6th Workshop on Privacy Enhancing Technologies, June 28-30, 2006. John Solis and Gene Tsudik, University of California, Irvine.

Presentation transcript:

Slide 1: Simple and Flexible Revocation Checking with Privacy
John Solis and Gene Tsudik, University of California, Irvine
6th Workshop on Privacy Enhancing Technologies, June 28-30, 2006

Slide 2: Digital Certificates
● PK Certificate
  – Binds public key to identity-string (name)
  – Signed by issuer (CA)
  – Valid from XXXX, Expires on YYYY
● Premature revocation:
  – Private key loss/compromise
  – Algorithm weakness
  – Subject becomes malicious
  – Change in security policy
  – Job change/Promotions

Slide 3: Revocation Checking Issues
● Validate certificates prior to communication:
  – Verify signature(s)
  – Check revocation status (each time, even if cached)
  – Implies subsequent communication
● Privacy leak – third parties find out about:
  1. Source of the revocation query
  2. Target of the query
  – Goal: Construct a simple, efficient, and flexible privacy-preserving method for revocation checking

Slide 4: Revocation Classes
● Implicit
  – Certificate owner supplies proof of non-revocation, e.g., CRS
● Explicit
  – CA issues (signed) data structure containing revocation information, e.g., CRL

Slide 5: Explicit Revocation Methods
● CRLs and Δ-CRLs
● Online Certificate Status Protocol (OCSP)
  – Certificate Revocation Trees (to enhance OCSP)
  – Skip Lists and 2-3 trees

Slide 6: Privacy Analysis

| Method        | Hides Target? | Certificates Returned | Bandwidth |
|---------------|---------------|-----------------------|-----------|
| CRL & Δ-CRLs  | Yes           | n                     | O(n)      |
| OCSP          | No            | 1                     | O(1)      |
| Skip-Lists    | No            | 1                     | O(log n)  |
| CRT           | No            | 1                     | O(log n)  |

Slide 7: Question
● Is there a practical technique to provide privacy for current revocation methods?

Slide 8: Related Work
● H. Kikuchi, “Privacy-preserving revocation check in PKI”
  – Identifies problem
  – Proposed heavy-weight (inefficient) cryptographic technique
● Private Information Retrieval (PIR)
  – Obscures targets of database queries
  – Multi-round protocols/Expensive crypto
  – Overkill

Slide 9: Privacy Preserving Revocation Checking
● CRTs amenable to supporting privacy-preserving querying
● Modify CRT structure:
  1. Range Queries
  2. Permuted Ordering

Slide 10: CRT Details: Notation
● n sequentially sorted revoked nodes
  – lo, hi – lowest and highest numbered nodes
● C_i – certificate with serial number i
● L_i … L_m – leaf nodes of CRT
● N(L_i) – serial number of leaf node L_i
● H() – cryptographic hash function
● co-path – sequence of nodes representing siblings of all direct ancestors
● LCA – least common ancestor of two nodes

Slide 11: CRT Construction
● Each leaf node L_i contains:
  – Certificate hash
  – Date/time of revocation
  – Reason for revocation
● Each non-leaf node computed as hash of child nodes
  – H(parent) = H(L||R)
● CA digitally signs root node and distributes

Slide 12: CRT Query
● Client queries certificate with serial number i
● If C_i is not revoked, compose response:
  1. Two adjacent leaf nodes L_p, L_{p+1} such that N(L_p) < i < N(L_{p+1})
  2. Three partial co-paths:
     1. L_p to LCA
     2. L_{p+1} to LCA
     3. LCA to Root
  3. Signed root node (may be cached by client)

Slide 13: CRT Query
● If C_i is revoked, then response:
  1. Two adjacent sibling nodes L_p, L_{p+1} such that N(L_p) = i or N(L_{p+1}) = i
  2. Co-path starting from sibling of parent node
  3. Signed root node
● Clients verify response
  1. Re-compute root hash using returned leaf nodes and co-paths
  2. Verify signature on root node
● CRT inherently guarantees completeness

Slide 14: CRT Example
– CRT query for L_3
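The CRT construction and non-revocation check from slides 11 to 13, as an added example that is not code from the presentation or the authors' prototype. It assumes SHA-256 for H(), leaves that hash only the serial number, two full co-paths instead of the three partial ones, and a root whose CA signature has already been verified; all function names are hypothetical.

```python
import bisect
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(serial: int) -> bytes:
    # A full leaf would also cover the revocation date and reason.
    return H(b"leaf" + serial.to_bytes(8, "big"))

def build_levels(revoked):
    """All tree levels, leaves first; odd levels are padded with their last node."""
    level, levels = [leaf(s) for s in sorted(revoked)], []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [H(level[k] + level[k + 1]) for k in range(0, len(level), 2)]

def co_path(levels, index):
    """Sibling hashes from leaf to root, each flagged True if it is a left sibling."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return path

def root_from(serial, path):
    node = leaf(serial)
    for sibling, sibling_is_left in path:
        node = H(sibling + node) if sibling_is_left else H(node + sibling)
    return node

def leaf_index(path):
    # The left/right flags spell out the leaf position in binary.
    return sum(flag << depth for depth, (_, flag) in enumerate(path))

def prove_not_revoked(revoked, i):
    s = sorted(revoked)
    p = bisect.bisect_left(s, i) - 1
    if p < 0 or p + 1 >= len(s) or s[p + 1] == i:
        raise ValueError("revoked, or outside lo..hi (not handled here)")
    levels = build_levels(s)
    return [(s[p], co_path(levels, p)), (s[p + 1], co_path(levels, p + 1))]

def verify_not_revoked(i, proof, trusted_root):
    (sp, path_p), (sq, path_q) = proof
    return (sp < i < sq and leaf_index(path_q) == leaf_index(path_p) + 1
            and root_from(sp, path_p) == trusted_root
            and root_from(sq, path_q) == trusted_root)
```

The adjacency check on the two leaf positions is what gives completeness: a responder cannot skip a revoked leaf that lies between the two it returns.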

Slide 15: Privacy Preserving Revocation Checking
● CRTs amenable to include privacy
● Modify CRT structure:
  1. Range Queries
  2. Permuted Ordering

Slide 16: Range Queries
● Observation: MOST Certificates ARE NOT revoked!
● Query for a range of certificates
● Range size determined by:
  1. Desired degree of privacy
  2. Density/number of revoked nodes

Slide 17: Range Queries
● Query for a range of (permuted) certificate serial numbers (j,k) such that j ≤ i ≤ k
● Hide target certificate in range
  – Pr[Correctly guessing i] =
  – Statistical privacy
● Range size determines privacy level
  – Highest level => size = n (CRL)
  – Lowest level => size = 1 (Existing solutions)
  – Flexible => Let client decide: trade-off privacy/bandwidth

Slide 18: Optimal Range Size
● Inputs:
  – Desired privacy level, e.g.
    – If Pr[guessing] = .001 then k-j+1 = 1000
  – Revocation density
● Not all certificates in range returned
● To have r certificates returned

Slide 19: Privacy Preserving Revocation Checking
● Modify CRT structure:
  1. Range Queries
  2. Permuted Ordering

Slide 20: Permuted Ordering
● CAs issue certificates sequentially
  – Pros:
    ● Allows for defined subclasses
    ● Easier management
  – Cons:
    ● Consecutive blocks possibly related (information leak)
● Solution: Permuted ordering

Slide 21: Permuted Ordering
● Certificates not revoked uniformly
  – Different ranges could have dramatically different densities
● Solution: Use PRP to guarantee uniform distribution
  – No collisions
  – Uniform distribution
● Sort certificates along permuted serial numbers
  – Ex: DES, Blowfish, RC4
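A range query over permuted serial numbers, as described on slides 17 to 21; this is an added example, not code from the presentation or the authors' prototype. It swaps in a toy Feistel permutation built from HMAC-SHA256 for the ciphers named on the slide, assumes 32-bit serials and a client that can compute the permutation, and aligns each range to a fixed window so repeated queries for one target reuse the same range (one possible choice, not stated on the slides); all names are hypothetical.

```python
import bisect
import hashlib
import hmac

BITS = 32                  # assumed serial-number width
HALF = BITS // 2
MASK = (1 << HALF) - 1

def prp(key: bytes, serial: int, rounds: int = 4) -> int:
    """Toy Feistel permutation on 32-bit serials: a bijection, so no collisions."""
    left, right = serial >> HALF, serial & MASK
    for r in range(rounds):
        msg = bytes([r]) + right.to_bytes(HALF // 8, "big")
        f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")
        left, right = right, left ^ f
    return (left << HALF) | right

def query_range(permuted: int, guess_prob: float):
    """Window (j, k) of size 1/guess_prob containing the permuted target."""
    size = round(1 / guess_prob)
    j = (permuted // size) * size      # aligned: same target, same range
    return j, j + size - 1

def server_answer(revoked_permuted, j, k):
    """Responder side: revoked permuted serials inside [j, k] (list is sorted)."""
    lo = bisect.bisect_left(revoked_permuted, j)
    hi = bisect.bisect_right(revoked_permuted, k)
    return revoked_permuted[lo:hi]

def is_revoked(key, serial, revoked_permuted, guess_prob=0.001):
    """Client side: the responder sees only (j, k), never the target itself."""
    target = prp(key, serial)
    j, k = query_range(target, guess_prob)
    return target in server_answer(revoked_permuted, j, k)
```

Consecutively issued serials land in unrelated windows after permutation, so the range a client asks for says nothing about which block of certificates it is interested in.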

Slide 22: Some issues
● Repeated queries for same target by same client
  – Change range or keep same?
  – Better keep same range
● Multiple queries for same target by different clients
  – Ideally would have same range
    ● How?
  – Intersection (narrowing) attack possible… if adversary aware of target being same (e.g., temporal proximity)

Slide 23: Conclusions
● Proposed solution is a simple/novel approach that addresses privacy concerns in revocation checking
● Configurable levels of privacy on a per-query basis
  – Bandwidth vs Privacy
● Can be applied to other revocation methods
  – Skip-Lists (Appendix)
  – CRLs (paper in preparation)
● Prototype available at:

Slide 24: Questions?