Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at.

Published bySusanna Wilcox Modified over 9 years ago

Similar presentations

Presentation on theme: "Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at."— Presentation transcript:

1 Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research Center Markus Jakobsson School of Informatics Indiana University at Bloomington jychoi@cs.indiana.edupgolle@parc.commarkus@indiana.edu

2 Page 1 Threats to Certificate Authorities Stealing private key –Malicious attack such as Trojan horse, virus –Leaking CA’s private key via covert-channel Hidden communication channel –CAs use lots of random numbers –Hard to prove randomness since it is directly related to privacy

3 Page 2 What is a covert channel? Hidden communication channel Steganography – Information hiding Original ImageExtracted Image

4 Page 3 Prisoners' problem [Simmons,’93] Two prisoners want to exchange messages, but must do so through the warden Subliminal channel in DSA What Plan? Plan A

5 Page 4 Leaking attack on RSA-PSS A random salt is used as a padding string in a signature In verification process, the salt is extracted from the message Hidden information can be embedded in the salt RSA-PSS : PKCS #1 V2.1

6 Page 5 Approaches Need an observer to detect leaking An observer investigates outputs from CA mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority Malicious attack Replacement of function

7 Page 6 Hindsight Observing is not easy because of a random number –looking innocuous –Not revealing any state Fine as long as a random number is generated in a designated way Using hindsight, we detect abnormal behavior generating a random number

8 Page 7 Weakness of an observer An observer can be attacked, causing a single point of failure mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority  Public verifiability with multiple observers

9 Page 8 Undercover observer CA outputs non-interactive proof as well as signature Ambushes until verification is invalid mkmk Pseudo Random Number Generator Sig k

10 Page 9 Tamper-evident Chain Predefined set of random values in lieu of random number on the fly Hash chain verification s1s1 s2s2 s3s3 …. snsn Seed Sig 1 Sig 2 …. Sig n h() ? s 1 =h(s 2 ) ? s n-1 =h(s n ) s’ 3 Sig’ 3 ? s 2 =h(s 3 ) ? s 0 =h(s 1 ) s0s0 h()

11 Page 10 DSA Signature Scheme Gen : x  y = g x mod p Sign : m  (s, r) where r = (g k mod p) mod q and s = k -1 (h(m) + x r) for random value k Verify : For given signature (s, r), u 1 = h(m) s -1 u 2 = r s -1 and check r=g u 1 y u 2 mod p mod q

12 Page 11 Hash chain construction k1k1 k2k2 k3k3 …. knkn PRNG Sig 1 Sig 2 …. Sig n h() ? w 1 =h(r 2 ||w 2 ) ? w n-1 =h(r n ||w n ) k’ 3 Sig’ 3 ? w 2 =h(r 3 ||w 3 ) r 1 =g k 1 r 2 =g k 2 …. r n =g k n r 3 =g k 3 w1w1 w2w2 …. wnwn w3w3 r 3 ’=g k 3 w0w0 ? w 0 =h(r 1 ||w 1 ) Seed

13 Page 12 Conclusion Any leakage from CAs is dangerous CAs are not strong enough from malicious attacks We need observers which are under-cover A small additional cost for proofs Or, Send me emails : jychoi@cs.indiana.edu

Download ppt "Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington.

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Computer and Network Security Mini Lecture by Milica Barjaktarovic.

Computer and Network Security Mini Lecture by Milica Barjaktarovic.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.

UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Similar presentations

Ads by Google