   Yvo Desmedt October 31, 2002 SECURITY PROBLEMS WITH ON-LINE REVOCATION By Yvo Desmedt Dept. Of Computer Science Florida State University


   Yvo Desmedt October 31, 2002 SECURITY PROBLEMS WITH ON-LINE REVOCATION By Yvo Desmedt Dept. Of Computer Science Florida State University and Royal Holloway, Univ. of London, U.K.

Overview
1. Why on-line revocation
2. What is on-line revocation
3. Learning from ATM/POS
4. Security problems
5. Security tools from a client's perspective
6. Security tools from a server's perspective
7. Conclusion

Why on-line revocation
a) history
basis of X500/X509 predates internet, when:
- physical security was much higher:
  » Few computers
  » security guards
  » Vaults
- communication was expensive, in particular on-line (uucp)

Why on-line revocation
a) history: consequences
– viewed that a revocation would be an exception
– Off-line
So CRL (Certificate Revocation List) was a natural evolution and standard.

Why on-line revocation
b) CRL: implementation problems
– Some CAs do not publish CRLs, worse
– Many implementations do not use them
Anderson-type conclusion: since it works without, there is no need for CRL.
Answer: see later.

Why on-line revocation
b) CRL: conceptual problems
– DELAY: meanwhile fraud is possible. Accumulated fraud could be too high
– SIZE: proportional in:
  Number of revoked keys
  Accumulated aspect

Why on-line revocation
b) CRL: conceptual problems
– DELAY
– SIZE
(Daniel-Rubin: still no reason for on-line revocation: could publish CRL very frequently.)
Answer: see later.

Why on-line revocation
c) Aggravation aspect
Technology has changed since first effort on X500/X509: CPU was slow and Public Key technology requires many operations: viewed that special hardware was required. Today most have been implemented in software.
Implications:

Why on-line revocation
c) Aggravation aspect
Technology has changed: Implications:
– Computer insecurity
  Then: No computer viruses/worms,
  Now: there are! Example of problem: www of US State Dept.
  Then: Operating System security was taken seriously
  Now: it is mainly advertisement!

Why on-line revocation
c) Aggravation aspect
Technology has changed: Implications:
– Hardware insecurity
  Then: Chip-cards and dedicated hardware believed to be significantly more secure than software
  Now: Many attacks are known (see CHES, PKC 2003, etc.)

Why on-line revocation
Physical insecurity
Now:
– Handheld/Handless devices
– Laptops:
  » US State Dept.: stolen laptops with “code level” information
  » UK: MI5/MI6: stolen or lost laptops
– Sensors:

Why on-line revocation
Physical insecurity
Now: Sensors:
– Inexpensive: massive number
– Example of use:
  » Eco-disaster,
  » Hostage taking
  » Explore adversarial situation
– Use wireless technology
– Need to authenticate
– Could fall in the hands of bad guys

Why on-line revocation
Physical insecurity
Now: Common problem:
– Could easily be stolen
– Fall in the hands of the wrong guys

Why on-line revocation
c) Aggravation aspect
Technology has changed: Implications:
– Key of device, not of user
  Then: Users would have public keys
  Now: Devices, or applications (ssh) have public keys (new machine, old name).
  Implies: User does not regard the key as his/hers and does not take precautions.

Why on-line revocation
c) Aggravation aspect
– Key of device, not of user
  Implies: If device belongs to third party (rented: e.g. cell phone or employer), at the end of the contract public key should be changed: increasing revocations

Why on-line revocation
c) Aggravation aspect: conclusion
Technology has changed: Implications:
Future applications of Public Key:
-) Secret keys are much more vulnerable, and
-) There will be an increased need for revocation
-) Depending on application (non-financial), delay may be unacceptable

What is on-line revocation
Instead of having a blacklist (CRL) one checks on-line whether a certificate is still valid (see e.g. Rivest FC 98).
Basic use: no lifetime of validity. Instead: only the time the certificate was issued is part of the signed “message”.

What is on-line revocation
COST: requires:
-) On-line access
-) CA needs to sign more

Learning from ATM/POS
Daniel-Rubin vs. Rivest:
-) black or white
-) real world is not black or white
ATM/POS history
-) in 's debate was online or offline revocation of credit/debit cards
-) Offline:
  * POS: booklet !!
  * ATM: daily floppy

Learning from ATM/POS
ATM/POS history
-) debate:
  * Online:
    +: less delay
    -: what if line goes dead: do/do not provide
-) Offline: viewed as more reliable!
-) Fraud became too big to fit in a booklet and online: won. Extra cost not that high.

Learning from ATM/POS
ATM/POS history
-) online: what if the line is dead??
  * Depends on size of transaction, so not black or white
ATM/POS lesson:
-) Not black or white
-) Need for online: depends on accumulated fraud risk: not necessarily financial: e.g. Bosnia

Learning from ATM/POS
– The more PKI becomes important and the more frequently important Public Keys are hacked, the more online will dominate!
– Currently Anderson-type arguments are close to correct! Future will change once PKI takes off.

Security problems
Being on-line and when PKI becomes truly important, CAs will become the “next target of hackers.”
The on-line aspect seriously aggravates the issue! The CA's capability of signing is now on-line, making the secret key vulnerable!

Security problems
Two viewpoints:
– Client: (Rivest: takes the risk: often false!!) How can the client deal with CAs taken over by an enemy?
– Server: To maintain credibility (future: to reduce liability): How can the server deal with hacking of the secret key?

Security tools from a client's perspective
Client should not rely on trusting a vulnerable CA since CAs:
– Today: are not responsible!
– Future: may go bankrupt
Solution: do not rely on a single CA, independently proposed by Reiter-Stubblebine and Burmester-Desmedt-Kabatianskii.

Security tools from a client's perspective
– Solution: similar to PGP: trust graph of certificates. However, we require that the trust graph is 2k+1 connected. If (at most) k “CA”s have been hacked: majority vote solves issue.
– Alternative Solution: see IWAP 2000 (to appear Communications of ACM):

Security tools from a client's perspective
– Alternative Solution: see IWAP 2001 (to appear Communications of ACM): Gave nodes using same operating system different colors. Enemy can take over k colors: many more nodes may be affected.
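
The majority-vote check on a 2k+1 connected trust graph, as an added example that is not code from the presentation: it finds vertex-disjoint certificate chains from the client to the target with a unit-capacity max-flow, requires at least 2k+1 of them, and accepts a key only when k+1 chains agree. The sample graph, the node names and the `reported_key` callback (a stand-in for validating one chain and returning the key it vouches for) are assumptions made for illustration.

```python
from collections import Counter, deque
# Constructed sample: C is the client, T the target, the other nodes are CAs.
GRAPH = {"C": ["A", "B", "D"], "A": ["T", "B"], "B": ["E"], "E": ["T"], "D": ["T"]}

def disjoint_paths(adj, s, t):
    """Vertex-disjoint s->t chains via unit-capacity max-flow with each node split in/out."""
    cap = {}
    def edge(u, v):
        cap.setdefault(u, {})[v] = 1
        cap.setdefault(v, {}).setdefault(u, 0)       # residual (reverse) edge
    for u, nbrs in adj.items():
        if u not in (s, t):
            edge((u, "in"), (u, "out"))              # a CA may lie on one chain only
        for v in nbrs:
            edge((u, "out"), (v, "in"))              # u has certified v
    src, dst = (s, "out"), (t, "in")
    while True:                                       # BFS augmenting paths
        prev, queue = {src: None}, deque([src])
        while queue and dst not in prev:
            u = queue.popleft()
            for v, c in cap.get(u, {}).items():
                if c > 0 and v not in prev:
                    prev[v] = u
                    queue.append(v)
        if dst not in prev:
            break
        v = dst
        while prev[v] is not None:                    # push one unit of flow
            cap[prev[v]][v] -= 1
            cap[v][prev[v]] += 1
            v = prev[v]
    def step(node):                                   # saturated real edges carry flow
        return [w for (w, side), c in cap.get((node, "out"), {}).items()
                if side == "in" and w != node and c == 0]
    paths = []
    for first in step(s):
        path = [s, first]
        while path[-1] != t:
            path.append(step(path[-1])[0])
        paths.append(path)
    return paths

def resolve_key(adj, client, target, k, reported_key):
    """Majority vote over 2k+1 disjoint chains; None if no key reaches k+1 votes."""
    paths = disjoint_paths(adj, client, target)
    if len(paths) < 2 * k + 1:
        raise ValueError("fewer than 2k+1 disjoint chains between client and target")
    votes = Counter(reported_key(p) for p in paths[:2 * k + 1])
    key, count = votes.most_common(1)[0]
    return key if count >= k + 1 else None
```

With k = 1 the sample graph yields three disjoint chains, so a single hacked CA on one chain is outvoted; asking for k = 2 raises an error because five disjoint chains do not exist.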

Security tools from a server's perspective
– Daniel-Rubin: To deal with increased load, one needs to replicate the CA.
– Our solution: Servers should use threshold cryptography.

Security tools from a server's perspective
– What is threshold cryptography: n servers each have a share of the secret, of which k are needed to co-sign.
  Note: (if n>1) no server ever sees the secret key and k-1 cannot sign (if underlying signature scheme is secure)

Security tools from a server's perspective
– Compare with Daniel-Rubin: replicate, however use it to increase security (provided k>1)!
– Why can this not deal with client security issues? Threshold Cryptography is too transparent. What comes out is a signature as coming out from a single entity.

Security tools from a server's perspective
– Why can this not deal with client security issues? Moreover co-signing can be simulated.
  Note: robust variant may achieve the goal if one trusts these are independent!!!
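
A toy k-out-of-n RSA signing service, added here as an illustration and not taken from the presentation; it follows the construction of Shoup's threshold RSA scheme without its share-verification proofs. It shows that any k servers can co-sign, that k-1 cannot, and that the result verifies as an ordinary signature under the single public key, which is the transparency the slides refer to. The parameters, the trusted dealer and all function names are assumptions of the example.

```python
import math

# Constructed toy parameters, far too small for real use: N = 23 * 47 (safe primes),
# M = 11 * 23 is the order of the squares mod N, E is the public exponent (prime > n).
N, M, E = 1081, 253, 17

def deal(n, k, rng):
    """Trusted dealer (assumption): Shamir-share d = 1/E mod M, polynomial degree k-1."""
    coeffs = [pow(E, -1, M)] + [rng.randrange(M) for _ in range(k - 1)]
    return {i: sum(c * i**j for j, c in enumerate(coeffs)) % M for i in range(1, n + 1)}

def partial_sign(x, share, n):
    """Run by one server; it touches only its own share, never d."""
    return pow(x, 2 * math.factorial(n) * share, N)

def combine(x, partials, n):
    """Turn {server index: signature share} into a plain RSA signature on x."""
    delta, w = math.factorial(n), 1
    for i, xi in partials.items():
        num = den = 1
        for j in partials:
            if j != i:
                num, den = num * j, den * (j - i)
        lam = delta * num // den          # delta times the Lagrange coefficient at 0
        w = w * pow(xi, 2 * lam, N) % N
    # Now w^E == x^(4*delta^2). With a*(4*delta^2) + b*E == 1, w^a * x^b is x^(1/E).
    e1 = 4 * delta * delta
    a = pow(e1, -1, E)
    b = (1 - a * e1) // E
    return pow(w, a, N) * pow(x, b, N) % N

def verify(x, sig):
    """The client's check: ordinary RSA verification against the single key (N, E)."""
    return pow(sig, E, N) == x % N

if __name__ == "__main__":
    import random
    shares = deal(n=3, k=2, rng=random.Random(2002))
    x = 42                                # stands for a hashed message, coprime to N
    parts = {i: partial_sign(x, shares[i], 3) for i in (1, 3)}
    print(verify(x, combine(x, parts, 3)))
```

The verifier sees only (N, E) and one signature, so it cannot tell which servers, or how many, took part in signing.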

Conclusion
– On-line revocation: to keep in mind once public key is heavily used and relied on.
– ATM/POS: learn from history.
– Security issue: much more severe issue
– Client/Server: Different goals, different interests, so need for different approaches.