02/22/2005 Joint Seminar Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication Costs.

Presentation transcript:

1 A Distributed Online Certificate Status Protocol with Low Communication Costs
02/22/2005 Joint Seminar
Satoshi Koga, Information Technology & Security Lab., Kyushu Univ.
A preliminary version of this paper was presented at PKC 2004.

2 Background
Public Key Infrastructure (PKI): secure communication, authentication systems, etc.
Certificate revocation problem
– The certificate must be revoked if the user's private key is compromised or the user's personal information is changed
– The verifier must check the revocation information

3 Certificate revocation
Compromise of the private key, or a change of personal information
– The certificate must be revoked
If a certificate is revoked…
– The certificate owner sends a revocation request to the CA that issued the certificate
– The CA should publish revocation information
– The certificate verifier should check the status of the certificate: is this certificate valid, or revoked?

4 Certificate revocation systems
Certificate Revocation List (CRL)
– The list of revoked certificates
– The CRL grows long, so communication costs are high
Online Certificate Status Protocol (OCSP)
– Provides an up-to-date response to certificate status queries
– Low communication costs

5 Online Certificate Status Protocol (OCSP)
The responder checks the status of a certificate on behalf of users
– The user requests the status of a certificate
– The responder sends a response including the status of the requested certificate
– Mitigates the load on the user
– Reduces communication costs compared with a CRL
[Figure: the CA supplies revocation information to the responder; the user sends a request to the responder and receives a response]

6 OCSP (cont'd)
Security
– Responses are signed by the OCSP responder
Communication costs
– A user receives one response
– Independent of the number of revoked certificates
Problem
– High computation cost at the OCSP responder, so it is vulnerable to Denial-of-Service (DoS) attacks

7 Motivation
Centralized OCSP: compromise of the responder's private key affects the entire system
Protection of the private key
– Hardware Security Module (FIPS 140-2 by NIST)
– Threshold cryptography: each server holds a share of the private key, and a predetermined number of servers must cooperate in order to perform the operation
Private key exposures appear to be unavoidable

8 Distributed OCSP
Minimize the damage caused by the exposure of a responder's key
A Distributed OCSP (D-OCSP) composed of multiple responders
– Each responder has a different private key, so if one responder's private key is compromised, the others cannot be derived from it

9 Traditional D-OCSP
Each responder i holds its own key pair (PK_i, SK_i), i = 1, …, n, and sends the user a response plus its signature
To eliminate the validation of certificate revocation, the CA issues each responder's certificate with a short lifetime
[Figure: the CA issues a responder's certificate to each of responders 1…n, holding (PK_1, SK_1), …, (PK_n, SK_n); the user holds the CA's certificate and receives response + signature]

10 Challenging issue
Responder's certificate with a short lifetime
– Whenever the client receives a response, she must download the responder's certificate, so the communication cost is inefficient
Responder's certificate with a long lifetime
– The client needs to obtain the different responders' certificates
– The client must store multiple certificates

11 Our Proposed Distributed OCSP
To mitigate the damage caused by the exposure of a responder's private key: a distributed OCSP (D-OCSP)
Propose an efficient D-OCSP
– The client can verify any response by using a single public key, so the client obtains just a single certificate

12 Our idea
To generate the responders' private keys
– Use the Key-Insulated Signature scheme (KIS) [DO03]
– Each responder has a different private key, but the corresponding public key remains fixed
– The client can verify any response by using a single public key
To validate a responder's private key
– Use NOVOMODO [M02]
[DO03] Y. Dodis et al., "Strong Key-Insulated Signature Schemes", PKC 2003.
[M02] S. Micali, "NOVOMODO", 1st Annual PKI Research Workshop, 2002.

13 Key-insulated signature scheme (KIS)
The lifetime of the protocol is divided into short time periods
At the beginning of period i, the private key is updated
The private key is updated frequently, but the corresponding public key PK is fixed
Even if SK_i is exposed, the attacker cannot forge signatures for any other time period (key-insulated security)
[Figure: lifetime split into periods 1, 2, …, i, …, T with private keys SK_1, SK_2, …, SK_i, …, SK_T and one fixed public key PK]

14 Update algorithm in KIS
The master key SK* is stored on the secure device
The secure device computes the partial key SK_i'
The signer derives SK_{i+1} using the partial key SK_i' and SK_i
Once SK_{i+1} is derived, SK_i is deleted
If an attacker learns SK_i, she cannot derive any other private key (as long as SK* is secure)
[Figure: the secure device holding SK* sends partial keys SK_1', …, SK_T' to the signer, who holds SK_1, SK_2, …, SK_T across periods 1…T]

15 Our method
Responders' private keys are generated using the key-insulated signature scheme
– n (= the number of responders) private keys are generated at the first stage
– All signatures can be verified by using a fixed public key
– Key-insulated security

16 Decentralization method
The CA stores the master key
The CA generates n private keys SK_1, SK_2, …, SK_n using the key update algorithm in KIS
The CA delivers one private key to each responder securely
The user must check that the responder's private key is not revoked
[Figure: the CA distributes SK_1, SK_2, …, SK_n to responders 1…n; a single responder's public key is published]

17 Validation of responder's private key
Use NOVOMODO [M02]
– Using a one-way hash function h
– Generate the following hash chain from a random input value X_T:
  X_T → X_{T-1} → … → X_0, where X_{i-1} = h(X_i)
– At period t, the verifier checks the following equation: X_0 = h^t(X_t)

18 Issuance of responder's certificate
The CA produces n hash chains and stores them securely
– For responder i (i = 1, …, n): X_{T,i} → X_{T-1,i} → X_{T-2,i} → … → X_{0,i}, each arrow one application of h
The CA issues the responder's certificate
C_res = Sig_CA(D, PK_res, X_{0,1}, X_{0,2}, …, X_{0,n})
D: certificate data

19 Validation process
If responder i's private key is valid at period t, the CA delivers the hash value X_{t,i} to responder i
The responder sends both the signed response and this hash value
The user checks the following equation at period t: X_{0,i} = h^t(X_{t,i})
– The user can verify the responder's private key using only the hash function
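The NOVOMODO validation of slides 17 to 19, as an added example that is not part of the original presentation: the CA builds one hash chain per responder, the X_{0,i} anchors stand in for the values signed into C_res, and the client checks X_{0,i} = h^t(X_{t,i}). SHA-256 as h, a 32-byte random X_T, and the demo parameters are assumptions of this example; the signed response itself is out of scope here.

```python
import hashlib
import os
from typing import Dict, List, Optional

def h(x: bytes) -> bytes:
    """One-way hash function h of the NOVOMODO chain (SHA-256 assumed here)."""
    return hashlib.sha256(x).digest()

def hash_iter(x: bytes, t: int) -> bytes:
    """h^t(x): apply h to x t times."""
    for _ in range(t):
        x = h(x)
    return x

def make_chain(T: int, x_T: Optional[bytes] = None) -> List[bytes]:
    """CA side: pick a random input value X_T and hash it down to X_0.
    Returns [X_0, X_1, ..., X_T] with X_{i-1} = h(X_i), so h^t(X_t) == X_0."""
    chain = [x_T if x_T is not None else os.urandom(32)]
    for _ in range(T):
        chain.append(h(chain[-1]))
    chain.reverse()            # chain[i] is now X_i
    return chain

def issue_anchors(chains: Dict[int, List[bytes]]) -> Dict[int, bytes]:
    """The X_{0,i} values the CA puts into C_res = Sig_CA(D, PK_res, X_{0,1}, ..., X_{0,n})."""
    return {i: chain[0] for i, chain in chains.items()}

def verify_responder(cert_anchors: Dict[int, bytes], i: int, x_t: bytes, t: int) -> bool:
    """Client side, period t: responder i is still valid iff X_{0,i} == h^t(X_{t,i})."""
    return hash_iter(x_t, t) == cert_anchors[i]

def demo(T: int = 10, n: int = 3, t: int = 4) -> tuple:
    """Constructed scenario: n responders, lifetime of T periods, check at period t."""
    chains = {i: make_chain(T) for i in range(1, n + 1)}   # kept secret by the CA
    anchors = issue_anchors(chains)          # embedded in the responder's certificate
    token = chains[2][t]                     # CA releases X_{t,2} to responder 2 at period t
    valid = verify_responder(anchors, 2, token, t)
    # A token released for period t does not validate the key at period t+1:
    # the client would need X_{t+1,2}, which cannot be computed from X_{t,2} (one-way h).
    stale = verify_responder(anchors, 2, token, t + 1)
    # The same token does not validate a different responder's key either.
    wrong = verify_responder(anchors, 1, token, t)
    return valid, stale, wrong
```

If the CA revokes responder i, it simply stops releasing X_{t,i}; the last released value fails the check from the next period on, which is the whole revocation mechanism.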

20 Our Proposed D-OCSP
[Figure: the user holds the responder's certificate and the CA's certificate; responders 1…n hold SK_1, SK_2, …, SK_n and receive X_{t,1}, X_{t,2}, …, X_{t,i} from the CA; responder i answers the user with Response + X_{t,i}]

21 Discussions
Security
– If one private key is exposed, the attacker cannot derive the others (key-insulated security)
– If the attacker obtains the hash value, she cannot derive the next hash value (one-way function)
Minimize the impact of a responder's private key exposure

22 Discussions (cont'd)
Communication costs
– The client can check any response using a single public key
– The client obtains only one responder's certificate, so the communication cost is efficient
– The client stores only one certificate, so the memory space is small
Computational costs
– Signing cost and verification cost are less efficient

23 Efficiency
                                            Traditional D-OCSP (DSA)   Our proposed D-OCSP (KIS)
Size of a response                          bytes                      bytes
Verification costs (# of multiplications)   3+EX|q|                    t+2+3EX|q|
Signature costs (# of multiplications)      2+EX|q|                    2+2EX|q|
・ OpenSSL
・ CA's key size: 2048 bit
・ Responder's key size: 1024 bit
・ EX: # of multiplications required to compute an exponentiation
・ |q| = 160
・ t = (# of responders)

24 Conclusion
Centralized OCSP
– Compromise of the private key affects the entire system
– Need to mitigate the damage caused by compromise of a responder
Efficient distributed OCSP
– Apply the key-insulated signature scheme and NOVOMODO
– Any response can be checked by using the fixed public key