Virtual ID
Cryptography
Kaspar Etter
ETH Zurich
1.0
etterka@ethz.ch August 2012
Table of Contents
1.
Preface
3
1.1.
Abstract
3
1.2.
About this Document
3
1.3.
Acknowledgments
3
2.
Introduction
4
2.1.
Terminology
4
–
Cryptography
–
Encryption and Decryption
–
Authentication and Authorization
–
Secure Communication
–
Hash Function
2.1.
SymmetricKey Cryptography
4
–
Setting
–
Notation
–
OneTime Pad
–
Block Ciphers
2.1.
PublicKey Cryptography
5
–
Motivation and Setup
–
Digital Signatures
–
Public Key Infrastructure
2.1.
Group Theory
5
–
Algebraic Structure
–
Group Axioms
–
Order and Subgroup
–
Lagrange’s Theorem
–
Modular Arithmetic
–
Euler’s Totient Function
–
Euler’s Theorem
2.1.
RSA Algorithm
6
–
Cryptosystems
–
Key Generation
–
Encryption/Veriﬁcation
–
Decryption/Signing
2.1.
Anonymous Credential System
6
–
Motivation and Setup
–
Requirements
–
Commitment Schemes
–
ZeroKnowledge Proofs
–
Schnorr Signature
–
Camenisch and Lysyanskaya Credential
–
Veriﬁable Encryption
3.
Security
7
3.1.
Overview
7
–
Environment
–
Objectives
–
Communication
3.1.
Notation
7
3.2.
Parameters
7
4.
Keys
8
4.1.
Host
8
–
Private Key
–
Public Key
–
Liability
–
Certiﬁcation
–
Key Rotation
4.1.
Client
8
–
Secret Key
–
Commitments
–
Liability
–
Key Rotation
5.
Encryption
9
5.1.
Procedure
9
5.2.
Implementation
9
5.3.
Forward Secrecy
9
6.
Signatures
10
6.1.
Format
10
6.2.
Host
10
–
Format
–
Signing
–
Veriﬁcation
6.1.
Client
10
–
Format
–
Signing
–
Veriﬁcation
7.
Credentials
11
7.1.
Content
11
7.2.
Issuance
11
7.3.
Usage
11
–
Unlinkable
–
Accountable
–
Signing
–
Veriﬁcation
7.1.
Shortening
12
–
Roles
–
Certiﬁcates
2
Virtual ID
Chapter 0
C r y p t o g r a p h y
T a b l e o f C o n t e n t s
1.
Preface
1.1.
Abstract
Virtual ID
is a protocol that constitutes an open
identity layer
for the Internet and a
semantic alternative
to the World Wide Web.
It allows you to prove your
identity
towards others and to look up
attributes
of others in a decentralized manner. Being freely
extensible with
services
,
Virtual ID
aims to supersede proprietary platforms by establishing a framework of open standards.
1.2.
About this Document
This document speciﬁes the cryptography of
Virtual ID
, whereas a separate document introduces its concepts – the italic terms.
1.3.
Acknowledgments
A special thank goes to
Jan Camenisch
, scientist at the IBM Zurich Research Laboratory, for his support in the adaptation of his
anonymous credential system (see
idemix.wordpress.com
) to the particular requirements of
Virtual ID
(see
www.virtualid.ch
).
Chapter 1
Virtual ID
3
Preface Cryptography
2.
Introduction
2.1.
Terminology
Cryptography
The original goal of cryptography (from the Ancient Greek
κρυπτός (“secret”) and γράφειν (“writing”)) is to accomplish
secure communication
in the presence of malicious parties.
Encryption has a long history, dating back to ancient times.
For a long time, however, it was rather an art than a science.
Modern cryptography is based on assumptions about the
computational hardness
of problems like the factorization
of integers or the discrete logarithm. A distinction is made
between computationally secure techniques, which are hard
to break, and informationtheoretically secure ones, which
cannot be broken even with inﬁnite computing power.
Encryption and Decryption
Encryption
denotes the process of converting plaintext into
unintelligible ciphertext.
Decryption
reverts this process by
recovering the plaintext from the ciphertext with the special
knowledge of some secret information called a
key
.
Authentication and Authorization
Authentication
is the process of conﬁrming the identity of
an entity, whereas the
authorization
speciﬁes its rights.
Secure Communication
The communication between two parties is called
secure
if
both the
conﬁdentiality
and the
integrity
of their messages
is guaranteed, which is only meaningful with authentication.
Hash Function
A cryptographic
hash function
is a oneway function that
maps an arbitrary block of data to a ﬁxedsized
bit string
.
Such a function has to fulﬁll the following three properties:
–
Preimage resistance
: It is diﬃcult to invert the function.
–
Secondpreimage resistance
: It is diﬃcult to ﬁnd another
input that is mapped to the same value by the function.
–
Collision resistance
: It is diﬃcult to ﬁnd any two distinct
inputs that are mapped to the same hash by the function.
2.2.
SymmetricKey Cryptography
Setting
In symmetrickey cryptography, the communicating parties
share
the same key
for encryption and decryption. This was
the only encryption method publicly known before the year
1976, when Whitﬁeld Diﬃe and Martin Hellman proposed to
use diﬀerent but mathematically related keys for encryption
and decryption (see section
2.3.
PublicKey Cryptography).
Notation
Symmetric encryption/decryption is usually written with the
key k as a
subscript
such that, for any given message m, the
following equation holds: Decryption
k
(Encryption
k
(m)) = m.
OneTime Pad
The socalled onetime pad is an encryption method that is
perfectly secure
but not practical in most cases since the
key needs to be as long as the message and may be used
only once. A message is encrypted by taking the bitwise
xor
operation
with
the
key,
which
ﬂips
the
bits
in
those
positions
where the key is 1. Decryption works the same way by just
reapplying the key. Since the key is chosen at random, the
ciphertext is also random and contains no information at all
about the message. Thus, the onetime pad is unbreakable.
Block Ciphers
A
cipher
is
a
pair
of encryption and decryption algorithms. In
case of
block ciphers
, they take as input a block of plaintext
and a key, and output a block of ciphertext of the same size.
There are various possibilities for how to combine successive
blocks in a way that no patterns emerge. Examples of block
ciphers are the Data Encryption Standard (
DES
, 1977) and
the more secure Advanced Encryption Standard (
AES
, 2001).
4
Virtual ID
Chapter 2
C r y p t o g r a p h y
I n t r o d u c t i o n
2.3.
PublicKey Cryptography
Motivation and Setup
The main problem with symmetrickey cryptography is the
management of keys
since each pair of parties must share a
diﬀerent key or rely on a trusted third party to distribute one
on demand. By using
a pair of related but distinct keys
, it is
possible to share the one for encryption while keeping the
one for decryption secret. The former is known as the
public
key
, the latter as the
private key
. In order to preserve the
conﬁdentiality of messages, it has to be hard to compute the
private key from the public key (see the RSA method in
2.5.
).
Digital Signatures
The essential feature of signatures is that they are easy for
the author to produce but hard for others to forge. This is
achieved by using the private key for
signing
and the public
key for the
veriﬁcation
of a signature, which anyone can do.
Public Key Infrastructure
Since it is not possible to authenticate someone you have
never met before, you need to trust a third party to conﬁrm
their identity. This service is usually provided by
certiﬁcate
authorities (CAs)
that issue certiﬁcates on the public key of
registered users and thereby making them accountable.
2.4.
Group Theory
Algebraic Structure
A group is a structure that consists of a
set
and an
operation
which combines any two of its elements to form a third one.
The goal of algebra is to understand the properties of such
structures at the highest level of
generality
and
abstraction
.
Group Axioms
To qualify as a group, the set G and the operation ∙ must
satisfy the following conditions called
group axioms
:
–
Closure
:
∀
a, b
∈
G: a ∙ b
∈
G (
∀
means “for all”).
–
Associativity
:
∀
a, b, c
∈
G: (a ∙ b) ∙ c = a ∙ (b ∙ c).
–
Identity
:
∃
e
∈
G
∀
a
∈
G: e ∙ a = a ∙ e = a (
∃
says “it exists”).
–
Invertibility
:
∀
a
∈
G
∃
b
∈
G: a ∙ b = b ∙ a = e.
Due to associativity,
parentheses
are usually omitted. There
exists only one identity element since
e
=
e
∙
e’
=
e’. Moreover,
we write the
inverse
of an element a as
a
–1
and the repeated
application of the operation as
exponentiation
. Thus, the
following equations hold: a
m
∙ a
n
= a
m + n
, (a
m
)
n
= a
m ∙ n
, a
0
= e.
Order and Subgroup
The number of elements in a group is called its order. On the
other hand, the
order
of an element
a
is the least n ≥ 1 with
a
n
= e. In ﬁnite groups, every element a has a ﬁnite order
a
.
A
subgroup
is a group H contained within a bigger one G
so that the neutral element of G is contained in H, and if h
1
and h
2
are in H, then so are h
1
∙ h
2
and h
1
−1
.
Lagrange’s Theorem
Lagrange’s Theorem
states that for any ﬁnite group G, the
order of every subgroup H of G divides the order of G. This
can be shown according to the following
proof sketch
:
–
H ∙ a = {h ∙ a  h
∈
H} for a
∈
G is called the right coset of H.
–
The cosets of H form a partition of G: The union of cosets
is equal to G and two cosets are either equal or disjoint.
–
Two cosets H ∙ a and H ∙ b are equal iﬀ
∃
h
∈
H: b = h ∙ a.
–
Deﬁne bijective mapping f: H ∙ a
→
H ∙ b as f(x) = x ∙ a
–1
∙ b.
–
Thus all cosets have the same order, namely H elements.
Modular Arithmetic
For a positive integer n, two integers a and b are said to be
congruent
modulo
n (written a
≡
n
b) if a
–
b is a multiple of n.
If a
≡
n
b and a, b ≥ 0, a/n and b/n have the same remainder.
This relation partitions integers into
congruence classes
:
a
1
≡
n
b
1
and a
2
≡
n
b
2
ﱺ
a
1
+ a
2
≡
n
b
1
+ b
2
and a
1
∙
a
2
≡
n
b
1
∙
b
2
.
Integers modulo a prime number n with multiplication as
the operation form a group if all multiples of n are excluded.
In such groups, it is assumed to be hard to compute x as the
discrete logarithm
of y (solving the equation y
≡
n
g
x
for x).
Euler’s Totient Function
In case of multiplicative groups modulo n, only integers that
are
coprime
to n (i.e. their greatest common divisor with n is
1) have an inverse element and can therefore be an element.
The
totient function φ
of a positive integer n is the number
of positive integers less than n that are coprime to n, which
gives us the order of the multiplicative group modulo n.
Overall, cryptography is only interested in
two cases
:
–
Prime p:
φ(p)
= p – 1 (all positive integers smaller than p).
–
Product of primes p and q:
φ(p ∙ q)
= (p – 1) (q – 1) (count).
Euler’s Theorem
Euler’s Theorem
is widely used in cryptography and states
that
a
φ(n)
≡
n
1
for any coprime integers n and a. It is proven
by applying the group theory that we have covered so far:
–
See a as an element of the multiplicative group modulo n.
–
The subgroup
x
a
y
= {e, a, a
2
, …, a
a – 1
} of G has order a.
–
By Lagrange’s Theorem: a divides G for every a
∈
G.
–
Consequently, a
G
= e for every a
∈
G and ﬁnite group G.
–
The order of the multiplicative group G is given by φ(n).
Chapter 2
Virtual ID
5
Introduction Cryptography
2.5.
RSA Algorithm
Cryptosystems
A
cryptosystem
refers to a suite of three algorithms:
–
Key Generation
: Generates a random pair of keys.
–
Encryption
: Transforms the plaintext into ciphertext.
–
Decryption
: Recovers the plaintext from the ciphertext.
These algorithms have to be
eﬃcient
(requiring polynomial
time in terms of the key size) except for decryption, which
has to be
hard
(requiring exponential time in terms of the
key size) for all parties that do not possess the appropriate
private key. Given this
asymmetry
, we can compensate for
any performance improvements of modern computers by
increasing the key size. The most famous cryptosystem is
RSA
, published in 1977 by Rivest, Shamir and Adleman.
Key Generation
–
Choose two random primes
p
and
q
, compute
n
= p ∙ q.
–
Compute
φ(n)
= (p  1) (q  1), choose
e
w. gcd(e, φ(n)) = 1.
–
Determine the multiplicative inverse of e:
d
≡
φ(n)
e
1
, which
is done eﬃciently with the Extended Euclidean Algorithm.
–
Publish modulus n and exponent e, retain d as private key.
Encryption/Veriﬁcation
Compute the ciphertext
c
≡
n
m
e
(m being a group element).
Decryption/Signing
Compute
m
≡
n
c
d
≡
n
(m
e
)
d
≡
n
m
1 + k ∙ φ(n)
≡
n
m (m
φ(n)
)
k
≡
n
m ∙ 1
k
,
using Euler’s Theorem and that d ∙ e – 1 = k ∙ φ(n) for some k.
2.6.
Anonymous Credential System
Motivation and Setup
As we have seen with RSA, classical publickey cryptography
requires the complete message for the veriﬁcation of digital
signatures. In order to protect one’s
privacy
, it is desirable to
reveal the content of a certiﬁcate more selectively and
prove
nevertheless certain facts about
hidden
statements. This can
be used to show
certiﬁcates
anonymously
as
credentials
and
still provide evidence that they were issued to the same
user.
Requirements
An
anonymous
credential
system
has
the
following
features:
–
Anonymity
: Show credentials without telling the identity.
–
Unlinkability
:
Use
credentials
without
getting
traceable.
–
Unforgeability
: Only authorities can issue credentials.
–
Consistency
: Diﬀerent credentials cannot be pooled.
–
Anonymity Revocation
: Users can still be held liable.
Commitment Schemes
The purpose of a
commitment scheme
is to bind a party to
a certain value that can be hidden from others and revealed
later on but no longer be changed. A commitment scheme
is either
perfectly
hiding
or
perfectly
binding
but not both.
The other property is thus only computationally secure.
Given a
group
G =
x
g
y
=
x
h
y
with prime order q, the ﬁrst
scheme is perfectly hiding and the second perfectly binding:
–
Pedersen
: Choose r
∈
{0, …, q – 1} and compute c = g
x
h
r
.
–
ElGamal
:
Choose r
∈
{0, …, q – 1}, compute c = (g
x
h
r
, g
r
).
ZeroKnowledge Proofs
The goal of
zeroknowledge proofs
is to convince another
party of one’s knowledge without revealing any information.
Such proofs require a protocol between the
prover
and the
veriﬁer
and is said to be zeroknowledge only if the veriﬁer
can produce equivalent
transcripts
without any interaction
with the prover. Furthermore, it is only a proof of knowledge
if the secret information can be
extracted
from the prover
when given as a rewindable black box (see to the right).
In order to convince a veriﬁer that you know the discrete
logarithm of some value y to base g denoted as x (i.e. y = g
x
),
you choose a random value
r
, compute
t
= g
r
and pass it to
the veriﬁer. The veriﬁer returns a random
c
(the challenge),
whereon you submit the value
s
= r – c
∙
x. Finally, the veriﬁer
accepts the proof iﬀ t = g
s
y
c
(since g
r
= g
r – c ∙ x
∙
(g
x
)
c
).
It is easy to see that this proof satisfy the two properties:
–
Zeroknowledge
: By ﬁrst choosing random values c and s,
then computing
t = g
s
y
c
, the interaction is simulatable.
(To be precise, it is only honestveriﬁer zeroknowledge.)
–
Proof of knowledge
: By sending two distinct challenges c
and c’ on the same t (
g
s
y
c
=
g
s ‘
y
c’
), x is extractable:
s – s’
/
c’ – c
.
Several statements can be
combined
by choosing a random
value r per hidden value and computing t for each equation.
Schnorr Signature
To be a proof of knowledge, it is crucial that the challenge c
is chosen only after the value t is ﬁxed. This dependency can
be established by a veriﬁer but also by a cryptographic hash
function. This results in a
noninteractive version
of the just
mentioned proof, which can also be used to sign messages.
Camenisch and Lysyanskaya Credential
In order to obtain a certiﬁcate on its secret value that can be
shown unlinkably, the client commits to it in the
RSA group
of the authority:
c
≡
n
g
x
h
r
. Subsequently, the authority signs
the commitment by choosing a random exponent
e
that is
coprime to the group order and by computing
b
≡
n
(f
–s
c)
–1/e
,
where
s
is the hash of the statement being certiﬁed and the
values
n
,
f
,
g
and
h
constitute the authority’s public key. Due
to the fact that only the authority knows the group order, no
one else can compute the e
th
root to ﬁnd b. The
credential
is
shown by proving f
s
≡
n
b’
e
g
x
h
r – e ∙ r’
with b’
≡
n
b
∙
h
r’
(see
7.3.
).
Veriﬁable Encryption
In order to revoke the anonymity of a user, its identity can be
veriﬁably
encrypted
for
the
issuing
authority
(see
chapter
7
).
6
Virtual ID
Chapter 2
C r y p t o g r a p h y
I n t r o d u c t i o n
3.
Security
3.1.
Overview
Environment
The
actors
–
hosts
and
clients
–
communicate in the presence
of
an
active
attacker
as
given
by
the
DolevYao
model
. Such
an attacker can overhear, intercept and insert any messages
on the network but has only limited computing power.
Objectives
Virtual ID
is designed to achieve
authentic
and
conﬁdential
communication between uncorrupted actors. However, due
to the nature of the Internet and the above attacker model,
the
availability
of
services
cannot be guaranteed.
Since
clients
cannot be
framed
by
hosts
and actors cannot
repudiate
their actions (except in welldeﬁned cases), they
can generally be hold
liable
. The protocol provides neither
forward secrecy
(see
5.3.
) nor
anonymity
on the network
layer, although the latter could still be added separately.
Communication
Connections are always established to
hosts
, which process
requests
and return
responses
. The data is sent as
packets
(see the description of the type
packet@virtualid.ch
), which
are usually
encrypted
(see
5.
) and can be
signed
(see
6.
).
3.2.
Notation
Each letter has a speciﬁc meaning for the rest of this paper:
–
a
(with subscripts): The bases for a
credential’s
arguments.
–
b
: A random value to blind the arguments of a
credential
.
–
c
: The certifying base of a
credential
(with e as exponent).
–
d
: RSA’s private exponent used for decryption/signing.
–
e
: RSA’s public exponent used for encryption/veriﬁcation.
–
f
: The
client’s
commitment, which is ﬁxed at the native
VID
.
–
g
: The generator of the group for veriﬁable encryption.
–
h
: The hash function, taking as argument a tuple or a list.
–
i
: The serial number of a
credential
, identifying it per
host
.
–
j
: The commitment to a serial number chosen by a
client
.
–
k
: The key used for the symmetric encryption of a packet.
–
l
(with subscripts): The bitlength of variables for security.
–
m
: The message (or its hash) to be encrypted and signed.
–
n
: The RSA modulus, deﬁned as the product of p and q.
–
o
: The argument of a credential that is always exposed.
–
p
: The ﬁrst (safe) prime factor of the RSA modulus n.
–
q
: The second (safe) prime factor of the RSA modulus n.
–
r
: A randomly chosen value for proofs and commitments.
–
s
: The solution to the challenge in zeroknowledge proofs.
–
t
: The hash of temporary values in zeroknowledge proofs.
–
u
: The
client’s
secret key (the “private key” of user agents).
–
v
: The hash of
restrictions
or the hash of the
VID
identiﬁer
.
–
w
(with subscripts): The veriﬁable encryption of a value.
–
x
: The private key of the veriﬁable encryption scheme.
–
y
: The public key of the veriﬁable encryption scheme.
–
z
: The square root of the veriﬁable encryption modulus.
As in
XDF
,
tuples
are denoted as (…, …, …) and
lists
as […].
3.3.
Parameters
The
following
security
parameters
indicate
the
bitlengths
of
the respective variables and are part of the protocol version:
–
l
p
,
l
q
=
1024,
l
n
=
2048: The bitlength of the RSA modulus.
–
l
h
,
l
u
,
l
i
,
l
v
,
l
o
=
256: Size of hash and all arguments except b.
–
l
r
,
l
s
=
512: Size of r (always positive) and s (also negative).
–
l
e
= 512: The length of a
credential’s
certifying exponent.
–
l
b
= 768: Length of the blinding value b, which is positive.
–
l
r
b
,
l
s
b
= 1024: Size of the values to prove knowledge of b.
–
l
z
= 1024: Length of the veriﬁable encryption modulus / 2.
–
l
k
= 256: Length of the hashed symmetric encryption key.
Chapter 3
Virtual ID
7
Security Cryptography
4.
Keys
4.1.
Host
Private Key
The
private key
of a
host
consists of
–
two safe primes
p
and
q
of lengths l
p
and l
q
, p – q > 2
3l
n
/8
,
–
a random value
d
with 2
l
n
/4
< d < φ(n) and gcd(d, φ(n)) = 1,
–
temporary values
u
,
i
,
v
and
o
being coprime to φ(n),
–
temporary values
r
u
,
r
i
,
r
v
and
r
o
between 1 and φ(n),
–
and a randomly chosen value
x
with 1 < x < (z – 1)
2
.
Public Key
The
public key
of a
host
consists of
–
the RSA modulus
n
= p ∙ q of length l
n
(or length l
n
– 1)
,
–
the encryption exponent
e
computed as e
≡
φ(n)
d
–1
,
–
a
b
with 1 < a
b
< n, each a
b
2 (p – 1)
, a
b
2 (q – 1)
, a
b
(p – 1) (q – 1) / 2
≢
n
1,
–
the values
a
u
≡
n
a
b
u
,
a
i
≡
n
a
b
i
,
a
v
≡
n
a
b
v
and
a
o
≡
n
a
b
o
,
–
the value
t
computed as t = h(a
b
r
u
, a
b
r
i
, a
b
r
v
, a
b
r
o
),
–
s
u
= r
u
– t
∙ u,
s
i
= r
i
– t
∙ i,
s
v
= r
v
– t
∙ v and
s
o
= r
o
– t
∙ o,
–
a random safe prime number
z
with a bitlength of l
z
,
–
a value
g
≠ z with 1 < g < z
2
, g
2 (z – 1)
≢
z
2
1, g
(z
–
1) (z – 1) / 2
≢
z
2
1,
–
and the veriﬁable encryption value
y
computed as y
≡
z
2
g
x
.
When
retrieving
a public key, a client
veriﬁes
that the bases
a
u
,
a
i
,
a
v
and
a
o
are
all
in
the
subgroup
generated
by
a
b
,
which
is the case if t
=
h(a
b
s
u
a
u
t
,
a
b
s
i
a
i
t
,
a
b
s
v
a
v
t
,
a
b
s
o
a
o
t
). This property
ensures
that
commitments
in
this
group
are
perfectly
hiding
.
The values’
correctness
can be veriﬁed after their expiration.
Liability
Hosts
respectively their
providers
are
liable
for messages
signed with their private keys
for two years
after signing.
They are also liable for the correct creation of their keys.
Certiﬁcation
In order to know for sure that a public key belongs to a
host
,
a
public key infrastructure
is established on the
host
level.
Since a public key is an
attribute
of a
host
, it can be
certiﬁed
in the same way as ordinary
attributes
. The hierarchy’s
root
is
the
type
itself, namely
public.key.host@virtualid.ch
. Thus, all
clients
need
to
be
delivered
with
the
public
key
of
virtualid.ch
.
Key Rotation
Cryptographic keys need to be replaced from time to time. It
is important, however, to ensure that all
clients
learn the new
public key of the root in advance because otherwise they
are
no longer able to verify any public keys. With the rules that a
public key can be
cached
for one year and that a
client
needs
to be started just once a year, the root’s public key has to be
announced
two years before becoming
valid
. At this point,
the next key is announced and the current one becomes in
valid
after
another
two
years
but
stays
eﬀective
for
two
more
years
due
to
its
liability.
Thus,
always
three
keys
are
published.
4.2.
Client
Secret Key
The
secret key
of a
client
is a randomly chosen value
u
with
a
bitlength of at most l
u
that is used in proofs of knowledge.
Commitments
At its native
VID
, the
client
commits
to the value
f
≡
n
a
u
u
and
authenticates
itself by proving knowledge of the value u (see
the Schnorr signature in
2.6.
) (this is not a real commitment).
Liability
The
liability
of a
client’s
secret key is limited to
one year
.
Key Rotation
A
client
changes its secret key by sending a corresponding
request
to its native
VID
. Due to the
relocation
of
VIDs
and
the rotation of
host
keys,
clients
need to indicate the
group
of their commitment in their signatures (see
6.3.
).
8
Virtual ID
Chapter 4
Cryptography Keys
5.
Encryption
5.1.
Procedure
Since requests are always sent to
hosts
, the randomly chosen
symmetric key
that is used to encrypt the message can itself
be encrypted with the
public key
of the receiving
host
. The
response is encrypted with the same symmetric key. Using
encryption is
mandatory
– only the
attributes
of
hosts
may
be requested in plain text (to retrieve the public key).
AES
is
used
for
symmetric and
RSA
for
asymmetric
encryption.
For better eﬃciency, symmetric keys and their encryption
with RSA can be
cached
and
reused
in successive requests
to the same
host
. The
replay of messages
can be prevented
by rejecting all requests that were not signed within the last
24 h and by requiring unique signature times per symmetric
key, which can only be checked once an upload is complete.
5.2.
Implementation
The
syntactic type
for encryption (
encryption@xdf.ch
) has the
following
format
: (host, time, key, text). The elements mean:
–
Host
: The
identiﬁer
of the receiving
host
in plaintext, since
a server can run many
hosts
at the same network address.
–
Time
: Either the time of encryption to specify the applied
public key or empty if the message is not encrypted at all.
–
Key
: A random group element k encrypted with the
host’s
public exponent e as k
e
in requests, empty in
responses.
–
Text
: The ciphertext of the message m computed as m
h(k)
or the plaintext if no encryption is used (‘Time’ is empty).
5.3.
Forward Secrecy
In a keyagreement protocol,
forward secrecy
describes the
property that the key used to encrypt
a
session
between
two
parties will not be compromised if the attacker learns one of
their private keys in the future. Even though this property is
desirable, it is not supported for the following three reasons:
–
Key negotiation requires at least
one additional round
of
communication, adding more complexity to the protocol.
–
By not requiring any interaction to determine the session
key, messages can also be
encryped
oﬄine
for later use.
–
Since
hosts
have to
log
all
requests
with an eﬀect on the
state of a
VID
, forward secrecy is of little beneﬁt anyway.
Chapter 5
Virtual ID
9
Encryption Cryptography
6.
Signatures
6.1.
Format
The
syntactic type
for signatures (
signature@xdf.ch
) has the
format
(content, host, client, credentials), where the content
is
either
signed
by
a
host
,
a
client
,
with
credentials
or
not
at
all:
–
Content
= (identiﬁer, time, message): The content consists
of the
identiﬁer
of the
VID
, about which a statement (often
a request or a response) is made, the time of signing (even
if no signature is attached) and the message itself.
–
Host
: The signature generated by a
host
(see
6.2.
).
–
Client
: The signature generated by a
client
(see
6.3.
).
–
Credentials
: The signature made with
credentials
(see
7.
).
6.2.
Host
Format
The signature of a
host
has the
format
(identiﬁer,
value) with:
–
Identiﬁer
: The
identiﬁer
of the signing
VID
– being the
host
itself in case of responses and the authority for
certiﬁcates
.
–
Value
: The signing value computed as h(content)
d
.
Signing
In order to
sign
a message, the
host
raises the
hash
of the
content (
6.1.
) to its private exponent
d
(
4.1.
) with
RSA
(
2.5.
).
Veriﬁcation
A signature can be
veriﬁed
by raising the
value
to the public
exponent
e
of the
identiﬁer’s
host
and computing the hash.
6.3.
Client
Format
The signature of a
client
has the
format
(host, time, f, t, s):
–
Host
and
time
: Indicate the group of the commitment f.
–
f
: The commitment to the secret key computed as f
≡
n
a
u
u
.
–
t
: The hash of the temporary value computed as t = h(a
u
r
).
–
s
: The solution to the challenge, s = r – (t
⊕
h(content))
∙
u.
Signing
Clients
only
sign
requests
to their native
VID
in this way, by
–
choosing randomly a positive value
r
with at most l
r
bits,
–
computing the value
t
in the group of their
accreditation
,
–
and computing the value
s
with the bitwise xor operation.
Veriﬁcation
The receiving
host
authenticates
the
client
by
verifying
that
–
the equation t = h(a
u
s
∙ f
t
⊕
h(content)
) holds (and that s ≤ l
s
).
10
Virtual ID
Chapter 6
Cryptography Signatures
7.
Credentials
7.1.
Content
Each
credential
includes the following values as
arguments
:
–
b
: A random value to blind a
credential’s
other arguments.
–
u
:
Client’s
secret
key,
which
is
never
revealed
or
escrowed.
–
i
: The serial number i is usually chosen by the issuing
host
.
–
v
: Either the hash of
restrictions
or the hash of an
identiﬁer.
–
o
= h(issuer, time, authorization, role, attribute): Hash of:
–
Issuer
: The
identiﬁer
of the
VID
that
issued
the
credential
.
–
Time
: The issuance time rounded to the last halfhour.
–
Authorization
: A randomized hash of the
authorization
.
–
Role
: The
role
for which the
client
has
the
authorization
.
–
Attribute
: The
attribute
for anonymous access control.
7.2.
Issuance
A
client
can
request
a
credential
for a certain
authorization
in
a certain
role
from its native
VID
by signing this request with
its secret key (see
6.3.
). The
host
checks whether this request
is valid, chooses a random exponent
e
of bitlength l
e
that is
coprime to the order
φ(n)
and
computes
c’
≡
n
(f
a
i
i
a
v
v
a
o
–o
)
–1/e
.
It
returns
the values c’ and e together with an arbitrary serial
number i to the
client
,
which
knows
then
all
the
values,
as
v
is
the hash of its
restrictions
and the
attribute
in o is still empty.
The
secret
key
u
is
included
through
the
commitment
f
≡
n
a
u
u
,
which requires that the
client
renews
it to the current group.
7.3.
Usage
Unlinkable
In
order
to
sign
with
a
credential
,
the
client
proves
knowledge
of
values
e,
u,
i
and
v
such
that
a
o
o
≡
n
c’
e
a
u
u
a
i
i
a
v
v
.
The
problem
is that the base c’ has to be
revealed
(see
2.6.
), which
renders
the
credential
linkable
(o is exposed anyway). By choosing a
random value r of at most l
b
– l
e
bits, c’ can be randomized to
c
≡
n
c’
∙ a
b
r
to prove
a
o
o
≡
n
c
e
a
b
b
a
u
u
a
i
i
a
v
v
with
b = b’ – r ∙ e
,
where b’ was now 0 (because
hosts
do not blind
credentials
).
The
issuance time
is rounded down to the last halfhour in
order that honest
hosts
accept requests for only two values
at any time, preventing them from becoming linkable on o.
Accountable
In
order
to
prevent
misuse,
it
is
important
that
the
anonymity
of a
client
respectively its user can be
revoked
under certain
conditions for certain requests. The mechanism required for
this purpose is called
veriﬁable encryption
, which allows to
escrow
one’s
identity
by
encrypting
a
value
for
a
third
party
in
such a way that a recipient can verify its
correctness
without
being able to decipher it. In
Virtual ID
, it is always the issuing
host
that takes the function of this third party.
Such
a
scheme
can
be
implemented
by
using
the
following
property
: For any number z,
(1 + z)
m
≡
z
2
1 + m ∙ z
, which can
be derived with the binomial formula.
A message m can thus
be encrypted for a
host
as
w
m
≡
z
2
(y
r
∙
(1
+
z)
m
,
g
r
)
with z, g and
y being part of its public key (
4.1.
) and r chosen randomly. In
order to
decrypt
w
m
=
(w
1
,
w
2
), the
host
computes the value
m
≡
z
2
(w
1
/
w
2
x
–
1)
/
z
≡
z
2
((g
x
)
r
∙
(1
+
z)
m
/
(g
r
)
x
–
1)
/
z with y
≡
z
2
g
x
.
(The
host
can even prove the correctness of this decryption.)
Accountability
can be achieved by requiring the
client
to
veriﬁably encrypt the values i and b for the
host
that issued
the
credential
. The serial number allows the
host
to link each
credential
to the other values and the
client
that requested it.
For holding a
client
liable
, it also needs to be ensured that
the
host
cannot act on its behalf by issuing
faked
credentials
.
Since
clients
never reveal their secret key,
hosts
cannot sign
with a
credential
unless they issue it on a diﬀerent secret key.
If a
client
repudiates
a signature, the
host
needs to provide
the values o, e, b, i and v, and by computing a
u
r
u
≡
n
a
u
s
u
f
t
, it is
easy to check whether the value t has been derived correctly
(see the next section) or whether the
client
has been
framed
.
Chapter 7
Virtual ID
11
Credentials Cryptography
Signing
Due to the ﬂexibility and the combination of
credentials
, the
format
of
credential
based signatures is relatively complex:
(t, s
u
, v, s
v
, [(o, c, s
e
, s
b
, i, s
i
,
(
w
i
, s
wi
, w
b
, s
wb
)
)], f’, certiﬁcates).
After
randomizing
each
credential
(see
7.3.
)
and
computing
the encryptions
w
i
and
w
b
with
random
values
wi
and
wb
of
length
l
r
b
–
l
h
,
the
client
chooses randomly the values
r
u
and
r
v
of length l
r
, and per
credential
the values
r
e
and
r
i
of length l
r
and
r
b
,
r
wi
and
r
wb
of length l
r
b
(see
3.3.
).
Afterwards,
the
value
t
= h
[(c
r
e
a
b
r
b
a
u
r
u
a
i
r
i
a
v
r
v
,
(
y
r
wi
(1+
z)
r
i
, g
r
wi
, y
r
wb
(1+
z)
r
b
, g
r
wb
)
)]
⊕
…
h(content), where the tuple in the list is computed for every
credential
. If
no veriﬁable encryption
is required, the part in
the bold parentheses can be omitted for all
credentials
. The
svalues are ﬁnally computed as
s
u
=
r
u
–
t
∙
u and
s
v
=
r
v
–
t
∙
v,
and for each credential
s
e
=
r
e
–
t
∙
e,
s
b
=
r
b
–
t
∙
b,
s
i
=
r
i
–
t
∙
i,
s
wi
=
r
wi
–
t
∙
wi and
s
wb
=
r
wb
–
t
∙
wb.
The value
o
is added to the signature in its unhashed form
(
7.1.
). The same applies to
v
if the
restrictions
are
revealed
.
In
this case, s
v
is left empty and a
v
rv
is not a factor in
t
but
a
o
o
on
the left side of each
credential’s
equation is divided by a
v
v
.
In order to give
services
more possibilities, also the value
i
can be disclosed (with the same consequences as in case of
v). The idea is that clients can commit to a random value i as
j
≡
n
a
i
i
a
b
b’
inside a request for a speciﬁc
credential
, which the
host then includes in the computation of c’ (see
7.2.
) without
learning i. Such
credentials
are useful in situations in which it
is desired that
clients
can make
anonymous
submissions but
only
once
(e.g. digital money and online surveys).
Last but not least, the value
f’
is needed in the
shortening
of
credentials
(see
7.4.
) and
certiﬁcates
can be appended for
combining
identity
 and
attribute
based
authentication
.
Veriﬁcation
The receiving
host
veriﬁes
that the following equation
holds:
t =
h(
[(c
s
e
a
b
s
b
a
u
s
u
a
i
s
i
a
v
s
v
(a
o
o
)
t
,
(
y
s
wi
(1+
z)
s
i
w
i1
t
, g
s
wi
w
i2
t
, y
s
wb
(1+
z)
s
b
w
b1
t
, g
r
wb
w
b2
t
)
)])
⊕
h(content), with w
i1
and w
i2
being the
ﬁrst and second element of w
i
(and for w
b
accordingly).
Additionally, the
host
needs to make sure that all svalues
except s
b
, s
wi
and s
wb
are
at most l
s
bits long (the others may
be up to l
s
b
bits long). The reason for this is that the
exponent
e of length l
e
may not ﬁt into any other exponent but b, such
that the value c’ can only be blinded with the base a
b
.
As a ﬁnal remark,
hosts
have to choose the exponent
e
at
random
in order to prevent the multiplication of
credentials
.
7.4.
Shortening
Roles
Before being able to make requests on behalf
of
another
VID
for which the native
VID
is
authorized
in a certain
role
, a
client
needs to obtain a
credential
from this other
VID
by
signing
an
appropriate
request
with
a
credential
from
the
native
VID
.
The
current
restrictions
have to be exposed in this process that is
called
shortening
such that the issuing
host
can check their
conformity
. The
client’s
authorization
is also checked and the
role
stated in the value o is reduced by one entry. Since
roles
can be
chained
,
credentials
have to be shortened recursively.
To
guarantee
that
the
validity
period
of
a
credential
cannot
be
extended
by
shortening,
the
same
time
value
has
to
be
used.
Such requests require that i and b are
veriﬁably encrypted
.
Certiﬁcates
The shortening of
certiﬁcates
works similarly, except that the
restrictions
are
replaced
with a randomized hash of the
VID’s
identiﬁer
at the
authority
that issued the
certiﬁcate
. This step
is required to ensure that
clients
cannot
pool
credentials
from
various
VIDs
for
attribute
based
access
control.
Furthermore,
the main
role
is dropped from the
credential
and the
certiﬁed
attribute
is added instead.
While shortening, the secret key
u
and the value
v
, which
is no longer disclosed further up the
certiﬁcation
hierarchy,
need to be
transferred
to a new group (also in case of
roles
).
This is achieved by
committing
to them with
f’
≡
n
a
u
u
a
v
v
a
b
b’
and proving that the same values
and a random b’ are used.
12
Virtual ID
Chapter 7
Cryptography Credentials
Enter the password to open this PDF file:
File name:

File size:

Title:

Author:

Subject:

Keywords:

Creation Date:

Modification Date:

Creator:

PDF Producer:

PDF Version:

Page Count:

Preparing document for printing…
0%
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο