Post on 20-Dec-2015

Page 1: Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 90321019 王怡君

Sec final project

A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks

90321019 王怡君

Outline

– Introduction
– Methods for Message Authentication
– A key transport scheme for message authentication

1. Introduction

Four important objectives of information security:
– Authentication
– Confidentiality
– Data integrity
– Non-repudiation

Figure 1. Two-party communication (A and B, each with a message protocol, exchange message M over a communication channel)

Party A is the sender of message M, and party B is the receiver.

B would require one or more of the following:
1. Authentication of the message
2. Integrity of the data included in the message
3. Authentication of sender A

Authentication methods fall into two groups:

Message authentication
– Provides assurance of the identity of A
– Includes evidence of data integrity

Entity authentication
– To avoid replay attacks, time-variant data (e.g. time stamps) can be added to the message.

2. Method for Message Authentication

arbitrary length => fixed length (using a hash function)

In cryptographic applications, the hash value is considered to be a shorter representation of the actual message.

Hash functions are classified into two groups:
– Unkeyed hash function (only one input => message)
– Keyed hash function (two inputs => message & secret key)

The keyed hash functions that are used for message authentication are grouped under Message Authentication Codes (MACs).

Unkeyed hash function => Manipulation Detection Codes (MDCs)

MACs can be customized, constructed using block ciphers.

h(M) : hashing of message M with an MDC

hk(M) : hashing of message M with a MAC with key K

M1||M2 : concatenation of message M1 with message M2

Ek(M) : encryption of message M with key K

Skprivate : signing of message M with private key Kprivate

Method 1. Using a MAC

M||hk(M)

Method 2. Encrypting the message

Method 3. Signing the message

Disadvantages

– Potential cryptographic weakness
– Lack of capability to authenticate messages with different keys

Potential cryptographic weakness(1)

MACs:
– Attack on the key space: for a key size of t bits and a fixed input, the probability of finding the correct n-bit MAC is about 2^t
– Attack on the MAC value: if a hacker can determine the MAC key, he can create a MAC value for any message.

Potential cryptographic weakness(2)

Encryption: If encryption is used alone for message authentication, it is vulnerable to brute-force attacks.

In recent years, several powerful attacks have been developed against modern ciphers. (Attacks like linear or differential cryptanalysis allow key recovery with less processor time.)

Potential cryptographic weakness(3)

Digital signatures: From a theoretical viewpoint, no popular public-key signature algorithm is proven to be secure.

Their security is based on the difficulty of computing discrete logarithms or factoring large numbers.

With a fixed public/private key pair, attacks are possible using the public key of signatures on messages.

Lack of capability to authenticate messages with different keys

In some applications, there may be a need to send a message to a specific group of receivers.

We would like to have a scheme that makes it possible to use a new key for each new message and to generate different keys for different groups of receivers.

3. A key transport scheme for message authentication

– Threshold schemes
– A Preposition Secret Sharing Scheme for key transport
– Security analysis

Threshold schemes

A (t,n) threshold scheme (t <= n) is a method by which n secret shares Si (1 <= i <= n) are computed from S in such a way that at least t shares are required to reconstruct S.

Ex: A bank manager divides the combination of the bank safe among his five tellers in such a way that any two tellers can open the safe.

In Shamir’s (t,n) threshold scheme

$f(x) = a_{t-1}x^{t-1} + \cdots + a_1 x + a_0$ (used over the Galois field GF(p))

1. Choose a prime p larger than n and the secret S

2. Define S to be the constant a0

3. Construct f(x) by selecting (t-1) random coefficients a1,…,at-1

4. Compute the shares by evaluating f(x) at n distinct points, and distribute them to the n users

Useful for:
– Group signatures
– Key recovery

Discussing the application of threshold schemes to key distribution in broadcast networks.

If (t-1) shares are broadcast, the secret can be constructed by any receiver using the (t-1) shares and its distinct share.

From a security viewpoint, the hacker needs to know only a single share to break the system. Use Shamir’s threshold scheme in a new way…

A Preposition Secret Sharing Scheme for key transport

Simple example: three levels

– Activating share
– Level 1: one common share
– Level 2: an additional common share
– Level 3: a unique additional share

Let p = 31

let $f_1(x) = ax + b$ using (10,15), (30,20): $f_1(x) = 8x + 28$

the same way:

$f_2(x) = 21x^2 + 5x + 4$

$f_3(x) = 27x^3 + 13x^2 + 7x + 10$

$(S_1, S_2, S_3) = (28, 4, 10) \bmod 31$
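An added example, not part of the original slides, that covers both Shamir's interpolation step and the three-level p = 31 example: each receiver recovers S = f(0) from the broadcast activating share plus its prepositioned shares, and the sender derives a new activating share for a new key. Which of the two listed points is the activating share, the unique level-3 share (1,26), and the use of HMAC-SHA256 as the MAC are assumptions of this example.

```python
import hashlib
import hmac

P = 31  # prime modulus from the slide's example

def interpolate(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through points (mod p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p  # Lagrange term
    return total

def recover_secret(activating, prepositioned, p=P):
    """Receiver: S = f(0) from the broadcast share plus the shares already stored."""
    return interpolate([activating] + list(prepositioned), 0, p)

def make_activating_share(secret, prepositioned, x_act, p=P):
    """Sender: the point at x_act that puts f(0) = secret for these stored shares."""
    return (x_act, interpolate([(0, secret)] + list(prepositioned), x_act, p))

def authenticator(secret, message):
    """h_k(M) keyed with the shared secret; HMAC-SHA256 is this example's choice."""
    return hmac.new(bytes([secret]), message, hashlib.sha256).digest()

# Share roles are assumptions; the slide only names the points (10,15) and (30,20).
ACTIVATING = (10, 15)  # broadcast with the message
COMMON_1 = (30, 20)    # prepositioned at levels 1, 2 and 3
COMMON_2 = (20, 10)    # derived: the third point where the slide's f2 and f3 agree
UNIQUE_3 = (1, 26)     # constructed: f3(1) mod 31
LEVELS = {1: [COMMON_1], 2: [COMMON_1, COMMON_2], 3: [COMMON_1, COMMON_2, UNIQUE_3]}

def level_secrets(activating=ACTIVATING):
    """Secret each level derives from one broadcast activating share."""
    return tuple(recover_secret(activating, LEVELS[n]) for n in (1, 2, 3))

def verify(message, tag, activating, level):
    """Receiver check of a broadcast (M, h_k(M), activating share)."""
    key = recover_secret(activating, LEVELS[level])
    return hmac.compare_digest(tag, authenticator(key, message))

if __name__ == "__main__":
    print(level_secrets())                              # (28, 4, 10)
    share = make_activating_share(7, LEVELS[2], 10)     # new key 7 for level 2
    tag = authenticator(7, b"constructed message")
    print(share, verify(b"constructed message", tag, share, 2))
```

With p = 31 the key space has only 31 values, so the block illustrates the mechanics of the scheme and not a usable key size.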

3.3 Security analysis

In the scheme, the shared secret is used to generate a message authenticator which is broadcast with the message and the activating share.

For small values of t (low-degree polynomials), the system may be exposed to brute-force attacks.

– t = 2: The system is most vulnerable if first degree polynomials are used.
– t > 2: The security is based on the difficulty of estimating the prepositioned information in the receiver.

Several modifications are possible to increase the robustness:
– Define the authentication key as a function of the shared secret.
– Make t a time-dependent secret system parameter.
– “Mask” the activating share before distribution.
– Add redundant activating shares.