ICDCS 2008, Network and Information Security Lab, Peking University, Jun. 19, 2008
WebIBC: Identity Based Cryptography for Client Side Security in Web Applications
Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen, Zhong Chen, and Xianghao Nan
Once upon a time ...
Strong Cryptography
Now
Web App Security & Privacy?
• User authentication
• SSL/TLS link encryption
What if servers do evil?
No Security!
No Privacy!
Operating System
Web Browser
HTML & JavaScript
WebApp
EFS, PGP
Browser Plug-in
Here we are
Challenges
• Private key: JavaScript cannot read keys in the local file system.
• Public key: acquiring another user's public key or certificate is not easy for JavaScript programs in a Web browser.
Private Key? Public Key?
Limited Browser Capability
• HTML, CSS
• JavaScript
• AJAX
Browser Plug-ins?
No!
Our Goal
Strengthen Web Browser Security and Privacy Without Changing the Browser.
Target
• Our solution: bring public key cryptography to Web browsers, including public key encryption and signature generation.
• All cryptographic operations and key usage happen inside the browser and are implemented in JavaScript and HTML only, requiring no plug-ins and providing an “open source” guarantee.
The first Challenge
Public Key:
Identity-Based Cryptography
PKG (Private Key Generator)
Public Params
Setup: generate master secret and public params
Decrypt
Timeline
• 1986: Identity Based Cryptography, the first idea (Shamir)
• 2001: First practical IBE scheme from Weil pairing (Boneh, Franklin)
• 2001: Cocks IBE, not bandwidth efficient
• 2004: CPK key management, IBE, IBS (Nan, Chen)
CPK Cryptosystem
CPK (Combined Public Key)
Based on generalized Discrete Log Group
Elliptic Curve Cryptography
$y^2 = x^3 + ax + b \pmod p$
$G$ is a point on the elliptic curve and $n$ is the order of the cyclic group $\langle G \rangle$. The private key $d$ is a randomly selected integer in $[1, n-1]$. The corresponding public key is $Q = dG$.
$(d_1, Q_1 = d_1 G)$, $(d_2, Q_2 = d_2 G)$
$d = d_1 + d_2$
$Q = Q_1 + Q_2 = d_1 G + d_2 G = (d_1 + d_2) G$
so $(d, Q)$ is again a key pair.
Private Matrix Generation (in PKG)
The trusted authority, the PKG (Private Key Generator), generates an m×n matrix whose elements are randomly generated ECC private keys (integers in [1, n-1]). The private matrix must be kept secret inside the PKG.
RNG → random integers: $s_{ij} \in_R [1, n-1]$
Private matrix:
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
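Public Matrix Generation (in PKG)
Private matrix:
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
Public matrix:
$$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
Key pair: $(s_{ij}, s_{ij}G)$, the elements at the same position in the two matrices.
The Public Matrix is generated by the PKG from the Private Matrix: each element of the Public Matrix is the public key of the corresponding private key in the Private Matrix. The public matrix is publicly available to all users.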
Map Algorithm
$\langle h_1, h_2, \ldots, h_n \rangle \leftarrow H(ID)$
The map algorithm H(ID) is a cryptographic hash algorithm that maps an arbitrary string ID to indexes into the columns of the private matrix and the public matrix.
$h_i$ is the index into the i-th column of the public/private matrix.
Private Key Extraction (in PKG)
• Input the user’s identity ID.
• Map the identity to indexes of the matrix: $\langle h_1, h_2, \ldots, h_n \rangle \leftarrow H(ID)$
• Select one element from each column of the private matrix by the index.
• Add the selected private keys; the result is the user’s private key corresponding to his identity ID.
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
$$d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod p$$
Public Key Extraction (in User)
• Input the user’s identity ID.
• Map the identity to indexes of the matrix: $\langle h_1, h_2, \ldots, h_n \rangle \leftarrow H(ID)$
• Select one element from each column of the public matrix by the index.
• Add the selected public keys (elliptic curve point addition); the result is the user’s public key corresponding to his identity ID.
$$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
$$Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G$$
Identity Based Signature
CPK-Sign (Message, PrivateKey) {
    ECDSA-Sign (Message, PrivateKey) -> Signature
}
CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
    CPK-ExtractPublicKey (PublicMatrix, SignerID) -> PublicKey
    ECDSA-Verify (Message, Signature, PublicKey);
}
ECDSA: Elliptic Curve Digital Signature Algorithm
Big Picture
$\langle h_1, h_2, \ldots, h_n \rangle \leftarrow H(ID)$
• Private matrix $(s_{ij})$, indexed by H(ID): $d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod p$
• Public matrix $(s_{ij}G)$, indexed by H(ID): $Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G$
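The private and public key extraction summarized above, as an added example (not WebIBC's code and not from the slides). It assumes the secp256k1 curve, SHA-256 as the map algorithm H, and a small 8×4 demo matrix; it reduces the private-key sum modulo the group order, which is what makes d_ID·G equal Q_ID.

```javascript
// Added illustration, not WebIBC's code: CPK key extraction on secp256k1 (assumed curve).
const crypto = require('crypto');
const P = 2n ** 256n - 2n ** 32n - 977n;   // field prime p
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n; // order of <G>
const G = { x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
            y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n };
const ROWS = 8, COLS = 4;                  // demo matrix size (assumed)
const mod = (a, m) => ((a % m) + m) % m;

function inv(a, m) {                       // modular inverse, extended Euclid
  let [r0, r1, s0, s1] = [mod(a, m), m, 1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1, s0, s1] = [r1, r0 - q * r1, s1, s0 - q * s1];
  }
  return mod(s0, m);
}
function add(A, B) {                       // point addition; null is the point at infinity
  if (!A) return B;
  if (!B) return A;
  if (A.x === B.x && mod(A.y + B.y, P) === 0n) return null;
  const l = A.x === B.x
    ? mod(3n * A.x * A.x * inv(2n * A.y, P), P)        // doubling (curve has a = 0)
    : mod((B.y - A.y) * inv(B.x - A.x, P), P);
  const x = mod(l * l - A.x - B.x, P);
  return { x, y: mod(l * (A.x - x) - A.y, P) };
}
function mul(k, A) {                       // double-and-add scalar multiplication
  let R = null;
  for (; k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}
const randScalar = () =>                   // random integer in [1, N-1]
  mod(BigInt('0x' + crypto.randomBytes(40).toString('hex')), N - 1n) + 1n;

function setup() {                         // PKG: private matrix s_ij, public matrix s_ij*G
  const priv = Array.from({ length: ROWS }, () => Array.from({ length: COLS }, randScalar));
  return { priv, pub: priv.map(row => row.map(s => mul(s, G))) };
}
function mapId(id) {                       // <h_1..h_n> <- H(ID): one row index per column
  const h = crypto.createHash('sha256').update(id, 'utf8').digest();
  return Array.from({ length: COLS }, (_, i) => h[i] % ROWS);
}
const extractPrivate = (priv, id) =>       // runs in the PKG only
  mapId(id).reduce((d, h, i) => mod(d + priv[h][i], N), 0n);
const extractPublic = (pub, id) =>         // runs in any browser holding the public matrix
  mapId(id).reduce((Q, h, i) => add(Q, pub[h][i]), null);

function selfCheck(id) {                   // does d_ID * G equal Q_ID?
  const { priv, pub } = setup();
  const dG = mul(extractPrivate(priv, id), G);
  const Q = extractPublic(pub, id);
  return dG.x === Q.x && dG.y === Q.y;
}
console.log('bob@example.com key pair consistent:', selfCheck('bob@example.com'));
```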
The second Challenge: Private Key
• The private key can be accessed by the JavaScript program
• The private key should never leave the browser
URI Fragment Identifier
http://www.domain.com/#skey=72bc845b9592b79...
The fragment identifier starts from a # (number sign); in the URL above it is #skey=72bc845b9592b79...
Fragment Identifier
<div id="menu">
  <a href="#section1">section 1</a>
  <a href="#section2">section 2</a>
  <a href="#section3">section 3</a>
  <a href="#ref">reference</a>
</div>
<h1>Section1</h1>
<!-- The link target is named without the leading '#' -->
<a name="section1" id="section1"></a>
Fragment Identifier as Key Store
• Utilize the fragment identifier in a bookmark URL as the private key storage. The fragment identifier in a URL is never transferred through the Internet.
Retrieve Private Key From URL
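<script type="text/javascript">
// window.location is a Location object; its href property is the URL string.
var URL = window.location.href;
// Everything from the '#' onwards is the fragment identifier.
var fragid_start = URL.substring(URL.indexOf('#'));
</script>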
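What the bookmark key store relies on, as an added example that is not from the slides: the URL is split into the part a browser puts in the HTTP request and the fragment that stays local. The `skey` parameter name comes from the example URL above; the host, key values and hex check are constructed assumptions.

```javascript
// Added illustration, not WebIBC's code. URLs and key values below are constructed.
function splitBookmark(bookmarkUrl) {
  const u = new URL(bookmarkUrl);
  // Parts the browser puts into the HTTP request (Host header, request target).
  const sentToServer = { host: u.host, requestTarget: u.pathname + u.search };
  // A key placed in the query string by mistake would be transmitted.
  const leaksInQuery = u.searchParams.has('skey');
  // The fragment never leaves the browser; parse it as key=value pairs.
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  const skey = fragment.get('skey');
  let error = null;
  if (skey === null) error = 'no skey in fragment';
  else if (!/^(?:[0-9a-f]{2})+$/i.test(skey)) error = 'skey is not whole hex bytes';
  return { sentToServer, leaksInQuery, skey: error ? null : skey, error };
}

const ok = splitBookmark('https://webapp.example/mail?folder=inbox#skey=a1b2c3d4e5f6');
console.log(ok.sentToServer, ok.skey);
const bad = splitBookmark('https://webapp.example/mail?skey=a1b2c3d4e5f6');
console.log(bad.leaksInQuery, bad.error);
```

A key pasted after `?` instead of `#` is part of the request target and reaches the server, which is what `leaksInQuery` flags.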
Workflow
[Diagram: three parties, Browser, PKG and WebApp, connected by a Secure Channel and a Public Channel. Numbered arrows: ❶ setup, ❷ mpk.js, ❸ ID, ❹ skey, ❺ save, ❻ URL, ❼ webibc.js, mpk.js, ❽ do, ❾ message, ❿ forward.]
1. The authority trusted by Alice and Bob establishes a PKG, which generates the system parameters, including the public matrix.
2. The Web application embeds WebIBC together with the public system parameters released by the PKG.
3. Alice registers with the PKG using her ID.
4. The PKG returns Alice’s private key.
5. Alice can append the private key as a fragment identifier to the Web application’s URL, then save it as a bookmark in the browser.
6. Now Alice can use this bookmark to log in to the Web application. Note that the browser sends the URL without the fragment identifier, so the private key is secure.
7. The WebIBC JavaScript files are also downloaded from the server, including the public matrix of the system.
8. Alice uses the Web application as normal, entering Bob’s email address and the message content into the form. When Alice presses the send button, the WebIBC JavaScript programs take the email address from the form as the public key, take the private key from the URL, and encrypt and sign the message.
9. The message is then sent to the server.
10. Because the message has been protected, the Web application can do no evil to the message and can only forward it to Bob. Bob can likewise log in to his Web application, decrypt the message with the private key in his fragment identifier, and verify the message through the public matrix, similar to Alice.
Performance (ms)

Browser   0.5 KB   2 KB    10 KB
Safari    1383.7   1,492   2,071
Firefox   1,523    1,661   2,401
IE        1,459    1,698   2,791
Opera     2,110    2,349   3,628

[Bar chart of the same data: Safari, Firefox, IE, Opera; series 0.5 KB, 2 KB, 10 KB; axis 0 to 4000 ms.]
Future Work
• Web based PRNG
• Other Identity based cryptography
• Local storage in HTML5
Thank you!
Questions?