Day 4 (of 4) of mini-course on Engineering Cryptographic Applications held at AMC Theater Tyson's Corner for Microstrategy, Inc.
See http://www.mightbeevil.com/crypto for details
October 25, 2013
4. Recap
Day 1: Symmetric Ciphers
AES
Sending Secret Messages
Day 2: Using Symmetric Encryption
PRNG, CTR
Encrypting Long Messages
Day 3: Public-Key Protocols
D-H, RSA, ECC
Key Agreement, Signatures
TLS/SSL
Establishing Secure Connections
Things everyone in the developed and semi-developed world
is using hundreds of times a day!
evans@virginia.edu
Engineering Crypto Applications
3
5. Today: Glimpses Into “Future”
Biometrics
Secure Multi-Party Computation
Automated Protocol Testing
Things that are only starting to be used outside of
research labs (other than biometrics).
7. Appeal of Biometrics
Convenient and Easy:
nothing to remember or lose
Humans like to feel unique
Seems cool and futuristic
8. “iPhone 5s introduces Touch ID, an innovative
way to simply and securely unlock your iPhone
with just the touch of a finger. Built into the
home button, Touch ID uses a laser cut sapphire
crystal, together with the capacitive touch
sensor, to take a high-resolution image of your
fingerprint and intelligently analyze it to provide
accurate readings from any angle.”
13. “My Voice is My Passport”
14. Meaningful Security Requires Secrets
Biometrics may be okay
for identification
“Touch ID”
(not “Touch Password”)
Biometrics cannot be
secret (and may not even
be that unique)
16. “Secure-Against-Your-Spouse” Security
Biometrics are fine for identification and security against weak, unmotivated adversaries. Danger is that they give users a false sense of security.
[Figure captions: “Breakable by sophisticated adversary in a few hours” vs. “Breakable by anyone in a second”]
19. (De)Motivating Application: “Genetic Dating”
Alice and Bob run a Genome Compatibility Protocol; each learns one of two results:
“Your offspring will have good immune systems!” or “WARNING! Don’t Reproduce”
22. [Chart: cost to sequence a human genome, Aug 2001 to Feb 2013, log scale from $100,000,000 down to $1,000, plotted against the Moore’s Law prediction (halve every 18 months); the Ion Torrent Personal Genome Machine is marked near $1,000.]
23. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje
Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo
Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna
P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex
Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve
Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E.
McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe
Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay
Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran,
Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce
Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
26. Secure Two-Party Computation
Alice’s Genome: ACTG… Markers (~1000): {0, 0, …, 1}
Bob’s Genome: ACTG… Markers (~1000): {0, 1, …, 0}
Can Alice and Bob compute a function on their private data, without exposing anything besides the result?
27. Secure Function Evaluation
Alice (circuit generator)
Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1980s
29. Computing with Meaningless Values?
An AND gate with input wires a, b and output wire x. Each wire carries one of two random labels: a0 or a1, b0 or b1, x0 or x1.
Inputs → Output (as wire labels):
a0, b0 → x0
a0, b1 → x0
a1, b0 → x0
a1, b1 → x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
30. Computing with Garbled Tables
Garbled AND gate: the generator encrypts each row’s output label under the two input labels of that row, then applies a random permutation to the rows:
Enc_{a0,b1}(x0)
Enc_{a1,b1}(x1)
Enc_{a1,b0}(x0)
Enc_{a0,b0}(x0)
Bob holds only one label per input wire (a0 or a1, b0 or b1), so Bob can only decrypt one of these!
31. Garbled Circuit Protocol
Alice (circuit generator) sends the garbled gate to Bob (circuit evaluator):
Enc_{a0,b1}(x0)
Enc_{a1,b1}(x1)
Enc_{a1,b0}(x0)
Enc_{a0,b0}(x0)
Alice sends ai to Bob based on her input value.
How does Bob learn his own input wires?
32. Primitive: Oblivious Transfer
Alice
Bob
Oblivious Transfer
Protocol
Oblivious: Alice doesn’t learn which secret Bob obtains
Transfer: Bob learns one of Alice’s secrets
Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
33. Chaining Garbled Circuits
AND Gate 1 (input wires with labels a10/a11 and b10/b11, output wire x1 with labels x10/x11):
Enc_{a10,b11}(x10)
Enc_{a11,b11}(x11)
Enc_{a11,b10}(x10)
Enc_{a10,b10}(x10)
OR Gate 2 (input wires x0 and x1, output wire x2 with labels x20/x21):
Enc_{x00,x11}(x21)
Enc_{x01,x11}(x21)
Enc_{x01,x10}(x21)
Enc_{x00,x10}(x20)
…
The output label of one gate is an input label of the next, so we can do any computation privately this way!
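The two-gate chain above, worked out in code. This is an added example, not code from the course or from the speaker’s systems: it garbles f(a, b, c) = (a AND b) OR c with Alice holding a and c and Bob holding b, using the hash-based encryption Enc_{ka,kb}(x) = H(gate_id || ka || kb) XOR (x || 0^128). The zero pad is the assumed mechanism by which the evaluator recognises the one row he can open; the `oblivious_transfer` function only models the ideal 1-out-of-2 OT functionality (it is not a real OT protocol), so the whole thing runs offline.

```python
# Added example (not part of the course slides): a minimal Yao-style garbled
# circuit for f(a, b, c) = (a AND b) OR c, mirroring the two chained gates on the
# slides. Alice holds a and c, Bob holds b.  Encryption is the hash-based
# Enc_{ka,kb}(x) = H(gate_id || ka || kb) XOR (x || 0^128): the zero pad is how the
# evaluator recognises the single row he is able to decrypt (an assumption of
# this demo, not the course's construction).
import hashlib
import os
import secrets

LABEL_BYTES = 16                 # 128-bit wire labels
PAD = b"\x00" * LABEL_BYTES      # zero pad appended to each label before encryption


def new_wire():
    """Generator's view of a wire: a random label for 0 and a random label for 1."""
    return (os.urandom(LABEL_BYTES), os.urandom(LABEL_BYTES))


def _keystream(gate_id, ka, kb):
    # 32 bytes: masks label (16) + pad (16).  gate_id separates gates so the same
    # label pair used in two gates never yields the same keystream.
    return hashlib.sha256(gate_id.encode() + ka + kb).digest()


def enc(gate_id, ka, kb, label):
    return bytes(k ^ m for k, m in zip(_keystream(gate_id, ka, kb), label + PAD))


def dec(gate_id, ka, kb, row):
    """Returns the output label if (ka, kb) is the key pair for this row, else None."""
    pt = bytes(k ^ c for k, c in zip(_keystream(gate_id, ka, kb), row))
    return pt[:LABEL_BYTES] if pt[LABEL_BYTES:] == PAD else None


def garble_gate(gate_id, wire_a, wire_b, wire_out, truth):
    """Four encrypted rows, one per (a, b) in {0,1}^2, in a random permutation."""
    rows = [enc(gate_id, wire_a[a], wire_b[b], wire_out[truth(a, b)])
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows


def decryptable_rows(gate_id, table, la, lb):
    """Rows the evaluator can open with the labels he holds (should be exactly one)."""
    return [x for x in (dec(gate_id, la, lb, row) for row in table) if x is not None]


def eval_gate(gate_id, table, la, lb):
    hits = decryptable_rows(gate_id, table, la, lb)
    if len(hits) != 1:
        raise ValueError("evaluator must be able to open exactly one row")
    return hits[0]


def oblivious_transfer(label_pair, choice):
    """Stand-in for 1-out-of-2 OT (Rabin 1981; Even, Goldreich, Lempel 1985): Bob
    receives label_pair[choice]; Alice must not learn `choice` and Bob must not see
    the other label.  A real deployment runs an OT protocol here; this function only
    models the ideal functionality so the example runs offline."""
    return label_pair[choice]


def run_protocol(alice_a, alice_c, bob_b):
    """Returns the output bit Bob decodes; each input stays private to its owner."""
    # --- Alice, the circuit generator ---
    wa, wb, wc, wx1, wx2 = (new_wire() for _ in range(5))
    tables = {
        "g1": garble_gate("g1", wa, wb, wx1, lambda a, b: a & b),   # x1 = a AND b
        "g2": garble_gate("g2", wc, wx1, wx2, lambda c, x: c | x),  # x2 = c OR x1
    }
    alice_labels = (wa[alice_a], wc[alice_c])   # meaningless to Bob, so sent directly
    output_decode = {wx2[0]: 0, wx2[1]: 1}       # only the output wire is decodable
    # --- Bob, the circuit evaluator ---
    lb = oblivious_transfer(wb, bob_b)            # Bob learns his own input label via OT
    la, lc = alice_labels
    lx1 = eval_gate("g1", tables["g1"], la, lb)   # gate 1 output label feeds gate 2
    lx2 = eval_gate("g2", tables["g2"], lc, lx1)
    return output_decode[lx2]


def cleartext(a, c, b):
    return (a & b) | c


if __name__ == "__main__":
    for a in (0, 1):
        for c in (0, 1):
            for b in (0, 1):
                assert run_protocol(a, c, b) == cleartext(a, c, b)
    print("garbled circuit agrees with (a AND b) OR c on all inputs")
```

Note what Bob never sees: Alice's second label for any wire, so he cannot open the other three rows of a table, and the intermediate label lx1 tells him nothing about a AND b because he has no decoding map for wire x1.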
34. Building Computing Systems
Digital Electronic Circuits vs. Garbled Circuits:
Operate on known data | Operate on encrypted wire labels
One-bit logical operation requires moving a few electrons a few nanometers (hundreds of billions per second) | One-bit logical operation requires performing (up to) 4 encryption operations: very slow execution
Reuse is great! | Reuse is not allowed for privacy: huge circuits needed
35. Faster Circuit Execution
Pipelined Execution
Optimized Circuit Library
Partial Evaluation
Yan Huang (UVa PhD 2012)
Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
43. Garbled Circuits Are Half-Way!
Privacy: nothing is revealed other than the output.
Correctness: the output of the protocol is indeed f(x,y).
[Figure: the two properties shown against the Generator and the Evaluator.]
As long as evaluator doesn’t send result back, privacy for evaluator is guaranteed.
How can we get both correctness, and maintain privacy while giving both parties the result?
44. Dual Execution Protocols
Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.
45. Dual Execution Protocol [Mohassel and Franklin, PKC’06]
First round execution (semi-honest): Alice is generator, Bob is evaluator. Bob obtains z = f(x, y) and the learned output wire labels.
Second round execution (semi-honest): Bob is generator, Alice is evaluator. Alice obtains z' = f(x, y) and the learned output wire labels.
Fully-secure, authenticated equality test: pass if z = z' and correct wire labels.
46. Security Properties
Correctness: guaranteed by authenticated, secure equality test.
Privacy: leaks one (extra) bit on average; e.g., an adversarial circuit generator provides a circuit that fails on ½ of the inputs, and whether the equality test passes reveals which half the honest input is in.
A malicious generator can decrease the likelihood of being caught, and increase the information leaked when caught (but this decreases the average information leaked): at the extreme, the circuit fails on just one input.
48. Proving Security: Malicious
Show equivalence between:
Real World: A and B run the Secure Computation Protocol on inputs x' and y'; the corrupted party behaves arbitrarily.
Ideal World: A and B send x' and y' to a Trusted Party; the adversary receives f(x', y').
Standard Active Security Model: can’t prove this for Dual Execution.
49. Proof of Security: One-Bit Leakage
Ideal World: A (controlled by malicious A) sends x' and B sends y' to the Trusted Party; the adversary receives f(x', y') and g(x', y'), where g(x', y') ∈ {0, 1} and g is an arbitrary Boolean function selected by the adversary.
Can prove equivalence to this for Dual Execution protocols.
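The dual execution protocol of slides 45 and 50 and the one-bit-leakage argument of slides 46 to 49, as an executable model. This is an added example, not code from the course or from the Quid-Pro-Quo-tocols implementation: the garbled circuits are abstracted away (each party supplies the function its generated circuit computes, and a malicious generator may supply a wrong one), the “output wire labels” are modelled as an HMAC of the output bit under a key held by that round’s generator, and the agreed function f (a comparison) and the two cheating circuits are placeholders chosen for the demo.

```python
# Added example (not part of the course slides): an executable model of dual
# execution.  Garbled-circuit machinery is abstracted: each party supplies the
# function its *generated* circuit computes (a malicious generator may supply a wrong
# one), evaluators are semi-honest, and "output wire labels" are modelled as an HMAC
# of the output bit under a key held by the generator of that round, so a party
# cannot claim an output it did not actually obtain.  f and the cheating strategies
# are placeholders for the demo, not the course's functions.
import hashlib
import hmac
import math
import os


def _label(gen_key, bit):
    """Output wire label for `bit` as produced by the generator holding gen_key."""
    return hmac.new(gen_key, bytes([bit]), hashlib.sha256).digest()


def equality_test(k_alice, k_bob, bob_claim, bob_label, alice_claim, alice_label):
    """The fully-secure, authenticated equality test: pass iff both parties claim the
    same output and each presents the *other* generator's label for that output."""
    return (bob_claim == alice_claim
            and hmac.compare_digest(bob_label, _label(k_alice, bob_claim))
            and hmac.compare_digest(alice_label, _label(k_bob, alice_claim)))


def dual_execution(circuit_from_alice, circuit_from_bob, x, y):
    """Returns (passed, z, z_prime).  Round 1: Alice generates, Bob evaluates and
    obtains z plus Alice's label for z.  Round 2: roles swap.  Then the test."""
    k_alice, k_bob = os.urandom(16), os.urandom(16)
    z = circuit_from_alice(x, y)             # what Alice's circuit gives Bob
    bob_label = _label(k_alice, z)
    z_prime = circuit_from_bob(x, y)         # what Bob's circuit gives Alice
    alice_label = _label(k_bob, z_prime)
    passed = equality_test(k_alice, k_bob, z, bob_label, z_prime, alice_label)
    return passed, z, z_prime


def f(x, y):
    """Placeholder agreed function: 1 iff Alice's x is below Bob's y."""
    return int(x < y)


def bob_circuit_wrong_on_odd_x(x, y):
    """Malicious generator: correct on half of the inputs (even x), wrong otherwise.
    Pass/fail of the equality test then tells Bob the parity of x: one extra bit."""
    return f(x, y) ^ (x & 1)


def bob_circuit_wrong_on_one_x(target):
    """Malicious generator at the other extreme: wrong on a single input.  Rarely
    caught, but a failure reveals x completely; see expected_leak_bits."""
    return lambda x, y: f(x, y) ^ int(x == target)


def expected_leak_bits(p_fail):
    """Information about the honest party's input carried by the pass/fail outcome
    when the bad circuit fails on a fraction p_fail of inputs: the binary entropy of
    p_fail, at most 1 bit (reached at p_fail = 1/2) and tiny when p_fail = 2^-n."""
    if p_fail <= 0.0 or p_fail >= 1.0:
        return 0.0
    return -(p_fail * math.log2(p_fail) + (1 - p_fail) * math.log2(1 - p_fail))


if __name__ == "__main__":
    print(dual_execution(f, f, 3, 7))                            # honest: (True, 1, 1)
    print(dual_execution(f, bob_circuit_wrong_on_odd_x, 3, 7))   # x odd: caught
    print(dual_execution(f, bob_circuit_wrong_on_odd_x, 4, 7))   # x even: passes
    print(expected_leak_bits(0.5), expected_leak_bits(2 ** -20))
```

The label check is what makes the test “authenticated”: a party that lies about its output in the final step cannot produce the other side's label for the fabricated bit. The leak is exactly the pass/fail outcome, which is why the ideal world on slide 49 hands the adversary one adversary-chosen predicate g(x', y') in addition to f(x', y').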
50. Implementation
First round execution (semi-honest): Alice is generator, Bob is evaluator. Bob obtains z = f(x, y) and the learned output wire labels.
Second round execution (semi-honest): Bob is generator, Alice is evaluator. Alice obtains z' = f(x, y) and the learned output wire labels.
Fully-secure, authenticated equality test: pass if z = z' and correct wire labels.
Recall: work to generate is 3x work to evaluate!
51. [Chart: garbled-circuit systems on a 10k*10k alignment, Aug 2001 to Apr 2013, log-scale y-axis labelled $100,000,000 down to $1,000; points marked: FairPlay (2004), Free XOR, HEKM, Schneider & Zohner 2013.]
57. Will developers who follow the directions end up building a secure application?
Facebook documentation example: “The requested response type, one of code or token. Defaults to code…”
58. Modeling SSO System
Components modeled: Mallory, Client SDK, MalAppC, FooAppC, FooAppS, Service SDK, Client runtime, Service runtime, Identity Provider (IdP).
Reason about all possible applications that can be built using the SDK.
65. Oracle
Automatically test if site is vulnerable by looking at visual clues and traffic.
66. Dataset
Test the top-ranked 20,000 websites (from quantcast.com) for 5 vulnerabilities; 3 machines for 3 days.
Top of the list: google.com, youtube.com, facebook.com, msn.com, amazon.com, twitter.com, ebay.com, pinterest.com, yahoo.com, bing.com, microsoft.com, …
67. [Chart: % of sites supporting FB SSO (0% to 45%) by site rank percentile, from the top-ranked sites to the 20,000th-ranked site.]
1700 of top-20000 sites use Facebook SSO.
68. [Chart: percent of sites vulnerable (0% to 30%) by site rank, from the top-ranked sites to the 20,000th-ranked site; one bar is labelled “50 sites”.]
20% of sites (in top 20,000) that integrate Facebook SSO have at least one serious vulnerability detected by SSOScan.
Notes: circuit structure is small and can be reused; each garbled table (GT) can be used only once. Significance: (1) allows GC to easily scale to arbitrary problem size; (2) indirectly improves time efficiency.
People have done this before. What’s new here is achieving the performance and scalability needed for realistic problems.