ICDCS‘08 WebIBC

WebIBC
Identity Based Cryptography for Client Side
Security in Web Applications

Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen,
Zhong Chen, and Xianghao Nan

Jun. 19, 2008 Network and Information Security Lab, Peking University ICDCS 2008

Once upon a time ...


Once upon a time ...

Strong Cryptography


Now


Web App Security & Privacy?

• User authentication

• SSL/TLS link encryption





What if servers do evil ?





No Security!





No Security!
No Privacy!


Web
App

HTML &
JavaScript

Web Browser

Operating System


Web
App

HTML &
JavaScript

Web Browser

Operating System EFS, PGP


Web
App

HTML &
JavaScript

Browser Plug-in
Web Browser



Web
App

HTML & Here we are
JavaScript

Browser Plug-in
Web Browser



Challenges
• Private key: JavaScript can not read keys in
local ﬁle system.

• Public key: acquire other’s public key or
certiﬁcate is not easy for JavaScript programs
in Web browser.

Private Key? Public Key?


Limited Browser Capability
• HTML, CSS

• JavaScript

• AJAX


• HTML, CSS

• JavaScript

• AJAX

Browser Plug-ins?


• HTML, CSS

• JavaScript

• AJAX

Browser Plug-ins?

No!


Our Goal

Strengthen Web Browser Security and Privacy
Without Changing the Browser.


Target
• Our solution: bring public key cryptography to
Web browsers, include public key encryption
and signature generation.

• All the cryptography operations and key usage
are inside the browser and implemented in
JavaScript and HTML only, require no plug-ins
and provide “open source” guarantee.


The ﬁrst Challenge

Public Key:


The ﬁrst Challenge

Public Key:

Identity-Based Cryptography


PKG (Private Key Generator)


Setup: generate master secret and public params



s
m
ra
Pa
c
bli
Pu



s
m
ra
Pa
c
bli
Pu

Alice@gmail.com



s
m
ra
Pa
c
bli
Pu

Alice@gmail.com

Decrypt


Timeline

2001
2004
1986


Timeline
Identity Based
Cryptography,
the ﬁrst idea
Shamir

2001
2004
1986


Timeline
First Practical
Identity Based IBE scheme
Cryptography, from Weil
the ﬁrst idea Pairing
Shamir Boneh, Franklin

2001
2004
1986


Timeline
First Practical
Identity Based IBE scheme
Cryptography, from Weil
the ﬁrst idea Pairing
Shamir Boneh, Franklin

2001
2004
1986

Cocks
IBE,
not bandwidth efﬁcient


Timeline
First Practical CPK
Identity Based IBE scheme key
Cryptography, from Weil management,
the ﬁrst idea Pairing IBE, IBS
Shamir Boneh, Franklin Nan, Chen

2001
2004
1986

Cocks
IBE,
not bandwidth efﬁcient


CPK Cryptosystem

CPK (Combined Public Key)

Based on generalized Discrete Log Group


Elliptic Curve Cryptography
G is a point on elliptic curve,
n is the order of cyclic group
<G>
Private key d is random
selected integer in [1, n-1]
Corresponding public key Q =
dG.

y 2 = x3 + ax + b (mod p)


<G>
dG.

(d1, Q1 = d1G), (d2, Q2 = d2G)

y 2 = x3 + ax + b (mod p)


<G>
dG.

(d1, Q1 = d1G), (d2, Q2 = d2G)
d = d1 + d2

y 2 = x3 + ax + b (mod p)


<G>
dG.

(d1, Q1 = d1G), (d2, Q2 = d2G)
d = d1 + d2
Q = Q1 + Q2 = d1G + d2G = (d1+d2)G
y 2 = x3 + ax + b (mod p)


<G>
dG.

(d1, Q1 = d1G), (d2, Q2 = d2G)
d = d1 + d2
Q = Q1 + Q2 = d1G + d2G = (d1+d2)G
(d,Q)
y 2 = x3 + ax + b (mod p)


Private Matrix Generation
In PKG

RNG

The trusted authority PKG (Private Key Generator) generates a
m×n matrix in which elements are randomly generated ECC
private keys (integers in [1, n-1]). The private matrix should be kept
secretly in PKG.


Private Matrix Generation
In PKG
private matrix
 
···
s11 s12 s1n
Rand integers
 
RNG ···
s21 s22 s2n
 
sij ∈R [1, n − 1] . . .
..
 
. . .
.
 
. . .
···
sm1 sm2 smn

The trusted authority PKG (Private Key Generator) generates a
m×n matrix in which elements are randomly generated ECC
private keys (integers in [1, n-1]). The private matrix should be kept
secretly in PKG.


Public Matrix Generation
In PKG


In PKG
private matrix
 
···
s11 s12 s1n
 
···
s21 s22 s2n
 
. . .
..
 
. . .
.
 
. . .
···
sm1 sm2 smn


In PKG
public matrix
private matrix
 
 
···
s11 G s12 G s1n G
···
s11 s12 s1n
 
  ···
s21 G s22 G s2n G
···
s21 s22 s2n  
 
. . .
. . . ..
 
..
  . . .
. . . .
.  
  . . .
. . .
···
sm1 G sm2 G smn G
···
sm1 sm2 smn


In PKG
public matrix
private matrix
 
 
···
s11 G s12 G s1n G
···
s11 s12 s1n
 
  ···
s21 G s22 G s2n G
···
s21 s22 s2n  
 
. . .
. . . ..
 
..
  . . .
. . . .
.  
  . . .
. . .
···
sm1 G sm2 G smn G
···
sm1 sm2 smn

key pair


In PKG
public matrix
private matrix
 
 
···
s11 G s12 G s1n G
···
s11 s12 s1n
 
  ···
s21 G s22 G s2n G
···
s21 s22 s2n  
 
. . .
. . . ..
 
..
  . . .
. . . .
.  
  . . .
. . .
···
sm1 G sm2 G smn G
···
sm1 sm2 smn

key pair
Public Matrix is generated by PKG from the Private Matrix,
elements in Public Matrix is the public key of corresponding
private key in Private Matrix. The public matrix is publicly available
for all users.


Map Algorithm

h1 , h2 , . . . , hn ← H(ID)

Map algorithm H(ID) is a cryptographic hash algorithm, maps
an arbitrary string ID to column indexes of private matrix and
public matrix.

hi is the index of i-th column of public/private matrix.


Private Key Extraction
ID
In PKG
Input user’s identity ID

Map identity to indexes of matrix
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 s12 s1n Select one element through
 
···
s21 s22 s2n each column of the private
 
. . .
..
  matrix by the index
. . .
.
 
. . .
···
sm1 sm2 smn

Add selected private keys,
the result is user’s private key
n−1
corresponding to his identity
dID = shi ,i (mod p)
ID.
i=0


Public Key Extraction
ID
In User
Input user’s identity ID

Map identity to indexes of matrix
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 G s12 G s1n G Select one element through
 
··· each column of the Public
s21 G s22 G s2n G
 
. . .
..
  matrix by the index
. . .
.
 
. . .
···
sm1 G sm2 G smn G
Add (elliptic curve point add)
selected private keys, the
n−1
result is user’s public key
QID = shi i G corresponding to his identity
i=0
ID.


Identity Based Signature

CPK-Sign (Message, PrivateKey) {
ECDSA-Sign (Message, PrivateKey) -> Signature
}

CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
CPK-ExtractPublicKey(PublicMatrix, SignerID) -> PublicKey
ECDSA-Verify(Message, Signature, PublicKey);
}

ECDSA: Elliptic Curve Digital Signature Algorithm


Big Picture
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 s12 s1n
  n−1
H(ID)
···
s21 s22 s2n
 
dID = shi ,i (mod p)
. . .
..
 
. . .
.
 
. . . i=0
···
sm1 sm2 smn

 
···
s11 G s12 G s1n G
  H(ID) n−1
···
s21 G s22 G s2n G
 
QID =
. . . shi i G
..
 
. . .
.
 
. . . i=0
···
sm1 G sm2 G smn G


The second Challenge:
Private Key
• The private key can be access by the
javascript program

• The private key should never leave the
browser


URI Fragment Identifier

http://www.domain.com/#skey=72bc845b9592b79...
fragment identifier

fragment identifier starts from a # (number sign)


Fragment Identiﬁer


Fragment Identiﬁer
<div id=quot;menuquot;>

<a href=quot;#section1quot;>section 1</a>



<a href=quot;#refquot;>reference</a>

</div>

<h1>Section1</h1>
<a name=”#section1” id=”section1”>


Fragment Identifier as
Key Store

• Utilize fragment identifier in bookmark URL as
the private key storage. The fragment identifier
in URL will never be transfered through the
Internet.


Retrieve Private Key From URL

<script type=”text/javascript>
var URL = window.location;
var fragid_start =
URL.substring(URL.indexOf(‘#’));


Workﬂow
% setup
PKG

ID
!
y
ske
quot;

# mpk.js
& save
Browser
) do
$U Secure
( RL
we Channel
bib
c.js Public
,m
'm pk Channel
.js
ess
age

WebApp
* forward


PKG

Browser

WebApp


PKG
❶ setup

Browser

WebApp


PKG
❶ setup

❷ mpk.js
Browser

WebApp


PKG
❶ setup
ID
❸

❷ mpk.js
Browser

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❹
Browser

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser
❻U
RL

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser
❻U
RL
❼w
ebib
c.js
, mp
k.js

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser
❻U
RL
❼w
ebib
❽ do c.js
, mp
k.js

WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser
❻U
RL
❼w
ebib
❽ do c.js
, mp
k.js
❾m
ess
age
WebApp


PKG
❶ setup
ID
❸
ey

❷ mpk.js
sk
❺ save ❹
Browser
❻U
RL
❼w
ebib
❽ do c.js
, mp
k.js ❿ forward
❾m
ess
age
WebApp


Workﬂow
1. The authority trusted by Alice and Bob
establishes a PKG, which will generate the
system parameters including the public matrix.
2. Web application embeds WebIBC into these
systems together with the public system
parameters released by the PKG.
3. Alice registers to the PKG with her ID.
4. PKG returns Alice’s private key.


Workflow
5. Alice can append the private key as an
fragment identifier to the Web application’s
URL, then save it as a bookmark into the
browser.
6. Now Alice can use this bookmark to log into
the web application. It should be noted that
the browser will send the URL without the
fragment identifier, so the private key is
secure.


Workﬂow
7. The WebIBC JavaScript ﬁles will also be
downloaded from the server, including the
public matrix of system.
8. Alice uses this web application as normal,
entering Bob’s email address and message
content into the form. When Alice presses the
send button, WebIBC JavaScript programs will
get the email address from the form as public
key and get private key from URL, encrypt and
sign the message.


Workﬂow
9. Then message will be sent to the server.
10. Because the message has been protected, the
Web application can do no evil to the message
but only forward it to Bob. Bob can also login
into his web application and decrypt the
message by his private key in the fragment
identiﬁer and verify the message through the
public matrix, similar to Alice.


Performance
0.5KB 2KB 10KB
Safari 1383.7 1,492 2,071
Firefox 1,523 1,661 2,401
IE 1,459 1,698 2,791
Opera 2,110 2,349 3,628

4000 ms
0.5 KB
2 KB
10 KB
3000 ms

2000 ms

1000 ms

0
Safari Firefox IE Opera


Future Work
• Web based PRNG

• Other Identity based cryptography

• Local storage in HTML5


Thank you!


Questions?


ICDCS‘08 WebIBC

Recommended

Recommended

More Related Content

Similar to ICDCS‘08 WebIBC

Similar to ICDCS‘08 WebIBC (20)

More from Zhi Guan

More from Zhi Guan (9)

Recently uploaded

Recently uploaded (20)

ICDCS‘08 WebIBC