Download presentation

Presentation is loading. Please wait.

Published byMagdalena Hodgetts Modified about 1 year ago

1
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington Philippe Golle Palo Alto Research Center CA, USA Markus Jakobsson School of Informatics Indiana University at Bloomington

2
Page 1 Threats to Certificate Authorities Certificate repudiation –A user chooses weak private key –Intentionally let his private key be leaking discretely for forgery Certificate private key leaking –Malicious attack such as Trojan horse –Leaking CA’s private via covert-channel

3
Page 2 What is a covert channel? Hidden communication channel Steganography – Information hiding Original ImageExtracted Image

4
Page 3 Prisoners' problem [Simmons,’93] Two prisoners want to exchange messages, but must do so through the warden Subliminal channel in DSA What Plan? Plan A

5
Page 4 Leaking attack on RSA-PSS Random salt is used for padding string in encryption In verification process, salt is extracted from EM Hidden information can be embedded in salt value RSA-PSS : PKCS #1 V2.1

6
Page 5 Approaches Detect leaking A warden observes outputs from CA mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority Malicious attack Replacement of function

7
Page 6 Approaches (Cont’d) Observing is not so easy because random number... –looks innocuous –Or, doesn’t reveal any state A warden (observer) can be attacked mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority

8
Page 7 Undercover observer Signer outputs non-interactive proof as well as signature Ambushes until verification is invalid mkmk Pseudo Random Number Generator Sig k

9
Page 8 Tamper-evident Chain Predefined set of random values in lieu of random number on the fly Hash chain verification x1x1 x2x2 x3x3 …. xnxn X n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) x’ 3 Sig’ 3 ? X2=Hash(X3)

10
Page 9 DSA Signature Scheme Gen : x y = g x mod p Sign : m (s, r) where r = (g k mod p) mod q and s = k -1 (h(m) + x r) for random value k Verify : For given signature (s, r), u 1 = h(m) s -1 u 2 = r s -1 and check r=g u 1 y u 2 mod p mod q

11
Page 10 Hash chain construction k1k1 k2k2 k3k3 …. knkn k n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) k’ 3 Sig’ 3 ? X2=Hash(X3) r=g k 1 r=g k 2 …. r=g k n r=gk3 P1P1 P2P2 …. PnPn P3P3 P n+1 r’=g k 3

12
Page 11 Conclusion Any leakage from CAs is dangerous CAs are not strong enough from malicious attacks We need observers which are under-cover A small additional cost for proofs Or, Send me email : jychoi@cs.indiana.edu

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google