
A Simple Traceable Pseudonym Certificate System for RSA-based PKI
SCGroup, Jinhae Kim



2 Introduction
- Digital certificate
  - An authorized assertion about a public key
  - The holder can prove ownership of the key by using the corresponding private key
  - The current PKI is privacy-intrusive: certificate uses can be linked and traced
- Pseudonym certificate
  - Identifiable by a pseudonym only
  - A digital certificate that contains a pseudonym as the subject identifier
  - Can be used in anonymous transactions

3 Building Blocks
- PKI
- RSA
- Pseudonym
- Blind signature
- Threshold cryptography
- X.509 certificate

4 Basic Model
[Figure: participants User, CA, Site 1 … Site n, and the pseudonym issuer (PI) composed of the Anonymous Issuer (AI) and the Blind Issuer (BI); message flows labelled i–iv and 1–6.]

5 Basic Model – cont'd
I. User U holds a digital certificate issued by the CA, under a real identity
II. The user can access service providers (SPs)
III. An SP asks the PI to revoke a certificate (PI: pseudonym certificate issuer, made up of AI and BI)
IV. AI and BI collaborate to link ID_U and PN_U (ID_U: real identity of user U; PN_U: pseudonym of user U)

6 Traceable Pseudonym Certificates
[Figure comparing three layouts: (a) X.509 v3 certificate with fields Version, Serial Number, Signature Algorithm ID, Issuer Name, Validity Period, Subject Name, Subject Public Key Info, Extensions; (b) pseudonym certificate skeleton with Version 3, SN, RSA, PI, Validity Period, the subject fields left as *, *, *, and Extensions; (c) traceable pseudonym certificate with Version 3, SN, RSA, PI, Validity Period, PN, ppk_U, SIG_PN, Extensions. The extension panels carry "Critical: (C_i), *" and "Critical: (C_1, C_2, …, C_m)".]

7 Basic Protocol - I
- Basic assumptions
  - The authentic public keys of the CA and of the PI are available
  - User U holds a real-identity certificate denoted by {ID_U, pk_U}_SIG_CA
  - The RSA private exponent d of PI is split into d_2 for AI and d_1 for BI (in the case of a single BI)
- AI can control and verify the contents of a pseudonym certificate
- BI can verify the user's real identity

8 Basic Protocol - II
1. U → AI: Skeleton Request
   - Option: U can submit her basic information so that AI can choose an appropriate BI
   - AI stores the certificate skeleton with index SN
2. AI → U: Certificate Skeleton
   - b ←
   - M ←
   - h = H(M)
   - u = h r^e mod N, r: random number (blinding factor)
3. U → BI: {ID_U, pk_U}_SIG_CA, {{u}_SIG_U, ρ}_ENC_BI
   - BI verifies {ID_U, pk_U}_SIG_CA under pk_CA
   - Decrypts {{u}_SIG_U, ρ}_ENC_BI and verifies u under pk_U
   - Record
   - Computes w = u^d_1 mod N

9 Basic Protocol - III
4. BI → U: {{w}_ENC_AI}_ρ
   - U decrypts {w}_ENC_AI under ρ
   - Computes {{M}_SIG_PN, r, {w}_ENC_AI}_ENC_AI
5. U → AI: {{M}_SIG_PN, r, {w}_ENC_AI}_ENC_AI
   - Verifies {M}_SIG_PN under ppk_U and compares it with the record corresponding to SN
   - Computes z = w^d_2 mod N
   - Checks z r^-1 mod N under
   - Record
   - Sends z
6. AI → U: z
   - Computes z r^-1 mod N to recover h^d mod N
   - Verifies h^d mod N under
   - Traceable pseudonym certificate:

10 Pseudonym Revocation and Trace
- An SP asks AI to revoke a certain pseudonym
  - Submits PN_U to AI
- AI retrieves
  - Recovers z and sends it to BI
- BI obtains the real identity ID_U
  - u = z^e mod N
  - From can find ID_U
- Revoking all pseudonyms of a user U'
  - BI retrieves all records
  - Sends u^d_1 mod N to AI securely
  - AI raises to d_2 to get z and retrieves all pseudonyms of U'
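The arithmetic behind Basic Protocol II/III and the trace step above, as an added example that is not the paper's or the presenter's code: the user blinds h = H(M) with r, BI and AI each apply their share of d, the user unblinds to obtain h^d mod N, and z^e mod N recovers the u that BI recorded next to ID_U. It assumes SHA-256 as H, a multiplicative split d = d_1·d_2 (mod φ(N)), and a constructed toy modulus.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters for the pseudonym issuer PI (far too small for real use).
P, Q = 104729, 1299709
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)          # full private exponent; no single party ever holds it

def split_private_exponent(d: int, phi: int) -> tuple:
    """Multiplicative split d = d1 * d2 (mod phi): d1 goes to BI, d2 to AI (assumption)."""
    while True:
        d1 = secrets.randbelow(phi - 2) + 2
        if gcd(d1, phi) == 1:
            return d1, (d * pow(d1, -1, phi)) % phi

def h_of(message: bytes) -> int:
    """Step 2: h = H(M) reduced into Z_N (assumption: SHA-256 stands in for H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def user_blind(h: int, r: int = 0) -> tuple:
    """Step 2 (user): u = h * r^e mod N; r=0 means pick a random r coprime to N."""
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (h * pow(r, E, N)) % N, r

def partial_sign(x: int, d_share: int) -> int:
    """Steps 3 and 5: BI computes w = u^d1 mod N on the blinded u, then AI computes z = w^d2 mod N."""
    return pow(x, d_share, N)

def user_unblind(z: int, r: int) -> int:
    """Step 6 (user): z * r^-1 mod N = h^d mod N, PI's signature on the skeleton."""
    return (z * pow(r, -1, N)) % N

def verify(sig: int, message: bytes) -> bool:
    """Any relying party: sig^e mod N must equal H(M)."""
    return pow(sig, E, N) == h_of(message)

def trace(z: int) -> int:
    """Slide 10: from the z kept in AI's record, u = z^e mod N; BI's record maps u to ID_U."""
    return pow(z, E, N)

def run_protocol(message: bytes, r: int = 0) -> tuple:
    """Returns (signature held by U, z kept by AI, u kept by BI)."""
    d1, d2 = split_private_exponent(D, PHI)
    u, r = user_blind(h_of(message), r)
    z = partial_sign(partial_sign(u, d1), d2)
    return user_unblind(z, r), z, u
```

Note that BI only ever sees u (and ID_U), AI only sees M, r and z (and PN_U); linking the two requires both records, which is the traceability property the slides describe.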

11 Extended Protocols
- Threshold schemes
  - In the case of multiple BIs
  - Apply an RSA (L, k)-threshold signature scheme
- Re-blinding variants
  - Disable the tracing ability (e.g., e-voting)
- Selective credential show
  - User's digital credential: Flag: 0 – mandatory, 1 – selective; h(c_i): hash value of credential c_i
  - PI should certify all semi-records whose flag is 0, but only a hashed value for those whose flag is 1

12 Conclusion
- Can be used on existing PKIs without requiring additional crypto modules
- Fully compatible with X.509 certificates
- Simple and efficient, with versatile privacy-enhancing features
- Choice between traceability and absolute anonymity
- Threshold variants for more secure applications

13 References
- Yongdae Kim et al., "A Simple Traceable Pseudonym Certificate System for RSA-based PKI."
- D. Chaum, "Security without identification: Transaction systems to make big brother obsolete," Communications of the ACM, vol. 28, no. 10, pp. 1035–1044.
- X.509, "Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks," ITU-T Recommendation X.509.

