Multi-party Off-the-Record Messaging Ian Goldberg glu Berkant - - PowerPoint PPT Presentation

Motivation mpOTR Wrap up

Multi-party Off-the-Record Messaging

Ian Goldberg∗ Berkant Ustao˘ glu† Matthew D. Van Gundy‡ Hao Chen‡

∗University of Waterloo †NTT Information Sharing Platform Laboratories ‡University of California, Davis

16th ACM Conference on Computer and Communications Security

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 1

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Chicago Outfit

Boss Al Capone Bootlegging Bugs Moran Gambling Paul Ricca Extortion Machine Gun Mc Gurn

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 2

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Chicago Outfit

Boss Al Capone Bootlegging Bugs Moran Gambling Paul Ricca Extortion Machine Gun Mc Gurn The Law Eliot Ness

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 3

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Chicago Outfit

Boss Al Capone Bootlegging Bugs Moran Gambling Paul Ricca Extortion Machine Gun Mc Gurn The Law Eliot Ness

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 4

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 5

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 6

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M Bugs: M Bugs: M

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 7

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M Bugs: M Bugs: M Bugs: M

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 8

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Ness here. Ness here.

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 9

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

• Capone. . .

And, . . .

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 10

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Protect me

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 11

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Protect me Protect my family

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 12

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Only you Only you

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 13

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Only you Only you Ness: Protect family

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 14

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Ok Ok

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 15

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

x ∧ ¬y ¬x ∧ y

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 16

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

x ∧ ¬y ¬x ∧ y x

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 17

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

x ∧ ¬y ¬x ∧ y x y

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 18

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

x ∧ ¬y ¬x ∧ y x y

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 19

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

x ∧ ¬y ¬x ∧ y x y Ness: x Ness: y

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 20

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 21

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M′ Bugs: M Ricca: M′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 22

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M′ Bugs: M Ricca: M′ Bugs: M Ricca: M′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 23

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

M M′ Bugs: M Ricca: M′ Bugs: M Ricca: M′ Bugs: M Ricca: M′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 24

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Bugs: M Ricca: M′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 25

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Bugs: M Ricca: M′ Bugs: Z Ricca: Z ′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 26

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Bugs: Z Ricca: Z ′ Bugs: M Ricca: M′ Bugs: Z Ricca: Z ′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 27

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Bugs: M Ricca: M′ Bugs: Z Ricca: Z ′ Bugs: M Ricca: Z ′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 28

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

The Secret Life of the American Stool Pigeon

Bugs Ricca Ness McGurn Capone

Bugs: M Ricca: Z ′ Bugs: M Ricca: M′ Bugs: Z Ricca: Z ′ Bugs: M Ricca: Z ′

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 29

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

System Requirements and Threat Model

Requirements

◮ Confidentiality ◮ Entity Authentication ◮ Origin Authentication ◮ Consensus ◮ (Limited) Non-Repudiation ◮ Plausible Deniability

◮ Forgeability ◮ Malleability

The Adversary

◮ Has full control of the network ◮ Corrupts up to n − 1

participants

◮ Delivers wire transcripts and

corrupt participant state to the Judge

The Judge

◮ Distinguishes legitimate

transcripts from forgeries

◮ Given: transcript, corrupt

participant state, all long-lived secrets

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 30

Motivation mpOTR Wrap up Introduction Threat Model Partial Solutions

Partial Solutions

◮ PGP

◮ Employs digital signatures for non-repudiation ◮ Allows proving authorship to a third-party

◮ Two-party Off-the-Record Communication

◮ All confidentiality and authenticity based on shared secret ◮ Symmetric capabilities allow impersonation Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 31

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Overview

We achieve Multi-party Off-the-Record Messaging through:

◮ Generate per-session ephemeral signing keys ◮ Deniable signature key exchange (DSKE) ◮ Generate shared group encryption key ◮ Until membership change:

◮ Communicate via authenticated encryption

◮ Detect consensus violations

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 32

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

Guarantees Bugs (respectively Ricca) that:

◮ He is indeed talking to Ricca ◮ Ricca has chosen PK R as ephemeral signature key for session sid ◮ Ricca knows private key SK R corresponding to PK R ◮ A corrupt Ricca cannot prove to Capone that PK B is Bugs’s key

Given

◮ Deniable Key Exchange (Di Raimondo and Gennaro CCS 2006) ◮ Authenticated Encryption ◮ Secure Public-Key Signature Scheme

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 33

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 34

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 35

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 36

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 37

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B) R → B: AEk(sid, R, B, PK R)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 38

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B) R → B: AEk(sid, R, B, PK R) B → R: AEk( SignSK B(sid, B, R, PK R) )

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 39

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B) R → B: AEk(sid, R, B, PK R) B → R: AEk( SignSK B(sid, B, R, PK R) ) R → B: AEk( SignSK R(sid, R, B, PK B) )

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 40

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B) R → B: AEk(sid, R, B, PK R) B → R: AEk( SignSK B(sid, B, R, PK R) ) R → B: AEk( SignSK R(sid, R, B, PK B) ) B: Upon validating values from R: associate PK R to Ricca for sid

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 41

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Deniable Signature Key Exchange (DSKE)

B: PK B, SK B R: PK R, SK R B ↔ R: k ← DKA(B, R) B → R: AEk(sid, B, R, PK B) R → B: AEk(sid, R, B, PK R) B → R: AEk( SignSK B(sid, B, R, PK R) ) R → B: AEk( SignSK R(sid, R, B, PK B) ) B: Upon validating values from R: associate PK R to Ricca for sid R: Upon validating values from B: associate PK B to Bugs for sid

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 42

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant ◮ The ephemeral pubic key PK ∗ of each other participant ◮ A shared symmetric encryption key gk ◮ The protocol parameters negotiated before session initiation ◮ Consensus all of the above

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 43

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 44

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK B PK R PK N

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 45

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK B PK R PK N DSKE

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 46

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK N DSKE PK B PK R PK R PK B

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 47

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK N PK B PK R PK R PK B DSKE

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 48

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK R PK B DSKE PK B PK R, PK N PK N PK B

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 49

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK R PK B PK B PK R, PK N PK N PK B DSKE

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 50

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK B PK R, PK N DSKE PK R PK B, PK N PK N PK B, PK R

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 51

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK B PK R, PK N PK R PK B, PK N PK N PK B, PK R GKA GKA GKA

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 52

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

GKA GKA GKA PK B PK R, PK N gk PK R PK B, PK N gk PK N PK B, PK R gk

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 53

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Bugs Ricca Ness

PK B PK R, PK N gk PK R PK B, PK N gk PK N PK B, PK R gk AESK B( H(sid, PK B, . . .) ) AESK B( H(sid, PK B, . . .) )

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 54

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant ◮ The ephemeral pubic key PK ∗ of each other participant ◮ A shared symmetric encryption key gk ◮ The protocol parameters negotiated before session initiation ◮ Consensus all of the above

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 55

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant

DSKE

◮ The ephemeral pubic key PK ∗ of each other participant

DSKE

◮ A shared symmetric encryption key gk ◮ The protocol parameters negotiated before session initiation ◮ Consensus all of the above

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 56

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant

DSKE

◮ The ephemeral pubic key PK ∗ of each other participant

DSKE

◮ A shared symmetric encryption key gk

GKA

◮ The protocol parameters negotiated before session initiation ◮ Consensus all of the above

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 57

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant

DSKE

◮ The ephemeral pubic key PK ∗ of each other participant

DSKE

◮ A shared symmetric encryption key gk

GKA

◮ The protocol parameters negotiated before session initiation

Attest

◮ Consensus all of the above

Attest

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 58

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Session Initiation

Guarantees to each participant

◮ The identity of every other participant

DSKE

◮ The ephemeral pubic key PK ∗ of each other participant

DSKE

◮ A shared symmetric encryption key gk

GKA

◮ The protocol parameters negotiated before session initiation

Attest

◮ Consensus all of the above

Attest

Performance

◮ DSKE: O(n2) ◮ GKA: O(n) ◮ Attest: O(n)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 59

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK B, PK N, PK R, gk PK R, PK N, PK B, gk PK N, PK B, PK R, gk

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 60

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK R, PK N, PK B, gk PK N, PK B, PK R, gk PK B, PK N, PK R, gk Bugs: M

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 61

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK R, PK N, PK B, gk PK N, PK B, PK R, gk PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 62

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK R, PK N, PK B, gk PK N, PK B, PK R, gk PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M) σ ← SignSK B(sid, C)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 63

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK R, PK N, PK B, gk PK N, PK B, PK R, gk PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M) σ ← SignSK B(sid, C) sid, C, σ sid, C, σ

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 64

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M) σ ← SignSK B(sid, C) sid, C, σ sid, C, σ PK R, PK N, PK B, gk if VerifyPK B(sid, C, σ): PK N, PK B, PK R, gk if VerifyPK B(sid, C, σ):

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 65

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M) σ ← SignSK B(sid, C) sid, C, σ sid, C, σ PK R, PK N, PK B, gk if VerifyPK B(sid, C, σ): M ← Decryptgk(C) PK N, PK B, PK R, gk if VerifyPK B(sid, C, σ): M ← Decryptgk(C)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 66

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Sending Messages

Guarantees to the recipient

◮ Confidentiality ◮ Origin Authentication

Performance

◮ One symmetric key encryption ◮ One public key signature

Bugs Ricca Ness

PK B, PK N, PK R, gk Bugs: M C ← Encryptgk(M) σ ← SignSK B(sid, C) sid, C, σ sid, C, σ PK R, PK N, PK B, gk if VerifyPK B(sid, C, σ): M ← Decryptgk(C) Bugs: M PK N, PK B, PK R, gk if VerifyPK B(sid, C, σ): M ← Decryptgk(C) Bugs: M

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 67

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Ending a Session

Guarantees to each participant

◮ Confidentiality of previous messages ◮ Confidentiality of subsequent messages ◮ Detection of consensus violations ◮ Publication of ephemeral signature keys

Procedure

◮ Each participant calculates a digest over all messages (h) ◮ Participants exchange digests using authenticated encryption ◮ Publish ephemeral signing key if digests received from all other

participants

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 68

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Detecting Consensus Violations

Each participant forms a Merkle hash tree over all messages: h = H(·) hB = H(·) MB

1

MB

2

MB

3

hR = H(·) MR

1

MR

2

MR

3

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 69

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Detecting Consensus Violations

Each participant forms a Merkle hash tree over all messages: h = H(·) hB = H(·) MB

1

MB′

2

MB

3

hR = H(·) MR

1

MR

2

MR

3

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 70

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Detecting Consensus Violations

Each participant forms a Merkle hash tree over all messages: h = H(·) h′

B = H(·)

MB

1

MB′

2

MB

3

hR = H(·) MR

1

MR

2

MR

3

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 71

Motivation mpOTR Wrap up DSKE Initiation Communication Shutdown

Detecting Consensus Violations

Each participant forms a Merkle hash tree over all messages: h′ = H(·) h′

B = H(·)

MB

1

MB′

2

MB

3

hR = H(·) MR

1

MR

2

MR

3

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 72

Motivation mpOTR Wrap up

Weakening Assumptions

◮ Ensuring consensus incrementally ◮ Robustness to network interruption ◮ n-party primitives

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 73

Motivation mpOTR Wrap up

Related Work

◮ Two-party Off-the-Record Communication (Borisov et al.

WPES 2004)

◮ Group OTR (GOTR) (Bian et al. IRI 2007) ◮ Deniable Encryption (Canetti et al. CRYPTO 1997) ◮ Deniable Authentication and Key Exchange (Di Raimondo and

Gennaro CCS 2006)

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 74

Motivation mpOTR Wrap up

Conclusion

◮ Given requirements for off-the-record communication in a

multi-party setting

◮ Given new primitive for Deniable Signature Key Exchange ◮ Leveraged DSKE to get deniable n-party interactive communication

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 75

Motivation mpOTR Wrap up

Questions anyone?

Goldberg, Ustao˘ glu, Van Gundy, Chen mpOTR CCS 2009 76