Efficient Asynchronous Accumulators for Distributed PKI

Slides:

Advertisements

Similar presentations

A Framework for Distributed OCSP without Responders Certificate

Advertisements

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Public Key Management and X.509 Certificates

Report on Attribute Certificates By Ganesh Godavari.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Computer Science Public Key Management Lecture 5.

By Jyh-haw Yeh Boise State University ICIKM 2013.

Cryptology Digital Signatures and Digital Certificates Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Overview of Security Research in Ad Hoc Networks Melanie Agnew John Folkerts Cory Virok.

Brian Padalino Sammy Lin Arnold Perez Helen Chen

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

Anonymous Identification in Ad Hoc Groups New York, NY, USAApril 6 th, 2004 Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup

02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.

Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

Implementing EFECT Easy Fast Efficient Certification Technique Ivan Nestlerode Bell Labs Lucent Technologies Based on EFECT paper by: Phil MacKenzie, Bell.

Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.

CSE 543 Computer Security: Risks of PKI - Josh Schiffman & Archana Viswanath Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Using Public Key Cryptography Key management and public key infrastructures.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.

Identity-Based Signatures for MANET Routing Protocols draft-dearlove-manet-ibs-00 Christopher Dearlove Presented by Ulrich Herberg.

Decentralized Access Control: Overview Deepak Garg Foundations of Security and Privacy Fall 2009.

Key management issues in PGP

CSE 4905 Public-key Infrastructure

Improving Authenticated Dynamic Dictionaries

Non-PKI Methods for Public Key Distribution

CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi.

Information Security message M one-way hash fingerprint f = H(M)

CS480 Cryptography and Information Security

Josep Domingo-Ferrer Universitat Rovira i Virgili

Information Security message M one-way hash fingerprint f = H(M)

Information Security message M one-way hash fingerprint f = H(M)

کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)

AccAAD: An Efficient Append-Only Authenticated Dictionary for Transparency Logs Vivek Bhupatiraju, PRIMES 2018.

Cryptography Lecture 27.

Public Key Infrastructure (PKI)

Information Security message M one-way hash fingerprint f = H(M)

CS 465 Certificates Last Updated: Oct 14, 2017.

Certificates An increasingly popular form of authentication

刘振上海交通大学计算机科学与工程系电信群楼3-509

Chapter 4 Cryptography / Encryption

به نام آنکه هستی نام از او یافت

PKI (Public Key Infrastructure)

Peer-to-peer networking

University of Cyprus By: Nectarios Efstathiou

刘振上海交通大学计算机科学与工程系电信群楼3-509

Faculty Seminar Series Blockchain Technology

Ensuring Correctness over Untrusted Private Database

Cryptography Lecture 27.

Cryptography Lecture 26.

Presentation transcript:

Efficient Asynchronous Accumulators for Distributed PKI Sophia Yakoubov Joint work with Leo Reyzin

Outline Motivation: Distributed PKI Background: Accumulators Our Contributions: Asynchronous Accumulators Definition: verification works even if the accumulator and witness are out of synch Construction

Application: PKI PKI goals: Accurate Registration Identity Retention Enable Alice to associate Bob’s identity with Bob’s public key PKB (We do not consider revocation here.) PKCA “I’m Bob” PKB Bob, CA SKCA PKB PKB “I’m Bob” PKCA SKB PKB Bob, CA PKCA

Certificate Authorities are a single point of failure! Application: PKI Problem: Certificate Authorities are a single point of failure! PKE PKCA “I’m Bob” PKE Bob, CA SKCA Eve PKE PKE “I’m Bob” PKCA SKE PKE Bob, CA PKCA

Problem: Certificate Authorities are a Single Point of Failure! Trusting central authorities is a risk. Verisign (2010) Was repeatedly infiltrated, potential compromised information includes secret signing keys Comodo (2011) Issued erroneous certificates DigiNotar (2011) Issued certificate for Google to someone who wasn’t Google TrustWave (2012) Issued root certificate to customers, enabling them to issue other certificates Symantec (2015) Issued certificates for Google without it’s knowledge

Ensuring Identity Retention: Decentralization via a Public Bulletin Board Append-only Consensus protocol ensures that posts are “valid” Implemented via blockchains formalized by [PSs16, GKL16] Validity check performed by miners

Decentralized PKI PKB Bob, Bob Look up “Bob” at locationB Validation: the identity “Bob” has not already been registered (ensures identity retention) PKB “I’m Bob” locationB SKB Problem: expensive storage / access! Alice needs to maintain online access to the entire bulletin board. Problem: expensive lookup! Alice needs to search through the entire bulletin board.

Outline Motivation: Distributed PKI Background: Accumulators [BdM94,CL02,LLX07,Ngu05,DT08,ATSM09,CHKO08…] Our Contributions: Asynchronous Accumulators Definitions Construction

Solution: accumulators Accumulator: compact commitment to set S S membership witness wB (Bob, PKB) T = S + {(Bob, PKB)} T can be used together with wB to verify that (Bob, PKB) is in set T

Accumulator Example: Merkle Hash Tree (Charlie, PKC) (Daniela, PKD) (Frank, PKF) (Bob, PKB)

Accumulator Example: Merkle Hash Tree (Charlie, PKC) (Daniela, PKD) (Frank, PKF) (Bob, PKB)

Accumulator Example: Merkle Hash Tree (Charlie, PKC) (Daniela, PKD) (Frank, PKF) (Bob, PKB)

Using Accumulators in the Bulletin Board Charlie, , Daniela, , Frank, , Bob, , PKC PKD PKF PKB Maintain an accumulator containing all (Name, PK) pairs

Accumulators in Decentralized PKI Look up latest PKB Bob, Bob Look up latest Validation (e.g. by miners): Check that the identity “Bob” has not already been registered Compute the new accumulator value (Bob, PKB) wB PKB SKB PKB “I’m Bob”, , wB wB

Accumulator Example: Merkle Hash Tree (Frank, PKF) (Charlie, PKC) (Daniela, PKD)

Accumulator Example: Merkle Hash Tree Charlie’s witness changed! h(,) h(,) h() h() h() h() (Charlie, PKC) (Daniela, PKD) (Frank, PKF) (Bob, PKB)

Problem: Synchrony Using existing notion of accumulators… wB wB wB wB wB wB wB wB wB wB time Using existing notion of accumulators… Bob needs to update his membership witness with every key registration! Alice needs to download a new accumulator value with every key registration!

Outline Motivation: Distributed PKI Background: Accumulators Our Contributions: Asynchronous Accumulators Definitions Low witness update frequency Old-accumulator compatibility Construction: Merkle Hash Forrest

Solution: Asynchronous Accumulators - Low Witness Update Frequency wB wB wB wB wB wB wB wB wB wB time Low witness update frequency wB wB wB wB time

Solution: Asynchronous Accumulators - Old Accumulator Compatibility wB wB wB wB wB wB wB wB wB wB time wB wB wB wB wB wB wB wB wB wB time Old-accumulator compatibility

Outline Motivation: Distributed PKI Background: Accumulators Our Contributions: Asynchronous Accumulators Definitions Low witness update frequency (helping Bob) Old-accumulator compatibility (helping Alice) Construction: Merkle Hash Forrest

Asynchronous Accumulator: Merkle Hash Forest Depth 3 Depth 2 Depth 1 At most log(n) complete Merkle trees Each element is a leaf in one of the trees As new elements get added, older elements move to bigger trees

Asynchronous Accumulator: Merkle Hash Forest D = 1 1 This is similar to a binary counter… 1 element

Asynchronous Accumulator: Merkle Hash Forest D = 2 1 This is similar to a binary counter… 2 elements

Asynchronous Accumulator: Merkle Hash Forest D = 2 D = 1 1 1 This is similar to a binary counter… 3 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 1 This is similar to a binary counter… 4 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 1 1 1 This is similar to a binary counter… 5 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 2 1 1 This is similar to a binary counter… 6 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 2 D = 1 1 1 1 This is similar to a binary counter… 7 elements

Asynchronous Accumulator: Merkle Hash Forest 1 This is similar to a binary counter… 8 elements

Asynchronous Accumulator: Merkle Hash Forest D = 1 1 1 This is similar to a binary counter… 9 elements

Asynchronous Accumulator: Merkle Hash Forest D = 2 1 1 This is similar to a binary counter… 10 elements

Asynchronous Accumulator: Merkle Hash Forest D = 2 D = 1 1 1 1 This is similar to a binary counter… 11 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 1 1 This is similar to a binary counter… 12 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 1 1 1 1 This is similar to a binary counter… 13 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 2 1 1 1 This is similar to a binary counter… 14 elements

Asynchronous Accumulator: Merkle Hash Forest D = 3 D = 2 D = 1 1 1 1 1 This is similar to a binary counter… 15 elements

Asynchronous Accumulator: Merkle Hash Forest 1 This is similar to a binary counter… 16 elements

Merkle Hash Forest Asynchrony Low update frequency A witness only needs to be updated when the tree in question is “carried”! Old-accumulator compatibility A witness is append-only; it contains all prior states D = 3 D = 2 D = 1

Conclusion Bulletin boards are good for distributed dictionaries Namecoin PKI Accumulators improve efficiency no need to have access to the whole board Asynchronous accumulators reduce the witness maintenance cost A forest is better than a tree! More flexibility