02/22/2005 Joint Seminar, Satoshi Koga, Information Technology & Security Lab., Kyushu Univ.: A Distributed Online Certificate Status Protocol with Low Communication Costs


Slide 1: A Distributed Online Certificate Status Protocol with Low Communication Costs
02/22/2005 Joint Seminar, Satoshi Koga, Information Technology & Security Lab., Kyushu Univ.
A preliminary version of this paper was presented at PKC 2004.

Slide 2: Background
Public Key Infrastructure (PKI)
– secure e-mail, authentication systems, etc.
Certificate revocation problem
– The certificate must be revoked if the user's private key is compromised or the user's personal information changes
– The verifier must check the revocation information

Slide 3: Certificate revocation
Compromise of the private key, or a change of personal information
– The certificate must be revoked
If a certificate is revoked…
– The certificate owner sends a revocation request to the CA that issued the certificate
– The CA should publish revocation information
– The certificate verifier should check the status of the certificate (is this certificate valid, or revoked?)

Slide 4: Certificate revocation systems
Certificate Revocation List (CRL)
– The list of revoked certificates
– The CRL is long, so communication costs are high
Online Certificate Status Protocol (OCSP)
– Provides an up-to-date response to certificate status queries
– Low communication costs

Slide 5: Online Certificate Status Protocol (OCSP)
The responder checks the status of a certificate on behalf of users
– The user requests the status of a certificate
– The responder sends a response including the status of the requested certificate
– Mitigates the load on the user
– Reduces communication costs compared with a CRL
[Figure: the CA supplies revocation information to the responder; the user sends a request to the responder and receives a response]

Slide 6: OCSP (cont'd)
Security
– Responses are signed by the OCSP responder
Communication costs
– A user receives one response
– Independent of the number of revoked certificates
Problem
– High computation cost at the OCSP responder, so it is vulnerable to Denial-of-Service (DoS) attacks

Slide 7: Motivation
Centralized OCSP
– Compromise of the responder's private key affects the entire system
Protection of the private key
– Hardware Security Module (FIPS 140-2 by NIST)
– Threshold cryptography: each server holds a share of the private key, and a predetermined number of servers must cooperate in order to perform the operation
Private key exposures appear to be unavoidable

Slide 8: Distributed OCSP
Minimize the damage caused by exposure of a responder's key
A Distributed OCSP (D-OCSP) composed of multiple responders
– Each responder has a different private key, so if one responder's private key is compromised, the others cannot be derived from it

Slide 9: Traditional D-OCSP
[Figure: the CA issues the CA's certificate and a certificate for each of responders 1 to n, which hold key pairs (PK_1, SK_1), (PK_2, SK_2), ..., (PK_n, SK_n); the user receives a response plus its signature]
To eliminate validation of certificate revocation, the CA issues responders' certificates with a short lifetime

Slide 10: Challenging issue
Responder's certificate with a short lifetime
– Whenever the client receives a response, she must download the responder's certificate
– Communication cost is inefficient
Responder's certificate with a long lifetime
– The client needs to obtain the different responders' certificates
– The client must store multiple certificates

Slide 11: Our Proposed Distributed OCSP
To mitigate the damage caused by exposure of a responder's private key: a distributed OCSP (D-OCSP)
Propose an efficient D-OCSP
– The client can verify any response using a single public key
– The client obtains just a single certificate

Slide 12: Our idea
To generate the responders' private keys
– Use the Key-Insulated Signature scheme (KIS) [DO03]
– Each responder has a different private key, but the corresponding public key remains fixed
– The client can verify any response using a single public key
To validate a responder's private key
– Use NOVOMODO [M02]
[DO03] Y. Dodis et al., "Strong Key-Insulated Signature Schemes", PKC 2003.
[M02] S. Micali, "NOVOMODO", 1st Annual PKI Research Workshop, 2002.

Slide 13: Key-insulated signature scheme (KIS)
– The lifetime of the protocol is divided into short time periods
– At the beginning of period i, the private key is updated
– The private key is updated frequently, but the corresponding public key PK is fixed
– Even if SK_i is exposed, the attacker cannot forge signatures for any other time period (key-insulated security)
[Figure: lifetime divided into period 1, period 2, ..., period i, ..., period T with private keys SK_1, SK_2, ..., SK_i, ..., SK_T and a single public key PK]

Slide 14: Update algorithm in KIS
– The master key SK* is stored on the secure device
– The secure device computes the partial key SK_i'
– The signer derives SK_{i+1} using the partial key SK_i' and SK_i
– Once SK_{i+1} is derived, SK_i is deleted
– If an attacker learns SK_i, she cannot derive any other private key (as long as SK* is secure)
[Figure: the secure device holding SK* issues partial keys SK_1', ..., SK_T' to the signer, whose key runs SK_1, SK_2, ..., SK_T over periods 1 to T]

Slide 15: Our method
– Responders' private keys are generated using the key-insulated signature scheme
– n (= the number of responders) private keys are generated at the first stage
– All signatures can be verified using a fixed public key (key-insulated security)

Slide 16: Decentralization method
– The CA stores the master key
– The CA generates n private keys using the key update algorithm in KIS
– The CA delivers a private key to each responder securely
– The user must check that the responder's private key is not revoked
[Figure: the CA delivers SK_1, SK_2, ..., SK_n to responders 1, 2, ..., n, which share one responder public key]

Slide 17: Validation of responder's private key
Use NOVOMODO [M02]
– Using a one-way hash function h
– Generate the following hash chain from an input value X_T: X_{T-1} = h(X_T), X_{T-2} = h(X_{T-1}), ..., X_0 = h(X_1)
– At period t, the verifier checks the following equation: X_0 = h^t(X_t)

Slide 18: Issuance of responder's certificate
– The CA produces n hash chains and stores them securely
– The CA issues the responder's certificate C_res = Sig_CA(D, PK_res, X_{0,1}, X_{0,2}, …, X_{0,n}), where D is the certificate data
[Figure: for each responder i = 1, ..., n, a chain X_{T,i} → h → X_{T-1,i} → h → X_{T-2,i} → … → h → X_{0,i}]

Slide 19: Validation process
– If the responder's private key is valid at period t, the CA delivers the hash value X_{t,i} to responder i
– The responder sends both the signed response and this hash value
– The user checks the following equation at period t: X_{0,i} = h^t(X_{t,i})
– The user can thus verify the responder's private key using only the hash function
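As an added illustration of slides 17 to 19 (not code from the slides or the paper), the per-responder hash chains, the roots X_{0,i} bound into the responder certificate, and the client check X_{0,i} = h^t(X_{t,i}); it assumes SHA-256 as h and leaves Sig_CA over the certificate out.

```python
from __future__ import annotations
import hashlib
import secrets

# Added illustration of slides 17 to 19 (not the paper's code): one NOVOMODO
# hash chain per responder, the roots X_{0,i} bound into the responder
# certificate, and the client check X_{0,i} = h^t(X_{t,i}) at period t.
# Assumed: h is SHA-256; Sig_CA over the certificate is left out.

def h(x: bytes) -> bytes:
    """One-way hash function h used to build the chain (SHA-256 assumed)."""
    return hashlib.sha256(x).digest()

def build_chain(periods: int, seed: bytes | None = None) -> list[bytes]:
    """Return [X_0, ..., X_T]: X_T is the secret input value and X_{j-1} = h(X_j)."""
    x_t = seed if seed is not None else secrets.token_bytes(32)
    chain = [x_t]
    for _ in range(periods):
        chain.append(h(chain[-1]))
    chain.reverse()  # chain[j] is now X_j; chain[0] = X_0 is the public root
    return chain

def ca_setup(n: int, periods: int) -> tuple[dict, list[list[bytes]]]:
    """The CA builds n chains, keeps them secret and publishes every X_{0,i} in C_res."""
    chains = [build_chain(periods) for _ in range(n)]
    cert = {"D": "certificate data (placeholder)",
            "PK_res": "fixed KIS public key (placeholder)",
            "X0": [c[0] for c in chains]}  # X_{0,1}, ..., X_{0,n}
    return cert, chains

def ca_release(chains: list[list[bytes]], i: int, t: int,
               revoked: frozenset[int] = frozenset()) -> bytes | None:
    """At period t the CA hands X_{t,i} to responder i only while its key is not revoked."""
    return None if i in revoked else chains[i][t]

def client_verify(cert: dict, i: int, t: int, x_t_i: bytes | None) -> bool:
    """Slide 19 check: apply h t times to the received value and compare with X_{0,i}."""
    if x_t_i is None:
        return False  # responder could not supply a value for this period: treat as revoked
    value = x_t_i
    for _ in range(t):
        value = h(value)
    return value == cert["X0"][i]
```

A value released for period t also validates the earlier periods (h(X_t) = X_{t-1}), but not period t+1, which is exactly the one-way property slide 21 relies on.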

Slide 20: Our Proposed D-OCSP
[Figure: the CA issues the CA's certificate and a single responder's certificate; responders 1, 2, ..., n hold SK_1, SK_2, ..., SK_n and receive X_{t,1}, X_{t,2}, ..., X_{t,n} from the CA; the user receives a response + X_{t,i} from responder i]

Slide 21: Discussions
Security
– If one private key is exposed, the attacker cannot derive the others (key-insulated security)
– If the attacker obtains the hash value, she cannot derive the next hash value (one-way function)
Minimizes the impact of a responder's private key exposure

Slide 22: Discussions (cont'd)
Communication costs
– The client can check any response using a single public key
– The client obtains only one responder's certificate, so the communication cost is efficient
– The client stores only one certificate, so the memory space is small
Computational costs
– Signing cost and verification cost are less efficient

Slide 23: Efficiency

                                             Traditional D-OCSP (DSA)   Our proposed D-OCSP (KIS)
Size of a response                           1750-1950 bytes            250-350 bytes
Verification costs (# of multiplications)    3+EX|q|                    t+2+3EX|q|
Signature costs (# of multiplications)       2+EX|q|                    2+2EX|q|

・ OpenSSL
・ CA's key size: 2048 bit
・ Responder's key size: 1024 bit
・ EX: # of multiplications required to compute an exponentiation
・ |q| = 160
・ t = (# of responders)

Slide 24: Conclusion
Centralized OCSP
– Compromise of the private key affects the entire system
– Mitigate the damage caused by compromise of a responder
Efficient distributed OCSP
– Apply the key-insulated signature scheme and NOVOMODO
– Any response can be checked using the fixed public key

