1. WebIBC
Identity Based Cryptography for Client Side
Security in Web Applications
Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen,
Zhong Chen, and Xianghao Nan
Jun. 19, 2008 Network and Information Security Lab, Peking University ICDCS 2008
7. Once upon a time ...
Strong Cryptography
8. Now
19. Web App Security & Privacy?
• User authentication
• SSL/TLS link encryption
What if servers do evil?
No Security!
No Privacy!
24. Layer diagram (top to bottom)
• Web App
• HTML & JavaScript (Here we are)
• Browser Plug-in
• Web Browser
• Operating System (EFS, PGP)
25. Challenges
• Private key: JavaScript cannot read keys in the local file system.
• Public key: acquiring another user's public key or certificate is not easy for JavaScript programs in a Web browser.
Private Key? Public Key?
28. Limited Browser Capability
• HTML, CSS
• JavaScript
• AJAX
Browser Plug-ins?
No!
29. Our Goal
Strengthen Web Browser Security and Privacy
Without Changing the Browser.
30. Target
• Our solution: bring public key cryptography to Web browsers, including public key encryption and signature generation.
• All cryptographic operations and key usage happen inside the browser and are implemented in JavaScript and HTML only, requiring no plug-ins and providing an “open source” guarantee.
32. The first Challenge
Public Key:
Identity-Based Cryptography
42. PKG (Private Key Generator)
Setup: generate master secret and public params
[Diagram labels: Public Params; Alice@gmail.com; Decrypt]
47. Timeline
• Shamir: Identity Based Cryptography, the first idea
• Boneh, Franklin: First Practical IBE scheme from Weil Pairing
• Cocks: IBE, not bandwidth efficient
• Nan, Chen: CPK key management, IBE, IBS
Years marked on the timeline: 1986, 2001, 2004
48. CPK Cryptosystem
CPK (Combined Public Key)
Based on generalized Discrete Log Group
53. Elliptic Curve Cryptography
Curve: $y^2 = x^3 + ax + b \pmod{p}$
G is a point on the elliptic curve; n is the order of the cyclic group <G>.
Private key d is a randomly selected integer in [1, n-1].
Corresponding public key Q = dG.
Two key pairs: (d1, Q1 = d1G), (d2, Q2 = d2G)
d = d1 + d2
Q = Q1 + Q2 = d1G + d2G = (d1+d2)G
(d, Q) is again a key pair.
55. Private Matrix Generation
In PKG: the RNG outputs random integers $s_{ij} \in_R [1, n-1]$ that fill the private matrix:
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
The trusted authority PKG (Private Key Generator) generates an m×n matrix whose elements are randomly generated ECC private keys (integers in [1, n-1]). The private matrix should be kept secret in the PKG.
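63. Public Matrix Generation
In PKG: private matrix → public matrix, element by element:
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix} \longrightarrow \begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
Each $(s_{ij}, s_{ij}G)$ is a key pair.
The Public Matrix is generated by the PKG from the Private Matrix; each element of the Public Matrix is the public key of the corresponding private key in the Private Matrix. The public matrix is publicly available to all users.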
64. Map Algorithm
$h_1, h_2, \ldots, h_n \leftarrow H(ID)$
The map algorithm H(ID) is a cryptographic hash algorithm that maps an arbitrary string ID to indexes into the columns of the private matrix and the public matrix.
$h_i$ is the index into the i-th column of the public/private matrix.
65. Private Key Extraction
In PKG
• Input the user’s identity ID.
• Map the identity to indexes of the matrix: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$
• Select one element from each column of the private matrix by the index:
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
• Add the selected private keys; the result is the user’s private key corresponding to his identity ID:
$$d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$$
66. Public Key Extraction
In User
• Input the user’s identity ID.
• Map the identity to indexes of the matrix: $h_1, h_2, \ldots, h_n \leftarrow H(ID)$
• Select one element from each column of the public matrix by the index:
$$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
• Add the selected public keys (elliptic curve point addition); the result is the user’s public key corresponding to his identity ID:
$$Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G$$
67. Identity Based Signature
CPK-Sign (Message, PrivateKey) {
    ECDSA-Sign (Message, PrivateKey) -> Signature
}
CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
    CPK-ExtractPublicKey (PublicMatrix, SignerID) -> PublicKey
    ECDSA-Verify (Message, Signature, PublicKey)
}
ECDSA: Elliptic Curve Digital Signature Algorithm
68. Big Picture
$h_1, h_2, \ldots, h_n \leftarrow H(ID)$
Private matrix, columns indexed by H(ID): $d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$
Public matrix, columns indexed by H(ID): $Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G$
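The extraction steps of slides 65 to 68 as an added example (not WebIBC's code): the scalar the PKG sums from the private matrix and the point a user sums from the public matrix form a key pair. The curve (secp256k1), the 4×4 matrix with constructed values, the FNV-1a stand-in for H(ID) and all function names are assumptions; the scalar sum is reduced modulo the group order.

```javascript
// Added example, not WebIBC code. Curve: secp256k1 (an assumption).
const P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn;
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // group order
const G = [0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
           0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n];
const mod = (x, m) => ((x % m) + m) % m;

function inv(x) {                 // inverse modulo P (extended Euclid)
  let [a, b, u, v] = [mod(x, P), P, 1n, 0n];
  while (b) { const q = a / b; [a, b, u, v] = [b, a - q * b, v, u - q * v]; }
  return mod(u, P);
}

function add(A, B) {              // point addition; null = point at infinity
  if (!A) return B;
  if (!B) return A;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2, P) === 0n) return null;
  const l = x1 === x2 ? mod(3n * x1 * x1 * inv(2n * y1), P)   // doubling, a = 0
                      : mod((y2 - y1) * inv(x2 - x1), P);
  const x3 = mod(l * l - x1 - x2, P);
  return [x3, mod(l * (x1 - x3) - y1, P)];
}

function mul(k, A) {              // double-and-add; not constant-time
  let R = null;
  for (k = mod(k, N); k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}

// Stand-in for the map algorithm H(ID): FNV-1a over "i:ID" picks the row for
// column i. FNV is NOT cryptographic; it only keeps this example import-free.
function mapID(id, rows, cols) {
  return Array.from({ length: cols }, (_, i) => {
    let h = 0x811c9dc5;
    for (const ch of `${i}:${id}`) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
    return h % rows;
  });
}

const ROWS = 4, COLS = 4;         // toy matrix size (assumption)
// Constructed, fixed private matrix so the run is repeatable; a real PKG fills
// it from a CSPRNG and never publishes it.
const priv = Array.from({ length: ROWS }, (_, r) => Array.from({ length: COLS },
  (_, c) => mod(BigInt(r * COLS + c + 1) * 0x9e3779b97f4a7c15n ** 3n, N - 1n) + 1n));
const pub = priv.map(row => row.map(s => mul(s, G)));   // element-wise s_ij * G

// PKG side: sum of the selected scalars, reduced modulo the group order N.
const extractPrivate = id =>
  mapID(id, ROWS, COLS).reduce((d, h, i) => mod(d + priv[h][i], N), 0n);
// User side: point sum of the selected public-matrix elements only.
const extractPublic = id =>
  mapID(id, ROWS, COLS).reduce((Q, h, i) => add(Q, pub[h][i]), null);

// The pair matches: dID * G equals the point assembled from the public matrix.
function keysMatch(id) {
  const Q = extractPublic(id), D = mul(extractPrivate(id), G);
  return D[0] === Q[0] && D[1] === Q[1];
}
```

`extractPublic` touches only `pub`, which is why a browser can derive any recipient's key from the identity string alone, while anyone holding `priv` can derive every user's private key.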
69. The second Challenge:
Private Key
• The private key can be accessed by the JavaScript program
• The private key should never leave the browser
70. URI Fragment Identifier
http://www.domain.com/#skey=72bc845b9592b79...
In this URL, #skey=72bc845b9592b79... is the fragment identifier.
The fragment identifier starts from a # (number sign).
72. Fragment Identifier
<div id="menu">
<a href="#section1">section 1</a>
<a href="#section2">section 2</a>
<a href="#section3">section 3</a>
<a href="#ref">reference</a>
</div>
<h1>Section1</h1>
<a name="section1" id="section1"></a>
73. Fragment Identifier as
Key Store
• Use the fragment identifier in a bookmark URL as the private key storage. The fragment identifier in a URL will never be transferred through the Internet.
74. Retrieve Private Key From URL
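<script type="text/javascript">
// window.location is an object; its href property is the full URL string
var url = window.location.href;
// everything from the '#' onwards, i.e. the fragment identifier
var fragid_start = url.substring(url.indexOf('#'));
</script>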
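A fuller version of the key retrieval on slides 70 to 74, as an added example that is not WebIBC's code: it separates what the browser sends from what stays local, and validates the key before use. The `skey` parameter name comes from the slide's sample URL; the function names, the sample bookmark and the `replaceState` clean-up step are assumptions added here.

```javascript
// Added example, not WebIBC code. Sample bookmark below is constructed.
const SAMPLE_BOOKMARK = 'https://webapp.example/mail?box=in#skey=1f2e3d4c';

// What the browser puts on the wire vs. what stays local for a bookmark URL.
function splitBookmark(bookmark) {
  const u = new URL(bookmark);
  const skey = new URLSearchParams(u.hash.slice(1)).get('skey'); // text after '#'
  u.hash = '';                    // the request URL never carries the fragment
  return { sentToServer: u.href, skey };
}

// Accept only a hex scalar in [1, order-1]; anything else is rejected as null.
function parsePrivateKey(skey, order) {
  if (typeof skey !== 'string' || !/^[0-9a-f]{1,64}$/i.test(skey)) return null;
  const d = BigInt('0x' + skey);
  return d >= 1n && d < order ? d : null;
}

// Page start-up: read the key, then strip the fragment from the address bar so
// the key is not left on screen or copied along with a shared link.
// `win` is the browser's window object (or a stand-in with the same fields).
function loadKey(win, order) {
  const { sentToServer, skey } = splitBookmark(win.location.href);
  const d = parsePrivateKey(skey, order);
  if (d !== null) win.history.replaceState(null, '', sentToServer);
  return d;
}
```

Any script running in the page can read `location.hash`, so the key is only as private as the JavaScript the Web application serves.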
77. Workflow
[Diagram: PKG, Browser and WebApp, linked by a Secure Channel and a Public Channel. Labelled steps: ❶ setup, ❷ mpk.js, ❸ ID, ❹ skey, ❺ save, ❻ URL, ❼ webibc.js, mpk.js, ❽ do, ❾ message, ❿ forward.]
89. Workflow
1. The authority trusted by Alice and Bob establishes a PKG, which generates the system parameters, including the public matrix.
2. The Web application embeds WebIBC into its system, together with the public system parameters released by the PKG.
3. Alice registers with the PKG using her ID.
4. The PKG returns Alice’s private key.
5. Alice can append the private key as a fragment identifier to the Web application’s URL, then save it as a bookmark in the browser.
6. Now Alice can use this bookmark to log into the Web application. It should be noted that the browser sends the URL without the fragment identifier, so the private key is secure.
7. The WebIBC JavaScript files are also downloaded from the server, including the public matrix of the system.
8. Alice uses the Web application as normal, entering Bob’s email address and the message content into the form. When Alice presses the send button, the WebIBC JavaScript programs take the email address from the form as the public key and the private key from the URL, then encrypt and sign the message.
9. The message is then sent to the server.
10. Because the message has been protected, the Web application can do no evil to the message and can only forward it to Bob. Bob can likewise log into his Web application, decrypt the message with his private key in the fragment identifier, and verify the message through the public matrix, similar to Alice.
93. Performance
Values in ms:
Browser    0.5 KB    2 KB     10 KB
Safari     1383.7    1,492    2,071
Firefox    1,523     1,661    2,401
IE         1,459     1,698    2,791
Opera      2,110     2,349    3,628
[Bar chart of the same figures per browser for 0.5 KB, 2 KB and 10 KB; vertical axis from 0 to 4000 ms.]
94. Future Work
• Web based PRNG
• Other Identity based cryptography
• Local storage in HTML5
95. Thank you!