Kyle Brogle
Leo Reyzin
http://www.cs.bu.edu/~goldbe/papers/bgpsec-sigs.html
IBM Research, New York April 4, 2011
Princeton University
This Talk
Part I : BGPsec and Our Signature
[Figure: UK ISP and BGP announcements "I am Verizon, 69.82.0.0/15" and "I am Verizon, 69.82.0.0/15 (and 50k other networks)".]
[Figure: route selection with labels BU, IBM, $. BU Ranking: Local, Local IBM AT&T, IBM Local, Comcast, IBM]
Step 1 of defending against BGP attacks: the RPKI, which certifies the mapping of IP prefixes and PKs to ASes
Operators are actually deploying this now!
[Figure: BU, IBM, AT&T]
36K ASes (many PKs)
300K IP prefixes (store many BGPsec msgs)
Routers are resource constrained
[BGR] RSA sequential aggregate signature w. lazy verification. (or, a randomized version of [Neven08])
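[BGR11] Instantiation with RSA, SHA-1, and HMAC
[Figure: the nth signer, holding k and SK_n, takes msg_n and the incoming values (b_1, b_2, ..., b_{n-1}), (r_1, r_2, ..., r_{n-1}), h_{n-1}, x_{n-1} and outputs (b_1, b_2, ..., b_n), (r_1, r_2, ..., r_n), h_n, x_n. Sizes: each b is 1 bit, each r is 128 bits, h is 256 bits, x is 2048 bits.]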
To Sign
1. $r_n = \mathrm{HMAC}_k(msg_n \mid x_{n-1} \mid h_{n-1})$
2. $h_n = h_{n-1} + H(PK_n \mid msg_n \mid r_n \mid x_{n-1})$
3. $x_n = \mathrm{RSA}^{-1}(G(h_n) + x_{n-1})$
4. Remove 1st bit of $x_n$ and save it as $b_n$
Signer has a local (unshared) key k used to compute HMAC
In our implementation: k = 256 bits, and 2048-bit RSA
H = SHA-256; HMAC uses SHA-256; G is MGF with SHA-256
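The four signing steps above, with a matching verifier, as an added Python example (not the authors' implementation). Assumptions: the slide's "+" is read as bitwise XOR, verification is assumed to unwind the chain back to x_0 = h_0 = 0, the modulus is a toy 256 bits with deterministically constructed keys, and the names `keygen`, `sign`, `verify` and `demo` are hypothetical.

```python
import hashlib, hmac, math
K, E = 256, 65537               # toy modulus bits (the talk uses 2048) and RSA exponent
TOP = 1 << (K - 1)

def _prime(seed):               # constructed, deterministic toy prime: not real key generation
    c = int.from_bytes(hashlib.sha256(seed).digest()[:K // 16], "big") | (3 << (K // 2 - 2)) | 1
    while math.gcd(E, c - 1) != 1 or any(pow(a, c - 1, c) != 1 for a in (2, 3, 5, 7)):
        c += 2
    return c

def keygen(name):               # returns (n, d, k); k is the signer's local, unshared HMAC key
    p, q = _prime(name + b"/p"), _prime(name + b"/q")
    return p * q, pow(E, -1, (p - 1) * (q - 1)), hashlib.sha256(name + b"/k").digest()

def enc(v, bits=K):
    return v.to_bytes(bits // 8, "big")
def H(n, msg, r, x_prev):       # short-output hash of PK_n | msg_n | r_n | x_{n-1}
    return int.from_bytes(hashlib.sha256(enc(n) + msg + r + enc(x_prev)).digest(), "big")
def G(h):                       # MGF1-style expansion of h to K-1 bits, so G(h) ^ x < n
    out = b"".join(hashlib.sha256(enc(h, 256) + enc(c, 32)).digest() for c in range(-(-K // 256)))
    return int.from_bytes(out, "big") >> (len(out) * 8 - (K - 1))
EMPTY = (0, 0, [], [])          # aggregate before the first signer: x_0 = 0, h_0 = 0

def sign(key, msg, agg):        # lazy: needs only the signer's own key, agg is not verified
    (n, d, k), (x_prev, h_prev, rs, bs) = key, agg
    if not (0 <= x_prev < TOP and 0 <= h_prev < 1 << 256):
        raise ValueError("incoming aggregate out of range")
    r = hmac.new(k, msg + enc(x_prev) + enc(h_prev, 256), hashlib.sha256).digest()[:16]  # step 1
    h = h_prev ^ H(n, msg, r, x_prev)                                                  # step 2
    x = pow(G(h) ^ x_prev, d, n)                                                       # step 3
    return x & (TOP - 1), h, rs + [r], bs + [x >> (K - 1)]                             # step 4

def verify(pks, msgs, agg):     # unwind from the last signer back to x_0 = 0, h_0 = 0
    x, h, rs, bs = agg
    if not len(pks) == len(msgs) == len(rs) == len(bs) or not 0 <= h < 1 << 256:
        return False
    for n, msg, r, b in reversed(list(zip(pks, msgs, rs, bs))):
        x_full = x | (b << (K - 1))             # restore the stripped top bit b_i
        if b not in (0, 1) or not 0 <= x < TOP or x_full >= n:
            return False
        x = pow(x_full, E, n) ^ G(h)            # x_{i-1}
        h ^= H(n, msg, r, x)                    # h_{i-1}
    return x == 0 and h == 0

def demo(names=(b"AS1", b"AS2", b"AS3")):      # constructed three-hop path
    keys, agg = [keygen(s) for s in names], EMPTY
    msgs = [b"69.82.0.0/15 via " + s for s in names]
    for key, msg in zip(keys, msgs):
        agg = sign(key, msg, agg)
    return [k[0] for k in keys], msgs, agg
```

Each hop adds one 16-byte r and one bit b to the aggregate while x and h stay fixed-size; a signer that extends an invalid aggregate still produces output, and the failure surfaces only when someone runs `verify`.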
The real competition is nothing fancy:
Trivial RSA
Trivial ECDSA
Both of which allow: 1) Lazy verification, 2) Sign without knowing others' keys
[Table: columns Total Sig Length, Average Sig Length (n = 3.5), Signing Time, Verification Time; exp 65537]
Benchmarks computed using OpenSSL & (our implementation) on a laptop: 2GB Ram, Core i3 at 2.4GHz running Linux Ubuntu
Signature Lengths
[Figure: bit length vs. length n for RSA2048, BGR2048 and ECDSA256.]
Weaker routers see longer n => BGR more efficient
Verify Time
[Figure: time (ms) vs. n, path length (1 to 10), with the average path length in BGP marked.]
Verify time of BGR looks just like basic RSA
Aggregate Signatures
Can we compress multiple signatures to save space? Aggregate signature: [Boneh-Gentry-Lynn-Shacham 2003]
What about something like RSA or Discrete Log? All known constructions without pairings require:
signers to know each other's keys
have a prescribed order of operations
some operations using other signers' public keys
Full-Domain Hash RSA [Rivest-Shamir-Adleman 78, Bellare-Rogaway 93]
Hash function H (full RSA domain outputs; random oracle). Public key PK = (n, e). Secret key SK = (n, d).
Steps of the Signer:
$y = H(m)$
$x = y^d \bmod n$
Steps of the Verifier:
$y = H(m)$
$y \stackrel{?}{=} x^e \bmod n$
[Figure: m is hashed by H to a 2048-bit y, RSA^-1 maps y to a 2048-bit x; the verifier applies RSA to x and compares the result with H(m).]
[Figure: chain of signers starting with Signer 1 (PK1, m1); labels H, y1, y2, y3, x1, x2, x3.]
Check that PK1 specifies a permutation
Verify x1 using PK1, m1
2 = H (PK1, PK2, m1, m2)
y2 = 2 x1
$x_2 = y_2^{d_2} \bmod n_2$
Steps of Signer 3:
Check that PK1, PK2 specify permutations
Verify x2 using PK1, PK2, m1, m2
Either proofs, or long verification exponents
Prevents lazy verification
Requires other signers' PKs
[LMRS] Fails under Lazy Verification.
Suppose an adversary wants to attack Signer 2
Adversary knows Signer 2 wants to sign m2.
But adversary wants to get a sig on bad-m2.
[Figure: the adversary, with PK1 and m1; labels H, y1, RSA^-1, x1, bad-x1, y2, x2.]
[Neven08]: Sign
No more certified TDP, but sig now has two components: (x, h).
Hash function H (short outputs), G (full RSA domain outputs)
Steps of Signer 2:
Verify (x1, h1) using PK1, m1
2 = H (PK1, PK2, x1, m1, m2)
h2=2 h1
y2 = G(h2) x1
$x_2 = y_2^{d_2} \bmod n_2$
Steps of Signer 3: PK1, PK2, PK3; m1, m2, m3
[Figure: signing and verification chains through H, G, RSA^-1 and RSA over h1, h2, h3, y2, y3, x1, x2, x3; h is 256 bits, x and y are 2048 bits.]
[Neven08]: Issues
No more certified TDP, but sig now has two components: (x, h).
Hash function H (short outputs), G (full RSA domain outputs)
No certified TDP, but still prevents lazy verification
Requires other signers' PKs
Only an artifact of Neven's proof. We get rid of this!
Steps of Signer 2:
Verify (x1, h1) using PK1, m1
2 = H (PK2, PKm2)1, m1, m2) 1 x1, 2, x
h2=2 h1
y2 = G(h2) x1
$x_2 = y_2^{d_2} \bmod n_2$
Our Signature Scheme
Randomize hash. Sig has (x, h) and a randomness r per signer.
Hash function H (short outputs), G (full RSA domain outputs)
Steps of Signer 2:
Lazy Verification
Random r2
2 = H (PK2, r2, x1, m2)
h2=2 h1
y2 = G(h2) x1
$x_2 = y_2^{d_2} \bmod n_2$
[Figure: Signer 2 (PK2, m2, r2) and Signer 3 (PK3, m3, r3) chained through H, G and RSA^-1; h is 256 bits, x and y are 2048 bits.]
Signing depends only on your own public key!
Signature grows (~128 bits / signer if r pseudorandom.)
[Table: comparison of schemes; surviving cells: No, No, No, 2048]
Wins on all counts except for sig length
But best for our target app of BGPsec
Unlikely if $2^{\mathrm{Length}(r)} > q_H q_S$
Forgery: m*, r*, x*
Find H-query H(m*, r*) = (y*)
Return claw (x*, y*)
Proof: If forger F succeeds we find a claw *(x)=*(y) succeeds, (x)= (y) i, mi Get xi-1 associated with i-1, mi-1 i H-Query If * Random xi i = i (xi) xi-1 If i = * * Random zi i = * (zi) xi-1
Proof: If forger F succeeds we find a claw *(x)=*(y) succeeds, (x)= (y) i, mi Get xi-1 associated with i-1, mi-1 i H-Query If * Random xi i = i (xi) xi-1 Sign-Query i, mi, xi-1 xi
Proof: If forger F succeeds we find a claw *(x)=*(y) succeeds, (x)= (y) i, mi Get xi-1 associated with i-1, mi-1 i H-Query If * There is only one xi-1 for each i-1, mi-1 Sign-Query i, mi, xi-1 xi Random xi i = i (xi) xi-1
Proof: If forger F succeeds we find a claw *(x)=*(y) succeeds, (x)= (y) i, mi Get xi-1 associated with i-1, mi-1 i H-Query If = * Random zi i = * (zi) xi-1 Sign-Query
*, m*i, xi
Get zi, xii-1 i associated with i, mi 1 Return claw (xi, zi) because * (zi) = i xi-1= i (xi)
i, mi, xi-1, hi-1 xi, hi
Still need to make sure F can't set hi, i to the wrong value on an earlier H-Query
*, m*,hi, xi
Get zi, xii-1 associated with *, m* m 1 Return claw (xi, zi) because * (zi) = hi xi-1= i (xi)
1 ,m1 , 1, h1 , y1, 2 ,m2 ,x1 y2, 2, h2, * ,m3 ,x2 y3, z3, 3, h3
Tether to parent with (, y) st. (xi-1) = y ( Sign-Query Retrieve hi-1 from parent If i * If i = * Random xi Random zi yi= i (xi) yi= i (zi) hi = yi xii-1 hi = * (zi) xi-1 1 1 i = hi-1 hi i = hi-1 hi-1 Forgery
Tether to parent with (, y) st. (xi-1) = y
Claim: Probability < $2^{-\mathrm{Length}(y)}$ that -11(y1 ) = -12(y2 )
Proof: parent is a function. yparent is random.
w.h.p. only 1 parent.
Randomized Hash
H-Queries are the same, just add r to each node
2 ,m2 , r2, x1 y2, 2, h2, Random ri xi Abort if i, mi,ri , xi-1 in H-Tree! r hi = i (xi) xi-1 i = hi-1 hi QED
qS) to 2log(qS)
i ,mi ,ri ,xi-1 ) i not always a collision on a G-query! (which also takes in hi-1)
Fin