Slide transcript, Carleton University: people.scs.carleton.ca/~maheshwa/courses/4109/seminar11/...
Identity-Based Cryptography
for Grid Security
COMP 4109
Cai Yangyang
2011/03/24
Computational grid environment
Definition of Computational Grid
• The term was first used in the mid-1990s to denote a distributed computing infrastructure for advanced science and engineering applications.
• Foster and Kesselman, 1990:
– A computational grid is a hardware and software infrastructure that provides dependable, consistent, pervasive and inexpensive access to high-end computational capabilities.
Cousins of Grid Computing
• Parallel Computing
• Distributed Computing
• Peer-to-Peer Computing
• Many others: Cluster Computing, Network Computing, Client/Server Computing, Internet Computing, etc.
Grid Security
• Grid security requirements:
– Entity authentication
• Several types of entities, e.g. individual users and resource/service providers.
– Single sign-on
• Log on once but authenticate to multiple resources.
– Delegation
• Achieve unattended authentication, allowing an intermediate party to act on the user's behalf.
– Others: integration and inter-operability, policy management, trust relationships, user privacy, etc.
Existing Security Technologies for Grid
• Public Key Infrastructure (PKI)
• Proxy Certificates
• Transport Layer Security (TLS)
• The RSA Cryptosystem
The RSA Cryptosystem
• In setting up an RSA cryptosystem, each user performs the following steps to generate his public/private key pair:
– Generate two large distinct random primes p and q.
– Compute N = pq and φ(N) = (p - 1)(q - 1).
– Select a random integer e, where 1 < e < φ(N) and gcd(e, φ(N)) = 1, where gcd denotes the greatest common divisor.
– Compute the unique integer d such that ed ≡ 1 (mod φ(N)) and 1 < d < φ(N).
– The public key is (N, e) and the private key is d.
The RSA Cryptosystem
• In practical applications, it is common to choose a small public exponent for the public key.
• With the typical modular exponentiation algorithms used to implement the RSA algorithm:
– public key operations take O(k²) steps
– private key operations take O(k³) steps
– key generation takes O(k⁴) steps
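The key-generation steps from the previous slide, run end to end, as an added example that is not part of the seminar slides. It follows the slide's order (p, q → N, φ(N) → e with gcd(e, φ(N)) = 1 → d = e⁻¹ mod φ(N)) and uses the small fixed public exponent 65537 that practical deployments prefer; the Miller-Rabin routine, the function names and the `rsa_from_primes` helper (which also accepts the textbook p = 61, q = 53, e = 17 key for a hand-checkable result) are this example's own choices, not something the slides specify.

```python
import random
from math import gcd

rng = random.SystemRandom()   # OS entropy; the default `random` generator is not suitable for keys

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a composite n slips through with probability below 4^-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random probable prime with the top bit set, so p*q has about 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_from_primes(p, q, e):
    """Slide steps after prime generation: N = pq, phi(N) = (p-1)(q-1),
    require 1 < e < phi(N) with gcd(e, phi(N)) = 1, then d = e^-1 mod phi(N)."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    d = pow(e, -1, phi)          # the unique d with e*d = 1 (mod phi(N)), 1 < d < phi(N)
    return (n, e), d

def rsa_keygen(bits=1024, e=65537):
    """Key generation with a fixed small public exponent, the common practical choice:
    rather than drawing e at random, draw p and q again whenever gcd(e, phi(N)) != 1
    (with e prime this only happens when e divides p-1 or q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_from_primes(p, q, e)

def rsa_public_op(pub, x):
    """Public-key operation (encrypt or verify): cheap because e has few bits."""
    n, e = pub
    return pow(x, e, n)

def rsa_private_op(d, n, y):
    """Private-key operation (decrypt or sign): d is as long as N, hence the higher cost."""
    return pow(y, d, n)

def roundtrip(bits=1024, e=65537):
    """Generate a key pair, encrypt a random block and check that decryption recovers it."""
    (n, e), d = rsa_keygen(bits, e)
    m = rng.randrange(2, n - 1)
    return rsa_private_op(d, n, rsa_public_op((n, e), m)) == m

if __name__ == "__main__":
    print(rsa_from_primes(61, 53, 17), roundtrip())
```

Running the file prints the textbook key `((3233, 17), 2753)` followed by `True`. The retry-on-gcd loop in `rsa_keygen` is what makes a fixed small e safe to use: the slide's condition gcd(e, φ(N)) = 1 is still enforced, it is just satisfied by re-drawing the primes instead of re-drawing e.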
Identity-Based Cryptography (IBC)
A short history:
• Shamir (1984) devised only an ID-based signature scheme.
• The construction of a truly practical and secure ID-based encryption scheme remained an open problem until 2001.
• Sakai, Ohgishi and Kasahara (SCIS, Jan. 2001).
• Boneh and Franklin (CRYPTO, Aug. 2001).
– Practical and provably secure.
– Uses elliptic curve cryptography and pairings on elliptic curves.
• Cocks' scheme (IMA C&C, Dec. 2001).
– Scheme based on quadratic residuosity, not bandwidth efficient.
– Research done in the mid 1990s at a UK government agency.
Basic idea of IBC
Original idea due to Shamir (1984):
• Public keys derived directly from system identities (e.g. an e-mail address or IP address).
• Private keys generated and distributed to users by a trusted authority (TA) who has a master key.
• As long as:
– Bob is sure of Alice's identity, and
– the TA has given the private key to the right entity,
then Bob can safely encrypt to Alice without consulting a directory and without checking a certificate.
Basic idea of IBC
Reality of IBC
Mathematical Preliminaries
• Let G1 and G2 be two cyclic groups of large prime order p, and let e : G1 × G1 → G2.
• (1) Bilinear map
– For all x, y ∈ G1 and all a, b ∈ Zp: e(ax, by) = e(x, y)^(ab)
Math Background
• (2) Non-degenerate
– There exists an x ∈ G1 such that e(x, x) ≠ 1.
• (3) Computable
– Computing e(x, y) for any x, y ∈ G1 is efficient.
The Gentry-Silverberg HIBE & HIBS
• Hierarchical identity-based cryptography (HIBC) and signature (HIBS).
– Gentry and Silverberg (2002)
– Eases the private key distribution problem and improves scalability of the Boneh-Franklin IBE scheme.
– Root Private Key Generator (PKG) is only required to produce private keys for domain-level PKGs.
HIBE & HIBS schemes(1)
• ROOT SETUP: The root PKG chooses a generator P0 ∈ G1, picks a random s0 ∈ Zq*, and sets Q0 = s0P0. It also selects cryptographic hash functions H1 : {0,1}* → G1, H2 : G2 → {0,1}^n for some n, and H3 : {0,1}* → G1. The root PKG's master secret key is s0 and the system parameters are <G1, G2, e, P0, Q0, H1, H2, H3>.
• LOWER-LEVEL SETUP: A lower-level entity (lower-level PKG or user) at level t picks a random st ∈ Zq*, which it keeps secret.
HIBE & HIBS schemes(2)
• EXTRACT: For an entity at level t with ID-tuple <ID1,…,IDt>, where <ID1,…,IDi> is the ID-tuple of the entity's ancestor at level i (1 ≤ i ≤ t), the entity's parent computes Pt = H1(ID1,…,IDt) ∈ G1, sets the secret point St to be Σ_{i=1}^{t} s_{i-1}Pi, and defines the Q-values as Qi = siP0 for 1 ≤ i ≤ t - 1.
• ENCRYPT: Given a message m and the ID-tuple <ID1,…,IDt>, the message can be encrypted by first computing Pi = H1(ID1,…,IDi) ∈ G1 for 1 ≤ i ≤ t, then choosing a random r ∈ Zq; the ciphertext is set to:
where in which its value can be pre-computed.
HIBE & HIBS schemes(3)
• DECRYPT: Given a ciphertext <U0, U2, …, Ut, V> encrypted using the ID-tuple <ID1,…,IDt>, the ciphertext can be decrypted by computing:
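The bilinear-map properties from the "Mathematical Preliminaries" slides and the ROOT SETUP / LOWER-LEVEL SETUP / EXTRACT / ENCRYPT / DECRYPT algorithms above, run on a toy pairing, as an added example that is not part of the slides. The transcript omits the ciphertext and decryption formulas; this example uses the Gentry-Silverberg ones (U0 = rP0, Ui = rPi for i = 2..t, V = m ⊕ H2(e(Q0, P1)^r), and m = V ⊕ H2(e(U0, St) / Π_{i=2..t} e(Q_{i-1}, Ui))). The pairing itself is a constructed stand-in: G1 is (Z_q, +), G2 is an order-q subgroup of Z_p^*, and e(x, y) = g^(xy) mod p, which satisfies the three properties on the slides but offers no security because discrete logarithms in Z_q are trivial. The group size q, the identifier strings, the dictionary layout and the function names are all this example's own assumptions.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for this example (it is NOT an elliptic-curve pairing):
#   G1 = (Z_q, +) with generator P0 = 1 and scalar multiplication a*x mod q,
#   G2 = <g>, an element of multiplicative order q modulo p = k*q + 1,
#   e(x, y) = g^(x*y) mod p, so e(ax, by) = e(x, y)^(ab), e(P0, P0) = g != 1, and e is cheap.
# Discrete logs in Z_q are trivial, so this instance has no security; it only runs the algebra.
q = 1000003                                   # prime group order (constructed choice)

def _order_q_element(q):
    """Smallest k for which g = 2^k mod (k*q + 1) has multiplicative order exactly q."""
    k = 2
    while True:
        p, g = k * q + 1, pow(2, k, k * q + 1)
        if g != 1 and pow(g, q, p) == 1:        # q prime, g != 1, g^q = 1  =>  order q
            return p, g
        k += 1

p, g = _order_q_element(q)
P0 = 1                                         # generator of G1

def pair(x, y):
    return pow(g, (x * y) % q, p)

def H1(ids):
    """H1: {0,1}* -> G1 on an ID-tuple <ID1,...,IDt>; repr() keeps tuple boundaries unambiguous."""
    return int.from_bytes(hashlib.sha256(repr(tuple(ids)).encode()).digest(), "big") % q or 1

def H2(z):
    """H2: G2 -> {0,1}^256, used here as a one-time pad for messages of at most 32 bytes."""
    return hashlib.sha256(z.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def root_setup():
    """ROOT SETUP: master secret s0; the root is the level-0 entity (S = 0, no Q-values yet)."""
    return {"ids": (), "s": secrets.randbelow(q - 1) + 1, "S": 0, "Q": []}

def public_params(root):
    return {"P0": P0, "Q0": root["s"] * P0 % q}  # G1, G2, e, H1, H2 are the module globals

def extract(parent, ids):
    """EXTRACT by the parent (level t-1) for <ID1,...,IDt>, then the child's LOWER-LEVEL SETUP:
    S_t = S_{t-1} + s_{t-1} P_t = sum_{i=1..t} s_{i-1} P_i, a fresh secret s_t,
    and the Q list <Q0, ..., Q_{t-1}> with Q_i = s_i P0."""
    assert tuple(ids[:-1]) == parent["ids"], "parent must be the direct ancestor"
    S_t = (parent["S"] + parent["s"] * H1(ids)) % q
    return {"ids": tuple(ids), "s": secrets.randbelow(q - 1) + 1,
            "S": S_t, "Q": parent["Q"] + [parent["s"] * P0 % q]}

def encrypt(pp, ids, msg):
    """ENCRYPT to <ID1,...,IDt> from the public parameters and the identifier alone."""
    t = len(ids)
    P = [H1(ids[:i]) for i in range(1, t + 1)]           # P_i = H1(ID1,...,IDi)
    r = secrets.randbelow(q - 1) + 1
    U0 = r * pp["P0"] % q
    U = {i: r * P[i - 1] % q for i in range(2, t + 1)}   # U_i = r P_i for i = 2..t (no U_1)
    g_id = pair(pp["Q0"], P[0])                          # e(Q0, P1): fixed per recipient, precomputable
    return U0, U, _xor(msg, H2(pow(g_id, r, p)))         # V = M xor H2(e(Q0, P1)^r)

def decrypt(ent, ct):
    """DECRYPT: e(U0, S_t) / prod_{i=2..t} e(Q_{i-1}, U_i) equals e(Q0, P1)^r by bilinearity."""
    U0, U, V = ct
    den = 1
    for i in range(2, len(ent["ids"]) + 1):
        den = den * pair(ent["Q"][i - 1], U[i]) % p
    return _xor(V, H2(pair(U0, ent["S"]) * pow(den, -1, p) % p))

def bilinear_holds(a, b, x, y):
    """Property (1) from the slides: e(ax, by) == e(x, y)^(ab)."""
    return pair(a * x % q, b * y % q) == pow(pair(x, y), (a * b) % q, p)

def demo(msg=b"grid job token #42"):
    """Root -> domain TA (level 1) -> Alice (level 2) -> Alice's proxy (level 3)."""
    root = root_setup()
    pp = public_params(root)
    ta = extract(root, ("C=UK/O=eScience",))
    alice = extract(ta, ta["ids"] + ("OU=RHUL/CN=Alice/Y=2011",))
    proxy = extract(alice, alice["ids"] + ("P=proxy/Y=2011/M=March",))
    ct = encrypt(pp, proxy["ids"], msg)                  # sender needs no certificate lookup
    bob = extract(ta, ta["ids"] + ("OU=RHUL/CN=Bob/Y=2011",))
    bob_proxy = extract(bob, bob["ids"] + ("P=proxy/Y=2011/M=March",))
    return decrypt(proxy, ct) == msg, decrypt(bob_proxy, ct) != msg

if __name__ == "__main__":
    print(demo())
```

The point the algebra makes: the sender only ever touches <P0, Q0> and the recipient's identifier string, while the recipient cancels every ancestor's contribution with the public Q-values, so the root secret s0 is the only thing that ties the chain together. Because e(Q0, P1) depends only on the level-1 identifier, a sender that talks to one domain repeatedly can cache it, which is the pre-computation the slide refers to.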
Design of IKIG (Identity-Based Key Infrastructure for Grid)
Single sign-on:
• Password unlocks user (level 2) private key.
• User (level 2) can then create private key for user proxy (level 3).
• Level 3 identifier encodes validity period for proxy.
• Level 3 identifiers can be parsed by resources when checking proxy signatures and making access control decisions.
Delegation
• User proxy combines user proxy identifier, resource identifier, validity period and delegated privileges to create identifier for delegated resource (level 4).
– Identifier acts as a form of delegation token.
• User proxy transports private key matching identifier to resource, e.g. using a shared session key.
• Resource can now use private key to verify that it has received delegated rights from user proxy.
Delegation
Identity-Based Key Infrastructure
for Grid
Key Generation:
• When a new grid user Alice (A) goes to a nearby RA, the RA performs the following steps:
– 1. The RA verifies A's identity by checking her password. Once the check succeeds, the RA compares A's identity with its global identity list and subsequently assigns her a distinguished IDA ∈ {0,1}*. The identifier is in the form of:
/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011
Key Generation
• 2. The RA generates A's long-term private key as SA = s0PA, where PA = H1(IDA) is the matching long-term public key. The long-term credential for A and her TA's system parameters, which have been signed by the root TA, are distributed to her through a temporary storage medium, e.g. a floppy disk.
Key Generation
• 3. A performs the LOWER-LEVEL SETUP algorithm of the Gentry-Silverberg HIBE (or HIBS) scheme to pick a random sA ∈ Zq*, which she will keep secret. She then defines her Q-values as (Q0 = s0P0, QA = sAP0).
Key update and revocation
Key update:
• User long-term keys can be updated on a yearly basis.
– Encode year as part of user identifier.
/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011
• Update requires secure channel from TA to user.
– Can use existing user public key to encrypt new private key.
Key revocation:
• We can use finer-grained identifiers for more regular automated revocation:
/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011/A=April
• However, if this is still not sufficient, existing PKI revocation mechanisms such as CRLs and OCSP can be used.
• Default lifetime for short-term keys in GSI is 12 hours.
– Mimic this by including expiry periods in all proxy identifiers.
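The IKIG flow described on the preceding slides (password-unlocked user key at level 2, a level-3 proxy whose identifier carries its validity period, a level-4 delegation token checked by the resource, and expiry-by-identifier with the 12-hour GSI lifetime), run end to end as an added example that is not part of the slides or of the IKIG design itself. Signatures use the Gentry-Silverberg HIBS algorithms (Sig = St + st·H3(ID-tuple, m), verified against e(Q0, P1)·Π e(Q_{i-1}, Pi)·e(Qt, P_M)), which the slides name but do not spell out, over the same constructed toy pairing as before (G1 = (Z_q, +), e(x, y) = g^(xy) mod p; no security, algebra only). The `NB=`/`NA=` and `PRIV=` identifier fields, the PBKDF2-plus-HMAC password lock, the group size q and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Toy symmetric pairing, constructed for this example (NOT an elliptic-curve pairing): G1 = (Z_q, +)
# with P0 = 1, G2 = <g> of multiplicative order q mod p, e(x, y) = g^(x*y) mod p. No security, algebra only.
q = 1000003                                             # prime (constructed choice)
def _order_q_element(q):
    k = 2
    while True:                                         # q prime: g != 1 and g^q = 1 give order q
        p, g = k * q + 1, pow(2, k, k * q + 1)
        if g != 1 and pow(g, q, p) == 1:
            return p, g
        k += 1
p, g = _order_q_element(q)
P0 = 1
def pair(x, y): return pow(g, (x * y) % q, p)
def _to_G1(data): return int.from_bytes(hashlib.sha256(data).digest(), "big") % q or 1
def H1(ids): return _to_G1(repr(tuple(ids)).encode())               # public key of an ID-tuple
def H3(ids, msg): return _to_G1(repr((tuple(ids), msg)).encode())   # HIBS message point P_M

def extract(parent, ids):
    """Gentry-Silverberg EXTRACT + LOWER-LEVEL SETUP: S_t = S_{t-1} + s_{t-1} P_t, a fresh s_t,
    and the public Q list <Q0, ..., Q_{t-1}> with Q_i = s_i P0."""
    return {"ids": tuple(ids), "S": (parent["S"] + parent["s"] * H1(ids)) % q,
            "s": secrets.randbelow(q - 1) + 1, "Q": parent["Q"] + [parent["s"] * P0 % q]}

def _ancestors(ids, Q):
    """e(Q0, P1) * prod_{i=2..t} e(Q_{i-1}, P_i), with P_i = H1(ID1,...,IDi) and Q[0] = Q0."""
    acc = pair(Q[0], H1(ids[:1]))
    for i in range(2, len(ids) + 1):
        acc = acc * pair(Q[i - 1], H1(ids[:i])) % p
    return acc

def key_is_valid(ent):
    """What the receiver of a private key can check: e(P0, S_t) == e(Q0, P1) * prod e(Q_{i-1}, P_i)."""
    return pair(P0, ent["S"]) == _ancestors(ent["ids"], ent["Q"])
def sign(ent, msg):
    """HIBS SIGN: Sig = S_t + s_t * H3(ID-tuple, msg), shipped with <Q1, ..., Qt> (Qt = s_t P0)."""
    return (ent["S"] + ent["s"] * H3(ent["ids"], msg)) % q, ent["Q"][1:] + [ent["s"] * P0 % q]

def verify(Q0, ids, msg, sig):
    """HIBS VERIFY: e(P0, Sig) == e(Q0, P1) * prod_{i=2..t} e(Q_{i-1}, P_i) * e(Qt, P_M)."""
    S, Qs = sig
    Q = [Q0] + Qs
    return pair(P0, S) == _ancestors(ids, Q) * pair(Q[len(ids)], H3(ids, msg)) % p

def lock(S, password, salt):
    """Long-term key at rest: masked with a PBKDF2-derived key and protected by an HMAC tag."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    blob = bytes(a ^ b for a, b in zip(S.to_bytes(4, "big"), k[:4]))
    return blob + hmac.new(k[16:], blob, "sha256").digest()
def unlock(locked, password, salt):
    """Returns S for the right password and None otherwise (the tag check fails)."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    blob, tag = locked[:4], locked[4:]
    if not hmac.compare_digest(tag, hmac.new(k[16:], blob, "sha256").digest()):
        return None
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, k[:4])), "big")

def fields(level):
    """Parse one identifier level, e.g. 'P=proxy/NB=2011-03-24T09:00/NA=2011-03-24T21:00'."""
    return dict(part.split("=", 1) for part in level.split("/"))

def resource_accepts(Q0, ids, msg, sig, now):
    """Resource side: every level from the proxy (level 3) down must be inside its NB..NA window
    and the HIBS signature must verify from the public parameters alone, with no certificate."""
    for level in ids[2:]:
        f = fields(level)
        if not datetime.fromisoformat(f["NB"]) <= now <= datetime.fromisoformat(f["NA"]):
            return False
    return verify(Q0, ids, msg, sig)

def demo(now=datetime(2011, 3, 24, 9, 0), password="correct horse battery"):
    root = {"ids": (), "S": 0, "s": secrets.randbelow(q - 1) + 1, "Q": []}
    Q0 = root["s"] * P0 % q
    ta = extract(root, ("C=UK/O=eScience",))
    alice = extract(ta, ta["ids"] + ("OU=RHUL/CN=Alice/Y=2011",))
    salt = secrets.token_bytes(16)
    locked = lock(alice["S"], password, salt)              # credential handed over by the RA
    r = {"wrong_password_rejected": unlock(locked, "wrong", salt) is None}
    user = {**alice, "S": unlock(locked, password, salt)}  # single sign-on: one password unlock
    r["unlocked_key_valid"] = key_is_valid(user)
    fmt = "%Y-%m-%dT%H:%M"
    window = "NB=%s/NA=%s" % (now.strftime(fmt), (now + timedelta(hours=12)).strftime(fmt))
    proxy = extract(user, user["ids"] + ("P=proxy/" + window,))   # level 3, 12-hour lifetime
    req = b"submit job 17"
    sig = sign(proxy, req)
    r["proxy_request_accepted"] = resource_accepts(Q0, proxy["ids"], req, sig, now + timedelta(hours=1))
    r["expired_proxy_rejected"] = not resource_accepts(Q0, proxy["ids"], req, sig, now + timedelta(hours=13))
    r["altered_request_rejected"] = not resource_accepts(Q0, proxy["ids"], b"submit job 18", sig, now)
    token = proxy["ids"] + ("R=compute-01/PRIV=read/" + window,)   # level-4 delegation token
    res_key = extract(proxy, token)                                 # sent to the resource over a secure channel
    r["resource_holds_delegated_key"] = key_is_valid(res_key)
    widened = token[:-1] + (token[-1].replace("PRIV=read", "PRIV=write"),)
    r["widened_token_detected"] = not key_is_valid({**res_key, "ids": widened})
    return r
```

`demo()` returns a dictionary in which every entry is `True`. Two checks carry the security argument of the slides: a resource never needs a certificate, because the validity window is parsed straight out of the level-3 identifier and the signature verifies against the public parameters; and a delegated private key is bound to the exact identifier string it was extracted for, so a resource that was handed a key for `PRIV=read` cannot present it as authority for `PRIV=write` (the `key_is_valid` check fails on the altered tuple).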
Performance Analysis
• Assumptions:
– CA's certificates and TA's system parameters are pre-distributed.
– Size of standard certificate = 1.5 kilobytes (12 kilobits) (RSA public key, modulus, signature, excluding subject, issuer, validity period).
– Size of proxy certificate = 0.8 kilobytes (6.4 kilobits).
– An encrypted or a signed message with a short-term RSA key is 512 bits in size, assuming the length of the message is smaller than the 512-bit block size.
– Selection of ID-based components to give roughly the same security as 1024-bit RSA.
• Two categories:
– Computational costs
– Communication costs
• We will compare the GSI & proposed IKIG systems.
Communication costs
• The communication cost for the GSI is estimated to be 2(12) + 2(6.4) + 2(0.512) = 37.8 kilobits, since there are two public key certificates, two proxy certificates, one encrypted pre-master secret key and one signed message being transmitted over the network.
Computational costs
• GSI:
– Single sign-on: 1 key generation
– Delegation: 1 key generation, 1 modular exponentiation (encryption), 2 modular exponentiations (decryption)
• ID-based GSI:
– Single sign-on: 1 key generation (point multiplication)
– Delegation: 1 key generation, 1 point multiplication.
Computational costs
• Known optimisation techniques were used, e.g. small RSA public exponent, faster RSA decryption (CRT method) and eta pairing.
Benefits and Drawbacks
Benefits:
• Identity-based replication of existing grid security features.
• Certificate-free
Drawbacks:
• Inherent escrow may be a problem in commercially-oriented grid environments.
– But MyProxy already in wide-spread use!
• Distribution of private keys to users/resources
Some Future Works
• Detailed comparison of computation and bandwidth requirements.
– Pure ID-PKC versus hybrid approach versus pure PKI.
– Can certificateless PKC offer something extra?
• Can we exploit aggregate signatures to make multiple delegations easier?
– Efficient ID-based aggregate signature scheme?
– Mixed scheme allowing aggregation of ID-based and short signatures?
References
• I. Foster, C. Kesselman, and S. Tuecke. The anatomy of the Grid: Enabling scalable virtual organizations. International Journal of High Performance Computing Applications, 15(3):200-222, 2001.
• P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott. Efficient algorithms for pairing-based cryptosystems. In M. Yung, editor, Advances in Cryptology – Proceedings of CRYPTO 2002, pages 354-368. Springer-Verlag LNCS 2442, 2002.
• W. Mao. An Identity-based Non-interactive Authentication Framework for Computational Grids. HP Labs, Technical Report HPL-2004-96, June 2004. Available at http://www.hpl.hp.com/techreports/2004/HPL-2004-96.pdf.
• Hoon Wei Lim. On the Application of Identity-Based Cryptography in Grid Security. Information Security Group, 2006.
• I.F. Blake, G. Seroussi, and N.P. Smart, editors. Elliptic Curve Cryptography. Cambridge University Press, LMS 265, Cambridge, 1999.
Quiz
• 1. What are the three main grid security requirements?
• 2. With the typical modular exponentiation algorithms used to implement the RSA algorithm, what is the running time of key generation?
• 3. Who was the first person to introduce Identity-Based Cryptography (IBC)?
• 4. What is the equation for a bilinear map?
• 5. What is the size of a proxy certificate when we refer to communication costs?