Slide 1: A Framework for Distributed OCSP without Responders Certificate
Young-Ho Park, Kyung-Hyune Rhee, Pukyong National University, WISA 2004
Slide 2: Public Key Certificate
- Public Key Infrastructure (PKI): the main architecture for security services over the Internet
- Public key certificate: binds a public key to the owner's identity information; digitally signed and certified by a trusted certificate authority (CA)
- Certificate revocation: compromise of the key or abuse by the owner
  - Certificate Revocation List (CRL)
  - Online Certificate Status Protocol (OCSP)

In a PKI, every user must obtain a public key certificate issued by a trusted certificate authority for secure transactions over the Internet. The certificate is digitally signed by the CA and is used for authentication, to identify the owner of the public key. A certificate is a long-term credential, and it may be revoked before its expiration date because the key was compromised or the owner abused it. Hence, before using a certificate, you must check whether it is valid or revoked, using a CRL or OCSP.

Lab. of Information security & Internet Applications, PKNU
Slide 3: Online Certificate Status Protocol
- Checks the validity of a certificate at the time of a given transaction
- The OCSP responder provides a digitally signed response
- A client can retrieve timely certificate status with moderate resource usage
- Single responder: most of the workload converges on the responder; a digital signature is a computation-consuming operation; denial of service
- Figure: CA, Responder, X.500 directory; Request / Response (Good, Revoked or Unknown; Validity Interval; Signature)

The Online Certificate Status Protocol is one means of checking the validity of a certificate. If timely status information is required, OCSP is preferred. When a client requests status information for a certificate from the OCSP responder, the responder examines the status of the requested certificate and returns a response carrying the responder's digital signature over the response message. The status in the response is one of good, revoked or unknown. When the client receives the response message, it first verifies the responder's signature and then accepts the response. Generally the OCSP responder is a single server, and a digital signature is a computation-consuming operation, so if many clients converge on one responder, a single-point-of-failure problem or DoS is possible because of the heavy burden of processing all responses.
Slide 4: Distributed OCSP
- Composed of multiple OCSP responders, sharing and balancing the workload of OCSP responses
- A client can choose any one responder
- The responder's certificate is required to verify the signature in the response, in both OCSP and D-OCSP
- In D-OCSP: using the same private signing key for every responder gives easy key management but a high risk of key exposure; using different private keys increases the complexity of key management

Distributed OCSP is a countermeasure to the single OCSP responder. D-OCSP is composed of multiple responders, and each responder shares the burden of OCSP responses. A client can select one of those responders, and the responder returns a response including its digital signature. To verify the responder's signature, the client must obtain the replying responder's certificate and check the status of that responder certificate as well. Therefore efficient key management is required for multiple responders. If all responders share the same private key for digital signatures, key management is easy, but the risk of key exposure is critical for the system, because the compromise of one responder is equal to the compromise of all responders. However, if every responder has a different key, the system is more secure but key management is more complex.
Slide 5: KIS-D-OCSP (1) [S. Koga and K. Sakurai, PKC 2004]
- One solution for efficient certificate management with multiple responders
- Key-insulated signature (KIS) scheme and hash chains
- A different private key for every responder, but the same public key for signature verification
- Only one certificate is required for multiple responders
- Private key exposure at one responder does not affect the other responders
- A hash chain is used to check the validity of a responder in the given time period

Koga and Sakurai proposed one solution for efficient certificate management in D-OCSP. The scheme uses a key-insulated signature scheme and hash chains to manage the responders' certificates. With a key-insulated signature scheme, different private keys with just one corresponding public key are possible, so only one certificate is needed for all responders. To check the timeliness of a responder, a hash chain is used.
Slide 6: KIS-D-OCSP (2) Key Generation
- The CA distributes a private key to every responder
- Figure: CA (Master Key, Key Generator, Public Key) sends a private key for signatures to R1 ... Rn over a secure channel

To generate and distribute every responder's private key for digital signatures, the CA chooses a master secret and calculates its corresponding public key. Then, if the number of responders is n, the CA generates n private keys for the responders by applying the KIS key generation algorithm and securely distributes the keys to each responder.
Slide 7: KIS-D-OCSP (3) Hash chain
- For total time periods and responders
- CA provides at time period to responder
- Validity checks at for responder: checking if is true
- Responder Certificate: CA keeps securely
- Certificate fields: SN: serial number; I, J: Issuer and Subject; V: valid time period

Then, the CA generates hash chains to be used for timeliness checking. If the total number of time periods is T, the CA generates T chained hash values for each responder and keeps the first element securely. Each hash value is used for one given time period. If the time period is one day, 365 hash values are generated per responder. The client checks the timeliness of a responder by checking the hash chain at the given time period. The CA issues one certificate for all responders. This certificate includes the KIS public key and the first hash value of the hash chain of every responder.
Slide 8: KIS-D-OCSP (4) System
- CA: generates and distributes private keys to every responder; provides hash values for the current time period
- Client: requests service from one responder (R1 ... Rn); receives Response, KIS-Signature, hash value
- Client checks on the responder certificate: verifying the CA signature and checking the expiration of the certificate; checking the hash chain; verifying the signature in the response
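The hash-chain timeliness check from slides 7 and 8, as an added illustration in Python (not the authors' code). It assumes SHA-256 as the chain hash, periods numbered 0..T, that the CA keeps the seed secret and publishes H^T(seed) in the responder certificate as the chain anchor, and that the value released for period t is H^(T-t)(seed); the client hashes the released value t times (or t-i times from a value it already verified for period i, the "(t-i) hashing" cost of slide 14) and compares.

```python
import hashlib
import secrets
from typing import Optional

# Assumed parameters (not fixed by the slides): SHA-256 chain hash,
# T = 365 daily periods, anchor = H^T(seed), released value h_t = H^(T-t)(seed).
T = 365


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def ca_setup(periods: int = T) -> tuple[bytes, bytes]:
    """CA side: pick a secret seed and compute the anchor H^T(seed) that is
    placed in the responder certificate. Only the seed must be kept secret."""
    seed = secrets.token_bytes(32)
    anchor = seed
    for _ in range(periods):
        anchor = H(anchor)
    return seed, anchor


def ca_release(seed: bytes, t: int, periods: int = T) -> bytes:
    """CA side: the value handed to the responder for period t is H^(T-t)(seed).
    Because H is one-way, holding h_t gives no value for any later period."""
    if not 0 <= t <= periods:
        raise ValueError("period out of range")
    h = seed
    for _ in range(periods - t):
        h = H(h)
    return h


def client_verify(h_t: bytes, t: int, anchor: bytes,
                  cached: Optional[tuple[int, bytes]] = None) -> bool:
    """Client side: accept h_t for period t iff H^t(h_t) == anchor.
    With a cached, already-verified (i, h_i) for some i <= t, the client
    only needs t-i hash evaluations: H^(t-i)(h_t) must equal h_i."""
    i, target = cached if cached is not None else (0, anchor)
    if i > t:
        return False  # a cached value from a later period cannot vouch for an earlier one
    h = h_t
    for _ in range(t - i):
        h = H(h)
    return h == target
```

A responder whose value for period t fails this check is treated as not valid for that period, independently of whether its KIS signature on the response verifies.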
Slide 9: IBS-D-OCSP (1) Applying an identity-based signature (IBS) scheme
- OCSP responder certificates for certificate management?
- Motivations:
  - Different private keys can be generated from the same master key with different identifier strings
  - The identifier itself can serve as the public key; this removes the overhead of certificate management for responders (KIS-D-OCSP requires at least one certificate)
  - Date information can be encoded into the keying material; the date is common knowledge, so no hash chain is required to check validity for the given time period

KIS-D-OCSP is one solution for efficient key management with multiple responders. However, it still requires the management of at least one certificate. Our main contribution is removing the overhead of certificate management for responders, so we apply an identity-based signature scheme. Identity-based cryptosystems are an alternative that reduces certificate management in a PKI, and they are currently one of the main research topics in public key cryptography. In an ID-based system, different private keys can be generated from the same master key with different identifier strings, and the identifier of a communicating party itself can serve as its public key. Therefore, if the identifier of the communicating party is known to the system, the certificate binding a public key to its owner can be removed. Furthermore, since date information can be encoded into the keying material during key generation, a hash chain as in KIS-D-OCSP is not required.
Slide 10: IBS-D-OCSP (2) Implementation Issues
- Identity-based signature scheme [J. Cha and J. Cheon, PKC 2003]
- Bilinear pairing: Weil and Tate pairing on an elliptic curve
- Identifiers of responders: the certificate contains OCSP_URI, certified by the CA
- Ex.) Keying ID = "CA || Responder_URI || "
- The ID itself is the public key for IBS verification

To design our system, we apply the IBS proposed by Cha and Cheon. Most recently proposed ID-based schemes are based on pairings defined on an elliptic curve. One of the main issues in implementing an ID-based system is which identifier can be used as keying material. Generally, when the CA issues a certificate, the certificate contains OCSP_URI for the OCSP request service, and the contents of the certificate are certified by the CA. Therefore we can directly use OCSP_URI and the current date as the keying material for the IBS signature, if the time period is one day.
Slide 11: IBS-D-OCSP (3) Key Generation
- The CA generates private keys for the responders' identifiers
- Figure: CA (Master Key, Key Generator) takes identifier1 ... identifiern and date info., and sends each private key to R1 ... Rn over a secure channel

To distribute each responder's private key, the CA first chooses its master secret and calculates its corresponding public key. Then the CA computes each responder's private key from the responder's identifier and the current date, and securely distributes the keys.
Slide 12: IBS-D-OCSP (4) System
- CA: distributes private keys for the given time period
- Client: requests service from one of the responders (R1 ... Rn); receives Response, IBS-Signature
- Client checks: calculating the public key from the responder identifier and date info.; verifying the signature in the response
Slide 13: Security
- The security of a signature relies on the underlying IBS
- Assuming the CA is a trusted authority, the master key is not disclosed
- It is difficult to compute a private key from an identifier without knowing the master key: DLP (Discrete Logarithm Problem)
- Date information is encoded in the keying material, so keys are only valid for the given time period
Slide 14: Efficiency, comparing KIS-D-OCSP and IBS-D-OCSP
- Master public key size: KIS-D-OCSP, proportional to the number of responders; IBS-D-OCSP, constant in the number of responders
- Responder certificates: KIS-D-OCSP, at least one certificate for the responders; IBS-D-OCSP, no certificate for the responders
- CA storage: KIS-D-OCSP, CA stores hash values securely; IBS-D-OCSP, CA stores no hash values
- Responder return value: KIS-D-OCSP, {response, signature, hash}; IBS-D-OCSP, {response, signature}
- Client verification cost: KIS-D-OCSP, 2 signature verifications + (t-i) hashing; IBS-D-OCSP, 1 signature verification
- Timely validity: KIS-D-OCSP, hash chains; IBS-D-OCSP, date info. encoded into the keying material
- Per time period: KIS-D-OCSP, update hash values; IBS-D-OCSP, refresh private keys
Slide 15: Conclusion
- Public key certificates are essential for a secure Internet
- Certificate validity checking is required; OCSP is one solution
- Proposed an efficient D-OCSP framework, IBS-D-OCSP: removes the responders' certificate and requires no additional certificate management
- Any other efficient IBS scheme can be applied to the system