Sakurai Lab. Information Technology & Security Lab. Practical Revisits for implementing the Distributing Security-Mediated PKI (Ongoing work) Jong-Phil.

Presentation transcript:

Sakurai Lab. Information Technology & Security Lab.
1 Practical Revisits for implementing the Distributing Security-Mediated PKI (Ongoing work)
Jong-Phil Yang, Sakurai Laboratory, Kyushu University

2 Certificate Revocation in PKI
- X.509 certificate in Public Key Infrastructure (PKI)
  A signed binding of a public key to certain properties (e.g., a user's identity)
  When the binding ceases to hold, the certificate needs to be revoked
- Certificate Revocation techniques
  Methods for propagating revocation information to relying parties
  Schemes:
  - Certificate Revocation Lists: CRLs
  - Online Certificate Status Protocol: OCSP
  - Variants of CRLs: Delta CRLs, Indirect CRLs
  - Certificate Revocation Tree: CRT
  - Certificate Revocation System: CRS

3 Semi-Trusted Mediator (SEM)
- Basic Idea: Boneh et al. [1]
  (Figure: Alice asks SEM "Please help me sign message M"; partial signature; signature; parties Alice, Bob, SEM, CA)
  Immediate revocation of users' signing ability

4 Mediated RSA (mRSA)
- Direct application of 2-out-of-2 threshold RSA
- Let be a user's public key, be the private key. The CA splits . The user has , SEM has .
- Signing: user's partial signature, SEM's partial signature, RSA signature
  (Figure: RSA key generation; RSA Sig./Ver.)

5 Distributing Security-Mediated PKI
- Disadvantages of SEM: G. Vanrenen et al. [5]
  Temporary denial of service, if the network is partitioned.
  Permanent denial of service, if SEM suffers a serious failure.
  Inability to revoke the key pair, if an adversary compromises SEM and learns its secrets.
- Distributed SEM (DSEM)
  Consists of trustworthy islands in a P2P network.
  Each island may still become compromised by the adversary.
  Each island may also become unavailable, due to crash or partition.
  Threshold cryptography, proactive secret sharing, migration

6 RSA or DL based threshold signatures
- Response time to generate a signature: (5,3) threshold
  (Chart: mRSA; DL based two-party signature; RSA based threshold signature; DL based threshold signature)
  R. Gennaro, S. Jarecki, and H. Krawczyk, Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems, RSA Security '03 (2003).
  T. Rabin, Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology--CRYPTO'98, LNCS 1462 (1998).

7 RSA or DL based threshold signatures
- Response time to generate a signature: (5,3) threshold
  (Chart: mRSA; DL based two-party signature; RSA based threshold signature; DL based threshold signature)

8 RSA or DL based threshold signatures
- Message traffic: 1024-bit key size
  (Chart: RSA based threshold signature; DL based threshold signature)
  DKG (Distributed Key Generation): to verifiably distribute shares of a one-time secret parameter

9 RSA or DL based threshold signatures
- Which is the more important factor? Communication cost or computation cost
- For example:
  Application to large-scale MANETs: DL-based threshold signatures are not suitable; for small-scale MANETs, suitable
  Application to a distributed system with high computing power: RSA-based threshold signatures are suitable
- In the near-future model (using threshold computation):
  The rapid progress of computing power in mobile devices
  Redundancy of resources
  => Computation cost > Communication cost

10 DSEM – Key Setup
  (Figure: CA, User, Island, SEM Server, Distributed SEM Network; random islands hold shares of , proactively updated; -secret sharing; mRSA)

11 DSEM - Migration
- If a user issues a request but the island holding is not available, the user selects another island and requests migration.
  (Figure: User, Island M, Distributed SEM Network, random islands, Island L down; reconstruct shares of ; update shares)
  M must know to interpolate the polynomial used in secret sharing

12 Notable Problems – Question 1
- How can we make k islands perform a proactive secret sharing efficiently?
  After key setup, k islands periodically participate in a proactive secret sharing for in [3][4][7][8].
  The schemes in [7][8]: based on discrete logarithm
  The scheme in [4]: instead of
  The scheme in [3]: low performance caused by performing subsharings as many times as k.

13 Notable Problems – Question 2
- Does DSEM always perform as efficiently as SEM?
  In case the scheme in [4] or [15] is used: (k,k)-additive secret sharing; (k,t)-polynomial secret sharing for each share
  (Figure: Island A, Island B, reconstruct, M, Island B, Alice)
  DSEM cannot provide signing or decrypting until it finishes the complex migration caused by reconstructing the corrupted share.

14 Notable Problems – Question 3
- Is the execution of the proactive secret sharing meaningful?
  Since a long-term secret is stored in L, the target of adversaries is not one of the k islands but L.
  When the long-term secret is kept in the networking island and the proactive secret sharing does not change it, the proactive secret sharing cannot contribute to the security of .

15 Notable Problems – Question 4
- How many peers are necessary to provide threshold protection in DSEM?
  Synchronous communication: allow at most t-1 servers to be compromised; need at least t servers to be correct
  P2P network: correct peers in P2P are not always connected to the network

16 Requirements for modified DSEM
- To reduce the overhead caused by subsharing, the system must perform a proactive secret sharing without subsharing.
- DSEM must perform signing or decrypting immediately. That is, the cryptographic service must be independent of migration.
- Only when all of , and the shares are periodically renewed at the same time can we make the execution of the proactive secret sharing meaningful in DSEM.
- Let be the maximum number of correct peers which are not currently connected to the network. We precisely define the number of servers as , where . So, -secret sharing.

17 Cryptographic Tools
- N-mRSA: removes the insecurity of releasing modulus operator,
- Combinatorial Secret Sharing: removes the execution of subsharing; no need to compute a polynomial; replication
- Server-Assisted Threshold Signature: for immediate cryptographic services

18 N-mRSA
- Key Setup (by CA)
  Splits the private exponent into two halves as follows.
  Transmits securely to the user and to the server.
- Signing
  User: ; Server: ; Candidate signature ( ); RSA signature
  2-bounded coalition offsetting Alg. in [6]

19 (k,t)-Combinatorial Secret Sharing [9]
- Create different sets of servers.
- Create a sharing for using -additive secret sharing.
- Any server, share set equals
  For any set of servers, where :

20 Server-Assisted Threshold Signature
- S. Xu et al. [14]
  A formal method to construct server-assisted threshold signature schemes.
  Hybrid of threshold signature and two-party signature.
- A practical instance
  Hybrid of N-mRSA and threshold RSA in [6]

21 (k,t)-Server-Assisted Threshold Signature
- Key setup (by CA)
  Splits the private exponent in the same way as N-mRSA => generates k share sets
  Transmits to the user, and each share set to the corresponding server, respectively
- Signing
  User: ; At least t servers: ; Candidate signature ( ); RSA signature
  (l+1)-bounded coalition offsetting Alg. in [6]

22 Architecture of our modified DSEM
- Key Setup
- Peer group (PG)
  Consists of trustworthy peers.
  Each peer (Gpeer) has share sets for users'
  (Figure: CA, User, HSEM, Peer group for threshold protection, Gpeer, Distributed SEM Network)

23 Modified DSEM
- Example: (4,3)-combinatorial secret sharing
  (Figure: Peer Group, HSEM, User; N-mRSA; periodic renewal and recovery; Server-Assisted Threshold Signature; recovery)

24 Modified DSEM – Periodic Renewal
- Omit the verifiable step
  (Figure: Peer Group, HSEM, User; each Gpeer updates its share set)
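Added example (not from the slides): the mRSA split of slide 4, the (4,3)-combinatorial secret sharing of slides 19 and 23, the server-assisted signing of slide 21 and the subsharing-free periodic renewal of slide 24, in Python with toy RSA parameters. It assumes the CA knows phi(n) and shares the SEM half additively modulo phi(n), so the coalition-offsetting step of [6] is not needed, and it generates the zero-sum renewal deltas centrally rather than by a protocol among the Gpeers; the verifiable step is omitted as on slide 24.

```python
import random
from itertools import combinations
from math import comb

# Toy RSA parameters (constructed for illustration only; far too small for real use).
P, Q = 61, 53
N = P * Q                 # modulus n
PHI = (P - 1) * (Q - 1)   # phi(n), known to the CA in mRSA (assumption: sharing is done mod phi(n))
E = 17
D = pow(E, -1, PHI)       # private exponent d

def split_mrsa(d, phi, rng=random):
    """mRSA key setup: the CA splits d into a user half and a SEM half, additively mod phi(n)."""
    d_user = rng.randrange(1, phi)
    return d_user, (d - d_user) % phi

def combinatorial_share(secret, k, t, modulus, rng=random):
    """(k,t)-combinatorial secret sharing of the SEM half: one additive share per
    (t-1)-subset B of the k servers; server i receives the shares of every B not containing i.
    Any t servers jointly hold all C(k,t-1) shares; any t-1 servers form some B and miss s_B."""
    subsets = list(combinations(range(k), t - 1))
    shares = {B: rng.randrange(modulus) for B in subsets[:-1]}
    shares[subsets[-1]] = (secret - sum(shares.values())) % modulus
    return {i: {B: s for B, s in shares.items() if i not in B} for i in range(k)}

def collect(share_sets, k, t):
    """Union of the responding servers' share sets (replicated shares are used once);
    None unless every (t-1)-subset is covered, i.e. fewer than t distinct servers answered."""
    pooled = {}
    for ss in share_sets:
        pooled.update(ss)
    return pooled if len(pooled) == comb(k, t - 1) else None

def reconstruct(share_sets, k, t, modulus):
    """Recover the shared SEM half from enough share sets (used only to check the sharing)."""
    pooled = collect(share_sets, k, t)
    return None if pooled is None else sum(pooled.values()) % modulus

def threshold_sign(m, d_user, share_sets, k, t, n):
    """Server-assisted threshold signature: the user's partial signature m^d_user times one
    partial signature m^s_B per distinct share held by the responding servers."""
    pooled = collect(share_sets, k, t)
    if pooled is None:
        return None          # fewer than t correct Gpeers reachable: no signature yet
    sig = pow(m, d_user, n)
    for s in pooled.values():
        sig = sig * pow(m, s, n) % n
    return sig

def refresh(share_sets, k, t, modulus, rng=random):
    """Periodic renewal without subsharing: zero-sum deltas are added to the shares in place,
    so every share set changes while the shared SEM half does not (deltas generated centrally here)."""
    subsets = list(combinations(range(k), t - 1))
    deltas = {B: rng.randrange(modulus) for B in subsets[:-1]}
    deltas[subsets[-1]] = (-sum(deltas.values())) % modulus
    for ss in share_sets.values():
        for B in ss:
            ss[B] = (ss[B] + deltas[B]) % modulus
```

With k=4 and t=3 each Gpeer holds three of the six shares, so any three peers cover all six while any two are missing exactly the share indexed by the pair they form.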

25 Desirable Features
- Removal of the insecurity of releasing
- Efficient and timely signing or decrypting
- Strong against denial of service attack
  In DSEM, the user cannot perform signing or decrypting until migration finishes.
  In our modified DSEM, the user can still perform signing or decrypting via the Server-Assisted Threshold Signature, although the performance is lower than N-mRSA.
- The cryptographic operation is independent of periodic renewal or recovery

26 Desirable Features
- Meaningful proactive secret sharing
  Our modified DSEM can appropriately renew a user's half, the corresponding half of SEM and the shares for the half of SEM.
- Simplified renewal and recovery
  Subsharing is unnecessary

27 Considerations
- Attack on threshold RSA [6] by S. Jarecki et al. [13]
  Threshold RSA in [6] is the basis of the cryptographic tools in our modified DSEM.
  Since the proactive scheme in our modified DSEM does not depend on subsharing, the adversary in [13] cannot succeed in learning the private exponent.
- The adversary can learn at most MSBs of the private exponent

28 Considerations
- The scheme by S. Koga et al. [12]
  A solution to prevent DoS attacks by picking out malicious requests through one-time IDs.
  Because the scheme in [12] does not consider the possibility of the corruption of SEM, it does not present a solution for recovering a compromised SEM.
  S. Koga et al.'s scheme can be used to support authentication of users' requests in our modified DSEM.

29 Conclusion and Future Work
- Reviewed G. Vanrenen et al.'s DSEM, and discussed four questions
- Derived four requirements to design our modified DSEM
- Designed a new model for a Distributed Security-Mediator
  Inherits the advantages of the original SEM
  Provides desirable features
- Comparison with the original DSEM
  Amount of speedup
  Amount of communication cost
Thank you for your attention. Useful comments?

30 References
1. Boneh, D., Ding, X., Tsudik, G., Wong, C.M., A method for fast revocation of public key certificates and security capabilities, 10th USENIX Security Symposium, pp. , (2001).
2. C. Adams and S. Lloyd, Understanding public-key infrastructure: concepts, standards, and deployment considerations, Indianapolis: Macmillan Technical Publishing, (1999).
3. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Optimal resilience proactive public key cryptosystems, IEEE Symposium on Foundations of Computer Science, pp. , (1997).
4. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Proactive RSA, Advances in Cryptology-CRYPTO 97, LNCS 1297, pp. , (1997).
5. G. Vanrenen, S.W. Smith, Distributing Security-Mediated PKI, 1st European PKI Workshop Research and Applications, LNCS 3093, pp. , (2004).
6. Haiyun Luo, Songwu Lu, Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks, UCLA Computer Science Technical Report , Oct. (2000).
7. Herzberg, A., Jakobsson, M., Jarecki, S., Krawczyk, H., Yung, M., Proactive public key and signature systems, ACM Conference on Computer and Communications Security, pp. , (1997).
8. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M., Proactive secret sharing or: How to cope with perpetual leakage, Advances in Cryptology-CRYPTO 95, LNCS 963, pp. , (1995).
9. Lidong Zhou, Towards Fault-Tolerant and Secure On-line Services, PhD Dissertation, Department of Computer Science, Cornell University, Ithaca, NY, USA, April (2001).
10. M. Naor and K. Nissim, Certificate revocation and certificate update, Proceedings 7th USENIX Security Symposium, San Antonio, Texas, pp. , (1998).
11. P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proc. of 28th FOCS, (1987).
12. S. Koga, K. Imamoto, and K. Sakurai, Enhancing Security of Security-Mediated PKI by One-time ID, 4th Annual PKI R&D Workshop, NIST, USA, April 19-21, (2005).
13. S. Jarecki, N. Saxena, and J. H. Yi, An Attack on the Proactive RSA Signature Scheme in the URSA Ad-Hoc Network Access Control Protocol, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp. 1-9, (2004).
14. S. Xu, R. Sandhu, Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures, CT-RSA, (2003).
15. Tal Rabin, A Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology-CRYPTO 98, LNCS 1462, pp. , (1998).