DOI: 10.1145/2939918.2939932

Shatter: Using Threshold Cryptography to Protect Single Users with Multiple Devices

Published: 18 July 2016

ABSTRACT

The average computer user is no longer restricted to one device. They may have several devices and expect their applications to work on all of them. A challenge arises when these applications need the cryptographic private key of the devices' owner. Here the device owner typically has to manage keys manually with a "keychain" app, which leads to private keys being transferred insecurely between devices -- or even to other people. Even with intuitive synchronization mechanisms, theft and malware still pose a major risk to keys. Phones and watches are frequently removed or set down, and a single compromised device leads to the loss of the owner's private key, a catastrophic failure that can be quite difficult to recover from.

We introduce Shatter, an open-source framework that runs on desktops, Android, and Android Wear, and performs key distribution on a user's behalf. Shatter uses threshold cryptography to turn the security weakness of having multiple devices into a strength. Apps that delegate cryptographic operations to Shatter have their keys compromised only when a threshold number of devices are compromised by the same attacker. We demonstrate how our framework operates with two popular Android apps (protecting identity keys for a messaging app, and encryption keys for a note-taking app) in a backwards-compatible manner: only Shatter users need to move to a Shatter-aware version of the app. Shatter has minimal impact on app performance, with signatures and decryption being calculated in 0.5s and security proofs in 14s.
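The threshold property the abstract relies on can be seen in a small worked example. The following is added here and is not Shatter's own code or protocol: it is a toy threshold RSA signature in the style of Shoup's practical threshold signatures, using constructed safe primes of no security value, three hypothetical devices (phone, watch, laptop) with a threshold of two, and a constructed message; it assumes Python 3.8 or newer (pow with a negative exponent computes a modular inverse). The private exponent is dealt once and discarded, each device signs with only its own share, and any two partial signatures combine into a plain RSA signature that an unmodified verifier accepts.

```python
import secrets
from hashlib import sha256
from math import factorial, gcd

# Constructed toy parameters: safe primes p = 2p'+1, q = 2q'+1 and a prime e > n.
P, Q, E = 1019, 1187, 65537            # p' = 509, q' = 593
DEVICES, THRESHOLD = 3, 2              # n devices (phone, watch, laptop); any t can sign

def dealer(p, q, e, n, t, rand=secrets.randbelow):
    """Share the private exponent d among n devices; the dealer then forgets d."""
    N, m = p * q, ((p - 1) // 2) * ((q - 1) // 2)    # m = p'q' is the order of Q_N
    coeffs = [pow(e, -1, m)] + [rand(m) for _ in range(t - 1)]   # f(0) = d
    shares = {i: sum(c * i**k for k, c in enumerate(coeffs)) % m
              for i in range(1, n + 1)}                # device i holds f(i) mod m
    return N, shares

def hash_to_qr(msg, N):
    """Map the message hash into Q_N (squares mod N), the group of order m."""
    h = int.from_bytes(sha256(msg).digest(), "big") % N
    while gcd(h, N) != 1:                  # skip the negligible non-invertible case
        h += 1
    return h * h % N

def partial_sign(msg, share, N, n):
    """Run on one device with its own share; the share itself is never sent."""
    return pow(hash_to_qr(msg, N), 2 * factorial(n) * share, N)

def combine(msg, partials, N, e, n):
    """Turn t partial signatures {device: value} into an ordinary RSA signature."""
    x, delta, S, w = hash_to_qr(msg, N), factorial(n), list(partials), 1
    for i in S:
        num = den = 1
        for j in S:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam = delta * num // den                      # integer Lagrange weight at 0
        w = w * pow(partials[i], 2 * lam, N) % N      # lam < 0 -> modular inverse
    # Now w^e == x^(4 delta^2) and gcd(4 delta^2, e) == 1; solve a*4delta^2 + b*e == 1.
    a = pow(4 * delta**2, -1, e)
    return pow(w, a, N) * pow(x, (1 - 4 * delta**2 * a) // e, N) % N   # y^e == x

def verify(msg, sig, N, e):
    """Plain RSA verification: apps that are not Shatter-aware need no change."""
    return pow(sig, e, N) == hash_to_qr(msg, N)

def demo(msg=b"constructed message to sign"):
    """Phone (1) and watch (2) sign together; the laptop's share is not needed."""
    N, shares = dealer(P, Q, E, DEVICES, THRESHOLD)
    parts = {i: partial_sign(msg, shares[i], N, DEVICES) for i in (1, 2)}
    return verify(msg, combine(msg, parts, N, E, DEVICES), N, E)
```

Combining fewer than two partial signatures produces a value that fails verification, which is the whole point: one stolen or infected device holds nothing usable on its own.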


Published in

WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks
July 2016
242 pages
ISBN: 9781450342704
DOI: 10.1145/2939918

Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: WiSec '16 paper acceptance rate 13 of 51 submissions (25%); overall acceptance rate 98 of 338 submissions (29%).
