Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

1
Privacy in Encrypted Content Distribution Using
Private Broadcast Encryption
  • Adam Barth
  • Dan Boneh
  • Brent Waters

2
Private Broadcast Encryption
  • Make data available to select principals
  • Encrypt the data to those principals
  • Often important to hide the set of principals
  • BCC recipients in encrypted email
  • Customer list (hide from competitors)
  • Promotion committee can read evaluations
  • Private broadcast encryption
  • Recipient privacy against active attackers

3
Related Work
  • Key privacy in public-key setting [BBDP01]
  • IK-CCA: ciphertext does not leak public key
  • Attacker viewing ciphertext encrypted under one
    of two public keys cannot guess which key was
    used
  • Cramer-Shoup is IK-CCA (with common prime)
  • Important building block for recipient privacy
  • Previous broadcast encryption systems
  • Increasing collusion resistance
  • Reducing ciphertext overhead
  • We focus on hiding recipient set

4
Our Results
  • Generic construction (standard model)
  • Achieves CCA recipient privacy
  • Uses generic IK-CCA public-key system
  • Decryption time is linear in number of recipients
  • Efficient construction (random oracle)
  • Achieves CCA recipient privacy
  • Assumes CDH is hard
  • Decryption in O(1) cryptographic operations

5
Broadcast Systems in Practice
  • Microsoft Outlook
  • Encrypted email as a broadcast system
  • Outlook completely reveals BCC recipients
  • issuerAndSerialNumber
  • BCC recipients' names can appear in the clear
  • Could send separate message for email
  • Windows Encrypted File System
  • Pretty Good Privacy (PGP)
  • GnuPG as an example implementation

6
Pretty Good Privacy?
  • Message encrypted with symmetric key, K
  • K encrypted for each recipient
  • To speed decryption, components labeled with
    KeyIDs
  • Hash of public key
  • User identities completely revealed

[Diagram: ciphertext components Kpk(A), Kpk(B), Kpk(C), labeled A, B, C]
7
Recipient Privacy in PGP
  • PGP labels encryptions using a KeyID
  • C:\gpg>gpg --verbose -d message.txt
  • gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
  • gpg: public key is 3CF61C7B
  • gpg: public key is 028EAE1C
  • KeyIDs easily translated into names and email
    addresses using a public key server
  • GPG includes option to withhold KeyIDs
  • Vulnerable to passive recipient privacy attack
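
A check a sender can run on an outgoing OpenPGP message to see which recipients its key-encryption packets name, added here as an example and not taken from the slides or from GnuPG. Assumptions: binary (de-armored) input, RFC 4880 packet framing with definite lengths only, hypothetical function names, and a constructed sample message with a constructed KeyID.

```python
def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 framing)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new-format header
            tag = hdr & 0x3F
            first, i = data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length

def exposed_recipients(data: bytes):
    """KeyIDs named in public-key encrypted session key packets (tag 1).
    An all-zero KeyID means the label was withheld and is reported as None."""
    found = []
    for tag, body in iter_packets(data):
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            keyid = body[1:9]                            # 8-byte KeyID after version
            found.append(None if keyid == bytes(8) else keyid.hex().upper())
    return found

def pkesk(keyid: bytes) -> bytes:
    # Constructed sample packet: version 3, KeyID, algorithm 16, dummy 8-bit MPI
    body = bytes([3]) + keyid + bytes([16]) + b"\x00\x08\xff"
    return bytes([0x84, len(body)]) + body               # old-format tag 1 header

# Constructed sample: one labeled component, one withheld label, one data packet
SAMPLE = (pkesk(bytes.fromhex("1122334455667788")) + pkesk(bytes(8))
          + bytes([0xD2, 3]) + b"\x01\x00\x00")
```
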

8
Security Model
9
Private Broadcast Encryption
  • I ← Setup(λ)
  • Generates global parameters I
  • (pk, sk) ← Keygen(I)
  • Generates public-private key pairs
  • C ← Encrypt(S, M)
  • Encrypts plaintext M for recipient set S
  • M ← Decrypt(sk, C)
  • Decrypts ciphertext C with private key sk

10
CPA Recipient Privacy Defined
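Game between Adversary and Challenger:
  • Challenger → Adversary: global parameter
  • Adversary → Challenger: S0 and S1, subsets of {1, …, n} such that |S0| = |S1|
  • Challenger → Adversary: all public keys, and secret keys for S0 ∩ S1
  • Challenger: b ←R {0,1}; M encrypted for Sb as C
  • Adversary → Challenger: guess b'
  • Adversary wins if b' = b
Some schemes vulnerable with large overlap,
whereas others are vulnerable with small overlap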
11
Simple CPA Recipient Privacy
  • Remove labels
  • Use key-private scheme
  • Reorder components
  • O(n) decrypt time
  • CPA recipient privacy
  • But, active attack
  • Even with IK-CCA

[Diagram: components Kpk(A), Kpk(B), Kpk(C) for A, B, C, reordered as Kpk(B), Kpk(A), Kpk(C)]
12
Active Attack on Simple Scheme
  • Attacker a recipient
  • Learns K
  • Replaces message with something alluring
  • Forwards malicious message to Alice
  • Waits for response
  • Receives response only if Alice was a recipient

[Diagram: ciphertext components Kpk(B), Kpk(A), Kpk(C); K]
13
CCA Recipient Privacy Defined
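Game between Adversary and Challenger:
  • Challenger → Adversary: global parameter
  • Adversary → Challenger: S0 and S1, subsets of {1, …, n} such that |S0| = |S1|
  • Challenger → Adversary: all public keys, and secret keys for S0 ∩ S1
  • Adversary: decrypt query on (u, C)
  • Challenger: b ←R {0,1}; M encrypted for Sb as C*
  • Adversary: decrypt query on (u, C), where C ≠ C*
  • Adversary → Challenger: guess b'
  • Adversary wins if b' = b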
14
Constructions
15
Primitives Used in Constructions
  • Strong correctness
  • Decrypting with wrong key results in ⊥
  • Strong signatures
  • Attacker cannot create a new signature
  • Even on a previously signed message
  • Example: RSA full-domain hash
  • CCA key private (IK-CCA) cryptosystem
  • Ciphertext does not leak public key

16
Generic CCA Construction
  • Start with CPA scheme
  • Generate a fresh signing key pair (vk, sk)
  • Include verification key, vk, in each component
  • Sign the ciphertext
  • Thm: CCA recipient private
  • O(n) decryption time

[Diagram: signed ciphertext; each component carries vk and K, encrypted under pk(B), pk(A), pk(C)]
17
Added Primitives for Efficiency
  • A group G where CDH is hard
  • Extend public keys with g^a, private keys with a
  • Model hash function as a random oracle
  • Use extraction property to break CDH
  • Use DH self-corrector [Shoup97]

18
Ciphertext Component Labels
  • Speed decryption with private labels
  • To make labels for every component
  • Pick a single fresh exponent r
  • Include g^r in the ciphertext
  • Label component for (pk, g^a) with H(g^{ar})
  • Each recipient computes own label with g^r and a
  • Attacker cannot associate H(g^{ar}) with g^a
  • Still need to tie labels to verification key
  • Include g^{ar} in ciphertext components
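
The labeling step above in Python, added here as an example and not taken from the slides or the authors' implementation; it contrasts a static KeyID-style label with the per-ciphertext label H(g^{ar}) and does not cover tying labels to the verification key. Assumptions: a toy group (integers mod 2^255 - 19 with g = 2, for illustration only), SHA-256 standing in for the random oracle H, opaque byte strings standing in for the key-private encryptions of K, and hypothetical function names.

```python
import hashlib
import random
import secrets

# Toy parameters (assumption, illustration only): integers mod a 255-bit prime.
P = 2**255 - 19
G = 2

def H(elem: int) -> bytes:
    """Stand-in for the random oracle H."""
    return hashlib.sha256(elem.to_bytes(32, "big")).digest()

def keygen():
    """Extended key pair: private exponent a, public element g^a."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)

def static_keyid(pub: int) -> bytes:
    """KeyID-style label: a hash of the public key, identical in every message."""
    return H(pub)[-8:]

def encrypt_labels(recipient_pubs, payloads):
    """Sender: pick one fresh r, publish g^r, label each component H(g^{ar})."""
    r = secrets.randbelow(P - 2) + 1
    gr = pow(G, r, P)
    components = [(H(pow(pub, r, P)), body)
                  for pub, body in zip(recipient_pubs, payloads)]
    random.SystemRandom().shuffle(components)   # component order reveals nothing
    return gr, dict(components)

def find_component(priv_a: int, gr: int, components: dict):
    """Recipient: one exponentiation, one hash, one lookup; None if not addressed."""
    return components.get(H(pow(gr, priv_a, P)))
```

Two ciphertexts for the same recipient set carry unrelated labels because r is fresh each time, whereas `static_keyid` returns the same value for every message sent to that key.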

19
Efficient CCA Construction
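[Diagram: signed ciphertext including g^r; components labeled H(g^{br}), H(g^{ar}), H(g^{cr}) carry vk, g^{br} / g^{ar} / g^{cr}, and K, encrypted under pk(B), pk(A), pk(C); message M encrypted under K]
  • Thm: CCA recipient private (in RO model)
  • O(1) cryptographic operations for decryption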

20
Conclusions
  • Many widely-deployed content distribution systems
    lack recipient privacy
  • Email and encrypted file systems
  • Introduced private broadcast encryption
  • Recipient privacy against an active attacker
  • Performance similar to non-private schemes
  • Open problem: private broadcast encryption with
    shorter ciphertext

21
Questions?
22
Broadcast Semantics of Email
23
BCC privacy in S/MIME
  • S/MIME label is the RecipientInfo field.
  • Label consists of the issuer and serial number of
    the recipient's certificate
  • Self-signed certificate
  • Full name and email address in the clear
    444:d=9  hl=2 l=   3 prim: OBJECT            :commonName
    449:d=9  hl=2 l=  11 prim: PRINTABLESTRING   :Henry Kyser
    462:d=7  hl=2 l=  32 cons: SET
    464:d=8  hl=2 l=  30 cons: SEQUENCE
    466:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
    477:d=9  hl=2 l=  17 prim: IA5STRING         :h9565_at_hotmail.com
  • VeriSign certificate identity at verisign.com

24
BCC Privacy by User Agent
Columns: Completely Exposes / Partially Reveals / Protects Identity
S/MIME-based: Apple Mail.app 2.622, Outlook 2003, Outlook Express 6, Thunderbird 1.02, Outlook Web Access
PGP-based: EudoraGPG 2.0, GPGshell 3.42, Hushmail, KMail 1.8, PGP Desktop 9.0, Turnpike 6.04
25
Sending Separate Encryptions
  • Sending separate encryptions provides BCC privacy
  • Advantages of separate encryptions
  • Can be deployed immediately and unilaterally
  • Conceals the number (and existence of) BCC
    recipients
  • Disadvantages of separate encryptions
  • Difficult to implement for MUA plug-ins such as
    EudoraGPG
  • Increases MTA workload and network traffic