Introduction to Cybersecurity Digital Signatures

Introduction to Cybersecurity Digital Signatures · Digital Signatures •Basic Definitions ... - NSA’s Prism Program ... - High Traffic-Analysis Resistance

Apr 18, 2018


lamkhanh
Transcript
Page 1: Introduction to Cybersecurity Digital Signatures · Digital Signatures •Basic Definitions ... - NSA’s Prism Program  ... - High Traffic-Analysis Resistance

Introduction to Cybersecurity: Digital Signatures

Lecture Summary

Digital Signatures

• Basic Definitions

• RSA-based Signatures

• Attacks

Foundations of Cybersecurity 2016 1


Digital signatures

Goal of digital signatures:

- Only the secret key allows for creating signatures
- Everybody can verify the validity of signatures using the respective public key
- Signatures serve as undisputable evidence that the respective person signed the message

[Figure: Alice signs the plaintext with her private key (Sign); Bob checks the plaintext with signature against Alice’s public key (Verify) and obtains the plaintext.]

Definition of digital signatures

The message space $\mathcal{M}_{pk}$ for a public key $pk$ is the set of all $m$ such that $S(sk, m)$ does not output a distinguished error symbol $\downarrow$ for all $sk$ with $(pk, sk) \leftarrow [K]$.

Definition: Digital Signatures

A digital signature scheme is a triple of algorithms (𝐾, 𝑆, 𝑉) such that:

The randomized key generation algorithm 𝐾 takes no input and returns a key (𝑝𝑘, 𝑠𝑘).

The (randomized or stateful) signing algorithm 𝑆 takes a secret key 𝑠𝑘 and a message 𝑚 and returns a tag 𝑡.

The deterministic verification algorithm $V$ takes a public key $pk$, a message $m$ and a tag $t$ and returns a bit $b \in \{0,1\}$.

Correctness:

The above algorithms have to satisfy the following property: For any key pair $(pk, sk) \in [K]$, any message $m \in \mathcal{M}_{pk}$, and any tag $t \in [S(sk, m)]$, we have that $V(pk, m, t) = 1$.

Definition of Digital Signatures

Technical difference to public-key encryption: Signature schemes often maintain state

Differences to MACs and consequences:

- Key transmission has to be authentic but not necessarily secret
- Non-repudiation! (Can use signatures as evidence at a third party)

CMA Game (for digital signatures)

Experiment $\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n}$ between Challenger(n) and Adversary(n):

1. Challenger: $(pk, sk) \leftarrow K$; sends $pk$ to the adversary.
2. Adversary sends messages $m_i \in \mathcal{M}_{pk}$; the challenger answers each with $t_i \leftarrow S(sk, m_i)$.
3. Adversary outputs $(m^*, t^*)$.
4. Output 1 if $V(pk, m^*, t^*) = 1$ and $(m^*, t^*) \notin \{(m_1, t_1), \dots, (m_q, t_q)\}$.

Definition: CMA-Security of digital signatures

A sequence of signature schemes $I = (I_n)_{n \in \mathbb{N}} = (K_n, S_n, V_n)_{n \in \mathbb{N}}$ is secure against existential forgery under chosen-message attack (CMA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$, we have that $\Pr[\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n} = 1]$ is negligible.

Naïve RSA-based signatures

Key Generation as for RSA encryption for primes $p, q$:

- Set $N := pq$
- Pick random $e$, with $1 \le e \le \phi(N)$ and $\gcd(e, \phi(N)) = 1$
- Set $d \equiv e^{-1} \bmod \phi(N)$
- Set $pk := (N, e)$ (can be publicly known)
- Set $sk := d$
- Output $(pk, sk)$

Naïve RSA-based signatures

Naïve use:

Signing $S(sk, m)$

- Set $t := m^d \bmod N$
- Output $t$

Verifying $V(pk, m, t)$

- Test if $t^e \equiv m \bmod N$
- Output $b \in \{0,1\}$

Correctness: $t^e \equiv m^{ed} \equiv m \bmod N$

Attacks on Naïve RSA-based Signatures

Existential forgery under passive attacks:

- Given $(N, e)$, adversary has to find $(m, t)$ such that $t^e \equiv m \bmod N$
- Idea: Pick arbitrary $t$, and output $(t^e, t)$
- Forgery on the message $t^e \bmod N$.

Attacks on Naïve RSA-based Signatures

Selective forgery under active attacks, blinding attack:

- Adversary wants signature on $m$
- Pick random $r \in \mathbb{Z}_N^*$ and compute $m^* \equiv m \cdot r^e \bmod N$
- Ask signer to sign $m^*$. Result: $(m^*, t^*)$ where $(t^*)^e \equiv m^* \bmod N$
- Compute $t \equiv \frac{t^*}{r} \bmod N$

Indeed we have

$t^e \equiv \frac{(t^*)^e}{r^e} \equiv \frac{m^*}{r^e} \equiv \frac{m \cdot r^e}{r^e} \equiv m \bmod N$

Originally attack against RSA signature schemes

Now special primitive (blind signature), used in anonymous digital cash, election systems, etc.

Attacks on Naïve RSA-based Signatures

Countermeasures:

1. Add redundancy to the message

2. Hash message before signing

- Hash-then-sign general concept, often even introduced as “the only way to sign” in books
- Advantage: Allows for signing arbitrarily long messages
- Required properties for hash to make the system secure?
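The two forgeries and the hash-then-sign countermeasure from the preceding slides, run end to end as an added example (not part of the original lecture). The toy primes, the SHA-256-based hash `H` into $\mathbb{Z}_N$ and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key; real RSA moduli are 2048 bits or more.
P, Q = 1000003, 1000033          # primes p, q
N = P * Q                        # N := pq
PHI = (P - 1) * (Q - 1)          # phi(N)
E = 65537                        # gcd(e, phi(N)) = 1
D = pow(E, -1, PHI)              # d = e^-1 mod phi(N)


def H(m: int) -> int:
    """Hash a message into Z_N (toy stand-in built from SHA-256)."""
    digest = hashlib.sha256(m.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N


def sign_naive(m: int) -> int:
    return pow(m, D, N)                       # t := m^d mod N


def verify_naive(m: int, t: int) -> bool:
    return pow(t, E, N) == m % N              # t^e = m mod N ?


def sign_hashed(m: int) -> int:
    return pow(H(m), D, N)                    # t := H(m)^d mod N


def verify_hashed(m: int, t: int) -> bool:
    return pow(t, E, N) == H(m)               # t^e = H(m) mod N ?


def existential_forgery(t: int):
    """Pick arbitrary t and output (t^e mod N, t). Needs the public key only."""
    return pow(t, E, N), t


def blinding(m: int, r: int, signing_oracle):
    """Have m* = m * r^e signed, then divide the result by r."""
    m_star = (m * pow(r, E, N)) % N
    t_star = signing_oracle(m_star)
    t = (t_star * pow(r, -1, N)) % N          # t = t*/r mod N
    return m_star, t


def run_demo() -> dict:
    m = 424242
    forged_m, forged_t = existential_forgery(123456789)
    m_star, blind_t = blinding(m, 987654321, sign_naive)
    _, blind_t_hashed = blinding(m, 987654321, sign_hashed)
    return {
        "honest_naive": verify_naive(m, sign_naive(m)),
        "honest_hashed": verify_hashed(m, sign_hashed(m)),
        # Naive scheme: both forgeries verify.
        "forgery_naive": verify_naive(forged_m, forged_t),
        "blinding_naive": verify_naive(m, blind_t) and m_star != m,
        # Hash-then-sign: H destroys the multiplicative structure, both fail.
        "forgery_hashed": verify_hashed(forged_m, forged_t),
        "blinding_hashed": verify_hashed(m, blind_t_hashed),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:16s} accepted={accepted}")
```

Under hash-then-sign the existential forgery would need a message with $H(m) = t^e \bmod N$, which is where the hash's required properties come in.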

Introduction to Cybersecurity: Anonymity and Privacy

Lecture Summary

Introduction to Privacy

• Motivation

• Example: Browser Cookies

• Basic Principles of Data Protection

Network Anonymity

• Dining Cryptographers

• Mix-Networks

Low Latency Anonymous Communication

• VPNs, Onion Routing and Tor

• Tor Vulnerabilities


Motivation – What is privacy?

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.

When something is private to a person, it usually means that something is inherently special or sensitive to them.

The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as protection of information.

Wikipedia (2014)


Motivation – Privacy in the internet

Alice shares her opinion in an Online Social Network.

As a consequence, her employer, who dislikes that opinion, fires Alice.

[Figure: Alice posts “I like cats, but I hate dogs.” Her employer: “Alice insults my dog! Time to get rid of her…”]

Examples of Privacy Breaches

Online Advertisement – Cookie Tracking

What is a cookie?


Refresher: What is a Cookie?

HTTP Request (browser to www.example.com):

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

HTTP Response (www.example.com to browser):

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Refresher: What is a Cookie?

HTTP Request (browser to www.example.com):

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats
Cookie: …

Cookie: Always sent back to this server (during time to live).

Examples of Privacy Breaches

Online Advertisement – Cookie Tracking

[Figure: pages on www.economist.com, www.sportsnews.com and www.pcworld.com embed ads from ad.doubleclick.net. Each page load causes an HTTP request for ad images, passing cookies + referrer to doubleclick.net, which learns “Bob just visited pcworld.com” and “Bob just visited economist.com”.]

Tradeoff Utility-Privacy

The doctor needs private information about you in order to make a qualified diagnosis.

If you hide relevant – but private – information, this may lead to a false diagnosis.

[Figure: Patient: “My symptoms include fever and headache.” Doctor: “Maybe you have the flu.”]

[Figure: Patient: “Last week, I was in a tropical region and now I suffer from fever and headache.” Doctor: “To be sure, we need to test you for Malaria.”]

Differences to other Security goals

A large part of privacy is about what other parties actually do with your data.

Even if you are sure that only your doctor knows about your private data, what does he do with this information?

Does he use your data only for the intended purpose without further distributing it to other parties?

Basic Principles of Data Protection Law in Germany

Prohibition of conditional permission:

Collecting personal data is forbidden, unless

- explicitly permitted by the law

- or the person concerned gave explicit consent.

Principle of immediacy:

The personal data have to be collected directly from the person concerned.

Principle of data avoidance and data economy.

Data processing systems should strive to use no (or as little as possible) personally identifiable data.

Basic Principles of Data Protection Law in Germany

Principle of Transparency:

A person whose data are collected has to be informed about the purposes of collection, processing and use.

Principle of Earmarking (purpose bound):

If data can be collected for a particular purpose, processing it is strictly bound to this purpose.


Anonymity

It is a state of being not identifiable within a set of subjects/individuals

The Internet is designed to be a public place

- Routing information is public

- IP packet headers identify source and destination

Even a passive observer can easily figure out who is talking to whom

Encryption does not and cannot hide identities

- Encryption hides payload, but not routing information


Anonymity in the Digital Era

Positive aspects

- Avoiding detection, retribution, and embarrassment

- Freedom of expression

- Whistle-blowing...

Negative aspects (Illegal activity)

- Anonymous bribery

- Copyright infringement

- Harassment and financial scams

- Disclosure of trade secrets...


Anonymity vs. Privacy

Privacy

- Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others

Anonymity

- The state of being not identifiable within a set of subjects/individuals

- It is a property exclusively of individuals

Privacy != Anonymity

- Anonymity is a way to maintain privacy, and sometimes it is not necessary


Anonymity vs. Privacy

Privacy preserving protocols are not pervasively used

- Reasons: Efficiency, Overhead, Law, Surveillance

The Internet has become a mass surveillance system

- NSA’s Prism Program http://prism-break.org/

[Figure: Global heat map of the Prism program (Credit: The Guardian)]

Anonymous Communication – A simple Example

Three cryptographers are having dinner. Either

- NSA is paying for the dinner, or
- one of them is paying, but wishes to remain anonymous.

1. Each diner flips a coin and shows it to his left neighbor.
   - Every diner will see two coins: his own and his right neighbor’s
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. Odd number of “same” ⇒ NSA is paying; even number of “same” ⇒ one of them is paying
   - But a non-payer cannot tell which of the other two is paying!

Dining Cryptographers

- Share secret coin with left diner
- Can you infer who pays?

[Figure: three diners at a table; announcements shown: “different”, “different”]

NSA pays

Dining Cryptographers

- Share secret coin with left diner
- Can you infer who pays?

[Figure: three diners at a table; announcements shown: “same”, “different”; each of the other two diners is marked as a possible payer]

Without knowing the coin toss between the other two, a non-payer cannot tell which of them is lying
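The three-diner protocol above checked exhaustively, as an added example that is not part of the original slides. It confirms the parity rule for all eight coin tosses and shows that a non-payer's view is distributed identically whichever of the other two pays; the ring indexing (diner i sees coin i and coin i+1) and all function names are assumptions.

```python
from collections import Counter
from itertools import product

N = 3  # three diners in a ring; diner i sees coin i and coin (i + 1) % N


def announcements(coins, payer=None):
    """Step 2: each diner says "same" or "different"; the payer says the opposite."""
    result = []
    for i in range(N):
        same = coins[i] == coins[(i + 1) % N]   # own coin vs right neighbour's
        if i == payer:
            same = not same                      # the payer lies
        result.append("same" if same else "different")
    return tuple(result)


def decide(said):
    """Step 3: an odd number of "same" means NSA is paying."""
    return "NSA" if said.count("same") % 2 == 1 else "one of them"


def view(observer, coins, payer):
    """Everything `observer` learns: the two coins he sees and all announcements."""
    return (coins[observer], coins[(observer + 1) % N], announcements(coins, payer))


def view_distribution(observer, payer):
    """How often each view occurs over all 8 equally likely coin tosses."""
    return Counter(view(observer, coins, payer)
                   for coins in product((0, 1), repeat=N))


def rule_is_correct():
    tosses = list(product((0, 1), repeat=N))
    return (all(decide(announcements(c)) == "NSA" for c in tosses)
            and all(decide(announcements(c, p)) == "one of them"
                    for c in tosses for p in range(N)))


if __name__ == "__main__":
    print("decision rule holds for every coin toss:", rule_is_correct())
    # Diner 0 is a non-payer. His view has the same distribution whether
    # diner 1 or diner 2 pays, so it carries no information about the payer.
    print("diner 0 cannot distinguish payers 1 and 2:",
          view_distribution(0, 1) == view_distribution(0, 2))
```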

Anonymous Network Communication


Entities (subjects and objects) and Actions

Subjects execute actions on objects

Subjects called senders send objects called messages to subjects called recipients using a communication network

[Figure: Senders send Messages through the Communication Network to Recipients]

Network Adversary


The attacker uses all information available to him to infer (probabilities of) his items of interest (IOIs)

Attacker capabilities

- He controls some communication lines and a few subjects

- He is not able to get information on the sender or recipient from the message content

[Figure: Senders, Messages, Communication Network and Recipients, with the Attacker]

Anonymity Notions

Various notions of anonymity:

- Subject Anonymity
  • Sender Anonymity
  • Recipient Anonymity
- Relationship Anonymity
- Unlinkability

Anonymous Communication (AC) Protocols

Various AC protocols with different goals:

- Low Latency Overhead

- Low Communication Overhead

- High Traffic-Analysis Resistance

Typically categorized by latency overhead:

- low-latency AC protocols, e.g. Tor, DC Nets, Crowds
- high-latency AC protocols, e.g. Mix networks

[Figure: trade-off triangle between Latency, Traffic-Analysis Resistance and Communication Complexity]

Anonymous Email

“Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms” (Chaum, 1981)

Proposes solution to the cryptographic traffic analysis problem: “keeping confidential who converses with whom, and when they converse”

Idea: Use Public-Key Crypto and special communication network

Shuffle all messages before forwarding to recipients!

[Figure: Senders → “Shuffler” → Recipients]

Mix-Server: Basics

$N$ senders $S_1, \dots, S_N$ with messages $m_1, \dots, m_N$

Senders want to publish messages anonymously

Mix server (MS):

1. publish public key $pk$
2. collect $N$ messages: senders $S_1, S_2, \dots, S_N$ submit $E_{pk}(m_1), E_{pk}(m_2), \dots, E_{pk}(m_N)$
3. decrypt and output messages as permutation: $m_{\pi(1)}, m_{\pi(2)}, \dots, m_{\pi(N)}$

Definition: Mix Network

But: What if mix server is compromised?

Mix Network: A group of mix servers that operate sequentially

- distribute trust to protect against compromised mix servers

[Figure: Inputs → Server 1 → Server 2 → Server 3 → Outputs]

Mix Networks - Requirements

Correctness: Output is a permutation of the inputs.

Privacy: If at least one Mix-Server conceals his mixing, the senders cannot be linked to their respective output.

Public Verifiability: Honesty of Mix-Servers can be verified publicly

Soundness: Public verification guarantees correctness.

Robustness: Mix Network still works correctly under restricted failure conditions

Mix Networks – De-cryption Networks (Chaum Mixes)

Use layered encryption that is decrypted layer by layer

Requirements:

- Correctness
- Privacy
- Robustness
- Public Verifiability
- Soundness

[Figure: inputs $m_1, m_2, \dots, m_N$ pass through Server 1, Server 2 and Server 3. Each server decrypts one layer and shuffles, giving $m_{\pi_1(i)}$ after Server 1, $m_{\pi_2(\pi_1(i))}$ after Server 2 and $m_{\pi_3(\pi_2(\pi_1(i)))}$ after Server 3.]

Question: Are all mix network requirements fulfilled?

Not Robust!

Mix Networks – Re-encryption networks

ElGamal allows for Re-encryption of ciphertexts!

Threshold Decryption that only relies on a fraction of the mix servers to work correctly

[Figure: inputs $m_1, m_2, \dots, m_N$ pass through Server 1, Server 2 and Server 3. Each server re-encrypts and shuffles, giving $m_{\pi_1(i)}$ after Server 1, $m_{\pi_2(\pi_1(i))}$ after Server 2 and $m_{\pi_3(\pi_2(\pi_1(i)))}$ after Server 3.]
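A re-encryption mix network with three servers, as an added example that is not part of the original slides. It uses ElGamal over a constructed toy group (p = 2039); the function names are assumptions, and a single decryption key stands in for the threshold decryption the slide mentions.

```python
import secrets

# Constructed toy group: safe prime p = 2q + 1; g = 4 generates the subgroup
# of prime order q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                    # (public key h = g^x, secret key x)


def encrypt(h, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P          # (g^r, m * h^r)


def reencrypt(h, ct):
    """Multiply in a fresh encryption of 1: new randomness, same plaintext.
    Only the public key is needed, so a mix server never sees any message."""
    a, b = ct
    s = secrets.randbelow(Q - 1) + 1
    return (a * pow(G, s, P)) % P, (b * pow(h, s, P)) % P


def decrypt(x, ct):
    a, b = ct
    return (b * pow(a, -x, P)) % P            # m = b / a^x


def mix_server(h, batch):
    """Re-encrypt every ciphertext, then output the batch in a secret random order."""
    out = [reencrypt(h, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out


def run_mixnet(messages, n_servers=3):
    """Return the ciphertext batch after every stage and the decrypted outputs."""
    h, x = keygen()       # assumption: one key holder instead of threshold shares
    batch = [encrypt(h, m) for m in messages]
    stages = [batch]
    for _ in range(n_servers):
        batch = mix_server(h, batch)
        stages.append(batch)
    return stages, [decrypt(x, ct) for ct in batch]


if __name__ == "__main__":
    inputs = [4, 9, 16, 25, 36]               # constructed messages (group elements)
    stages, outputs = run_mixnet(inputs)
    for i, stage in enumerate(stages):
        print(f"stage {i}: {stage}")
    # Correctness requirement: the output is a permutation of the inputs.
    print("outputs:", outputs, "permutation:", sorted(outputs) == sorted(inputs))
```

No ciphertext survives a stage unchanged, so an observer cannot match a server's outputs to its inputs by comparing bit strings.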


High vs. Low Latency

Mix servers need to wait for at least 𝑁 messages

Incur high latency overhead in real network communication

Low Latency AC Protocols

Aim: To keep latency/delay due to the AC protocol small such that its existence/usage is transparent to the user

Useful for applications such as

- web browsing

- instant messaging, tele-conferencing

- web services such as internet banking


VPNs (e.g. anonymizer.com)

Idea: use intermediate server to serve as proxy for user’s actions -> Proxy Server

Problem:

- Requires trust in proxy server

Question: What happens if proxy is compromised?

[Figure: Sender → Proxies → Recipient]

Towards Onion Routing

Similar to mix networks, distribute trust across various servers

Problem:

- Single compromised proxy sufficient to break anonymity!

Question: What happens if a proxy is compromised?

[Figure: Sender → Proxies → Recipient]

Onion Routing – Circuit Construction

Establish symmetric keys between the sender and proxy nodes such that

- only the sender and a proxy node know the key, and

- a proxy node does not know entities other than its neighbors on the path (or circuit)

[Figure: Sender → Onion Routers → Recipient]

Onion Routing – Onion Transfer

The sender creates a layered encryption of the message (onion) and sends it to the first node in her circuit

Each proxy decrypts one layer of the onion and forwards to next proxy

[Figure: the onion for message m travels from the Sender through Onion Routers 1, 2 and 3 to the Recipient, losing one layer at each router]

Intermezzo: Diffie-Hellman key exchange

Publicly known: p large prime number, g generator for group of order p

- Alice (knows $g, p$) picks $x \leftarrow_R G$ and sends $g^x \bmod p$ to Bob
- Bob (knows $g, p$) picks $y \leftarrow_R G$ and sends $g^y \bmod p$ to Alice
- Both compute the shared secret $g^{xy} \bmod p$

Computational Diffie-Hellman Assumption: Given the triple $(g, g^a, g^b)$, it is computationally infeasible to determine the value of $g^{ab}$.

Second Generation Onion Routing

Idea: use telescope construction together with Diffie-Hellman key exchange to generate ephemeral, symmetric session keys!

[Figure: Sender → Onion Routers 1, 2, 3 → Recipient]

Second Generation Onion Routing

Example: 2 hop circuit construction to surf a webpage

[Figure: message sequence with two phases, Key Exchange and Browsing Webpage]
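Circuit construction by telescoping Diffie-Hellman exchanges, followed by onion transfer, as an added example that is not part of the original slides. The toy group (2**127 - 1, base 3), the SHA-256 keystream standing in for a real cipher, the three-router circuit and all names are assumptions.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman parameters (assumption): the Mersenne prime
# 2**127 - 1 and base 3. Real systems use vetted groups or elliptic curves.
P = 2**127 - 1
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)                       # (secret x, public g^x mod p)


def session_key(own_secret, peer_public):
    shared = pow(peer_public, own_secret, P)     # g^(xy) mod p
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def layer(key, seq, data):
    """Toy stream cipher standing in for a real one: XOR with a SHA-256
    keystream. `seq` is the cell number, so no keystream is used twice.
    Applying the same layer again removes it."""
    stream = b"".join(
        hashlib.sha256(key + seq.to_bytes(4, "big") + n.to_bytes(4, "big")).digest()
        for n in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))


def wrap(keys, seq, payload):
    """Sender side: innermost layer for the last hop, outermost for the first."""
    for key in reversed(keys):
        payload = layer(key, seq, payload)
    return payload


class OnionRouter:
    def __init__(self):
        self.key = None

    def handshake(self, sender_public):
        y, gy = dh_keypair()                     # ephemeral: fresh per circuit
        self.key = session_key(y, sender_public)
        return gy

    def peel(self, seq, cell):
        return layer(self.key, seq, cell)


def build_circuit(routers):
    """Telescoping: extend the circuit one hop at a time. The sender's g^x for
    hop i travels through hops 0..i-1 as an onion. The reply g^y is handed back
    directly (return path not modelled) and the exchange is unauthenticated,
    as on the slide."""
    keys = []
    for i, router in enumerate(routers):
        x, gx = dh_keypair()
        cell = wrap(keys, i, gx.to_bytes(16, "big"))
        for hop in routers[:i]:
            cell = hop.peel(i, cell)
        gy = router.handshake(int.from_bytes(cell, "big"))
        keys.append(session_key(x, gy))
    return keys


def send(routers, keys, message, seq):
    """Return the cell as seen on each link: sender->1, 1->2, ..., last->recipient."""
    cell = wrap(keys, seq, message)
    on_wire = [cell]
    for hop in routers:
        cell = hop.peel(seq, cell)
        on_wire.append(cell)
    return on_wire


if __name__ == "__main__":
    routers = [OnionRouter() for _ in range(3)]
    keys = build_circuit(routers)
    for link, cell in enumerate(send(routers, keys, b"GET /index.html", seq=3)):
        print(link, cell)
```

The cell has the same length but different bytes on every link, and only the last router's output is the plaintext request.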

Tor

Tor (https://www.torproject.org)

- Intended to provide anonymity over the Internet

- Running since October 2003

- Implements 2nd Generation OR

Tremendously successful!

- > 2,000,000 users all over the world

- > 7000 OR (volunteer) nodes/proxies/routers

The second most employed privacy enhancing technology after the TLS protocol

metrics.torproject.org

Tor Vulnerabilities – Traffic Analysis

Adversary can observe traffic at different locations in the network

If traffic looks similar, it likely belongs to the same user!

Tor Vulnerabilities – Traffic Analysis

Low communication overhead results in low traffic analysis resistance

Alternatives with high traffic-analysis resistance

- e.g. Crowds, DC nets etc.
- cause high communication overhead

Low traffic analysis resistance is one of the biggest problems of today’s AC networks!

[Figure: trade-off triangle between Latency, Traffic-Analysis Resistance and Communication Complexity]

Tor Vulnerabilities – DNS Leaks

DNS requests not sent through Tor network by default

Attacker could see what websites are being visited by examining DNS requests

External software such as FoxyProxy and Privoxy can be used to route DNS requests through the Tor network, but this is _not_ default behavior
