Attribute-based Access Control Architectures with the eIDAS - - PowerPoint PPT Presentation

▶

Sep 17, 2022 176 likes •410 views

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt) 13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

SLIDE 1

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

Attribute-based Access Control Architectures with the eIDAS Protocols

21. SSR 2016

Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt)

SLIDE 2

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 2

German electronic identity card since November 2010 Cryptographic protocols of German identity card:

also used for machine readable travel documents (ICAO Doc 9303)
candidate for European eIDAS protocol

electronic identification, authentication, and trust services for electronic transactions

SLIDE 3

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 3

Basic Setting of German eID card

key k key k Terminal Authentication (TA) Chip Authentication (CA) ID card eID server {Secure Messaging} Secure extension to attribute-based access control in different scenarios? Extended Access Control (EAC)

SLIDE 4

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 4

Architectures

SLIDE 5

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 5

Integrated Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision

SLIDE 6

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 6

Distributed Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision

secure channel

Controller Decision

SLIDE 7

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 7

eID-Service Architecture

ID card Reader eID server Management Controller

secure channel secure channel secure channel

TA CA {„Read Att“}secure msging { Attributes }secure msging Attributes Decision Decision Attributes

SLIDE 8

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 8

Authentication-Service Architecture

ID card Reader Auth server Management Controller

secure channel secure channel secure channel

TA CA {„Read Att“}secure msging { Attributes }secure msging Attributes Decision Decision

S

Sig Request Signature

SLIDE 9

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 9

Security

SLIDE 10

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 10

Goals for Integrated Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision Impersonation Resistance Attribute Privacy

SLIDE 11

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 11

Dolev-Yao adversary (for both properties)

adversary can: − eavesdrop − inject/modify messages − determine schedule − corrupt parties − determines data T

requires some notion of sessions and session identifiers

SLIDE 12

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 12

ID card

certified key pair skC, pkC certified key pair skS, pkS

Compr(epk)

pick ephemeral esk, epk

nonceC

s←Sig(skS, nonceC||Compr(epk))

s pkS, certificateS

pick nonceC

pkC, certificateC epk tag, nonce*C

pick nonceC K = KDF(DH(skC,epk) nonceC) tag=MAC(K,epk) K = KDF(DH(epk,pkC) nonce*C) verify tag

EAC Protocol

terminal authentication chip authentication

session identifier SID=(nonceC,Compr(epk)) partner through certificate

SLIDE 13

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 13

Defining security: impersonation resistance

(a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session (b) at most two SIDs collide, one at a card, one at a reader Example: „passive security“

pretends to be card accepts with SID and A (a) → can only happen if card has also accepted with SID and A → adversary has only relayed data formalized in common game- based style

SLIDE 14

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 14

Defining security: impersonation resistance

(b) at most two SIDs collide, one at a card, one at a reader Example: replay attacks

pretends to be card accepts with SID (a) → can only happen if card has also accepted with SID* and A → adversary has only relayed data accepts with SID and A (b) → SID*≠SID

(a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session

SLIDE 15

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 15

Proving security: impersonation resistance

Theorem: EAC with secure messaging protocol provides impersonation resistance (assuming random oracles and security of GapDH, MAC, Enc, Sig, Cert). Proof idea: EAC is secure key key exchange protocol + channel protocol is secure ⇒ integrity of attribute transmissions

[Dagdelen, Fischlin, 2010] ISO/IEC 10116, ISO/IEC 9797-1 [Rogaway, 2011] [Brzuska, 2014]

SLIDE 16

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 16

Defining security: attribute privacy

Adversary cannot distinguish betweendifferent attributes A0 and A1 used in executions between honest parties

formalized again in game-based style

Follows again from security of channel: EAC is secure key key exchange protocol + channel protocol is secure ⇒ confidentiality of attribute transmissions

[Dagdelen, Fischlin, 2010] ISO/IEC 10116, ISO/IEC 9797-1 [Rogaway, 2011] [Brzuska, 2014]

SLIDE 17

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 17

Restoring Sessions

SLIDE 18

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 18

Restoring sessions

TA CA ID card Reader {„Read Att“} { Attributes } Management

secure channel

store key and sequence counter store key and sequence counter

„Restore Session“ {„Read Att“} { Attributes }

nly symmetric-

key crypto

SLIDE 19

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 19

Restoring sessions

TA CA ID card Reader {„Read Att“} { Attributes } Management

secure channel

store key and sequence counter store key and sequence counter

„Restore Session“ {„Read Att“} { Attributes } impersonation resistance + attribute privacy still guaranteed easy to integrate via EAC‘s persistent session contexts

SLIDE 20

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 20

Conclusion

SLIDE 21

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 21

Conclusion

EAC protocol easy to adapt for attribute-based access control provides strong impersonation resistance and attribute privacy easy to restore sessions

ID card Reader eID server Management Controller

secure channel secure channel secure channel

„Restore Session“ {„Read Att“} { Attributes }

SLIDE 22

Dec 6th, 2016 | Marc Fischlin | SSR 2016 | 22

Attribute-based Access Control Architectures with the eIDAS Protocols

Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt)

German electronic identity card since November 2010 Cryptographic protocols of German identity card:

electronic identification, authentication, and trust services for electronic transactions

Basic Setting of German eID card

key k key k Terminal Authentication (TA) Chip Authentication (CA) ID card eID server {Secure Messaging} Secure extension to attribute-based access control in different scenarios? Extended Access Control (EAC)

Architectures

Integrated Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision

Distributed Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision

secure channel

Controller Decision

eID-Service Architecture

ID card Reader eID server Management Controller

secure channel secure channel secure channel

TA CA {„Read Att“}secure msging { Attributes }secure msging Attributes Decision Decision Attributes

Authentication-Service Architecture

ID card Reader Auth server Management Controller

secure channel secure channel secure channel

TA CA {„Read Att“}secure msging { Attributes }secure msging Attributes Decision Decision

S

Sig Request Signature

Security

Goals for Integrated Architecture

TA CA ID card Reader Management {„Read Att“}secure msging

secure channel

{ Attributes }secure msging Attributes Decision Impersonation Resistance Attribute Privacy

Dolev-Yao adversary (for both properties)

adversary can: − eavesdrop − inject/modify messages − determine schedule − corrupt parties − determines data T

requires some notion of sessions and session identifiers

ID card

certified key pair skC, pkC certified key pair skS, pkS

Compr(epk)

pick ephemeral esk, epk

nonceC

s←Sig(skS, nonceC||Compr(epk))

s pkS, certificateS

pick nonceC

pkC, certificateC epk tag, nonce*C

pick nonce*C K = KDF(DH(skC,epk) nonce*C) tag=MAC(K,epk) K = KDF(DH(epk,pkC) nonce*C) verify tag

EAC Protocol

terminal authentication chip authentication

session identifier SID=(nonceC,Compr(epk)) partner through certificate

Defining security: impersonation resistance

(a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session (b) at most two SIDs collide, one at a card, one at a reader Example: „passive security“

pretends to be card accepts with SID and A (a) → can only happen if card has also accepted with SID and A → adversary has only relayed data formalized in common game- based style

Defining security: impersonation resistance

(b) at most two SIDs collide, one at a card, one at a reader Example: replay attacks

pretends to be card accepts with SID (a) → can only happen if card has also accepted with SID* and A → adversary has only relayed data accepts with SID and A (b) → SID*≠SID

(a) If party accepts in session SID for partner and attributes A, then partner also accepts SID and A in some session

Proving security: impersonation resistance

Theorem: EAC with secure messaging protocol provides impersonation resistance (assuming random oracles and security of GapDH, MAC, Enc, Sig, Cert). Proof idea: EAC is secure key key exchange protocol + channel protocol is secure ⇒ integrity of attribute transmissions

[Dagdelen, Fischlin, 2010] ISO/IEC 10116, ISO/IEC 9797-1 [Rogaway, 2011] [Brzuska, 2014]

Defining security: attribute privacy

Adversary cannot distinguish betweendifferent attributes A0 and A1 used in executions between honest parties

formalized again in game-based style

Follows again from security of channel: EAC is secure key key exchange protocol + channel protocol is secure ⇒ confidentiality of attribute transmissions

[Dagdelen, Fischlin, 2010] ISO/IEC 10116, ISO/IEC 9797-1 [Rogaway, 2011] [Brzuska, 2014]

Restoring Sessions

Restoring sessions

TA CA ID card Reader {„Read Att“} { Attributes } Management

secure channel

store key and sequence counter store key and sequence counter

„Restore Session“ {„Read Att“} { Attributes }

key crypto

Restoring sessions

TA CA ID card Reader {„Read Att“} { Attributes } Management

secure channel

store key and sequence counter store key and sequence counter

„Restore Session“ {„Read Att“} { Attributes } impersonation resistance + attribute privacy still guaranteed easy to integrate via EAC‘s persistent session contexts

Conclusion

Conclusion

EAC protocol easy to adapt for attribute-based access control provides strong impersonation resistance and attribute privacy easy to restore sessions

„Restore Session“ {„Read Att“} { Attributes }

Thank you!

pick nonceC K = KDF(DH(skC,epk) nonceC) tag=MAC(K,epk) K = KDF(DH(epk,pkC) nonce*C) verify tag