Sec final project
A Prepositioned Secret Sharing Scheme for Message Authentication in Broadcast Networks
90321019 王怡君
Outline
Introduction
Methods for Message Authentication
A key transport scheme for message authentication
1. Introduction
Four important objectives of information security:
– Authentication
– Confidentiality
– Data integrity
– Non-repudiation
[Figure 1. Two-party communication: message M passes between the message protocols of A and B over the communication channel.]
Party A is the sender of message M, and party B is the receiver.
B would require one or more of the following:
1. Authentication of the message
2. Integrity of the data included in the message
3. Authentication of sender A
Authentication methods fall into two groups:
Message authentication
– Provides assurance of the identity of A
– Includes evidence of data integrity
Entity authentication
– To avoid replay attacks, time-variant data (e.g. time stamps) can be added to the message.
2. Methods for Message Authentication
arbitrary length → fixed length (using a hash function)
In cryptographic applications, the hash value is considered to be a shorter representation of the actual message.
Hash functions are classified into two groups:
– Unkeyed hash functions (one input: the message)
– Keyed hash functions (two inputs: the message and a secret key)
The keyed hash functions that are used for message authentication are grouped under Message Authentication Codes (MACs).
Unkeyed hash functions => Manipulation Detection Codes (MDCs)
MACs can be customized, or constructed using block ciphers.
$h(M)$: hashing of message $M$ with an MDC
$h_K(M)$: hashing of message $M$ with a MAC with key $K$
$M_1 \| M_2$: concatenation of message $M_1$ with message $M_2$
$E_K(M)$: encryption of message $M$ with key $K$
$S_{K_{private}}(M)$: signing of message $M$ with private key $K_{private}$
Method 1. Using a MAC
$M \| h_K(M)$
Method 2. Encrypting the message
Method 3. Signing the message
Disadvantages
– Potential cryptographic weakness
– Lack of capability to authenticate messages with different keys
Potential cryptographic weakness (1)
MACs:
Attack on the key space
– For a key size of t bits and a fixed input, the probability of finding the correct n-bit MAC is about 2^t.
Attack on the MAC value
– If a hacker can determine the MAC key, he can create a MAC value for any message.
Potential cryptographic weakness (2)
Encryption:
– If encryption is used alone for message authentication, it is vulnerable to brute-force attacks.
– In recent years, several powerful attacks have been developed against modern ciphers. (Attacks like linear or differential cryptanalysis allow key recovery with less processor time.)
Potential cryptographic weakness (3)
Digital signatures:
– From a theoretical viewpoint, no popular public-key signature algorithm is proven to be secure.
– Their security is based on the difficulty of computing discrete logarithms or factoring large numbers.
– With a fixed public/private key pair, attacks are possible using the public key or signatures on messages.
Lack of capability to authenticate messages with different keys
In some applications, there may be a need to send a message to a specific group of receivers.
We would like to have a scheme that makes it possible to use a new key for each new message and to generate different keys for different groups of receivers.
3. A key transport scheme for message authentication
Threshold schemes
A Prepositioned Secret Sharing Scheme for key transport
Security analysis
Threshold schemes
A $(t, n)$ threshold scheme ($t \le n$) is a method by which $n$ secret shares $S_i$ ($1 \le i \le n$) are computed from $S$ in such a way that at least $t$ shares are required to reconstruct $S$.
Ex: A bank manager divides the combination of the bank safe among his five tellers in such a way that any two tellers can open the safe.
In Shamir’s (t,n) threshold scheme
$f(x) = a_{t-1}x^{t-1} + \dots + a_1 x + a_0$ (to be used over a Galois field GF($p$))
1. Choose a prime $p$ larger than $n$ and the secret $S$
2. Define $S$ to be the constant $a_0$
3. Construct $f(x)$ by selecting $(t-1)$ random coefficients $a_1, \dots, a_{t-1}$
4. Compute the shares by evaluating $f(x)$ at $n$ distinct points, and distribute them to the $n$ users
Useful for:
– Group signatures
– Key recovery
Discussing the application of the threshold scheme to key distribution in broadcast networks:
If (t-1) shares are broadcast, the secret can be constructed by any receiver using the (t-1) shares and its distinct share.
From a security viewpoint, the hacker needs to know only a single share to break the system. Use Shamir’s threshold scheme in a new way…
A Prepositioned Secret Sharing Scheme for key transport
Simple example
Three levels
Activating share
– Level 1: one common share
– Level 2: an additional common share
– Level 3: a unique additional share
Let $p = 31$
Let $f_1(x) = ax + b$; using $(10, 15)$, $(30, 20)$: $f_1(x) = 8x + 28$
In the same way:
$f_2(x) = 21x^2 + 5x + 4$
$f_3(x) = 27x^3 + 13x^2 + 7x + 10$
$(S_1, S_2, S_3) = (28, 4, 10) \bmod 31$
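The simple example above, together with the share-generation and reconstruction steps of Shamir's scheme, worked through in Python as an added example (not code from the slides or the paper they summarize). It uses the slides' p = 31, the three polynomials and the points (10, 15) and (30, 20); the roles assigned to those two points, the x-coordinates 20 and 1 for the level-2 and level-3 shares, and all function names are assumptions.

```python
# Added example: prepositioned secret sharing over GF(31) with the slides' numbers.
P = 31  # prime modulus from the slides

# f_1, f_2, f_3 from the slides, constant term first; the constant term is the key S_k.
POLYS = {1: [28, 8], 2: [4, 5, 21], 3: [10, 7, 13, 27]}

def evaluate(coeffs, x, p=P):
    """Shamir step 4: evaluate f(x) mod p (Horner's rule) to produce a share."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def recover_secret(points, p=P):
    """Lagrange interpolation at x = 0: returns f(0) mod p, i.e. the shared key."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

# Assumed roles: (10, 15) is the broadcast activating share, (30, 20) the level-1 share.
ACTIVATING = (10, 15)
LEVEL1 = (30, 20)
# Assumed x-coordinates: x = 20 is where f_2 and f_3 agree; x = 1 is arbitrary.
LEVEL2 = (20, evaluate(POLYS[2], 20))
LEVEL3 = (1, evaluate(POLYS[3], 1))

def keys_for(level):
    """Keys a receiver with prepositioned shares up to `level` can rebuild."""
    held = [LEVEL1, LEVEL2, LEVEL3][:level]
    return {k: recover_secret([ACTIVATING] + held[:k]) for k in range(1, level + 1)}

if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"level {level} receiver recovers", keys_for(level))
    # A tampered activating share yields a different (wrong) key.
    print("tampered activating share ->", recover_secret([(10, 16), LEVEL1]))
```

A level-1 receiver interpolating its two points always lands on S1, never S2 or S3, because the higher-degree polynomials need the additional prepositioned shares it does not hold.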
3.3 Security analysis
In the scheme, the shared secret is used to generate a message authenticator, which is broadcast with the message and the activating share.
For small values of t (low-degree polynomials), the system may be exposed to brute-force attacks.
– t = 2: The system is most vulnerable if first-degree polynomials are used.
– t > 2: The security is based on the difficulty of estimating the prepositioned information in the receiver.
Several modifications are possible to increase the robustness:
– Define the authentication key as a function of the shared secret.
– Make t a time-dependent secret system parameter.
– “Mask” the activating share before distribution.
– Add redundant activating shares.