Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at.

Presentation transcript:

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware
Jong Youl Choi, Dept. of Computer Science, Indiana University at Bloomington
Philippe Golle, Palo Alto Research Center
Markus Jakobsson, School of Informatics, Indiana University at Bloomington

Page 1: Threats to Certificate Authorities
Stealing private key
– Malicious attack such as Trojan horse, virus
– Leaking CA’s private key via covert-channel
Hidden communication channel
– CAs use lots of random numbers
– Hard to prove randomness since it is directly related to privacy

Page 2: What is a covert channel?
Hidden communication channel
Steganography – Information hiding
[Figure: Original Image, Extracted Image]

Page 3: Prisoners' problem [Simmons, ’93]
Two prisoners want to exchange messages, but must do so through the warden
Subliminal channel in DSA
[Figure: "What Plan?", "Plan A"]

Page 4: Leaking attack on RSA-PSS
A random salt is used as a padding string in a signature
In the verification process, the salt is extracted from the message
Hidden information can be embedded in the salt
RSA-PSS : PKCS #1 V2.1

Page 5: Approaches
Need an observer to detect leaking
An observer investigates outputs from CA
[Figure labels: m, k, Pseudo Random Number Generator, Sig k, "Something hidden?", Certificate Authority, Malicious attack, Replacement of function]

Page 6: Hindsight
Observing is not easy because of a random number
– Looking innocuous
– Not revealing any state
Fine as long as a random number is generated in a designated way
Using hindsight, we detect abnormal behavior generating a random number

Page 7: Weakness of an observer
An observer can be attacked, causing a single point of failure
→ Public verifiability with multiple observers
[Figure labels: m, k, Pseudo Random Number Generator, Sig k, "Something hidden?", Certificate Authority]

Page 8: Undercover observer
CA outputs non-interactive proof as well as signature
Ambushes until verification is invalid
[Figure labels: m, k, Pseudo Random Number Generator, Sig k]

Page 9: Tamper-evident Chain
Predefined set of random values in lieu of random number on the fly
Hash chain verification
[Figure: hash chain built from Seed with h(): $s_n, \ldots, s_3, s_2, s_1, s_0$, alongside Sig 1, Sig 2, …, Sig n. Checks shown: $s_0 = h(s_1)$? $s_1 = h(s_2)$? $s_2 = h(s_3)$? … $s_{n-1} = h(s_n)$? A substituted $s'_3$ with Sig' 3 is also shown.]

Page 10: DSA Signature Scheme
Gen : $x \rightarrow y = g^{x} \bmod p$
Sign : $m \rightarrow (s, r)$, where $r = (g^{k} \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for random value $k$
Verify : For given signature $(s, r)$, $u_1 = h(m)\, s^{-1}$, $u_2 = r\, s^{-1}$, and check $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$

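Page 11: Hash chain construction
[Figure: PRNG (Seed) produces $k_1, k_2, k_3, \ldots, k_n$, with $r_1 = g^{k_1}$, $r_2 = g^{k_2}$, $r_3 = g^{k_3}$, …, $r_n = g^{k_n}$, chain values $w_0, w_1, w_2, w_3, \ldots, w_n$ linked by h(), and Sig 1, Sig 2, …, Sig n. Checks shown: $w_0 = h(r_1 \| w_1)$? $w_1 = h(r_2 \| w_2)$? $w_2 = h(r_3 \| w_3)$? … $w_{n-1} = h(r_n \| w_n)$? A substituted $k'_3$ with $r'_3 = g^{k'_3}$ and Sig' 3 is also shown.]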
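The chain check from this slide, as an added example that is not code from the presentation: the CA fixes its nonces in advance and publishes $w_0$, and an observer verifies $w_{i-1} = h(r_i \| w_i)$ for each released pair. The toy group, SHA-256 as $h$, the seed-derived nonces, the terminal $w_n$ and all function names are assumptions made for the illustration.

```python
import hashlib

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def link(r: int, w: bytes) -> bytes:
    """One chain step from the slide: w_{i-1} = h(r_i || w_i), h = SHA-256."""
    return hashlib.sha256(r.to_bytes(2, "big") + w).digest()

def nonce(seed: bytes, i: int) -> int:
    """Stand-in for the CA's PRNG (assumption): k_i in [1, q-1] from the seed."""
    d = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def build_chain(seed: bytes, n: int):
    """CA side: fix k_1..k_n up front, compute r_i = g^{k_i} mod p and w_n..w_0."""
    ks = [nonce(seed, i) for i in range(1, n + 1)]
    rs = [pow(G, k, P) for k in ks]
    ws = [b""] * (n + 1)
    ws[n] = hashlib.sha256(b"w_n" + seed).digest()  # terminal value (assumption)
    for i in range(n, 0, -1):
        ws[i - 1] = link(rs[i - 1], ws[i])
    return ks, rs, ws  # ws[0] is w_0, published before any signature is issued

def observe(w0: bytes, released):
    """Observer side: check every released (r_i, w_i) against the previous w.
    Returns the 1-based index of the first broken link, or None if all hold."""
    prev = w0
    for i, (r, w) in enumerate(released, start=1):
        if link(r, w) != prev:
            return i
        prev = w
    return None

def demo():
    ks, rs, ws = build_chain(b"constructed-seed", 5)
    honest = list(zip(rs, ws[1:]))            # (r_1, w_1) .. (r_5, w_5)
    k3_bad = ks[2] % (Q - 1) + 1              # substituted nonce k'_3 != k_3
    tampered = list(honest)
    tampered[2] = (pow(G, k3_bad, P), ws[3])  # r'_3 = g^{k'_3} with the real w_3
    return observe(ws[0], honest), observe(ws[0], tampered)

if __name__ == "__main__":
    print(demo())
```

The chain here commits to $g^{k_i} \bmod p$ as drawn on the slide, not to the DSA value reduced mod $q$.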

Page 12: Conclusion
Any leakage from CAs is dangerous
CAs are not strong enough against malicious attacks
We need observers which are under-cover
A small additional cost for proofs
Or, Send me s :