Sunday, December 20, 2015 ARCHITECTURE OF A SERVER- AIDED SIGNATURE SERVICE (SASS) FOR MOBILE NETWORKS Source: P. Lorenz and P. Dini (Eds.): ICN 2005,

Friday, April 21, 2023

ARCHITECTURE OF A SERVER-AIDED SIGNATURE SERVICE(SASS) FOR MOBILE NETWORKS

Source: P. Lorenz and P. Dini (Eds.): ICN 2005, LNCS 3421, pp. 819 – 826, 2005.

Author: Liang Cai, Xiaohu Yang, and Chun ChenPresenter: Li-Tzu Chang


Outline Introduction Background Architecture of SASS Service

Overall Architecture Key Interfaces of SASS Service

Performance Analysis Conclusion


Introduction Traditionally

Asymmetric cryptographic techniques. Computationally expensive.

Currently Limited computational capabilities. Equally limited power(batteries). The RSA cryptosystems is the most widely used PKI cryptosystem for

key exchange and digital signatures. SSL commonly uses RSA-based key exchange, most PKI products use RSA

certificates. On PalmPilot

1024 bit RSA signature - 30 seconds. 1024 bit RSA key - 15 minutes.


Introduction Instead of every mobile device performing computationally

intensive cryptographic operations, we designed a Server-aided Signature Service (SASS) to offload work from clients in mobile networks.

SASS The encryption. Key exchange capabilities of Modadugu's protocol. The digital signature generation capability of the S3 protocol .


Introduction Use of SASS benefits mobile clients

Cryptographic hardware capable of performing single cryptographic operations faster than they can be performed by the client.

Offloading cryptographic operations from the client CPU to these remote accelerators can free the client for other operations.






Background Typical message flow between mobile client and server.


Background In order to reduce the computational load of the mobile clients,

only the server side has the RSA key pair (public key & private key), thus can generate the non-repudiation digital signatures.

The client side can only use the symmetric DES algorithm to achieve information privacy, but not non-repudiation.






Architecture of SASS Service


Architecture of SASS Service Key interfaces

ISASS_KeyGen( ) Help mobile client generate the key used for encryption and key exchange.

ISASS_Cert( ) Help mobile client initialize the key used for generating the digital signature.

ISASS_Sign( ) Help mobile client sign a message.

11






Overall Architecture The overall architecture is made up of three components:

CA

SASS service

Client

13


Overall Architecture Efficient generation of RSA keys on a low power mobile client

with the help of SASS service works as follows.

1.The client must hide the modulus p and the exponent p-1. To hide the modulus p the client intends to multiply it by a random number R and send the resulting N = p ⋅ R to the servers.

14

p is a 512-bit prime R is a 4096-bit random number


Overall Architecture Efficient generation of RSA keys on a low power mobile client

with the help of SASS service works as follows.

2. The server will perform computations modulo N = p ⋅ R .

3. The client will run a probabilistic test to verify that p is prime. This is done to ensure that the servers returned correct values.

15


Overall Architecture SASS based signature could be computed as follows:

16

使用者呼叫 API

1

API- 提供資料進行簽章- 一次性的票券

2



17

要求 Policy 授權 Alice 操作

3

Policy 決定授權 Aoperation rights revocation status and billing status

3

如果決定授權就會計算資料的half-signature 和其他參數，傳回給 Aliice

3



18

A 驗證 own half-signature 和SASS’s half-signature 。如果放在一起，兩者符合，驗證成功。產生 SASS 和 Alice 共有的憑證。

4


Overall Architecture Verifying a SASS signature :

Verifier obtains the signature and verifies the two halves using the accompanying certificates.

19






Key Interfaces of SASS Service ISASS_KeyGen(N, g, s) :X

It helps mobile clients offload the expensive exponentiation to SASS Server.

To do that, It calculates X = gs mod N , and returns X.

21


Key Interfaces of SASS Service ISASS_Cert(O, n, PKo , S) :

O choose a SASS server that shall be responsible for generating signatures on O's behalf.

generates a random secret key KO .

Constructs the hash chainKo

n=SHAo(SHAo(···SHAo(Ko) ···))

O submits the root public key PKo = Kon to CA.

CA return the certificate for O's root public key:(O,n, PK , S)SKCA .

22

Mobile client OSASS server S


Key Interfaces of SASS Service ISASS_Sign(O, MD5(m), i, Ko

i ) : (O, MD5(m), i, Koi )SKS

S verifies the received public key based on O's root public key.Checks SHAo

n-i (Koi) = Pko

S has to ensure that only one signature can be created for a given (O, i, Ko

i ).

If a message on behalf of O containing Koi has not yet been

signed, S signs (O, MD5(m), i, Ko

i ), records Koi as consumed, and

sends the signature (O, MD5(m), i, Koi )SKS back to O.

23

Koi is O's current public key.






Performance Analysis

25


Performance Analysis

26






Conclusion A secure “cell phone-banking” application has been

implemented on SASS architecture in CDMA-1X mobile network.

SASS can significantly improve the performance of mobile client's cryptographicoperation;

SASS is a highly scalable service suitable for variant mobileapplications and future critical applications which require longer key length.

28

Sunday, December 20, 2015 ARCHITECTURE OF A SERVER- AIDED SIGNATURE SERVICE (SASS) FOR MOBILE NETWORKS Source: P. Lorenz and P. Dini (Eds.): ICN 2005,

Documents