Integrating DAGA into the cothority framework and using it to build a login service DEDIS, EPFL 2018/19 - Lucas Pires Responsible: Prof. Bryan Ford, Dr. Ewa Syta Supervisor: Linus Gasser 1
Integrating DAGA into the cothority framework and using it to build a login service D eniable A nonymous G roup A uthentication • Decentralized Authentication Protocol • Forward-security, etc. more later 2
Motivation / Intro • Authentication Identification and Privacy • ➔ where possible, get rid of identification • ➔ DAGA • GOAL: offer easy way to use DAGA, Login Service 3
Overview • Background / DAGA • Cothority implementation • Authentication delegation • PoC & demo • Conclusion 4
Background / DAGA Big picture Properties Description 5
Background / DAGA – DAGA 6
Background / DAGA – DAGA Entity / user 6
Background / DAGA – DAGA Entity / user Anytrust servers 6
Background / DAGA – Group DAGA Auth. request Entity / user Anytrust servers Decision 6
Background / DAGA – • Completeness • Soundness Group DAGA Auth. request Entity / user Anytrust servers Decision 7
Background / DAGA – • Completeness • Soundness Group • Anonymity DAGA Auth. request Entity / user Anytrust servers Decision 7
Background / DAGA – • Anonymity • Proportionality Group DAGA Auth. request Entity / user Anytrust servers Decision + Linkage Tag 8
Background / DAGA – • Anonymity • Proportionality Group • Deniability DAGA Auth. request Entity / user Anytrust servers Decision + Linkage Tag 9
Background / DAGA – • Anonymity • Proportionality Group • Deniability • Forward security DAGA Auth. request Entity / user Anytrust servers Decision + Linkage Tag 10
Background / DAGA – Build request / client’s protocol Prover Context Verifiers Adapted / redrawn from https://github.com/dedis/student_17/blob/master/pfs_pop/presentation_pfs_pop.pdf 11
Background / DAGA – Build request / client’s protocol Initial tag Prover Context Verifiers Adapted / redrawn from https://github.com/dedis/student_17/blob/master/pfs_pop/presentation_pfs_pop.pdf 11
Background / DAGA – Build request / client’s protocol Initial tag Proof generation Prover ∑ Challenge ∑ commitments Context Distributed randomness / challenge generation Verifiers Adapted / redrawn from https://github.com/dedis/student_17/blob/master/pfs_pop/presentation_pfs_pop.pdf 11
Background / DAGA – Build request / client’s protocol Initial tag Proof generation Prover ∑ Challenge Linkage tag ∑ commitments Request Context (with ∑ responses) Collective proof verification, decision and Distributed randomness Servers’ protocol Tag building / challenge generation Verifiers Adapted / redrawn from https://github.com/dedis/student_17/blob/master/pfs_pop/presentation_pfs_pop.pdf 11
Overview • Background / DAGA • Cothority implementation • Authentication delegation • PoC demo • Conclusion &? Future 12
Cothority Implementation • DAGA Library (continuation of A. Villard’s work) • New Service & Protocols (context generation / challenge generation / DAGA servers’ protocol) • Can run simulations locally and on DETERLab • 80% code coverage • Possible to generate proto files • CLI client 13
Cothority Implementation • DAGA Library (continuation of A. Villard’s work) • New Service & Protocols (context generation / challenge generation / DAGA servers’ protocol) • Can run simulations locally and on DETERLab • 80% code coverage • Possible to generate proto files • CLI client 14
DAGA Cothority 15
Client / 3 rd party service admin Administrative phase 1) Collect public keys of subscribers 2) Build a roster of willing conodes (partnerships or open access nodes) 16
Client / 3 rd party service admin Administrative phase 1) Collect public keys of 3) Call CreateContext( keys , roster ) subscribers 2) Build a roster of willing conodes (partnerships or open access nodes) Context generation protocol Random node Other nodes 16
Client / 3 rd party service admin Administrative phase 1) Collect public keys of 3) Call CreateContext( keys , roster ) subscribers 2) Build a roster of willing conodes Context (partnerships or open access nodes) Context generation protocol New Cothority Random node Other nodes For the new context 16
Build auth. Message M Proof generation Initial tag Entity ∑ Challenge Call PKClient( ∑ commitments, ) DAGA Linkage context tag Call Auth(M, ) challenge generation Servers’ protocol protocol Need to keep state across endpoint calls ➔ avoid by storing it in clients DAGA cothority
Cothority Implementation • DAGA Library (continuation of A. Villard’s work) • New Service & Protocols (context generation / challenge generation / DAGA servers’ protocol) • Can run simulations locally and on DETERLab • 80% code coverage • Possible to generate proto files • CLI client 18
Simulation results – total authentication time Local DETERLab 1) DETERLab Setup: • pc2133 nodes: • Ubuntu 14.04, AMD64 • CPU: 4 @ 2,13 GHz • RAM: 4 GiB Wall time [s] • LAN with 100 ms delay 2) Local Setup: • Debian 9, AMD64 • CPU: 8 @ 2.50GHz Number of group members Number of group members • RAM: 16 GiB 19
Original results and previous student’s results Original paper (2014) Previous student Taken from https://github.com/dedis/student_17/blob/master/pfs_pop/presentation_pfs_pop.pdf 20
Simulation results – total authentication time Local 4 servers Local 16 servers Wall time [s] Number of group members Number of group members 21
Simulation results – total server traffic Previous student’s results ~ Traffic [KiB] 22
Cothority Implementation • DAGA Library (continuation of A. Villard’s work) • New Service & Protocols (context generation / challenge generation / DAGA servers’ protocol) • Can run simulations locally and on DETERLab • 80% code coverage • Possible to generate proto files • CLI client 23
Overview • Background / DAGA • Cothority implementation • Authentication delegation • PoC demo • Conclusion &? Future 24
Authentication delegation Entity / user DAGA cothority 25
Authentication delegation Service Provider Entity / user DAGA cothority 25
Authentication delegation Service Provider Entity / user DAGA cothority 25
Authentication delegation Service Provider Entity / user DAGA cothority Authentication Delegation Protocol 25
RP IdP OpenID connect authentication - “code flow” 26
RP IdP GET rp/login OpenID connect authentication - “code flow” 26
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth OpenID connect authentication - “code flow” 26
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth OpenID connect 200 authentication page authentication - “code flow” IdP authenticates user-agent REDIRECT rp/callback with code GET rp/callback with code 26
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth OpenID connect 200 authentication page authentication - “code flow” IdP authenticates user-agent REDIRECT rp/callback with code GET rp/callback with code POST IdP/token_endpoint with code 200 token 26
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth 200 authentication page 27
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth 200 authentication page 27
RP IdP GET rp/login REDIRECT IdP/daga_auth GET IdP/daga_auth DAGA client 200 authentication page daemon Browser / WEB UI 27
RP IdP DAGA client daemon Browser / WEB UI 28
RP IdP DAGA client daemon Arguments, context + key Browser / WEB UI 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Arguments, context + key Browser / WEB UI 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Auth. Msg Arguments, context + key Browser / WEB UI 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Auth. Msg Arguments, context + key POST back with Auth. msg Browser / WEB UI 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Auth. Msg Arguments, context + key POST back with Auth. msg Browser / Call Auth (Auth. msg) WEB UI Linkage Tag 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Auth. Msg Arguments, context + key POST back with Auth. msg Browser / Call Auth (Auth. msg) WEB UI Linkage Tag REDIRECT rp/callback with code GET rp/callback with code 28
RP IdP Call PKClient (commitments) DAGA client Challenge daemon Auth. Msg Arguments, context + key POST back with Auth. msg Browser / Call Auth (Auth. msg) WEB UI Linkage Tag REDIRECT rp/callback with code GET rp/callback with code POST IdP/token_endpoint with code 200 token 28
Demo 29
Conclusion • Democratization of DAGA as anonymous authentication is feasible • Future works: 30
Recommend
More recommend