Josep Domingo-Ferrer Universitat Rovira i Virgili

1 Large-Scale Asynchronous Certification with Certificate Verification Trees
Josep Domingo-Ferrer, Universitat Rovira i Virgili. Louvain-la-Neuve, 17 January 2003

2 Contents
- Introduction
  - Certificates and revocation
  - CVTs
- A new proposal
  - Implicit revocation
- Assessment
- Summary and conclusion

3 Introduction
- Safe use of digital signatures requires certification of public keys
- A digital certificate consists of a ‘certificate statement’ (c-statement) and its signature by the CA
- Important issues:
  - Revocation
  - Large-scale certificate management

4 Approaches to Revocation
- Certificate Revocation Lists (CRL, X )
- Certificate Revocation Trees (CRT, Kocher 1999)
- Naor-Nissim Scheme (2-3 trees, 1998)
- Certificate Revocation System (CRS, Micali 1997)
- Short-validity certificates: they are valid until their expiration date (Rivest 2000)
- Certificate Verification Trees (CVT): certificates and revocation information are combined in a single Merkle tree (Gassko et al., 2000)

5 CVTs (1/3) CA builds a Merkle tree:
- Every leaf is a c-statement together with its hash value
- The hash values of sibling nodes are joined and the hash of the joint value is assigned to their parent node; this procedure iterates until the root node is reached
- CA signs the root node together with the date and additional information
- The cert-path of a c-statement is the path from the corresponding leaf node to the root, along with the necessary nodes to verify the leaf node hash

6 CVTs (2/3)
[Figure: Merkle tree built over the c-statements. The root value is RV = h(H5 || H6) and the CA computes Sign(RV||Date||Time).]

7 CVTs (3/3)
- A single signature certifies all public keys in the CVT (easy to change CA key)
- The CVT is updated on a regular basis:
  - Certificates are appended to the tree in batches
  - Updating the CVT only requires recomputing one signature; the rest of the work is hash value computations
- Historical queries can be handled easily
- Proof of certificate non-existence
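The CVT construction and cert-path check from slides 5 to 7, as an added example that is not part of the original presentation. Assumptions: SHA-256 as h, an HMAC standing in for the CA's signature over RV||Date, an unpaired node paired with itself, and constructed c-statements.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(c_statements):
    """Hash levels of the CVT: leaf hashes first, the root value RV last."""
    level = [h(c) for c in c_statements]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:  # assumption: an unpaired node is paired with itself
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def cert_path(levels, index):
    """Sibling hashes from leaf to root; the flag is True when the sibling is on the left."""
    path = []
    for level in levels[:-1]:
        path.append((index % 2 == 1, level[index ^ 1]))
        index //= 2
    return path

def root_from_path(c_statement, path):
    """Recompute RV from one c-statement and its cert-path."""
    node = h(c_statement)
    for sibling_on_left, sibling in path:
        node = h(sibling + node) if sibling_on_left else h(node + sibling)
    return node

def sign_root(ca_key, rv, date):
    # Stand-in for the CA's signature over RV||Date (assumption: HMAC, stdlib only).
    return hmac.new(ca_key, rv + b"||" + date, hashlib.sha256).digest()

def verify(c_statement, path, date, signature, ca_key):
    expected = sign_root(ca_key, root_from_path(c_statement, path), date)
    return hmac.compare_digest(expected, signature)

# Constructed sample data: five c-statements certified by one root signature.
CA_KEY = b"constructed-demo-ca-key"
DATE = b"2003-01-17"
STATEMENTS = [b"subject=signer-%d;pk=constructed" % i for i in range(5)]
LEVELS = build_levels(STATEMENTS)
SIGNATURE = sign_root(CA_KEY, LEVELS[-1][0], DATE)

if __name__ == "__main__":
    path = cert_path(LEVELS, 4)
    print(len(path), verify(STATEMENTS[4], path, DATE, SIGNATURE, CA_KEY))
```

Appending a batch changes RV, so a verifier needs the cert-path and root signature from the same CVT update.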

8 A New Proposal
- All advantages of CVTs are maintained
- The following features are added:
  - Batches of certificates can be requested without requiring substantial storage on the signer’s side
  - Convenient for short-validity certificates
  - Convenient when the signer’s device is a smart card
  - Implicit revocation

9 Asynchronous Certification Based on CVTs
- The signer requests batches of certificates without being forced to store the corresponding private keys
- Certificates can have a short validity
- The signer can use a new certificate as soon as the old one has expired
- It is assumed that the signer’s device is a smart card SC
- The scheme consists of three protocols: generation, signature and implicit revocation

10 Protocol 1: Generation
1. The signer’s SC generates a key k for a symmetric block cipher (e.g. DES, AES).
2. For i = 1 to m:
   (a) SC generates a public-private key pair (pki, ski)
   (b) SC encrypts ski under k and obtains Ek(ski)
   (c) SC sends (pki, Ek(ski)) to CA
   (d) SC deletes pki, ski and Ek(ski) from its memory
3. CA stores the Ek(ski) in a safe place
4. In the next CVT update, CA appends the pki received to the CVT

11 Generation
[Figure: the SC, holding k, sends (pki, E(ski)) to the CA m times. Elements shown: CVT (pk1 ... pkm), CA (E(sk1) ... E(skm)), SC (k).]

12 Generation
- The key pairs will be valid in consecutive time intervals
- Protocol 1 is run often enough to avoid running out of keys
- The larger the batch size m, the less often Protocol 1 must be run

13 Protocol 2: Signature at Interval t
1. If the signer’s SC already stores skt, then, if necessary, obtain the cert-path for pkt
2. Otherwise:
   (a) Delete the last stored skj
   (b) Obtain Ek(skt) from CA
   (c) Decrypt Ek(skt) to obtain skt
   (d) Obtain the certificate and the cert-path for pkt from the CVT
3. Sign using skt

14 Signature (Interval t)
[Figure: signature at interval t. Elements shown: CVT (pk1 ... pkm), cert(pkt), CA (E(sk1) ... E(skm)), E(skt), SC (k, skt, skj, cert(pkj)), signature.]

15 Signature
- SC only stores the current private key
- SC obtains a new certificate and its private key when the current one expires
- When signing, the cert-path must be appended to the signature

16 Protocol 3: Implicit Revocation
1. If SC is compromised or stolen, the CA is informed by the signer
2. CA stops serving encrypted private keys Ek(ski) to SC

17 Implicit Revocation (t)
[Figure: implicit revocation at interval t. Elements shown: CVT (pk1 ... pkm), CA (E(sk1) ... E(skm)), E(skt), SC (k, skj, cert(pkj)), signature.]

18 Implicit Revocation
- Protocol 3 implicitly revokes all certificates issued for future time intervals
- The current certificate is not revoked
- To eliminate the need for explicit revocation of the current certificate, short-validity certificates can be used
- A short-validity certificate is likely to expire before the intruder has time to tamper with SC and use it
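Protocols 1 to 3 traced end to end for one signer, as an added example that is not part of the original presentation. Assumptions: the class and function names are hypothetical, a SHA-256 keystream XOR stands in for the block cipher E_k, a hash of sk stands in for a real key pair, and certificates and cert-paths are left out.

```python
import hashlib
import secrets

def E(k, i, data):
    """Stand-in for the block cipher E_k (XOR with a SHA-256 keystream); demo only."""
    stream = hashlib.sha256(k + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def public_key(sk):
    return hashlib.sha256(b"pk" + sk).digest()  # stand-in for a real key pair

class CA:
    def __init__(self):
        self.escrow = {}       # i -> Ek(ski); the CA never holds k or ski
        self.cvt_batch = {}    # i -> pki, appended at the next CVT update
        self.serving = True
    def receive(self, i, pk, enc_sk):          # Protocol 1, steps 2(c), 3 and 4
        self.escrow[i], self.cvt_batch[i] = enc_sk, pk
    def serve(self, t):                        # Protocol 2, step 2(b)
        return self.escrow.get(t) if self.serving else None
    def report_compromise(self):               # Protocol 3
        self.serving = False

class SmartCard:
    def __init__(self, ca):
        self.ca, self.k, self.current = ca, secrets.token_bytes(32), None
    def generate(self, m):                     # Protocol 1
        for i in range(1, m + 1):
            sk = secrets.token_bytes(32)
            self.ca.receive(i, public_key(sk), E(self.k, i, sk))
            # step 2(d): pki, ski and Ek(ski) are not kept on the card
    def key_for(self, t):                      # Protocol 2
        if self.current and self.current[0] == t:
            return self.current[1]
        self.current = None                    # step 2(a): drop the previous sk
        enc_sk = self.ca.serve(t)
        if enc_sk is None:
            return None                        # implicit revocation: no key to sign with
        self.current = (t, E(self.k, t, enc_sk))
        return self.current[1]

def demo():
    ca = CA()
    card = SmartCard(ca)
    card.generate(3)
    matches = public_key(card.key_for(1)) == ca.cvt_batch[1]
    ca.report_compromise()
    return matches, card.key_for(1) is not None, card.key_for(2)
```

After `report_compromise()` the key for the current interval is still on the card while every later interval is refused, which is the gap the slides close with short-validity certificates.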

19 Efficiency Assessment
- Asynchronous certification. By requesting batches of certificates ahead of time, a new certificate can be used as soon as the current one expires
- Reduced storage. SC only stores a secret symmetric key (k), the current private key and the current certificate
- Implicit revocation. It allows certificates to be revoked without updating the CVT or publishing revocation information

20 Explicit vs Implicit Revocation
- Explicit revocation forces CA to publish revocation information. Even worse, it forces verifiers to check that information before accepting a signature as valid.
- Implicit revocation is better in that it prevents the private key corresponding to a revoked certificate from being used to sign
- Explicit revocation can be completely eliminated if our scheme is combined with short-validity certificates

21 Summary and Conclusion
- CVTs are a good data structure to manage large-scale CAs
- A scheme has been proposed which allows batches of certificates to be requested ahead of time without degrading security
- In case the SC is stolen or compromised, implicit revocation is used

22 Further Details in J.Domingo, M.Alba and F.Sebé, “Asynchronous Large-Scale Certification Based on Certificate Verification Trees”, Procs. of CMS’2001. Kluwer Academic Publishers, 2001, pp

