SECRET SHARING SECRET SPLITTING


Clemens H. Cap, Universität Rostock, clemens.cap (at) uni-rostock (dot) de
SECRET SHARING / SECRET SPLITTING, BaSoTI 2012, Tartu

Anecdotal Problem
- Trent wants to give Alice and Bob access to the safe
- Trent does not trust one of them alone
- Trent wants to split the access key K
- Alice alone or Bob alone have NO information
- Alice and Bob together have the COMPLETE information
Solution:
- Trent generates a random bit string R
- Trent gives A = R + K to Alice and B = R to Bob (+ is bitwise XOR)
- Alice and Bob regenerate the key as A + B
- Alone, both only have random noise

Secret Splitting with n Participants
- More general problem: more than 2 participants
- Trent can split a key K into n parts A_1, ..., A_n
- A_1, ..., A_{n-1} are random
- A_n = K + A_1 + ... + A_{n-1}
- A single participant gets no information
- Only all participants together can reconstruct the key
- Problem: what if one participant loses their part?

Threshold Schemes
- A (k, n) threshold scheme splits a secret S into n parts
- k or more parts allow a reconstruction of the secret
- Less than k parts do not allow a reconstruction
- Some shares may be lost without problem
- A threshold scheme is called perfect if less than k parts provide no information at all on the secret
- Note: must be proved mathematically! Parts do not increase the chances of guessing the secret.

HOW TO SHARE A SECRET? SHAMIR THRESHOLD SCHEME

Will use a finite field and not real numbers!

We will design similar forms of coding
- Example 1: Use several blocks of secrets (optional: block chaining)
- Example 2: Use hybrid schemes

We the People of the United States, in Order to form a more perfect Union

(Figure sequence; the axis ticks 0 to 9 of the plots are omitted)
- Arbitrary polynomial of degree 6
- Pick 9 points
- Forget polynomial and secret
- Arbitrary 7 points allow reconstruction of the polynomial of degree 6
- Arbitrary 7 points allow reconstruction of the polynomial and of the corresponding secret

(k,n) Threshold Scheme
Construct shares:
1. Pick the point (0, S)
2. Draw a random polynomial of degree k-1 through this point
3. Pick n points with x different from 0
Reconstruct the secret:
1. From k points construct the polynomial of degree k-1
2. Use the Lagrange interpolation formula for this
3. Evaluate the polynomial at x = 0

Verifiable Secret Sharing
- Assumption thus far: the dealer of the secret is trusted
- Problem: the dealer might be cheating
- In a (3,7) scheme: A, B and C meet and construct secret X; C, D and E meet and construct secret Y with Y different from X
- Obviously: someone is cheating. Is this C? Or B? Or has it been the dealer?
- Share holders want to check if the dealer was cheating
- Verify: all k shares lead to the same secret
- But: should not reconstruct the secret for this purpose
- Need: zero-knowledge proof of correctness

Proactive Secret Sharing: Share Refreshment (1)
- Problem: one participant loses his laptop, another participant loses his USB stick
- A (3,9) threshold scheme is in use; if another participant loses the shares we are insecure
- Idea: modify all shares according to an update protocol; destroy the old shares
- The 2 lost shares are of no value to an attacker any more

Proactive Secret Sharing: Share Refreshment (2)
- Diverse scenarios studied in the literature, e.g. the assumption that some share holders are liars, or that the distributor of the secret is a liar
- This will confuse the share holders since they cannot reconstruct a single, consistent secret
- Many different (and complicated) protocols
- One possibility: redistribute a fresh set of shares
- New possibility: use an update protocol; do not distribute shares again but use a protocol which modifies the existing shares. Also helps preparing different applications

Proactive Secret Sharing: Update Protocol
- Idea: use a polynomial with value P(0) = 0 at x = 0
- The secret is not modified; the shares are modified
- The original dealer constructs such a polynomial and sends its value to the participants
- Participants destroy the old share
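Added example (Python, not from the slides): the share construction and Lagrange reconstruction of the (k,n) threshold scheme slide, plus the P(0) = 0 share refresh of this slide, over the prime field GF(2^127 - 1). The prime, the function names and the demo secret are my choices.

```python
# Added example: Shamir (k, n) threshold sharing over GF(P) plus proactive
# share refresh. P, the function names and the demo secret are constructed.
import secrets

P = 2**127 - 1  # Mersenne prime; secret and share values are integers in [0, P)

def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[d]*x^d mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret, k, n):
    """Return n shares (x, y) of secret; any k of them reconstruct it."""
    if not (1 <= k <= n < P) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    # Steps 1+2: random polynomial of degree k-1 with constant term = secret
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    # Step 3: n points with x != 0 (x = 0 would hand out the secret itself)
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 through exactly the shares given.
    With fewer than k shares this yields a value unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P        # factor (0 - xj)
                den = den * (xi - xj) % P    # factor (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P  # modular inverse
    return total

def refresh(shares, k):
    """Proactive update: add a random degree k-1 polynomial Q with Q(0) = 0
    to every share. The secret is unchanged; old shares become worthless."""
    update = [0] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, (y + _eval_poly(update, x)) % P) for x, y in shares]

if __name__ == "__main__":
    secret = int.from_bytes(b"We the People", "big")   # constructed demo secret
    old = split(secret, 3, 7)                          # (3,7) scheme as on the slides
    new = refresh(old, 3)
    assert reconstruct(new[:3]) == secret              # any 3 fresh shares work
    assert reconstruct(new[4:]) == secret
    assert reconstruct(old[:2] + new[2:3]) != secret   # old and new shares do not mix
    print("ok")
```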

More General Access Schemes
- Problem: access to the safe for any 3 employees, or for the boss plus 1 employee
- Solution: threshold scheme with a threshold of 3; the boss gets two shares
- So-called weighted threshold scheme

General Access Schemes
- P is a set of persons, e.g. P = {A, B, C, D}
- An access scheme S is a set of sets of persons who are allowed to access the safe, e.g. S = { {A, B}, {C, D} }
- Obvious requirement: every superset of a set in the scheme is in the scheme
- So the S from above is rather: S = { {A, B}, {C, D}, {A, B, C}, {A, B, C, D}, {A, C, D}, {B, C, D} }
- Or: the original S generates this larger scheme

Example: Access scheme which cannot be realized as a weighted threshold scheme
- S = { {A, B}, {C, D} }
- Assume a threshold scheme with threshold k; participants have a, b, c, d shares
- Assume a ≥ b and c ≥ d (otherwise rename variables)
- a + b ≥ k and c + d ≥ k due to the scheme
- a + a ≥ a + b ≥ k, so 2a ≥ k and a ≥ k/2
- Similarly show c ≥ k/2
- Thus a + c ≥ k/2 + k/2 = k
- Thus {A, C} may access the safe: contradiction to the scheme

Can we realize this scheme at all?
- Yes, and even with a threshold scheme, provided we not only look at share numbers but distribute shares intelligently by reusing the shares
- I.e.: one share is distributed to more than one person
- Assume a (4,4) scheme with shares e, f, g, h and provide:
  A with e, g
  B with f, h
  C with e, f
  D with g, h
- {A, B} and {C, D} can access, but {A, C} or {A, D} or {B, C} or {B, D} cannot

Does this work in general?
Yes, and we will look at another example. Access scheme is { {A, B, D}, {A, C, D}, {B, C} }
1. Write down the access function: ABD + ACD + BC
   Think of * as "and" and of + as "or"
   With appropriate settings of A, B, C, D: the function is true exactly on the correct access structures
2. Write down the dual access function: (A+B+D)(A+C+D)(B+C)
   Simplify by multiplication
   Simplify using idempotence: AA = A
   Simplify using dominance: ABC + BC = BC
   Get AB + AC + BC + BD + CD

Does this work in general? (2)
3. Derive the dual access (DA) scheme from the dual access function AB + AC + BC + BD + CD
   It is: { {A, B}, {A, C}, {B, C}, {B, D}, {C, D} }
4. Take the complement of the sets in the DA scheme
   It is: { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }
   This is the complemental dual access (CDA) scheme
The scheme was { {A, B, D}, {A, C, D}, {B, C} }: the sets in the scheme are the minimal allowed sets of persons
The CDA scheme is { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }: the sets in the CDA scheme are the maximal not-allowed sets

Interpretation of Duality
- Scheme { {A, B, D}, {A, C, D}, {B, C} }
- CDA scheme { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }
- {C, D} is not allowed; adding a single additional person removes this property (check this for A and for B!)
- This means: maximal not-allowed sets of persons

Does this work in general? (3)
5. Construct the cumulation matrix
   Rows: the persons
   Cols: the sets of the dual scheme (each equals a share)
   Entry: 1 if the row-person is part of the col-set

        S1  S2  S3  S4  S5   (shares)
        CD  BD  BC  AC  AB   (dual scheme)
   A     0   0   0   1   1
   B     0   1   1   0   1
   C     1   0   1   1   0
   D     1   1   0   0   0

Does this work in general? (4)
6. The solution is given by the following share distribution:
   A: S4, S5
   B: S2, S3, S5
   C: S1, S3, S4
   D: S1, S2
   where S1, S2, S3, S4, S5 are shares of a (5,5) scheme
Check: {A,B,D}, {A,C,D} and {B,C} allowed; {C,D}, {B,D}, {A,D}, {A,C} and {A,B} not allowed
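Added example (Python, not from the slides): the construction of steps 1 to 6 for an arbitrary access scheme. It derives the maximal not-allowed sets (the CDA scheme) by enumerating subsets instead of simplifying the dual Boolean function (same result), builds the share distribution of the cumulation matrix, and realizes the (m,m) part with the XOR splitting of the secret-splitting slide. Function names and the sample secret are my own.

```python
# Added example: general access schemes via maximal not-allowed sets and an
# (m, m) XOR split. Function names and the sample secret are constructed.
from itertools import combinations
import secrets

def _subsets(persons):
    for r in range(len(persons) + 1):
        yield from (frozenset(c) for c in combinations(persons, r))

def cda_scheme(persons, minimal_allowed):
    """Maximal sets containing no allowed set (the CDA scheme), one share each.
    Subset enumeration replaces the dual-function simplification of the slides;
    for 4 persons that is 16 subsets."""
    allowed = [frozenset(s) for s in minimal_allowed]
    not_allowed = [t for t in _subsets(persons)
                   if not any(a <= t for a in allowed)]
    maximal = [t for t in not_allowed if not any(t < u for u in not_allowed)]
    return sorted(maximal, key=lambda t: sorted(t))

def distribute(persons, minimal_allowed):
    """Cumulation matrix as a dict person -> share indices: share j goes to
    everyone who is NOT in the j-th maximal not-allowed set."""
    cda = cda_scheme(persons, minimal_allowed)
    holdings = {p: [j for j, t in enumerate(cda) if p not in t] for p in persons}
    return holdings, cda

def split_xor(secret, m):
    """(m, m) splitting: m-1 random shares, the last is secret XOR all others."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(m - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]

def recover(group, holdings, shares):
    """Return the secret if the group together holds all m shares, else None."""
    have = set().union(*(holdings[p] for p in group))
    if len(have) != len(shares):
        return None            # at least one maximal not-allowed set covers the group
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

if __name__ == "__main__":
    scheme = [{"A", "B", "D"}, {"A", "C", "D"}, {"B", "C"}]   # example from the slides
    holdings, cda = distribute("ABCD", scheme)
    print([sorted(t) for t in cda])   # the five maximal not-allowed sets
    print(holdings)                   # A: 2 shares, B: 3, C: 3, D: 2 as on the slide
    shares = split_xor(b"safe combination", len(cda))       # constructed secret
    assert recover("ABD", holdings, shares) == b"safe combination"
    assert recover("CD", holdings, shares) is None
```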

HOW TO SECURELY STORE A FILE?

Requirements
- Encryption: need key(s) to view
  Problem: a single crypto scheme may be broken (RSA if a quantum computer works)
  Problem: needs trusted hardware (compare: rootkit attack on TrueCrypt)
- Backup: no single point of failure / crash
- Management: no need to coordinate backup
- Deniable: I can deny using such a scheme

Solution: How to Securely Store a File?
- Initially: split a document into n shares
- Distribute: over disc, discs, network, cloud; can tolerate some insecurity in shares
- Reconstruct: need k shares out of n; need trusted hardware for reconstruction!
- Attack: less than k shares give 0 bit of the doc
- Backup: may lose n-k shares

Solution: How to Securely Store a File? (2)
Distributed security:
- Several trusted friends, not all compromised at the same time
- Several trusted discs, rotating them in a fixed scheme
- Kind of "advanced secure distributed RAID"

Example of a Rotation Scheme
- Have 5 discs and use a (2,3) threshold scheme
- 1 site: always has 3 discs
- 2 off-site stores: always have 1 disc each
- Daily rotation
  Site: has the files (2 out of 3), refreshes the third upon swap-in
  Off-site: destroy one of the 3 places, still secure
- Need 2 rotations after a write to reach this situation

Option: Add 2 Symmetric Keys as One-Time Pads
- Use a Micro SD card with 8 GB of random garbage: enough to protect against a brute force attack
- Blow up to 32 TB of pseudorandom garbage using AES: enough to protect a digital lifetime
- Use 2 types of them as a cryptographic ignition key
- Remove 1 to be secure
- Keep backups (they contain only random garbage)

The Problem of Deniability (1)
- Problem 1: Explain why you use encryption! Explain why you have a file with random data!
- Problem 2: Be tortured until you decrypt!
- Solution 1: Steganography: nobody sees you using encryption
- Solution 2: Recoding pad: I just stored mild_secret; nobody knows that in reality I store big_secret = mild_secret + recoding_pad
  Problem: how to deny use of recoding_pad
  Solution: hide recoding_pad (noise) in an error-coded doc

The Problem of Deniability (2)
- Solution 3: Multiple layers of encryption
  Issue: is there still another layer?
  Twist: Alice: "Until now, Mallory does not know that I use several layers of encryption. If she finds out, torture will not end, for yet the next layer. I cannot prove the number of encryption layers. So it is easier not to tell her in the beginning."
- Solution 4: Deniable encryption
  dec(k1, cipher) = harmless_plaintext
  dec(k2, cipher) = harmful_plaintext
  Obvious: works with a one-time pad
  Less obvious: there are also asymmetric, short-key algorithms!

http://www.thinkgeek.com/gadgets/security/b308/ https://tahoe-lafs.org/

WHAT ABOUT THE TRUSTED HARDWARE?

iPhone is a completely insecure spy device

Blackberry gives away the decryption keys

Android claims to be Open Source but only within certain limits (backdoors, app kill switch)

No-name systems have flaws that are not known

Only trusted solution is completely open system

HOW NOT TO SEND EMAIL

(Diagram: Alice -> Provider 1 -> Provider 2 -> Bob. The mailbox at the mail provider or mail server is the "trusted" mail system; Provider 1 decrypts and Provider 2 encrypts on the way.)

HOW TO SEND EMAIL USING SECRET SHARING

Results
- Mail never gets stored at a single node
- End-to-end encryption ensures privacy even when all share holders collude
- No (easy) way of tracking who communicates with whom

How to collect your email
- Searching in small-world networks
- Collisions in random walks on structured graphs
- TOR hidden service location mechanism
- Using distributed hash tables and P2P search mechanisms
- Others

Example of prefix routing (node IDs written as 6 bits, * = any bit):
- Node 010 011 wants to find node 101 111: 0-bit prefix match
  010 011 knows a node 1** *** in its routing table; let us say this is node 100 001
- Node 100 001 wants to find 101 111: 1-bit prefix match, even a 2-bit prefix match (10*)
  100 001 knows a node 101 *** in its routing table; let us say this is 101 000
- Node 101 000 wants to find 101 111: 3-bit prefix match
  101 000 knows a node 101 1** in its routing table