1. grid security - carleton universitypeople.scs.carleton.ca/~maheshwa/courses/4109/seminar11/...•...

Identity-Based Cryptography for Grid Security COMP 4109 Cai Yangyang 2011/03/24


Page 1

Identity-Based Cryptography

for Grid Security

COMP 4109

Cai Yangyang

2011/03/24

Page 2

Computational grid environment

Page 3

Definition of Computational Grid

• First used in the mid-1990s to denote a distributed computing infrastructure for advanced science and engineering applications.

• Foster and Kesselman, 1990:

– A computational grid is a hardware and software infrastructure that provides dependable, consistent, pervasive and inexpensive access to high-end computational capabilities.

Page 4

Cousins of Grid Computing

• Parallel Computing

• Distributed Computing

• Peer-to-Peer Computing

• Many others: Cluster Computing, Network Computing, Client/Server Computing, Internet Computing, etc.

Page 5

Grid Security

• Grid security requirements:

– Entity authentication

• Several types of entities, e.g. individual users, resource/service providers.

– Single sign-on

• Log on once but authenticate to multiple resources.

– Delegation

• Achieve unattended authentication, allowing an intermediate party to act on the user's behalf.

– Others: integration and inter-operability, policy management, trust relationships, user privacy, etc.

Page 6

Existing Security Technologies for Grid

• Public Key Infrastructure (PKI)

• Proxy Certificates

• Transport Layer Security (TLS)

• The RSA Cryptosystem

Page 7

The RSA Cryptosystem

• In setting up an RSA cryptosystem, each user performs the following steps to generate his public/private key pair:

– Generate two large distinct random primes p and q.

– Compute N = pq and φ(N) = (p - 1)(q - 1).

– Select a random integer e, where 1 < e < φ(N) and gcd(e, φ(N)) = 1, where gcd denotes the greatest common divisor.

– Compute the unique integer d such that ed ≡ 1 (mod φ(N)) and 1 < d < φ(N).

– The public key is (N, e) and the private key is d.

Page 8

The RSA Cryptosystem

• In practical applications, it is common to choose a small public exponent for the public key.

• With the typical modular exponentiation algorithms used to implement the RSA algorithm (k = bit length of the modulus):

– public key operations take O(k²) steps

– private key operations take O(k³) steps

– key generation takes O(k⁴) steps

Page 9

Identity-Based Cryptography (IBC)

A short history:

• Shamir (1984) devised only an ID-based signature scheme.

• Construction of a truly practical and secure ID-based encryption scheme was an open problem until 2001.

• Sakai, Ohgishi and Kasahara (SCIS, Jan. 2001).

• Boneh and Franklin (CRYPTO, Aug. 2001).

– Practical and provably secure.

– Uses elliptic curve cryptography and pairings on elliptic curves.

• Cocks' scheme (IMA C&C, Dec. 2001).

– Scheme based on quadratic residuosity, not bandwidth efficient.

– Research done in the mid 1990s at a UK government agency.

Page 10

Basic idea of IBC

Original idea due to Shamir (1984):

• Public keys derived directly from system identities (e.g. an e-mail address or IP address).

• Private keys generated and distributed to users by a trusted authority (TA) who holds a master key.

• As long as:

– Bob is sure of Alice's identity, and

– the TA has given the private key to the right entity,

then Bob can safely encrypt to Alice without consulting a directory and without checking a certificate.

Page 11

Basic idea of IBC

Page 12

Reality of IBC

Page 13

Mathematical Preliminaries

• Let G1 and G2 be two cyclic groups of large prime order p, and e: G1 × G1 → G2.

• (1) Bilinear Map

– For all x, y ∈ G1 and for all a, b ∈ Zp:

e(ax, by) = e(x, y)^(ab)

Page 14

Math Background

• (2) Non-Degenerate

– There exists an x ∈ G1 such that e(x, x) ≠ 1.

• (3) Computable

– Computing e(x, y) for any x, y ∈ G1 is efficient.

Page 15

The Gentry-Silverberg HIBE & HIBS

• Hierarchical identity-based cryptography (HIBC) and signature (HIBS).

– Gentry and Silverberg (2002)

– Eases the private key distribution problem and improves scalability of the Boneh-Franklin IBE scheme.

– The root Private Key Generator (PKG) is only required to produce private keys for domain-level PKGs.

Page 16

HIBE & HIBS schemes (1)

• ROOT SETUP: The root PKG chooses a generator P0 ∈ G1, picks a random s0 ∈ Zq*, and sets Q0 = s0P0. It also selects cryptographic hash functions H1 : {0,1}* → G1, H2 : G2 → {0,1}^n for some n, and H3 : {0,1}* → G1. The root PKG's master secret key is s0 and the system parameters are <G1, G2, e, P0, Q0, H1, H2, H3>.

• LOWER-LEVEL SETUP: A lower-level entity (lower-level PKG or user) at level t picks a random st ∈ Zq*, which it keeps secret.

Page 17

HIBE & HIBS schemes (2)

• EXTRACT: For an entity at level t with ID-tuple <ID1, …, IDt>, where <ID1, …, IDi> is the ID-tuple of the entity's ancestor at level i (1 ≤ i ≤ t), the entity's parent computes Pt = H1(ID1, …, IDt) ∈ G1, sets the secret point St = Σ_{i=1}^{t} s_{i-1}P_i (i.e. St = S_{t-1} + s_{t-1}Pt), and defines the Q-values as Qi = siP0 for 1 ≤ i ≤ t - 1.

• ENCRYPT: Given a message m and the ID-tuple <ID1, …, IDt>, the message can be encrypted by first computing Pi = H1(ID1, …, IDi) ∈ G1 for 1 ≤ i ≤ t, then choosing a random r ∈ Zq, and the ciphertext is set to:

where in which its value can be pre-computed.

Page 18

HIBE & HIBS schemes (3)

• DECRYPT: Given a ciphertext <U0, U2, …, Ut, V> encrypted using the ID-tuple <ID1, …, IDt>, the ciphertext can be decrypted by computing:
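The bilinearity property and the ROOT SETUP, LOWER-LEVEL SETUP, EXTRACT, ENCRYPT and DECRYPT steps of the preceding slides, run end to end over the root → TA → user → proxy hierarchy that the IKIG slides describe; this is an added example, not code from the slides or from Gentry and Silverberg. The encryption and decryption formulas are those of Gentry and Silverberg's BasicHIDE (U0 = rP0, Ui = rPi for 2 ≤ i ≤ t, V = m ⊕ H2(e(Q0, P1)^r); decryption divides e(U0, St) by the product of e(Q_{i-1}, Ui)), which the transcript omits; the groups, generator and hash functions are assumed toy stand-ins (G1 = Z_Q under addition, G2 a subgroup of Z_P^*) chosen so the algebra can be checked by hand, so the code shows why a holder of St can decrypt and derive level-(t+1) keys without the root, and offers no security at all.

```python
import hashlib
import secrets

# Constructed toy parameters, NOT secure: G1 is Z_Q under addition (so "scalar a times
# point x" is a*x mod Q and discrete logs are trivial); G2 is the order-Q subgroup of
# Z_P^* generated by G, with Q | P-1. Only the algebra of the scheme is illustrated.
P, Q, G = 607, 101, 64          # 606 = 6 * 101 and 64 = 2^6 mod 607 has order 101
P0 = 1                          # generator of G1 chosen by the root PKG

def H1(id_tuple):
    """H1: {0,1}* -> G1, maps the ID-tuple <ID1,...,IDi> to a nonzero element."""
    h = hashlib.sha256("|".join(id_tuple).encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def H2(z):
    """H2: G2 -> {0,1}^256, the keystream for a one-time pad of up to 32 bytes."""
    return hashlib.sha256(z.to_bytes(4, "big")).digest()

def e(x, y):
    """Toy pairing e: G1 x G1 -> G2. Bilinear: e(ax, by) = e(x, y)^(ab); e(1, 1) = G != 1."""
    return pow(G, (x * y) % Q, P)

def root_setup():
    """ROOT SETUP: master secret s0; Q0 = s0*P0 is published as a system parameter."""
    return {"ids": (), "S": 0, "s": secrets.randbelow(Q - 1) + 1, "Q": []}

def extract(parent, child_id):
    """EXTRACT run by the level-(t-1) entity for its child, plus the child's LOWER-LEVEL SETUP.
    S_t = S_{t-1} + s_{t-1} P_t = sum_{i=1..t} s_{i-1} P_i; Q-values Q_0..Q_{t-1}, Q_i = s_i P0."""
    ids = parent["ids"] + (child_id,)
    St = (parent["S"] + parent["s"] * H1(ids)) % Q
    return {"ids": ids, "S": St, "s": secrets.randbelow(Q - 1) + 1,
            "Q": parent["Q"] + [parent["s"] * P0 % Q]}

def encrypt(Q0, ids, msg):
    """ENCRYPT to <ID1,...,IDt>: ciphertext <U0, U2, ..., Ut, V> with U_i = r P_i."""
    assert len(msg) <= 32, "toy pad is 32 bytes"
    t = len(ids)
    Pi = [H1(ids[:i]) for i in range(1, t + 1)]           # P_i = H1(ID1,...,IDi)
    r = secrets.randbelow(Q - 1) + 1
    U0 = r * P0 % Q
    U = [r * Pi[i - 1] % Q for i in range(2, t + 1)]
    mask = H2(pow(e(Q0, Pi[0]), r, P))                    # e(Q0, P1)^r; e(Q0, P1) is pre-computable
    return U0, U, bytes(m ^ k for m, k in zip(msg, mask))

def decrypt(entity, ct):
    """DECRYPT: V xor H2( e(U0, S_t) / prod_{i=2..t} e(Q_{i-1}, U_i) ); needs the secret point S_t."""
    U0, U, V = ct
    num = e(U0, entity["S"])
    den = 1
    for i, Ui in enumerate(U, start=2):
        den = den * e(entity["Q"][i - 1], Ui) % P
    mask = H2(num * pow(den, -1, P) % P)
    return bytes(v ^ k for v, k in zip(V, mask))
```

Note that `extract` never touches the root's secret: the user (level 2) derives the proxy's key (level 3) from her own St and st alone, which is the single sign-on property the IKIG slides rely on.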

Page 19

Design of IKIG (Identity-Based Key Infrastructure for Grid)

Single sign-on:

• Password unlocks user (level 2) private key.

• User (level 2) can then create private key for user proxy (level 3).

• Level 3 identifier encodes validity period for proxy.

• Level 3 identifiers can be parsed by resources when checking proxy signatures and making access control decisions.

Page 20

Delegation

• User proxy combines user proxy identifier, resource identifier, validity period and delegated privileges to create identifier for delegated resource (level 4).

– Identifier acts as a form of delegation token.

• User proxy transports private key matching identifier to resource, e.g. using a shared session key.

• Resource can now use private key to verify that it has received delegated rights from user proxy.

Page 21

Delegation

Page 22

Identity-Based Key Infrastructure for Grid

Key Generation:

• When a new grid user Alice (A) goes to a nearby RA, the RA performs the following steps:

– 1. The RA verifies A's identity by checking her password. Once the check succeeds, the RA compares A's identity with its global identity list and subsequently assigns her a distinguished IDA ∈ {0,1}*. The identifier is in the form of:

/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011

Page 23

Key Generation

• 2. The RA generates A's long-term private key as SA = s0PA, where PA = H1(IDA) is the matching long-term public key. The long-term credential for A and her TA's system parameters, which have been signed by the root TA, are distributed to her through a temporary storage medium, e.g. a floppy disk.

Page 24

Key Generation

• 3. A performs the LOWER-LEVEL SETUP algorithm of the Gentry-Silverberg HIBE (or HIBS) scheme to pick a random sA ∈ Zq*, which she will keep secret. She then defines her Q-values as (Q0 = s0P0, QA = sAP0).

Page 25

Key update and revocation

Key update:

• User long-term keys can be updated on a yearly basis.

– Encode year as part of user identifier:

/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011

• Update requires secure channel from TA to user.

– Can use existing user public key to encrypt new private key.

Key revocation:

• We can use finer-grained identifiers for more regular automated revocation:

/C=UK/O=eScience/OU=RHUL/CN=Alice/Y=2011/A=April

• However, if this is still not sufficient, existing PKI revocation mechanisms such as CRLs and OCSP can be used.

• Default lifetime for short-term keys in GSI is 12 hours.

– Mimic this by including expiry periods in all proxy identifiers.

Page 26

Performance Analysis

• Assumptions:

– CA's certificates and TA's system parameters are pre-distributed.

– Size of standard certificate = 1.5 kilobytes (12 kilobits) (RSA public key, modulus, signature; excluding subject, issuer, validity period).

– Size of proxy certificate = 0.8 kilobytes (6.4 kilobits).

– An encrypted or a signed message with a short-term RSA key is 512 bits in size, assuming the length of the message is smaller than the 512-bit block size.

– Selection of ID-based components to give roughly the same security as 1024-bit RSA.

• Two categories:

– Computational costs

– Communication costs

• We will compare the GSI & proposed IKIG systems.

Page 27

Communication costs

• The communication cost for the GSI is estimated to be 2(12) + 2(6.4) + 2(0.512) = 37.8 kilobits, since there are two public key certificates, two proxy certificates, one encrypted pre-master secret key and one signed message being transmitted over the network.

Page 28

Computational costs

• GSI:

– Single sign-on: 1 key generation

– Delegation: 1 key generation, 1 modular exponentiation (encryption), 2 modular exponentiations (decryption)

• ID-based GSI:

– Single sign-on: 1 key generation (point multiplication)

– Delegation: 1 key generation, 1 point multiplication.

Page 29

Computational costs

• Known optimisation techniques were used, e.g. small RSA public exponent, faster RSA decryption (CRT method) and eta pairing.

Page 30

Benefits and Drawbacks

Benefits:

• Identity-based replication of existing grid security features.

• Certificate-free

Drawbacks:

• Inherent escrow may be a problem in commercially-oriented grid environments.

– But MyProxy is already in widespread use!

• Distribution of private keys to users/resources

Page 31

Some Future Work

• Detailed comparison of computation and bandwidth requirements.

– Pure ID-PKC versus hybrid approach versus pure PKI.

– Can certificateless PKC offer something extra?

• Can we exploit aggregate signatures to make multiple delegations easier?

– Efficient ID-based aggregate signature scheme?

– Mixed scheme allowing aggregation of ID-based and short signatures?

Page 32

References

• I. Foster, C. Kesselman, and S. Tuecke. The anatomy of the Grid: Enabling scalable virtual organizations. International Journal of High Performance Computing Applications, 15(3):200-222, 2001.

• P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott. Efficient algorithms for pairing-based cryptosystems. In M. Yung, editor, Advances in Cryptology – Proceedings of CRYPTO 2002, pages 354-368. Springer-Verlag LNCS 2442, 2002.

• W. Mao. An Identity-based Non-interactive Authentication Framework for Computational Grids. HP Lab, Technical Report HPL-2004-96, June 2004. Available at http://www.hpl.hp.com/techreports/2004/HPL-2004-96.pdf.

• Hoon Wei Lim. On the Application of Identity-Based Cryptography in Grid Security. Information Security Group, 2006.

• I.F. Blake, G. Seroussi, and N.P. Smart, editors. Elliptic Curve Cryptography. Cambridge University Press, LMS 265, Cambridge, 1999.

Page 33

Quiz

• 1. What are the three main grid security requirements?

• 2. With the typical modular exponentiation algorithms used to implement the RSA algorithm, what is the running time of key generation?

• 3. Who was the first person to introduce Identity-Based Cryptography (IBC)?

• 4. What is the equation for a Bilinear Map?

• 5. What is the size of a proxy certificate when we refer to communication costs?