Security - Telenor

More documents

Recommendations

Info

Figure 1 This figure illustrates the general principle of privacy homomorphisms. The plaintext is x, the encryption function E, decryption function D, and f is a function applied to plaintext data. The function f' is the counterpart of f, when applied to encrypted data 40 f x f(x) E D E(x) f` f`(E(x))=E(f(x)) 2. interact with its environment using either encrypted or plaintext messages, or a combination of both; 3. sign certain data in complete confidentiality while executing on a potentially malicious host; and 4. support encrypted Turing-universal computation. If one looks at these requirements, it should become clear that what is actually needed is the ability to apply operations to encrypted data. This problem was originally studied in the form of privacy homomorphisms for databases. The concept of privacy homomorphisms is a good idea, and addresses many of the requirements above as long as strong encryption is not a requirement. In spite of this, the concept could be central to solving the above problem. The few subsequent approaches in the field have to some degree based themselves on the privacy homomorphism concept, even if the resulting system is strictly speaking not a privacy homomorphism. 5.2.1 Privacy Homomorphisms Let S and S' be non-empty sets with the same cardinality. A bijection E : S → S' is the encryption function, with its inverse D being the corresponding decryption function. Denote an algebraic system for cleartext operations by U = (S; f 1 , ..., f k ; p 1 , ..., p l , s 1 , ..., s m ), where the f i :S g i → S are functions with arity g i , the p i are predicates with arity h i , and the s i are distinct constants in S. Denote U’s counterpart for operation with encrypted data by: C = (S'; f' 1 , ..., f' k ; p' 1 , ..., p' l ; s' 1 , ..., s' m ), where each f' i corresponds to f i , and each p' i corresponds to p i , and each s' i corresponds to s i . Thus f' i has arity g i and p' i has arity h i . A mapping E is called a privacy homomorphism if it satisfies the following conditions: 1. For all f i and f' i : f’ i (a’ i , ..., a’ gi ) = E K (f i (D K (a’ 1 ), ..., D K (a’ gi ))), where a’ 1 , ..., a’ gi ∈ S’, and K is a symmetric encryption key. 2. For all p i and p' i : p’ i (a’ 1 , ..., a’ gi ) if and only if p i (D K (a’ 1 ), ..., D K (a’ hi )). 3. For all s i and s' i D K (s' i ) = s i . Although this is elegant, it has an inherent weakness, summarized in theorem 3.1 in [5]. In essence, it is impossible to have a secure encryption function E for an algebraic system like U when that system has a predicate p i inducing a total order on the constants s 1 , ..., s m , and it somehow is possible to determine the encrypted version of each constant. The following example is from the proof of the theorem in [5]. EXAMPLE 5. Take a plaintext system where si =i∈ N for all 1 ≤i ≤m. Let one function be addition (written +), and one predicate be the relation less-than-or-equal-to (written ≤). The corresponding function applied to encrypted data is written +', and the corresponding predicate is written ≤'. If the cryptanalyst knows 1 and 1', it is possible to decrypt any c' to c by doing a binary search using +', 1', and ≤'. 5.2.2 Computing with Encrypted Functions The privacy homomorphism is revisited in work by Sander and Tschudin [7]. They mention two potential candidates for encrypted computation: 1. polynomials encrypted with a particular type of privacy homomorphism; and 2. rational function composition, where one rational function is used to encrypt another. Only the first scheme, called non-interactive evaluation of encrypted functions, is detailed in their work. Sander and Tschudin present a simple protocol demonstrating how it could work. The protocol is as follows: 1. Alice encrypts f. 2. Alice creates a program P(E(f)) which implements E(f). 3. Alice sends P(E(f)) to Bob. Telektronikk 3.2000
4. Bob executes P(E(f)) using x as argument. 5. Bob sends P(E(f))(x) to Alice. 6. Alice decrypts P(E(f))(x) to obtain f(x). The encryption itself uses an additively homomorphic encryption scheme on a ring Z n . EXAMPLE 6. An additively homomorphic scheme is presented in [7]. The encryption function E:Z p-1 → Z p for a prime p is g x for plaintext x. g is a generator of Z /pZ . Addition of plaintext is thus arithmetic addition, while addition of ciphertext is done using multiplication. The plaintext function is a polynomial with coefficients from Z p-1 . Encryption of f is achieved by encrypting each of f’s coefficients individually. The resulting f' is applied to plaintext data by using so-called mixed multiplication. Mixed multiplication is an operation where the product E(xy) is computed from E(x) and y directly. Note that E(xy) = (g x ) y , so E(x) must be raised to the y th power in order to compute E(xy). This can be done using a double-and-add algorithm, which translates into a square-and-multiply algorithm for encrypted data. The scheme in Example 6 appears to avoid the inherent weakness of privacy homomorphisms by selecting an encryption function such that there is no known easily computable total ordering of the encrypted elements. Along the way, the ability to do repeated applications of the function on the encrypted data appears to be lost, as the result is encrypted, and Bob can only compute mixed-multiplication. Note in particular that if Bob were able to compute multiplication in the encrypted domain, he would probably be able to decrypt the ciphertext fairly easily. The ability to do multiplication with only encrypted elements requires knowledge of either: 1. the generator g; or 2. a method of efficiently solving the discrete logarithm problem. Thus the second scheme trades functionality for increased security compared with easily applicable privacy homomorphisms. 6 Integrity Integrity deals with the detection of unauthorized operations on data in a system. The restoration of damage after unauthorized operations have occurred is usually considered a part of dependability, while the prevention of the unauthorized operations is typically taken care of by authentication and access controls. Telektronikk 3.2000 Integrity can typically be boiled down to the unauthorized detection of modification of system objects by editing, creating, deleting, or reordering data in objects. Integrity is usually achieved by the inclusion of redundant information strongly dependent on the data (or system structure) to be protected such that attempts at unauthorized 1. modifications (or creations or deletions) of objects are detectable; and 2. modifications (or creations or deletions) of the redundant information, are detectable. In addition to the common integrity concept there is also a concept of sequence integrity, where a mandatory order is imposed on otherwise individual data/messages/processes in the system. Such integrity is relevant for ordered data, such as video and audio streams. It is also relevant for protocols being executed by an agent, its platform, or the host upon which the platform resides. 6.1 Agent Attacks As with confidentiality, the agent attacks are fairly well studied, and they are also very similar. Most of them can be realized if the access controls are not precise or not secure (as defined in Denning [4]). Some ways of violating integrity are 1. attempting unauthorized accesses of other agents’ code/data areas; 2. unauthorized creation, modification, or deletion of data associated with host software (such as changing mailing lists in MS Outlook); 3. feeding the platform with misleading information or falsifications; or 4. intentionally trying to trigger race conditions or confuse host protocol state machines by manipulating protocol messages used in communication with the platform. In addition, mobile agents may also become malicious if their state is corrupted during their execution, irrespective of whether that corruption was intentional or not. The first attack above is also halted by any effective virtual machine-based platform (as for Java applets), under similar conditions as those mentioned in Section 5.1. Similarly, if the agent is running as a native machine code process on the platform, there must be hardware support for controlling memory access from the host’s oper- 41
Page 2 and 3: Telektronikk Volume 96 No. 3 - 2000
Page 4 and 5: Øyvind Eilertsen (34) is Research
Page 6 and 7: 4 E(P) = a ⋅ P + b (mod 26) D(C)
Page 8 and 9: 6 In 1997, NIST initiated the proce
Page 10 and 11: 8 decrypt the signed hash value, re
Page 12 and 13: Lars R. Knudsen (38) is Professor a
Page 14 and 15: Table 1 Timetable for AES Table 2 T
Page 16 and 17: 14 K m i Stream cipher algorithm Fi
Page 18 and 19: 16 6 Use of Encryption in Telecommu
Page 20 and 21: 18 mode, integrity mode, key divers
Page 22 and 23: 20 7 Beaver, D. Computing with DNA.
Page 24 and 25: 22 In both cases, my trust depends
Page 26 and 27: 24 A number of standard PC applicat
Page 28 and 29: Henning Wright Hansen (28) is Resea
Page 30 and 31: 28 Securing Locally Stored Informat
Page 32 and 33: Figure 3 A simple Public Key Infras
Page 34 and 35: 32 The Policy Control Center An imp
Page 36 and 37: Tønnes Brekne (31) is on leave fro
Page 38 and 39: 36 Sets definable by such predicate
Page 40 and 41: 38 A failure is caused by some type
Page 44 and 45: 42 ating system(s) and/or platform
Page 46 and 47: Message Sender Recipient Message pa
Page 48 and 49: 46 Assume some agent a carries with
Page 50 and 51: 48 gateway from attack, while the i
Page 52 and 53: 50 transfer at the expense of secur
Page 54 and 55: 52 7 FORE Systems. Firewall Switchi
Page 56 and 57: Figure 2-1 Object invocations throu
Page 58 and 59: Figure 4-1 3 Levels of different fi
Page 60 and 61: 58 phase two, in which the client r
Page 62 and 63: 60 5 CORBA Firewall Traversal 5.1 F
Page 64 and 65: 62 7.2 Visibroker Gatekeeper of Inp
Page 66 and 67: 64 References 1 Abie, H. An Overvie
Page 68 and 69: Cost Figure 1 Minimising total cost
Page 70 and 71: 68 In the coming years it is likely
Page 72 and 73: 70 financial, social, environmental
Page 74 and 75: Consequence 72 Insignificant Substa
Page 76 and 77: 74 in a one week time-frame, using

Security - Telenor

Create successful ePaper yourself

Delete template?

Save as template?