ICDCS‘08 WebIBC

ICDCS 2008Network and Information Security Lab, Peking UniversityJun. 19, 2008

WebIBCIdentity Based Cryptography for Client Side

Security in Web Applications

Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen, Zhong Chen, and Xianghao Nan


Once upon a time ...











Strong Cryptography


Now


Now


Now


Now


Now


Now


Now


Now


Web App Security & Privacy?

• User authentication

• SSL/TLS link encryption





What if servers do evil ?






No Security!






No Security!

No Privacy!






No Security!

No Privacy!


Operating System

Web Browser

HTML &JavaScript

WebApp


Operating System

Web Browser

HTML &JavaScript

WebApp

EFS, PGP


Operating System

Web Browser

HTML &JavaScript

WebApp

EFS, PGP

Browser Plug-in


Operating System

Web Browser

HTML &JavaScript

WebApp

EFS, PGP

Browser Plug-in

Here we are


Challenges

• Private key: JavaScript can not read keys in local file system.

• Public key: acquire other’s public key or certificate is not easy for JavaScript programs in Web browser.

Private Key? Public Key?


Limited Browser Capability

• HTML, CSS

• JavaScript

• AJAX



• HTML, CSS

• JavaScript

• AJAX

Browser Plug-ins?



• HTML, CSS

• JavaScript

• AJAX

Browser Plug-ins?

No!


Our Goal

Strengthen Web Browser Security and PrivacyWithout Changing the Browser.


Target

• Our solution: bring public key cryptography to Web browsers, include public key encryption and signature generation.

• All the cryptography operations and key usage are inside the browser and implemented in JavaScript and HTML only, require no plug-ins and provide “open source” guarantee.


The first Challenge

Public Key:


The first Challenge

Public Key:

Identity-Based Cryptography


PKG (Private Key Generator)



Setup: generate master secret and public params



Public Params




Public Params




Public Params

[email protected]


mailto:[email protected]




Public Params

[email protected]






Public Params

[email protected]






Public Params

[email protected]






Public Params

[email protected]






Public Params

[email protected]


Decrypt




Timeline

2001

20041986


Timeline

2001

2004

Identity BasedCryptography,the first idea

Shamir

1986


Timeline

2001

First PracticalIBE scheme

from Weil Pairing

Boneh, Franklin

2004


Shamir

1986


Timeline

2001


from Weil Pairing

Boneh, Franklin

CocksIBE,

not bandwidth efficient

2004


Shamir

1986


Timeline

2001


from Weil Pairing

Boneh, Franklin

CocksIBE,

not bandwidth efficient

CPKkey

management, IBE, IBS

Nan, Chen

2004


Shamir

1986


CPK Cryptosystem

CPK (Combined Public Key)

Based on generalized Discrete Log Group


Elliptic Curve Cryptography

y2 = x3 + ax + b (mod p)

G is a point on elliptic curve, n is the order of cyclic group <G>Private key d is random selected integer in [1, n-1]Corresponding public key Q = dG.



y2 = x3 + ax + b (mod p)


(d1, Q1 = d1G), (d2, Q2 = d2G)



y2 = x3 + ax + b (mod p)


(d1, Q1 = d1G), (d2, Q2 = d2G)

d = d1 + d2



y2 = x3 + ax + b (mod p)


(d1, Q1 = d1G), (d2, Q2 = d2G)

d = d1 + d2

Q = Q1 + Q2 = d1G + d2G = (d1+d2)G



y2 = x3 + ax + b (mod p)


(d1, Q1 = d1G), (d2, Q2 = d2G)

d = d1 + d2

Q = Q1 + Q2 = d1G + d2G = (d1+d2)G(d,Q)


Private Matrix Generation

The trusted authority PKG (Private Key Generator) generates a m×n matrix in which elements are randomly generated ECC private keys (integers in [1, n-1]). The private matrix should be kept secretly in PKG.

RNG

In PKG


Private Matrix Generation

The trusted authority PKG (Private Key Generator) generates a m×n matrix in which elements are randomly generated ECC private keys (integers in [1, n-1]). The private matrix should be kept secretly in PKG.

RNGsij !R [1, n" 1]

!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

Rand integers

In PKG


Public Matrix GenerationIn PKG


Public Matrix Generation

!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

In PKG



!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

In PKG



!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

In PKG



!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

In PKG



!

"""#

s11G s12G · · · s1nGs21G s22G · · · s2nG

......

. . ....

sm1G sm2G · · · smnG

$

%%%&

public matrix!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

In PKG



!

"""#

s11G s12G · · · s1nGs21G s22G · · · s2nG

......

. . ....


$

%%%&

public matrix!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

key pair

In PKG



!

"""#

s11G s12G · · · s1nGs21G s22G · · · s2nG

......

. . ....


$

%%%&

public matrix!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

private matrix

key pair

Public Matrix is generated by PKG from the Private Matrix, elements in Public Matrix is the public key of corresponding private key in Private Matrix. The public matrix is publicly available for all users.

In PKG


Map Algorithm

!h1, h2, . . . , hn" # H(ID)

Map algorithm H(ID) is a cryptographic hash algorithm, maps an arbitrary string ID to column indexes of private matrix and public matrix.

hi is the index of i-th column of public/private matrix.


Private Key Extraction

Input user’s identity ID

Map identity to indexes of matrix

Select one element through each column of the private matrix by the index

Add selected private keys,the result is user’s private key corresponding to his identity ID.

!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&

dID =n!1!

i=0

shi,i (mod p)

!h1, h2, . . . , hn" # H(ID)

IDIn PKG


Public Key Extraction

!

"""#

s11G s12G · · · s1nGs21G s22G · · · s2nG

......

. . ....


$

%%%&

QID =n!1!

i=0

shiiG

!h1, h2, . . . , hn" # H(ID)

ID

Input user’s identity ID

Map identity to indexes of matrix

Select one element through each column of the Public matrix by the index

Add (elliptic curve point add) selected private keys, the result is user’s public key corresponding to his identity ID.

In User


Identity Based Signature

CPK-Sign (Message, PrivateKey) {ECDSA-Sign (Message, PrivateKey) -> Signature}

CPK-Verify (Message, PublicMatrix, SignerID, Signature) {CPK-ExtractPublicKey(PublicMatrix, SignerID) -> PublicKeyECDSA-Verify(Message, Signature, PublicKey);}

ECDSA: Elliptic Curve Digital Signature Algorithm


Big Picture

!h1, h2, . . . , hn" # H(ID)

!

"""#

s11G s12G · · · s1nGs21G s22G · · · s2nG

......

. . ....


$

%%%&QID =

n!1!

i=0

shiiG

!

"""#

s11 s12 · · · s1n

s21 s22 · · · s2n...

.... . .

...sm1 sm2 · · · smn

$

%%%&dID =

n!1!

i=0

shi,i (mod p)H(ID)

H(ID)


The second Challenge: Private Key

• The private key can be access by the javascript program

• The private key should never leave the browser


URI Fragment Identifier

http://www.domain.com/#skey=72bc845b9592b79...

fragment identifier starts from a # (number sign)

fragment identifier

http://www.domain.com/hello.html#





Fragment Identifier


Fragment Identifier

<div id="menu"> <a href="#section1">section 1</a> <a href="#section2">section 2</a> <a href="#section3">section 3</a> <a href="#ref">reference</a> </div>

<h1>Section1</h1><a name=”#section1” id=”section1”>


Fragment Identifier as Key Store

• Utilize fragment identifier in bookmark URL as the private key storage. The fragment identifier in URL will never be transfered through the Internet.


Retrieve Private Key From URL

<script type=”text/javascript>var URL = window.location;var fragid_start = URL.substring(URL.indexOf(‘#’));




Workflow

Browser

PKG

WebApp

! ID

" skey

# m

pk.js

$ URL

% setup

& save

' message

( webibc.js, mpk.js

) do

* forward

Secure Channel

Public Channel


WebApp

Browser

PKG


❶ setup

WebApp

Browser

PKG

ICDCS 2008Network and Information Security Lab, Peking UniversityJun. 19, 2008❷

mp

k.js

❶ setup

WebApp

Browser

PKG


❸ ID

❷ m

pk.

js

❶ setup

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❶ setup

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❶ setup

❺ save

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❻ URL

❶ setup

❺ save

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❻ URL

❶ setup

❺ save

❼ webibc.js, mpk.js

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❻ URL

❶ setup

❺ save

❽ do❼ webibc.js, mpk.js

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❻ URL

❶ setup

❺ save

❾ message

❽ do❼ webibc.js, mpk.js

WebApp

Browser

PKG


❸ ID

❹ skey

❷ m

pk.

js

❻ URL

❶ setup

❺ save

❾ message

❽ do

❿ forward

❼ webibc.js, mpk.js

WebApp

Browser

PKG


Workflow

1. The authority trusted by Alice and Bob establishes a PKG, which will generate the system parameters including the public matrix.

2. Web application embeds WebIBC into these systems together with the public system parameters released by the PKG.

3. Alice registers to the PKG with her ID.

4. PKG returns Alice’s private key.


Workflow

5. Alice can append the private key as an fragment identifier to the Web application’s URL, then save it as a bookmark into the browser.

6. Now Alice can use this bookmark to log into the web application. It should be noted that the browser will send the URL without the fragment identifier, so the private key is secure.


Workflow

7. The WebIBC JavaScript files will also be downloaded from the server, including the public matrix of system.

8. Alice uses this web application as normal, entering Bob’s email address and message content into the form. When Alice presses the send button, WebIBC JavaScript programs will get the email address from the form as public key and get private key from URL, encrypt and sign the message.


Workflow

9. Then message will be sent to the server.

10. Because the message has been protected, the Web application can do no evil to the message but only forward it to Bob. Bob can also login into his web application and decrypt the message by his private key in the fragment identifier and verify the message through the public matrix, similar to Alice.


Performance0.5KB 2KB 10KB

Safari

Firefox

IE

Opera

1383.7 1,492 2,071

1,523 1,661 2,401

1,459 1,698 2,791

2,110 2,349 3,628

0

1000

2000

3000

4000

Safari Firefox IE Opera

0.5 KB2 KB10 KB

ms

ms

ms

ms


Future Work

• Web based PRNG

• Other Identity based cryptography

• Local storage in HTML5


Thank you!


Questions?

ICDCS‘08 WebIBC

Technology

information security

peking university icdcs

web browser security

peking universityicdcs

web app security privacy

public key encryption

public key cryptography

web browsers