direct anonymous attestation - ibm · 2016-04-14 · direct anonymous attestation – what is it?...
TRANSCRIPT
Jan CamenischIBM Research ndash Zurich
Joint work with Ernie Brickell Liqun Chen Manu Drivers Anja Lehmann
jcazurichibmcom JanCamenisch ibmbizjancamenisch
Direct Anonymous AttestationRevisited
Direct Anonymous Attestation ndash What is it
Protocol standardized by TCG (trusted computing group) Attestation of computer state by TPM (root of trust) TPM measures boot sequence TPM attest boot sequence to third party Attestation based on cryptographic keys
rarr Strong authentication of TPM with privacy
Use cases apart from attestation secure access to networks services any resources of devices can be extended to user of device
Direct Anonymous Attestation ndash Brief History TCPA 044 ndash July 2000 until TCPA 11b ndash February 2002
wout DAA but used Privacy CA Privacy groups criticized Privacy CA solution
TPM 12 ndash July 2003 until Aug 2009 (revision 116) DAA introduced as alternative to Privacy CA goal to make privacy groups happy DAA based on RSA Host part specified in TSS (Trusted Software Stack) Implementation on chips very slow (arithmetic co-processor)
TPM 20 ndash October 2014 Elliptic curve-based DAA ISO standard in 2015 (ISOIEC 11889)
Today Interest in TPM revived Security of mobile devices FIDO authentication
Attestation Scenario
Issuer
(TPM or Platform Manufacturer)
Verifier
(Bank eShop Tax authority hellip)
Problem using traditional certificates all transactions of the same platform become linkable -(
Security Requirements for Attestation
Unforgeability No adversary can create signatures on messages that were never signed by a certified TPMNon-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this messageAnonymity signatures by an honest platform are unlinkable (without basename or different basenames)Revocation If a TPM is compromised signatures from the compromised keys must no longer be accepted
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Direct Anonymous Attestation ndash What is it
Protocol standardized by TCG (trusted computing group) Attestation of computer state by TPM (root of trust) TPM measures boot sequence TPM attest boot sequence to third party Attestation based on cryptographic keys
rarr Strong authentication of TPM with privacy
Use cases apart from attestation secure access to networks services any resources of devices can be extended to user of device
Direct Anonymous Attestation ndash Brief History TCPA 044 ndash July 2000 until TCPA 11b ndash February 2002
wout DAA but used Privacy CA Privacy groups criticized Privacy CA solution
TPM 12 ndash July 2003 until Aug 2009 (revision 116) DAA introduced as alternative to Privacy CA goal to make privacy groups happy DAA based on RSA Host part specified in TSS (Trusted Software Stack) Implementation on chips very slow (arithmetic co-processor)
TPM 20 ndash October 2014 Elliptic curve-based DAA ISO standard in 2015 (ISOIEC 11889)
Today Interest in TPM revived Security of mobile devices FIDO authentication
Attestation Scenario
Issuer
(TPM or Platform Manufacturer)
Verifier
(Bank eShop Tax authority hellip)
Problem using traditional certificates all transactions of the same platform become linkable -(
Security Requirements for Attestation
Unforgeability No adversary can create signatures on messages that were never signed by a certified TPMNon-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this messageAnonymity signatures by an honest platform are unlinkable (without basename or different basenames)Revocation If a TPM is compromised signatures from the compromised keys must no longer be accepted
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Direct Anonymous Attestation ndash Brief History TCPA 044 ndash July 2000 until TCPA 11b ndash February 2002
wout DAA but used Privacy CA Privacy groups criticized Privacy CA solution
TPM 12 ndash July 2003 until Aug 2009 (revision 116) DAA introduced as alternative to Privacy CA goal to make privacy groups happy DAA based on RSA Host part specified in TSS (Trusted Software Stack) Implementation on chips very slow (arithmetic co-processor)
TPM 20 ndash October 2014 Elliptic curve-based DAA ISO standard in 2015 (ISOIEC 11889)
Today Interest in TPM revived Security of mobile devices FIDO authentication
Attestation Scenario
Issuer
(TPM or Platform Manufacturer)
Verifier
(Bank eShop Tax authority hellip)
Problem using traditional certificates all transactions of the same platform become linkable -(
Security Requirements for Attestation
Unforgeability No adversary can create signatures on messages that were never signed by a certified TPMNon-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this messageAnonymity signatures by an honest platform are unlinkable (without basename or different basenames)Revocation If a TPM is compromised signatures from the compromised keys must no longer be accepted
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Attestation Scenario
Issuer
(TPM or Platform Manufacturer)
Verifier
(Bank eShop Tax authority hellip)
Problem using traditional certificates all transactions of the same platform become linkable -(
Security Requirements for Attestation
Unforgeability No adversary can create signatures on messages that were never signed by a certified TPMNon-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this messageAnonymity signatures by an honest platform are unlinkable (without basename or different basenames)Revocation If a TPM is compromised signatures from the compromised keys must no longer be accepted
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Security Requirements for Attestation
Unforgeability No adversary can create signatures on messages that were never signed by a certified TPMNon-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this messageAnonymity signatures by an honest platform are unlinkable (without basename or different basenames)Revocation If a TPM is compromised signatures from the compromised keys must no longer be accepted
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Attestation ndash Privacy CA Solution (Traditional Credentials)
Issuer
Verifier
Problem Privacy CA does not exist operate 247 security needs to be high ndash a contradiction to 247 no business model (trust relationship w users and verifiers) can link transactions other security requirements would be fulfilled
Privacy CAAIKCertA
EKCertE
AIK CertA SigAIK(m)
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)
Issuer
VerifierDAA credentials are ldquorandomizablerdquo TPM can transform original credential into new credentials that ldquolooks
likerdquo a fresh credential rarr different randomize credentials cannot be linked (anonymity) rarr still credentials are unforgeable
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Direct Anonymous Attestation ndash Rogue TPMs
TPM has been broken and keys have leaked Need to be able to distinguish those keys despite signatures are anonymous
Solution Nym = f(DAA-secret) = ζ DAA-secret mod p where if ζ is random published keys can be detected
protocol is still anonymous if ζ is fixed per verifier eg derived from verifiers name (so-called basename)
verifier can also make frequency analysis rarr signature by the same platform wrt same basename can be linked
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Realization of Direct Anonymous Attestation in TPM V12
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
Signature Scheme used to Issue Certificate to TPM
Verification mi Є 01ℓ e gt 2ℓ+1 and d = ce a1m1 ak
mk bs mod n
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Signature Scheme used to Issue Certificate to TPM
Observe
d = ce a1m1 ak
mk bs mod n
Let c = c btmod n with randomly chosen t
then d = ce a1m1 ak
mk bs-et (mod n) ie (ce s = s-et) is also signature on m1 mk
To prove ownership of a signature (ce s) on some on m1 mk
randomize and provide c execute proof protocol PK(ε micro1microk σ) d = cε a1
micro1 akmicrok b σ and micro Є 01ℓ and ε gt 2ℓ+1
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM signs ndash Schnorr Signatures
Given a group ltggt and an element y Є ltggt
Prover wants to convince verifier that she knows x1 x2 st y = gx1 hx2 such that verifier only learns y g and h
t = yc gs1 hs2
Prover
random r1r2
t = gr1 hr2
Verifier
random c
s1 = r1 ndash cx1s2 = r2 - cx2
t
s1 s2
c
PK(αβ) y = gα hβ
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM signs ndash Schnorr Signatures
Signing a message m- chose random r1r2 Є Zq and - compute (cs1s2) = (H(gr1 hr2||m) r1 - cx1 r2 - cx2 )
Verifying a signature (cs1s2) on a message m- check c = H(ycgs1hs2||m)
Security- Discrete Logarithm Assumption holds- Hash function H() behaves as a ldquorandom oraclerdquo
From Protocol PK(α) y = gα to Signature SPK(α) y = gα (m)
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM and the Host Sign Jointly
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM and the Host Sign Jointly
random r1
t = gr1 t random r2
t = thr2t
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random cc
random r2
t = thr2t
c
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
How the TPM and the Host Sign Jointly
random r1
t = gr1 t
random c
s1
c
s1= r1 - c x
random r2
t = thr2t
s1 s2
c
s2= r2 - c m
t = ycgs1hs2
PK (x) y = gx
PK (x m) y = gxhm (mod n)
TPM spec TSS spec
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Direct Anonymous Attestation in TPM V20
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Overview of Changes from TPM 12 to TPM 20
From RSA groups to elliptic curve groups (faster smaller keys)
TPM V12 DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs For TPM V20 there is not TSS spec
On the positive side supports many different credential signature schemes (CL q-SDH hellip)
On the negative side
no full specification ndash Chen amp Li 2013 paper hard to match to TPM spec no security proof ndash Chen amp Li 2013 security proof broken current spec not provable secure
PK(x) y = gx
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Difficulty in Security Definitions and Proofs
4 parties amp 4 protocols complex protocol and thus security definition becomes complexrarr
After initial DAA paper (Brickell et al 2004) a number of improved security definitions where published
All of them have issues some of them severe allowing for insecure schemes -(
rarr Need for complete security model amp provably secure schemes
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Simulation-Based Security DefinitionsInteractionwith environment
Interactionwith environment
Functionality (ideal specification)
cryptographic protocolsare run between parties secure if environment
cannot tell apart
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Existing Simulation-Based Models for DAA
Brickell Camenisch Chen (2004) Does not output any signature values Prohibits working with signature values in practice
Chen Morrissey Smart (2009) Outputs signatures Signature generation too simplistically modeled to be realizable
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Property-Based Security DefinitionsInteractionwith environment
cryptographic protocols
Defines security when interacting with cryptographic protocol for each property separately
Eg Non-frameability One cannot create a signature on a message that links to an honest platformrsquos signature when the platform never signed this message
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Existing Property-Based Models for DAA
Brickell Chen Li (2009) Unforgeability not captured trivially forgeable scheme can be proven secure No property for non-frameability
Chen (2010) Extends BCLrsquo09 with non-frameability Same flaws as BCLrsquo09
Bernard et al (2013) Discusses flaws in all previous models TPM + Host one party Does not cover honest TPM in corrupt Host Security Proof of ldquoPre-DAArdquo does not work for full DAA
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Do we need all these definitions
(1 1 1 1) is a valid credential on any key in Chen Page Smart 2010 ISO 20008 standardized
TPM2 spec contains static DH oracle Larger groups and keys required (Xi et al 2014)
TPM2 should make zero-knowledge proof Problem in hash computation Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Comprehensive Model and Secure Protocol
Comprehensive security model in UC framework Allows composition by composition theorem Signatures modeled as concrete values that are sent as output TPM and Host separate parties Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality Provably secure instantiation (based on CL signatures but q-SDH seems feasible too) As efficient as existing DAA schemes ndash essentially just doing a few details right
Camenisch Drijvers Lehmann 2016 (iacr20151246)
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Next Steps
TPM 20 working on fixing security problems trying to unify different schemes spec of full schemes ie also issuer host verifier parts
FIDO anonymous authenticator spec with our without TPM 20 reference implementation underway (aim at open sourcing it)
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Conclusions
Device authentication more relevant than ever
Provably security matters ndash a number of standards have issues It often takes far longer than one would expect amp still not done
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
Thanks Questions
iacr20151246jcazurichibmcomJanCamenisch
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-
ReferencesBernhard D Fuchsbauer G Ghadafi E Smart N Warinschi B Anonymous attestation with user-controlled linkability International Journal of Information Security 12(3) (2013)Brickell E Camenisch J Chen L Direct anonymous attestation ACM CCS 2004
Brickell E Chen L Li J Simplified security notions of direct anonymous attestation and a concrete scheme from pairings International Journal of Information Security 8(5) (2009)
Camenisch J Lysyanskaya A Signature schemes and anonymous credentials from bilinear maps CRYPTO 2004Chen L Morrissey P Smart N DAA Fixing the pairing based protocols ePrint Archive Report 2009198
Chen L A DAA scheme requiring less tpm resources Information Security and Cryptology 2010Chen L Morrissey P Smart N On proofs of security for DAA schemes Provable Security 2008Chen L Page D Smart N On the design and implementation of an efficient DAA scheme Smart Card Research and Advanced Application 2010 Chen L Li J Flexible and scalable digital signatures in TPM 20 ACM CCS 2013Lysyanskaya A Rivest RL Sahai A Wolf S Pseudonym systems SAC 1999
Xi L Yang K Zhang Z Feng D DAA-related APIs in TPM 20 revisited Trust and Trustworthy Computing 2014
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
-