Direct Anonymous Attestation

Similar documents
A Decade of Direct Anonymous Attestation

Cryptography 4 Privacy

Covert Identity Information in Direct Anonymous Attestation (DAA)

Trusted Computing: Introduction & Applications

DYNAMIC PRIVACY PROTECTING SHORT GROUP SIGNATURE SCHEME

Anonymous Attestation with Subverted TPMs

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Cryptography for People

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

Cloud-Based Commissioning of Constrained Devices using Permissioned Blockchains

DAA: Fixing the pairing based protocols

FORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Attribute-based Credentials on Smart Cards

An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Vulnerabilities in Anonymous Credential Systems

Enhanced Privacy ID from Bilinear Pairing

Cryptographic protocols

An improved proxy blind signature scheme based on ECDLP

Direct Anonymous Attestation (DAA): Ensuring Privacy with Corrupt Administrators,

Formal analysis of privacy in Direct Anonymous Attestation schemes

Verifiable Anonymous Identities and Access Control in Permissioned Blockchains

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

Privacy Privacy Preserving Authentication Schemes: Theory and Applications

A Direct Anonymous Attestation Scheme for Embedded Devices

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Anonymous Credentials and e-cash

A Novel Identity-based Group Signature Scheme from Bilinear Maps

On the Security of a Certificateless Public-Key Encryption

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Direct Anonymous Attestation (DAA): Ensuring privacy with corrupt administrators (Extended version)

Signatures and Efficient Proofs on Committed Graphs and NP-Statements

DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Lecture Embedded System Security Trusted Platform Module

Privacy-Preserving & User-Auditable Pseudonym Systems. Jan Camenisch, Anja Lehmann IBM Research Zurich

COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY

Cryptographic dimensions of Privacy

An Identity Escrow Scheme with Appointed Verifiers

COMPUTING SCIENCE. Abstract:

Lecture Notes 14 : Public-Key Infrastructure

Security Remarks on a Convertible Nominative Signature Scheme

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity

Formal analysis of privacy in Direct Anonymous Attestation schemes

Verifying Real-World Security Protocols from finding attacks to proving security theorems

On the Revocation of U-Prove Tokens

CSC 5930/9010 Modern Cryptography: Digital Signatures

Privacy-preserving PKI design based on group signature

On the security of a certificateless signature scheme in the standard model

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Construction of Trusted Computing Platform Based on Android System

Structure-Preserving Certificateless Encryption and Its Application

Digital Cash Systems

Efficient identity-based GQ multisignatures

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Practical backward unlinkable revocation in FIDO, German e-id, Idemix and U-Prove

Digital Multi Signature Schemes Premalatha A Grandhi

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

Implementation Aspects of Anonymous Credential Systems for Mobile Trusted Platforms

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

A Protocol for Property-Based Attestation

Analysis of a Redactable Signature Scheme on Data with Dependencies

Digital Signatures. Sven Laur University of Tartu

Cryptography: More Primitives

An Implementation of a Pairing-Based Anonymous Credential System with Constant Complexity

Decentralized Blacklistable Anonymous Credentials with Reputation

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Secure digital certificates with a blockchain protocol

Signature Schemes and Anonymous Credentials from Bilinear Maps

Anonymous Client Authentication for Transport Layer Security

A privacy-preserving authentication service using mobile devices

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

An Introduction to Trusted Platform Technology

Solving Revocation with Efficient Update of Anonymous Credentials

Trusted Computing Group

Cryptography 4 People

Portable reputation: Proving ownership of reputations across portals

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

(12) Patent Application Publication (10) Pub. No.: US 2007/ A1

Lightweight Anonymous Authentication with TLS and DAA for Embedded Mobile Devices

An IBE Scheme to Exchange Authenticated Secret Keys

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Secure Multiparty Computation

Security Protections for Mobile Agents

TRUSTED COMPUTING TECHNOLOGIES

Karim El Defrawy Donald Bren School of Information and Computer Science University of California, Irvine

Secure Multiparty Computation

Publicly-verifiable proof of storage: a modular construction. Federico Giacon

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

BNymble (a short paper)

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

A New ID-based Group Signature Scheme from Bilinear Pairings

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

A Short Certificate-based Signature Scheme with Provable Security

Transcription:

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch

Direct Anonymous Attestation What is it? Protocol standardized by TCG (trusted computing group) " Attestation of computer state by TPM (root of trust) " TPM measures boot sequence " TPM attest boot sequence to third party " Attestation based on cryptographic keys Strong authentication of TPM with privacy Use cases apart from attestation: " secure access to networks, services, any resources of devices " can be extended to user of device

Direct Anonymous Attestation Brief History " TCPA 0.44 July 2000 until TCPA 1.1b February 2002 " w/out DAA, but used Privacy CA " Privacy groups criticized Privacy CA solution " TPM 1.2 July 2003 until Aug 2009 (revision 116) " DAA introduced as alternative to Privacy CA, goal to make privacy groups happy " DAA based on RSA " Host part specified in TSS (Trusted Software Stack) " Implementation on chips very slow (arithmetic co-processor) " TPM 2.0 October 2014 " Elliptic curve-based DAA " ISO standard in 2015 (ISO/IEC 11889) " Today: Interest in TPM revived " Security of mobile devices " FIDO authentication

Attestation Scenario Issuer (TPM or Platform Manufacturer) Problem: using traditional certificates, all transactions of the same platform become linkable :-( Verifier (Bank, eshop, Tax authority, )

Security Requirements for Attestation Unforgeability: No adversary can create signatures on messages that were never signed by a certified TPM. Non-frameability: One cannot create a signature on a message that links to an honest platform s signature when the platform never signed this message. Anonymity: signatures by an honest platform are unlinkable (without basename or different basenames). Revocation: If a TPM is compromised, signatures from the compromised keys must no longer be accepted.

Attestation Privacy CA Solution (Traditional Credentials) EK,CertE Issuer Problem: Privacy CA does not exist " operate 24/7 " security needs to be high a contradiction to 24/7 " no business model (trust relationship w/ users and verifiers) " can link transactions! other security requirements would be fulfilled AIK,CertA AIK, CertA, Sig AIK (m) Privacy CA Verifier

Direct Anonymous Attestation (Brickell, Camenisch, Chen - 2003) Issuer DAA credentials are randomizable : " TPM can transform original credential into new credentials that looks like a fresh credential different randomize credentials cannot be linked (anonymity) still credentials are unforgeable Verifier

Direct Anonymous Attestation Rogue TPMs " TPM has been broken and keys have leaked " Need to be able to distinguish those keys despite signatures are anonymous " Solution: Nym = f(daa-secret) = ζ DAA-secret mod p, where " if ζ is random: published keys can be detected, protocol is still anonymous " if ζ is fixed per verifier, e.g., derived from verifier's name (so-called basename): verifier can also make frequency analysis signature by the same platform w.r.t. same basename can be linked! protocol is still pseudonymous

Realization of Direct Anonymous Attestation in TPM V1.2

Signature Scheme used to Issue Certificate to TPM Public key of signer: RSA modulus n and a i, b, d Є QR n, Secret key: factors of n To sign k messages m1,..., mk Є {0,1} l : choose random prime 2 l+2 > e > 2 l+1 and integer s n compute c : c = (d / (a 1 m1... ak mk b s )) 1/e mod n signature is (c,e,s) Verification: mi Є {0,1} l, e > 2 l+1, and d = c e a 1 m1... ak mk b s mod n

Signature Scheme used to Issue Certificate to TPM Observe: d = c e a 1 m1... ak mk b s mod n Let c' = c b t mod n with randomly chosen t then d = c' e a 1 m1... ak mk b s-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1,..., mk To prove ownership of a signature (c',e, s*) on some on m1,..., mk randomize and provide c' execute proof protocol PK{(ε, µ1,...µk, σ) : d := c' ε a 1 µ1... ak µk b σ µ Є {0,1} l ε > 2 l+1 }

How the TPM signs Schnorr Signatures Given a group <g> and an element y Є <g>. Prover wants to convince verifier that she knows x1, x2 s.t. y = g x1 h x2 such that verifier only learns y, g and h. Prover: random r1,r2 t := g r1 h r2 s1 := r1 cx1 s2 := r2 - cx2 PK{(α,β): y = g α h β } t c s1, s2 Verifier: random c t = y c g s1 h s2

How the TPM signs Schnorr Signatures From Protocol PK{(α): y = g α } to Signature SPK{(α): y = g α }(m): Signing a message m: - chose random r1,r2 Є Zq and - compute (c,s1,s2) := (H(g r1 h r2 m), r1 - cx1, r2 - cx2 ) Verifying a signature (c,s1,s2) on a message m: - check c = H(y c g s1 h s2 m)? Security: - Discrete Logarithm Assumption holds - Hash function H(.) behaves as a random oracle.

How the TPM and the Host Sign Jointly PK{ (x, m) :y = g x h m (mod n) } PK{ (x) : y' = g x }

How the TPM and the Host Sign Jointly PK{ (x, m) :y = g x h m (mod n) } PK{ (x) : y' = g x } random r1 t' random r2 t' = g r1 t = t'h r2 t

How the TPM and the Host Sign Jointly PK{ (x, m) :y = g x h m (mod n) } PK{ (x) : y' = g x } random r1 t' = g r1 t' c random r2 t = t'h r2 t c random c

How the TPM and the Host Sign Jointly PK{ (x, m) :y = g x h m (mod n) } PK{ (x) : y' = g x } random r1 t' = g r1 t' c random r2 t = t'h r2 t c random c s1= r1 - c x s1 s2= r2 - c m s1, s2 t = y c g s1 h s2?

How the TPM and the Host Sign Jointly PK{ (x, m) :y = g x h m (mod n) } PK{ (x) : y' = g x } random r1 t' = g r1 t' c random r2 t = t'h r2 t c random c s1= r1 - c x s1 s2= r2 - c m s1, s2 t = y c g s1 h s2? TPM spec TSS spec

Direct Anonymous Attestation in TPM V2.0

Overview of Changes from TPM 1.2 to TPM 2.0 " From RSA groups to elliptic curve groups (faster, smaller keys) " TPM V1.2 : DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs. For TPM V2.0, there is not TSS spec. PK{(x) : y' = g x } " On the positive side: supports many different credential signature schemes (CL, q-sdh, ) " On the negative side: " no full specification Chen & Li 2013 paper hard to match to TPM spec " no security proof Chen & Li 2013 security proof broken, current spec. not provable secure

Difficulty in Security Definitions and Proofs " 4 parties & 4 protocols complex protocol and thus security definition becomes complex " After initial DAA paper (Brickell et al. 2004), a number of improved security definitions where published. " All of them have issues, some of them severe, allowing for insecure schemes :-( Need for complete security model & provably secure schemes

Simulation-Based Security Definitions Interaction with environment cryptographic protocols are run between parties secure if environment cannot tell apart Interaction with environment Functionality (ideal specification)

Existing Simulation-Based Models for DAA Brickell, Camenisch, Chen (2004) " Does not output any signature values " Prohibits working with signature values in practice Chen, Morrissey, Smart (2009) " Outputs signatures " Signature generation too simplistically modeled to be realizable

Property-Based Security Definitions Interaction with environment cryptographic protocols Defines security when interacting with cryptographic protocol for each property separately. E.g., Non-frameability: One cannot create a signature on a message that links to an honest platform s signature when the platform never signed this message.

Existing Property-Based Models for DAA Brickell, Chen, Li (2009) " Unforgeability not captured: trivially forgeable scheme can be proven secure " No property for non-frameability Chen (2010) " Extends BCL 09 with non-frameability " Same flaws as BCL 09 Bernard et al. (2013) " Discusses flaws in all previous models " TPM + Host one party " Does not cover honest TPM in corrupt Host " Security Proof of Pre-DAA does not work for full DAA

Do we need all these definitions? (1, 1, 1, 1) is a valid credential on any key in Chen, Page, Smart 2010 " ISO 20008 standardized! TPM2 spec contains static DH oracle " Larger groups and keys required (Xi et al., 2014) TPM2 should make zero-knowledge proof " Problem in hash computation " Proof not zero-knowledge

Comprehensive Model and Secure Protocol Camenisch, Drijvers, Lehmann 2016 (ia.cr/2015/1246) Comprehensive security model in UC framework " Allows composition by composition theorem " Signatures modeled as concrete values that are sent as output " TPM and Host separate parties " Extensive explanation on why this definition properly captures the security requirements Provide scheme that realize the functionality " Provably secure instantiation (based on CL signatures, but q-sdh seems feasible, too) " As efficient as existing DAA schemes essentially just doing a few details right

Next Steps TPM 2.0 " working on fixing security problems " trying to unify different schemes " spec of full schemes, i.e., also issuer, host, verifier parts. FIDO anonymous authenticator spec " with our without TPM 2.0 " reference implementation underway (aim at open sourcing it)

Conclusions " Device authentication more relevant than ever " Provably security matters a number of standards have issues " It often takes far longer than one would expect & still not done

Thanks! Questions? ia.cr/2015/1246 jca@zurich.ibm.com @JanCamenisch

References Bernhard, D., Fuchsbauer, G., Ghadafi, E., Smart, N., Warinschi, B.: Anonymous attestation with user-controlled linkability. International Journal of Information Security 12(3), (2013) Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. ACM CCS 2004. Brickell, E., Chen, L., Li, J.: Simplified security notions of direct anonymous attestation and a concrete scheme from pairings. International Journal of Information Security 8(5), (2009) Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. CRYPTO 2004. Chen, L., Morrissey, P., Smart, N.: DAA: Fixing the pairing based protocols. eprint Archive, Report 2009/198. Chen, L.: A DAA scheme requiring less tpm resources. Information Security and Cryptology 2010. Chen, L., Morrissey, P., Smart, N.: On proofs of security for DAA schemes. Provable Security 2008. Chen, L., Page, D., Smart, N.: On the design and implementation of an efficient DAA scheme. Smart Card Research and Advanced Application 2010. Chen, L., Li, J.: Flexible and scalable digital signatures in TPM 2.0. ACM CCS 2013. Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. SAC 1999. Xi, L., Yang, K., Zhang, Z., Feng, D.: DAA-related APIs in TPM 2.0 revisited. Trust and Trustworthy Computing 2014

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback