Sakurai Lab. Information Technology & Security Lab.

Slide 1: Practical Revisits for Implementing the Distributing Security-Mediated PKI (Ongoing work)
Jong-Phil Yang, bogus@itslab.csce.kyushu-u.ac.jp
Sakurai Laboratory, Kyushu University
Slide 2: Certificate Revocation in PKI
X.509 certificate in Public Key Infrastructure (PKI)
  - A signed binding of a public key to certain properties (e.g., a user's identity)
  - When the binding ceases to hold, the certificate needs to be revoked
Certificate revocation techniques
  - Methods for propagating revocation information to relying parties
Schemes
  - Certificate Revocation Lists (CRLs)
  - Online Certificate Status Protocol (OCSP)
  - Variants of CRLs: Delta CRLs, Indirect CRLs
  - Certificate Revocation Tree (CRT)
  - Certificate Revocation System (CRS)
Slide 3: Semi-Trusted Mediator (SEM)
Basic idea: Boneh et al. [1]
  - Alice to SEM: "Please help me sign message M"
  - SEM returns a partial signature; combined with Alice's part it yields the signature
  - Immediate revocation of users' signing ability
(Figure labels: Alice, Bob, SEM, CA)
Slide 4: Mediated RSA (mRSA)
Direct application of 2-out-of-2 threshold RSA
  - Let be a user's public key, be the private key; the CA splits. The user has, SEM has.
Signing
  - User's partial signature
  - SEM's partial signature
  - RSA signature
(Figure labels: RSA key generation; RSA signing / verification)
Slide 5: Distributing Security-Mediated PKI
Disadvantages of SEM: G. Vanrenen et al. [5]
  - Temporary denial of service if the network is partitioned
  - Permanent denial of service if the SEM suffers a serious failure
  - Inability to revoke the key pair if an adversary compromises the SEM and learns its secrets
Distributed SEM (DSEM)
  - Consists of trustworthy islands in a P2P network
  - Each island may still become compromised by the adversary
  - Each island may also become unavailable, due to crash or partition
  - Building blocks: threshold cryptography, proactive secret sharing, migration
Slide 6: RSA or DL based threshold signatures
Response time to generate a signature, (5,3) threshold:
  - mRSA
  - DL based two-party signature
  - RSA based threshold signature
  - DL based threshold signature
(Chart values not captured)
References on the slide:
  - R. Gennaro, S. Jarecki, and H. Krawczyk, Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems, RSA Security '03 (2003).
  - T. Rabin, Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology, CRYPTO '98, LNCS 1462 (1998).
Slide 8: RSA or DL based threshold signatures
Message traffic, 1024-bit key size:
  - RSA based threshold signature
  - DL based threshold signature
  - DKG (Distributed Key Generation): used to verifiably distribute shares of a one-time secret parameter
(Chart values not captured)
Slide 9: RSA or DL based threshold signatures
Which is the more important factor: communication cost or computation cost?
For example:
  - Application to large-scale MANETs: DL-based threshold signatures are not suitable; for small-scale MANETs they are suitable
  - Application to a distributed system with high computing power: RSA-based threshold signatures are suitable
In the near-future model (using threshold computation)
  - The rapid progress of computing power in mobile devices
  - Redundancy of resources
  - Computation cost > Communication cost
Slide 10: DSEM – Key Setup
(Figure labels: CA, User, Island, SEM Server, Distributed SEM Network)
  - Key setup uses mRSA
  - Shares of are held by random islands under a -secret sharing
  - The shares are proactively updated
Slide 11: DSEM – Migration
If a user issues a request but the island holding is not available, the user selects another island M and requests migration.
(Figure labels: User, Island M, Distributed SEM Network, random islands, Island L down)
  - Reconstruct shares of
  - Update shares
  - M must know to interpolate the polynomial used in the secret sharing
Slide 12: Notable Problems – Question 1
How can k islands perform a proactive secret sharing efficiently?
After key setup, k islands periodically participate in a proactive secret sharing for, as in [3][4][7][8].
  - The schemes in [7][8]: based on discrete logarithm
  - The scheme in [4]: instead of
  - The scheme in [3]: low performance, caused by performing subsharing as many times as k
Slide 13: Notable Problems – Question 2
Is DSEM always performed as efficiently as SEM?
In case the scheme in [4] or [15] is used:
  - (k,k)-additive secret sharing
  - (k,t)-polynomial secret sharing for each share
(Figure labels: Island A, Island B, reconstruct, M, Alice)
DSEM cannot provide signing or decrypting before finishing the complex migration caused by reconstructing the corrupted share.
Slide 14: Notable Problems – Question 3
Is the execution of the proactive secret sharing meaningful?
  - Since a long-term secret is stored in L, the target of adversaries is not one of the k islands but L.
  - When the long-term secret is kept in the networking island and the proactive secret sharing does not change it, the proactive secret sharing cannot contribute to the security of.
Slide 15: Notable Problems – Question 4
How many peers are necessary to provide threshold protection in DSEM?
Synchronous communication
  - Allows at most t-1 servers to be compromised
  - Needs at least t servers to be correct
P2P network
  - Correct peers in a P2P network are not always connected to the network
Slide 16: Requirements for the modified DSEM
  1. To reduce the overhead caused by subsharing, the system must perform a proactive secret sharing without subsharing.
  2. DSEM must perform signing or decrypting immediately; that is, the cryptographic service must be independent of migration.
  3. Only when all of, and shares are periodically renewed at the same time can we make the execution of the proactive secret sharing meaningful in DSEM.
  4. Let be the maximum number of correct peers which are not currently connected to the network. We precisely define the number of servers as, where. So, -secret sharing.
Slide 17: Cryptographic Tools
N-mRSA
  - Removes the insecurity of releasing the modulus operator,
Combinatorial secret sharing
  - Removes the execution of subsharing
  - No need to compute a polynomial
  - Replication
Server-assisted threshold signature
  - For immediate cryptographic services
Slide 18: N-mRSA
Key setup (by CA)
  - Splits the private exponent into two halves as follows.
  - Transmits securely to the user and to the server.
Signing
  - User:
  - Server:
  - Candidate signature ( )
  - RSA signature, obtained with the 2-bounded coalition offsetting algorithm in [6]
Slide 19: (k,t)-Combinatorial Secret Sharing [9]
  - Create different sets of servers.
  - Create a sharing for using -additive secret sharing.
  - For any server, the share set equals
  - For any set of servers, where:
Slide 20: Server-Assisted Threshold Signature
S. Xu et al. [14]
  - A formal method to construct server-assisted threshold signature schemes
  - Hybrid of threshold signature and two-party signature
A practical instance
  - Hybrid of N-mRSA and the threshold RSA in [6]
Slide 21: (k,t)-Server-Assisted Threshold Signature
Key setup (by CA)
  - Splits the private exponent in the same way as N-mRSA, then generates k share sets
  - Transmits to the user, and each share set to the corresponding server, respectively
Signing
  - User:
  - At least t servers:
  - Candidate signature ( )
  - RSA signature, obtained with the (l+1)-bounded coalition offsetting algorithm in [6]
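The N-mRSA split (slide 18), the (k,t)-combinatorial sharing of the server half (slide 19) and the server-assisted threshold signing (slide 21) carried through in one added example; this is not the presentation's own code and uses constructed toy RSA parameters. It assumes, in the style of the threshold RSA in [6], that the exponent halves are added modulo n rather than phi(n) and that coalition offsetting strips factors of m^n from the candidate until the RSA equation verifies; the function names are mine.

```python
from itertools import combinations
import random

P, Q, E = 1009, 1013, 65537            # constructed toy primes, never for real use
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                    # RSA private exponent d = e^-1 mod phi(n)
RNG = random.Random(7)                 # fixed seed so the demo is reproducible

def split_nmrsa(d, rng=RNG):
    """N-mRSA split (assumed after [6]): d = d_u + d_s (mod n). Splitting
    modulo n instead of phi(n) means phi(n) is never handed to either party."""
    d_u = rng.randrange(1, N)
    return d_u, (d - d_u) % N

def offsetting(cand, m, bound):
    """j-bounded coalition offsetting: cand == m^(d + j*n), 0 <= j < bound,
    because exponents were summed mod n; peel off m^n until it verifies."""
    inv_mn = pow(pow(m, N, N), -1, N)  # needs gcd(m, n) = 1, true for almost all m
    for _ in range(bound):
        if pow(cand, E, N) == m % N:   # RSA verification: cand^e == m (mod n)
            return cand
        cand = cand * inv_mn % N
    return None                        # no candidate verified: a half is missing

def sign_nmrsa(m, d_u, d_s):
    """User half and single SEM half; at most two candidates (j in {0, 1})."""
    return offsetting(pow(m, d_u, N) * pow(m, d_s, N) % N, m, 2)

def share_combinatorial(secret, k, t, rng=RNG):
    """(k,t)-combinatorial secret sharing [9]: one additive share s_S per
    (t-1)-subset S of the k servers; s_S is replicated to every server not in S.
    Any t servers jointly hold all shares; any t-1 servers miss their own s_S."""
    subsets = list(combinations(range(k), t - 1))
    shares = [rng.randrange(N) for _ in subsets[:-1]]
    shares.append((secret - sum(shares)) % N)          # shares sum to secret mod n
    holdings = {i: {S: s for S, s in zip(subsets, shares) if i not in S}
                for i in range(k)}
    return holdings, len(subsets)                       # len(subsets) is l

def sign_threshold(m, d_u, holdings, servers, l):
    """Server-assisted threshold signing: the participating servers use each
    share set exactly once, then (l+1)-bounded offsetting yields m^d mod n."""
    pooled = {}
    for i in servers:
        pooled.update(holdings[i])     # keyed by subset, so replicas collapse
    if len(pooled) < l:
        return None                    # fewer than t correct servers took part
    cand = pow(m, d_u, N)
    for s in pooled.values():
        cand = cand * pow(m, s, N) % N
    return offsetting(cand, m, l + 1)
```

With k=4 and t=3 (the slide 23 example) there are l=6 share sets, every server holds three of them, and any two servers together still miss exactly one, so `sign_threshold` returns None for them.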
Slide 22: Architecture of our modified DSEM
Key setup
  - Peer group (PG): consists of trustworthy peers
  - Each peer (Gpeer) has share sets for users'
(Figure labels: CA, User, HSEM, Peer group for threshold protection, Gpeer, Distributed SEM Network)
Slide 23: Modified DSEM
Example: (4,3)-combinatorial secret sharing
(Figure labels: Peer Group, HSEM, User, N-mRSA, ?, Periodic Renewal and Recovery, Server-Assisted Threshold Signature, Recovery)
Slide 24: Modified DSEM – Periodic Renewal
(The verifiable step is omitted)
(Figure labels: Peer Group, HSEM, User)
  - Each Gpeer updates its share set
Slide 25: Desirable Features
Removal of the insecurity of releasing
Efficient and timely signing or decrypting
Strong against denial of service attacks
  - In DSEM, the user cannot perform signing or decrypting until MIGRATION finishes
  - In our modified DSEM, the user can still perform signing or decrypting via the server-assisted threshold signature, although the performance is lower than N-mRSA
  - The cryptographic operation is independent of periodic renewal or recovery
Slide 26: Desirable Features
Meaningful proactive secret sharing
  - Our modified DSEM can appropriately renew a user half, the corresponding half of the SEM, and the shares of the SEM half
Simplified renewal and recovery
  - Subsharing is unnecessary
Slide 27: Considerations
Attack on the threshold RSA of [6] by S. Jarecki et al. [13]
  - The threshold RSA in [6] is the basis of the cryptographic tools in our modified DSEM
  - Since the proactive scheme in our modified DSEM does not depend on subsharing, the adversary of [13] cannot succeed in learning the private exponent
  - The adversary can learn at most MSBs of the private exponent
Slide 28: Considerations
The scheme by S. Koga et al. [12]
  - A solution to prevent DoS attacks by picking out malicious requests through one-time IDs
  - The scheme in [12] does not consider the possibility of corruption of the SEM, and it does not present a solution for recovering a compromised SEM
  - S. Koga et al.'s scheme can be used to support authentication of users' requests in our modified DSEM
Slide 29: Conclusion and Future Work
  - Reviewed G. Vanrenen et al.'s DSEM and discussed four questions
  - Derived four requirements to design our modified DSEM
  - Designed a new model for a Distributed Security Mediator
    - Succeeds to the advantages of the original SEM
    - Provides desirable features
Future work: comparison with the original DSEM
  - Amount of speedup
  - Amount of communication cost
Thank you for your attention. Useful comments?
Slide 30: References
1. D. Boneh, X. Ding, G. Tsudik, C. M. Wong, A method for fast revocation of public key certificates and security capabilities, 10th USENIX Security Symposium, pp. 297-308 (2001).
2. C. Adams and S. Lloyd, Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations, Indianapolis: Macmillan Technical Publishing (1999).
3. Y. Frankel, P. Gemmell, P. D. MacKenzie, M. Yung, Optimal resilience proactive public key cryptosystems, IEEE Symposium on Foundations of Computer Science, pp. 440-454 (1997).
4. Y. Frankel, P. Gemmell, P. D. MacKenzie, M. Yung, Proactive RSA, Advances in Cryptology, CRYPTO '97, LNCS 1297, pp. 440-454 (1997).
5. G. Vanrenen, S. W. Smith, Distributing Security-Mediated PKI, 1st European PKI Workshop: Research and Applications, LNCS 3093, pp. 213-231 (2004).
6. Haiyun Luo, Songwu Lu, Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks, UCLA Computer Science Technical Report 200030, Oct. (2000).
7. A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, M. Yung, Proactive public key and signature systems, ACM Conference on Computer and Communications Security, pp. 100-110 (1997).
8. A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactive secret sharing or: How to cope with perpetual leakage, Advances in Cryptology, CRYPTO '95, LNCS 963, pp. 339-352 (1995).
9. Lidong Zhou, Towards Fault-Tolerant and Secure On-line Services, PhD Dissertation, Department of Computer Science, Cornell University, Ithaca, NY, USA, April (2001).
10. M. Naor and K. Nissim, Certificate revocation and certificate update, Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, pp. 217-228 (1998).
11. P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proc. of 28th FOCS (1987).
12. S. Koga, K. Imamoto, and K. Sakurai, Enhancing Security of Security-Mediated PKI by One-time ID, 4th Annual PKI R&D Workshop, NIST, USA, April 19-21 (2005).
13. S. Jarecki, N. Saxena, and J. H. Yi, An Attack on the Proactive RSA Signature Scheme in the URSA Ad-Hoc Network Access Control Protocol, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp. 1-9 (2004).
14. S. Xu, R. Sandhu, Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures, CT-RSA (2003).
15. Tal Rabin, A Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology, CRYPTO '98, LNCS 1462, pp. 89-104 (1998).