what is the problem with end-to-end encrypted communication?
TRANSCRIPT
![Page 1: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/1.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTIONRedirect end-to-end encrypted traffic
![Page 2: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/2.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
2IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 3: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/3.jpg)
SECURE SYSTEMS ENGINEERING GMBH 3IT SECURITY IS NOT BINARY
Bachelor in maths @ Freie UniversitΓ€t Berlin
Master in computer science @ Freie UniversitΓ€t Berlin
Master thesis on Proxy Re-Encryption and its uses for electronic mail boxes
Security Expert @ SSE
Who am I?
WHO AM I?
β Doppelkopf enthusiastβ Into crypto, sports and games
TEETJE STARK
![Page 4: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/4.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
4IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 5: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/5.jpg)
SECURE SYSTEMS ENGINEERING GMBH
MESSAGES DOCUMENTS INTELLECTUAL PROPERTY
COMPANY SECRETS INTERNAL STRUCTURE OF THE COMPANY
STRATEGIES PERSONAL DATA β¦
REASONS TO USE END-TO-END-ENCRYPTION (E2EE)
5IT SECURITY IS NOT BINARY
Confidentiality Integrity Authenticity Non-repudiationAnnoy
the NSA ;-)
![Page 6: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/6.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
6
STEP 1: I GO TO WORK
IT SECURITY IS NOT BINARY
![Page 7: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/7.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
7
STEP 2: I COMMUNICATE WITH A CLIENT VIA END-TO-END ENCRYPTION
IT SECURITY IS NOT BINARY
me my client
![Page 8: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/8.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
8
STEP 3: I GO ON VACATION
IT SECURITY IS NOT BINARY
![Page 9: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/9.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROBLEMS WITH E2EE
9IT SECURITY IS NOT BINARY
STEP 4: MY CLIENT WANTS TO TALK, BUT THE REPLACEMENT DOESNβT HAVE THE KEY
me my client
?
my replacement
![Page 10: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/10.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
10
JUST DONβT ENCRYPT
IT SECURITY IS NOT BINARY
![Page 11: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/11.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
11
SHARE ALL THE KEYS
IT SECURITY IS NOT BINARY
![Page 12: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/12.jpg)
SECURE SYSTEMS ENGINEERING GMBH
SOLUTIONS
12
IGNORE UNTIL IβM BACK
IT SECURITY IS NOT BINARY
![Page 13: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/13.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
13IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 14: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/14.jpg)
SECURE SYSTEMS ENGINEERING GMBH
β¦ βFORWARDINGβ (RE-ENCRYPTION) OF E2EE CIPHERTEXTS BY A SEMI-TRUSTED PROXY (E.G. MAIL SERVER)
PROXY RE-ENCRYPTION
14IT SECURITY IS NOT BINARY
SECUREEFFICIENTASYNCHRONUS
PROXY RE-ENCRYPTION IS A CRYPTOGRAPHIC PRIMITIVE THAT ALLOWS β¦
![Page 15: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/15.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mailserver
USUAL SETUP
15IT SECURITY IS NOT BINARY
Alice Bob
![Page 16: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/16.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mailserver
USUAL SETUP
16IT SECURITY IS NOT BINARY
Alice Bob
Charlie
Allow Re-Encryption to Charlie
![Page 17: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/17.jpg)
SECURE SYSTEMS ENGINEERING GMBH
USUAL SETUP
17IT SECURITY IS NOT BINARY
Alice Bob
Proxy
Re-Encryption
Charlie
![Page 18: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/18.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
18IT SECURITY IS NOT BINARY
Proxy never sees the plaintext
Only with permission of Bob can the proxy re-encrypt mails
Charlie cannot read Bobs mails without the proxies help
If either Bob or the Proxy are honest, only the messagesintended to be forwarded will be forwarded
β’ Time-boxed
β’ Could be based on additional attributesthat are not encrypted(better: attribute-based encryption)
In a company the semi-trusted mail server is a reasonable assumption
![Page 19: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/19.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
19IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 20: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/20.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
20IT SECURITY IS NOT BINARY
vs.CPA-SECURE CCA-SECURE
vs.UNIDIRECTIONAL BIDIRECTIONAL
vs.SINGLE-USE MULTI-USE
vs.WITHOUT MASTER SECRET SECURITY WITH MASTER SECRET SECURITY
![Page 21: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/21.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
21IT SECURITY IS NOT BINARY
re-encryptionkey can only
be used in one direction
re-encryptionkey can beused in bothdirections
vs.UNIDIRECTIONAL BIDIRECTIONAL
![Page 22: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/22.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
22IT SECURITY IS NOT BINARY
re-encryptioncan only bedone once
re-encryptioncan be donemultiple times
vs.SINGLE-USE MULTI-USE
![Page 23: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/23.jpg)
SECURE SYSTEMS ENGINEERING GMBH
THERE ARE MULTIPLE TYPES OF PROXY RE-ENCRYPTION
23IT SECURITY IS NOT BINARY
vs.CPA-SECURE CCA-SECURE
vs.UNIDIRECTIONAL BIDIRECTIONAL
vs.SINGLE-USE MULTI-USE
vs.WITHOUT MASTER SECRET SECURITY WITH MASTER SECRET SECURITY
![Page 24: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/24.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
24IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 25: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/25.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
25IT SECURITY IS NOT BINARY
What is the most useful attribute?
Unidirectionality
How is it (usually) achieved?
Bilinear maps
What are bilinear maps?
Bilinear maps are maps e: πΊ1 Γ πΊ2 β πΊ3, usually G β πΊ1 = πΊ2, with πΊπ cyclic groups of prime order π, which are:
βͺ Bilinear: β π, β β πΊ, π, π β β€π: π ππ, βπ = π π, β ππ
βͺ Non-degenerate: βπ, β β πΊ: π π, β β ππΊ3
![Page 26: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/26.jpg)
SECURE SYSTEMS ENGINEERING GMBH
EXAMPLE ENCRYPTION
26
CCA-Secure UnidirectionalProxy Re-Encryption in theAdaptive Corruption Modelwithout Random Oracles π
1https://eprint.iacr.org/2010/265.pdf
26SECURE SYSTEMS ENGINEERING GMBH IT SECURITY IS NOT BINARY
Weng et al.
![Page 27: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/27.jpg)
SECURE SYSTEMS ENGINEERING GMBH
PROXY RE-ENCRYPTION
27IT SECURITY IS NOT BINARY
πΉ is a pseudo-random function, π» is a collision-resistant* hash function
Second-level encryptionCreate a ciphertext that
can be forwarded
πΈππ2 πππ = ππ₯π , π :
π Υ$β€πβ
πΆ1 = π1π
πΆ2 = ππππ
πΎ = ππ
πΆ3 = πΉ πΎ, πΆ1 π1 β₯ πΉ πΎ, πΆ1π2 βπ
tΥ$β€πβ
β = π» πΆ1, πΆ3
πΆ4 = π’βπ£π‘π€π
Return πΆππ = π‘, πΆ1, πΆ2, πΆ3, πΆ4
First-level encryptionCreate a ciphertext thatcan not be forwarded
πΈππ1 πππ = ππ₯π ,π :
π Υ$β€πβ
πΆ1 = π1π
πΆ2β² = π πππ , π
π
πΎ = ππ
πΆ3 = πΉ πΎ, πΆ1 π1 β₯ πΉ πΎ, πΆ1π2 βπ
π‘Υ$β€πβ
β = π» πΆ1, πΆ3
πΆ4 = π’βπ£π‘π€π
Return πΆππβ² = π‘, πΆ1, πΆ2
β² , πΆ3, πΆ4
Re-Encryption functionTransform second-level ciphertext
to first-level ciphertext
π ππΈππ πππβπ = ππ₯π/π₯π , πΆππ :β
π‘, πΆ1, πΆ2, πΆ3, πΆ4 Υ πΆππ
πΆ2β² = π πΆ2, πππβπ
Return πΆππβ² = π‘, πΆ1, πΆ2
β² , πΆ3, πΆ4
βͺ Note that πππβπ = ππ₯π/π₯π is the
re-encryption key, which can beconstructed from public keyπππ = ππ₯π of π½ and private key π₯π of πΌ
βͺ It cannot be generated from ππ₯π and π₯π,
i.e. πππβπ = ππ₯π/π₯π β πππβπ = ππ₯π/π₯π
β Thus the scheme is unidirectional
β Leaving out all required validity checks
![Page 28: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/28.jpg)
SECURE SYSTEMS ENGINEERING GMBH
AGENDA
28IT SECURITY IS NOT BINARY
1 What is the problem with end-to-end encrypted communication?
2 What is Proxy Re-Encryption and how can it solve the problem?
3 What flavours does it come in?
4 How does it work?
5 What are the drawbacks of Proxy Re-Encryption?
![Page 29: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/29.jpg)
SECURE SYSTEMS ENGINEERING GMBH
DRAWBACKS OF PROXY RE-ENCRYPTION
29
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
Mainly based on bilinear maps
βͺ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
βͺ Bilinear maps are slow1
![Page 30: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/30.jpg)
SECURE SYSTEMS ENGINEERING GMBH
Mainly based on bilinear maps
βͺ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
βͺ Bilinear maps are slow1
DRAWBACKS OF PROXY RE-ENCRYPTION
30
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
π, π Ξ€1 π, ππ , π π2 , ππ, π π, π π
Can someone distinguish between:
π, π Ξ€1 π, ππ , π π2 , ππ, π π, π Ξ€π π2
and:
where π, π, π Υ$β€πβ (3-weak decisional bilinear Diffie-Hellman inversion)?
![Page 31: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/31.jpg)
SECURE SYSTEMS ENGINEERING GMBH
DRAWBACKS OF PROXY RE-ENCRYPTION
31
https://crypto.stanford.edu/pbc/times.html (C library) has timing on some pairings ranging from roughly the time of one 1024-bit RSA decryption to 60 times as much time. Note that encryption or decryption with Proxy Re-Encryption may need multiple pairings.
IT SECURITY IS NOT BINARY
1
Mainly based on bilinear maps
βͺ Security assumption is often some weirdand scheme-specific adaptation of thebilinear version of the decisional Diffie-Hellman problem
βͺ Bilinear maps are slow1
Proxy
Still requires a certain level of trust in the proxy
![Page 32: What is the problem with end-to-end encrypted communication?](https://reader036.vdocuments.site/reader036/viewer/2022070504/62c1862d618aad3f2159b335/html5/thumbnails/32.jpg)
SECURE SYSTEMS ENGINEERING GMBH IT SECURITY IS NOT BINARY
THANK YOU!
IT SECURITY IS NOT BINARY
IF YOU HAVE QUESTIONS, JUST ASK
MY HOLIDAY REPLACEMENT β¦ ;-)