How to Evaluate Security and Reliability in Key Recovery Systems

Abstract and 1. Introduction

  2. Related Work

    2.1 The Alternative-Authenticator Approach

    2.2 The Original-Authenticator Approach

  3. The Proposed Secret Backup Approaches

    3.1 Notations

    3.2 Assumptions

    3.3 The Direct-Escrow Method

    3.4 Our Proposed Algorithms

  4. Security and Reliability Analysis

    4.1 Security Analysis

    4.2 Reliability Analysis

    4.3 Recovery Failure Rate Analysis

    4.4 Real World Parameters

    4.5 Failure Rate Optimization of (k,n)

  5. Comparison

  6. Conclusion, Acknowledgment, and References

Appendix

4 SECURITY AND RELIABILITY ANALYSIS

Both security and reliability are critical measures of any successful secret backup and recovery approach. However, most works consider only security measures. In reality, if either security or reliability fails, the recovery fails.

Reliability is the probability that an owner can complete the process and truly recover the owned private key when needed. Security, in contrast, is about the possibility that an attacker fails to obtain the owner’s private key. Both are essential for any recovery approach. In the following, we first analyze security and reliability separately. We then combine them into a new integrated failure measure and suggest how to choose parameters for the proposed approach optimally.

4.1 Security Analysis

An adversary may guess the owner’s contact list from the owner’s social network profile if it is public. If the profile is private, Jin et al. [62] proposed a “mutual friend attack” method that utilizes the mutual friends of the owner. Jin’s experiments showed that an adversary could simply locate 60~95% of a target’s contacts using the mutual friend attack method. However, in reality, for our approach, a trustee may not even appear on the owner’s online social network. At any rate, we assume that, in the worst case, an adversary can identify all of the owner’s contacts.

When an adversary asks one of the owner’s contacts for decryption, the person contacted may react in one of the following ways. Typically, an owner’s connection may simply ignore the request (assume the probability is p1) or notify the owner of the suspicion (assume the probability is p2). Similarly, when a trustee is contacted, they may simply ignore the request (probability p1), notify the owner (probability p2), or be fooled (probability p3).

Generally, the attack will fail if anyone contacted by the adversary feels suspicious and notifies the owner. The owner can then change the random key and secret shares to break the attack since the stolen backup file is now invalid. Practically, it is implausible for an adversary to request illegal decryption without causing any suspicion.
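As an added illustration (not the paper's equation, which is not reproduced on this page, and not the authors' code), the sketch below estimates the adversary's success probability under a simplified model of the reactions described above, to show how the threshold k and the notify probability p2 drive the result. Assumptions: the adversary contacts only the n trustees, one at a time; each reacts independently with p1 + p2 + p3 = 1; the first notification ends the attack; the attack succeeds once k trustees are fooled. Function names and sample values are constructed.

```python
import math
import random

def _check(n, k, p1, p2, p3):
    if n < 1 or k < 1:
        raise ValueError("n and k must be positive")
    if min(p1, p2, p3) < 0 or abs(p1 + p2 + p3 - 1.0) > 1e-9:
        raise ValueError("p1, p2, p3 must be non-negative and sum to 1")

def attack_success_exact(n, k, p1, p2, p3):
    """P(k trustees fooled before any trustee notifies the owner), assumed model.

    The k-th fooled trustee is contact number i (k <= i <= n); the other
    i - k contacts before it all ignored the request. p2 enters only through
    p1 + p2 + p3 = 1: every notification ends the attack.
    """
    _check(n, k, p1, p2, p3)
    return sum(math.comb(i - 1, k - 1) * p3**k * p1**(i - k)
               for i in range(k, n + 1))  # empty sum (0) when k > n

def attack_success_simulated(n, k, p1, p2, p3, trials=100_000, seed=1):
    """Monte Carlo cross-check of the same assumed model."""
    _check(n, k, p1, p2, p3)
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        fooled = 0
        for _ in range(n):
            r = rng.random()
            if r < p2:            # trustee notifies the owner: attack fails
                break
            if r < p2 + p3:       # trustee is fooled and returns a share
                fooled += 1
                if fooled == k:   # threshold reached: key recovered
                    wins += 1
                    break
            # otherwise the trustee ignores the request
    return wins / trials

if __name__ == "__main__":
    p1, p2, p3 = 0.5, 0.3, 0.2    # constructed sample values, not measured
    for n, k in [(3, 2), (5, 3), (7, 4), (7, 2)]:
        exact = attack_success_exact(n, k, p1, p2, p3)
        sim = attack_success_simulated(n, k, p1, p2, p3)
        print(f"n={n} k={k} exact={exact:.5f} simulated={sim:.5f}")
```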

Then we have the following worst-case probability P for a successful adversary. The details of the derivation are listed in the appendix.

Note that n is the number of trustees and k is the secret share recovery threshold.

The above equation is complicated and can be approximated as

Authors:

(1) Wei-Hsin Chang, Deepmentor Inc.;

(2) Ren-Song Tsay, Computer Science Department, National TsingHua University, Hsinchu, Taiwan.

