. Jan Camenisch Principle Researcher; Member, IBM Academy of Technology IBM Research ibm.biz/jancamenisch

2 Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea.

3 Facts 10 Years ago, your identity information on the black market was worth $150. Today.

4 Facts $15'000'000'000 cost of identity theft worldwide (2015)

5 Attackers hide easily in the vast of cyberspace

6 ﾩ Houston, we have a problem!

7 The problem is this

8 computers never forget Data is stored by default Data mining gets ever better Apps built to use & generate (too much) data New (ways of) businesses using personal data Humans forget most things too quickly Paper collects dust in drawers But that s how we design and build applications!

9 You have no privacy, get over it! Huge security problem! Millions of hacked passwords (100'000 followers $ ) Stolen credit card number ($5 2013, <10$ ) Stolen identity ($ , $ , $5-2013, $1-2016) Stolen accounts (ebay, PayPal $2-2016) Lots of not reported issues (industrial espionage, stock manipulation, ) Data is the new money so we better protect it and we have not event discussed social issues such as democracy etc 9

10 Learnings from Snowden Very Short Summary Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (e.g., Google), Industrial collaborations, industrial espionage But also from underwater cables Technical sophistication (hardly a surprise) Rigged equipment, chips; subverted standards (PRG); Control of CAs control of network Not by breaking encryption schemes! But using insecurity of systems, etc. However, Snowden had limited access to docs (no crypt-analysis reports)

11 Learnings from Snowden Take Aways Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest Other things require large budget and organization FPGA, ASICS Deliberate weakening of infrastructure (PRG standards, etc) - very bad idea All hope is lost no chance against three letter orgs & no real harm done! Really??

12 So it seems our environment is even nastier...

13 Security & Privacy is not a lost cause! We need paradigm shift: build things for use on the moon rather than the sandy beach!

14 Security & Privacy is not a lost cause! That means: Use only minimal data necessary Encrypt every bit and keep it like that Attach usage policies to each bit Good news: Cryptography allows for that!

15 Cryptography to the Aid! Mix Networks Oblivious Transfer Searchable Encryption Onion Routing Confirmer signatures Anonymous Credentials OT with Access Control Pseudonym Systems Priced OT e-voting Blind signatures Private information retrieval Group signatures Secret Handshakes Homomorphic Encryption

16 Cryptography to the Aid a few examples of rocket science Multi Party Computation Cryptographic 4 People - IFIP SEC ROME 2017 IBM Corporation

17 Data Protection f(data)

18 Secure Multi Party Computation for Data Protection f(data) Can be done for any function typically not considered efficient. Two or three parties protocols today can be very efficient e.g., computing AES in 100ms 3PC with one party corrupt

19 Multi Party Computation Basic Principles Evaluate Circuit gate per gate with distributed protocol data f(data)

20 Multi Party Computation Basic Principles Computation of gates typically for free requires protocols Encrypted data under shared key + + (Fully) homomorphic encryption... Secret-share data, compute with shares + Main approaches:

21 Dedicated MPC Protocol Today: Getting Rid of Password Databases password Paper-world approach: - store password - better, store hash of password

22 Dedicated MPC Protocol Today: Getting Rid of Password Databases password salted PW hash Paper-world approach: - store password - better, store hash of password Password (hashes) useless against offline attacks correct? correct? correct? correct? correct? correct? correct!! Human-memorizable passwords are inherently weak NIST: 16-character passwords have 30 bits of entropy 1 billion possibilities Rig of 25 GPUs tests 350 billion possibilities / second, so 3ms for 16 chars 60% of LinkedIn passwords cracked within 24h

23 Homomorphic Encryption Encryption scheme KGen(l)-> (PK,SK) C = EncPK(m) m = DecSK(c) Plaintext homomorphism EncPK(m1) EncPK(m2) EncPK(m) EncPK(m) = EncPK(m) 2 <=> EncPK(m1 m2) <=> EncPK(m ) 2 Secret key homomorphism SK = SK1 SK2 => DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

24 Dedicated MPC Protocol Today: Getting Rid of Password Databases Account Setup p Uid, E=EncPK(p)

25 Dedicated MPC Protocol Today: Getting Rid of Password Databases Login E' p (Uid, E) E = (EncPK(1/p ) E) r1 = EncPK( (p/p ) ) r1

26 Dedicated MPC Protocol Today: Getting Rid of Password Databases Login r2 E' p D (Uid, E) E = (EncPK(1/p ) E) r1 = EncPK( (p/p ) ) r1 E = E D = Decsk2(E )

27 Dedicated MPC Protocol Today: Getting Rid of Password Databases Login r2 E' p D D (Uid, E) E = E D = Decsk2(E ) r3 E = (EncPK(1/p ) E) r1 = EncPK( (p/p ) ) r1 E = D D = Decsk3(E )

28 Dedicated MPC Protocol Today: Getting Rid of Password Databases Login r2 E' p D (Uid, E) 1 =? decsk1(d )! Result 1 if password match, random otherwise With ElGamal, each server makes two exponentiations only! Passwords safe as long as not all servers are hacked off-line attacks no longer possible on-line attacks can be throttled D E = E D = Decsk2(E ) r3 E = D D = Decsk3(E )

29 From password to cryptographic keys [CLN12,CLLN14,CEN15] EncPK(p) One of the servers could be your smart phone, laptop, Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud, etc)

30 From password to cryptographic keys [CLN12,CLLN14,CEN15] p' p = p? One of the servers could be your smart phone, laptop, Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud, etc)

31 Cryptography to the Aid an example of rocket science Authentication without Identification

32 Alice wants to watch a movie at Mplex I wish to see Alice in Wonderland I need proof of: - be older than 12 Alice Movie Streaming Service

33 Alice wants to watch a movie at Mplex Name = Alice Doe Birth date = April 3, 1997 Alice Movie Streaming Service

34 Alice wants to watch a movie at Mplex Aha, you are Alice Doe, born April 3, 1997 Alice Movie Streaming Service

35 Privacy-protecting authentication with Anonymous Credentials Like PKI, but better: One secret Identity (secret key) Many Public Pseudonyms (public keys)

36 Privacy-protecting authentication with Anonymous Credentials Like PKI, but better: Issuing a credential Name = Alice Doe Birth date = April 3, 1997

37 Privacy-protecting authentication with Anonymous Credentials I wish to see Alice in Wonderland I need proof of: - be older than 12 Alice Movie Streaming Service

38 Privacy-protecting authentication with Anonymous Credentials Like PKI but does not send credential only minimal disclosure Alice - valid subscription - eid with age 12 Movie Streaming Service

39 Privacy-protecting authentication with Anonymous Credentials Like PKI but does not send credential only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 Alice Movie Streaming Service

40 Data Minimizing Authorization w/ ABCs (Public Verification Key) Are you > 12? Only minimally necessary information is revealed!

41 Research Directions 2017 IBM Corporation

42 Crypto research is done since late '90 We know how to sign and encrypt, so just need to use what we have But wait, we have blockchain and crypto can do magic! In truth, more research needed than ever 42

43 Crypto can do magic but how? Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with 43 Security model Craft protocol Prove protocol secure Example: look at an arbitrary blockchain use case

44 Provable Security scheme specification Does realization behave as the specification? scheme realization

45 Provable Security Research Directions scheme specification hard problem security Proof scheme realization

46 Provable Security Research Directions Is this implied?

47 Provable Security Research Directions Composable security framework (Canetti, Maurer, Küsters...), but Properly modeling protocols (UC, realistic attacks models,...) Verifiable security proofs - humans and computers Tools to tame the complexity Modular proofs, templates for proof parts, helper theorems Computer aided verification all cases covered, etc Retaining efficiency Modeling and implementing setup assumptions (CRS, RO,...) Realistic threat models (power analysis, virtual machines,...)

48 Quantum Computers are Coming! Quantum computers can factor and solve DL 48

49 Quantum Computers are Coming! Quantum computers can factor and solve DL Use Quantum resistant assumptions! 49

50 Quantum Computers are Coming! Quantum computers can factor and solve DL Use Quantum resistant assumptions! But classical definitions and proofs consider ITM only! 50

51 Quantum Computers are Coming! Security Models adversary Interaction w/ scheme honest parties QS0 Classical security C C C QS1 Post-quantum security Q C C QS2 Superposition-based quantum security Q Q C QS3 All quantum security Q Q Q 51

52 Quantum Computers are Coming! A broader view Mind the gap! Ciphertexts put on a blockchain now might not be safe in the near future Classical crypto that resists quantum computers New security models and schemes are needed! Efficient signature and encryption schemes known use them now! More complex primitives still not efficient enough for practical use 52 Hybrid schemes might be a midterm solution Crypto for quantum computers: How to encrypt/sign quantum states

53 Building a Crypto Toolbox Goal: Library of cryptographic primitives beyond encryption and signatures Multiparty computation Zero-knowledge proofs (Schnorr-proofs, SNARKS, circuit based) Signatures & encryption with protocols Research Challenges Defining good API not too low level, yet not too specific Enable security proof of application using the primitives (plus formal analysis) 53

54 Building a Crypto Toolbox An Example: ZKLang Are you > 12? 54

55 Building a Crypto Toolbox An Example Proof of Knowledge of a signature on messages m1,..., mk: Cryptographer: Signature (A,r,s) with A := (g h s h m1... h mk )1/(x+r) where public key y = gx 0 PoK {(m1,..., mk, r, s) : 1 k e(a, y gr) = e( g, g h s h m1... h mk ) } 0 1 k Software Engineer: NIZK{(m1,m2,m3): Credential(PKissuer, m1,m2,m3,m4) AND Enc(PKauditor, ciphertext, m3) } Emerging activities: 55 ZKProof.org Hyperledger crypto lib

56 Research Directions Securing the infrastructure & IoT ad-hoc establishment of secure authentication and communication audit-ability & privacy (where is my information, crime traces) security services, e.g., better CA, oblivious TTPs, anon. routing, Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog 56

57 Conclusion Much of the needed technology exists need to use them & build apps for the moon and make apps usable & secure for end users Still lots of research to be done! Let engage in some rocket science! 57

58 Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more. ibm.biz/jancamenisch