ICDCS‘08 WebIBC


  1. 1. WebIBC Identity Based Cryptography for Client Side Security in Web Applications Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen, Zhong Chen, and Xianghao Nan Jun. 19, 2008 Network and Information Security Lab, Peking University ICDCS 2008
  7. 7. Once upon a time ... Strong Cryptography
  8. 8. Now
  20. 20. Web App Security & Privacy? • User authentication • SSL/TLS link encryption What if servers do evil? No Security! No Privacy!
  24. 24. (Diagram) Web App; HTML & JavaScript (Here we are); Browser Plug-in; Web Browser; Operating System; EFS, PGP
  25. 25. Challenges • Private key: JavaScript cannot read keys in the local file system. • Public key: acquiring another user's public key or certificate is not easy for JavaScript programs in a Web browser. Private Key? Public Key?
  28. 28. Limited Browser Capability • HTML, CSS • JavaScript • AJAX Browser Plug-ins? No!
  29. 29. Our Goal: Strengthen Web Browser Security and Privacy Without Changing the Browser.
  30. 30. Target • Our solution: bring public key cryptography to Web browsers, including public key encryption and signature generation. • All the cryptographic operations and key usage are inside the browser and implemented in JavaScript and HTML only, requiring no plug-ins and providing an “open source” guarantee.
  32. 32. The first Challenge: Public Key. Identity-Based Cryptography
  42. 42. PKG (Private Key Generator) Setup: generate master secret and public params. Diagram labels: Public Params, Alice@gmail.com, Decrypt
  47. 47. Timeline • 1986: Identity Based Cryptography, the first idea (Shamir) • 2001: First practical IBE scheme, from Weil pairing (Boneh, Franklin) • 2004: CPK key management, IBE, IBS (Nan, Chen) • Cocks IBE, not bandwidth efficient
  48. 48. CPK Cryptosystem: CPK (Combined Public Key), based on generalized Discrete Log Group
  53. 53. Elliptic Curve Cryptography. Curve: $y^2 = x^3 + ax + b \pmod{p}$. $G$ is a point on the elliptic curve and $n$ is the order of the cyclic group $\langle G \rangle$. The private key $d$ is a randomly selected integer in $[1, n-1]$; the corresponding public key is $Q = dG$. Given two key pairs $(d_1, Q_1 = d_1 G)$ and $(d_2, Q_2 = d_2 G)$, let $d = d_1 + d_2$; then $Q = Q_1 + Q_2 = d_1 G + d_2 G = (d_1 + d_2)G$, so $(d, Q)$ is again a key pair.
  55. 55. Private Matrix Generation (in PKG). RNG: random integers $s_{ij} \in_R [1, n-1]$. Private matrix:
      $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
      The trusted authority PKG (Private Key Generator) generates an m×n matrix whose elements are randomly generated ECC private keys (integers in [1, n-1]). The private matrix should be kept secret in the PKG.
  63. 63. Public Matrix Generation (in PKG). Private matrix:
      $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
      Public matrix:
      $$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
      Elements in the same position of the two matrices form a key pair. The Public Matrix is generated by the PKG from the Private Matrix; each element of the Public Matrix is the public key of the corresponding private key in the Private Matrix. The public matrix is publicly available to all users.
  64. 64. Map Algorithm: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$. The map algorithm H(ID) is a cryptographic hash algorithm that maps an arbitrary string ID to column indexes of the private matrix and public matrix. $h_i$ is the index of the i-th column of the public/private matrix.
  65. 65. Private Key Extraction (in PKG)
      • Input the user's identity ID.
      • Map the identity to indexes of the matrix: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$.
      • Select one element from each column of the private matrix by the index:
        $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
      • Add the selected private keys; the result is the user's private key corresponding to his identity ID:
        $$d_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} \pmod{p}$$
  66. 66. Public Key Extraction (in User)
      • Input the user's identity ID.
      • Map the identity to indexes of the matrix: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$.
      • Select one element from each column of the public matrix by the index:
        $$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
      • Add the selected elements (elliptic curve point addition); the result is the user's public key corresponding to his identity ID:
        $$Q_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} G$$
  67. 67. Identity Based Signature
      CPK-Sign (Message, PrivateKey) {
          ECDSA-Sign (Message, PrivateKey) -> Signature
      }
      CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
          CPK-ExtractPublicKey (PublicMatrix, SignerID) -> PublicKey
          ECDSA-Verify (Message, Signature, PublicKey);
      }
      ECDSA: Elliptic Curve Digital Signature Algorithm
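  68. 68. Big Picture. Map: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$.
      Private side, H(ID) applied to the private matrix:
      $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix} \quad d_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} \pmod{p}$$
      Public side, H(ID) applied to the public matrix:
      $$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix} \quad Q_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} G$$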
  69. 69. The second Challenge: Private Key • The private key can be accessed by the JavaScript program • The private key should never leave the browser
  70. 70. URI Fragment Identifier: http://www.domain.com/#skey=72bc845b9592b79... The fragment identifier starts from a # (number sign).
  72. 72. Fragment Identifier
      <div id="menu">
        <a href="#section1">section 1</a>
        <a href="#section2">section 2</a>
        <a href="#section3">section 3</a>
        <a href="#ref">reference</a>
      </div>
      <h1>Section1</h1>
      <a name="section1" id="section1"></a>
  73. 73. Fragment Identifier as Key Store • Utilize the fragment identifier in a bookmark URL as the private key storage. The fragment identifier in a URL will never be transferred through the Internet.
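  74. 74. Retrieve Private Key From URL
      <script type="text/javascript">
        // window.location is a Location object; its href property is the URL string
        var URL = window.location.href;
        var fragid_start = URL.indexOf('#');
        // everything after the '#', or an empty string when the URL has no fragment
        var fragid = fragid_start >= 0 ? URL.substring(fragid_start + 1) : '';
      </script>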
  77. 77. Workflow (diagram, built up over slides 77-88). Parties: PKG, Browser, WebApp. Channels: Secure Channel, Public Channel. Labelled steps: ❶ setup ❷ mpk.js ❸ ID ❹ skey ❺ save ❻ URL ❼ webibc.js, mpk.js ❽ do ❾ message ❿ forward
  89. 89. Workflow
      1. The authority trusted by Alice and Bob establishes a PKG, which will generate the system parameters including the public matrix.
      2. The Web application embeds WebIBC into these systems together with the public system parameters released by the PKG.
      3. Alice registers with the PKG using her ID.
      4. The PKG returns Alice’s private key.
  90. 90. Workflow
      5. Alice can append the private key as a fragment identifier to the Web application’s URL, then save it as a bookmark in the browser.
      6. Now Alice can use this bookmark to log into the web application. It should be noted that the browser will send the URL without the fragment identifier, so the private key is secure.
  91. 91. Workflow
      7. The WebIBC JavaScript files will also be downloaded from the server, including the public matrix of the system.
      8. Alice uses this web application as normal, entering Bob’s email address and message content into the form. When Alice presses the send button, the WebIBC JavaScript programs will get the email address from the form as the public key and get the private key from the URL, then encrypt and sign the message.
  92. 92. Workflow
      9. Then the message will be sent to the server.
      10. Because the message has been protected, the Web application can do no evil to the message but only forward it to Bob. Bob can also log into his web application, decrypt the message with his private key in the fragment identifier and verify the message through the public matrix, similar to Alice.
  93. 93. Performance (values in ms, per the chart axis)
                 0.5KB     2KB      10KB
      Safari     1383.7    1,492    2,071
      Firefox    1,523     1,661    2,401
      IE         1,459     1,698    2,791
      Opera      2,110     2,349    3,628
      (Bar chart of the same data: Safari, Firefox, IE and Opera on the x-axis, 0 to 4000 ms on the y-axis, series 0.5 KB, 2 KB, 10 KB.)
  94. 94. Future Work • Web based PRNG • Other Identity based cryptography • Local storage in HTML5
  95. 95. Thank you!
  96. 96. Questions?
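
The CPK key extraction of slides 54-68, as an added example (not the authors' WebIBC code): it builds the private and public matrices, maps an ID to one index per column, and lets a caller check that the user-side Q_ID equals d_ID·G. The curve (y² = x³ + 2x + 2 mod 17, G = (5, 1), order 19), the 4×8 matrix size, the LCG standing in for the PKG's RNG and the FNV-1a map standing in for the cryptographic hash H are toy assumptions; the private key sum is reduced modulo the order of G, the range the slides give for private keys.

```javascript
// Toy CPK key extraction (added illustration, constructed parameters, not secure).
const P = 17n, A = 2n;        // curve y^2 = x^3 + 2x + 2 (mod 17)
const G = [5n, 1n], N = 19n;  // base point G and the order of <G>
const ROWS = 4, COLS = 8;     // matrix dimensions m x n (assumed sizes)
const mod = (a, m) => ((a % m) + m) % m;

// Modular inverse in GF(P) by Fermat's little theorem (P is prime).
function inv(a) {
  let r = 1n, b = mod(a, P);
  for (let e = P - 2n; e > 0n; e >>= 1n, b = (b * b) % P) if (e & 1n) r = (r * b) % P;
  return r;
}

// Elliptic curve point addition; null is the point at infinity.
function add(p, q) {
  if (p === null) return q;
  if (q === null) return p;
  const [x1, y1] = p, [x2, y2] = q;
  if (x1 === x2 && mod(y1 + y2, P) === 0n) return null;
  const s = x1 === x2
    ? mod((3n * x1 * x1 + A) * inv(2n * y1), P)  // doubling
    : mod((y2 - y1) * inv(x2 - x1), P);          // distinct points
  const x3 = mod(s * s - x1 - x2, P);
  return [x3, mod(s * (x1 - x3) - y1, P)];
}

// Scalar multiplication kG by double-and-add.
function mul(k, p) {
  let r = null;
  for (k = mod(k, N); k > 0n; k >>= 1n, p = add(p, p)) if (k & 1n) r = add(r, p);
  return r;
}

// PKG setup: private matrix of scalars in [1, N-1] and the public matrix
// s_ij * G. The LCG is a stand-in for the PKG's RNG.
function setup(seed) {
  let state = BigInt(seed);
  const next = () => (state = (state * 1103515245n + 12345n) % 2147483648n);
  const priv = Array.from({ length: ROWS }, () =>
    Array.from({ length: COLS }, () => 1n + (next() >> 8n) % (N - 1n)));
  return { priv, pub: priv.map(row => row.map(s => mul(s, G))) };
}

// Map algorithm H(ID): one row index per column (FNV-1a as a toy stand-in).
function mapId(id) {
  const idx = [];
  for (let col = 0; col < COLS; col++) {
    let h = 0x811c9dc5;
    for (const ch of `${col}:${id}`) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
    idx.push(h % ROWS);
  }
  return idx;
}

// PKG side: d_ID is the sum of the selected private-matrix entries (mod N).
function extractPrivate(priv, id) {
  return mapId(id).reduce((d, row, col) => mod(d + priv[row][col], N), 0n);
}

// User side: Q_ID is the point sum of the selected public-matrix entries.
function extractPublic(pub, id) {
  return mapId(id).reduce((q, row, col) => add(q, pub[row][col]), null);
}
```

The user side never touches the private matrix: `extractPublic` needs only the published matrix and the ID string, which is what lets a browser derive a recipient's public key from an email address.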
