Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington.

Published byMagdalena Hodgetts Modified over 9 years ago

Similar presentations

Presentation on theme: "Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington."— Presentation transcript:

1 Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington Philippe Golle Palo Alto Research Center CA, USA Markus Jakobsson School of Informatics Indiana University at Bloomington

2 Page 1 Threats to Certificate Authorities Certificate repudiation –A user chooses weak private key –Intentionally let his private key be leaking discretely for forgery Certificate private key leaking –Malicious attack such as Trojan horse –Leaking CA’s private via covert-channel

3 Page 2 What is a covert channel? Hidden communication channel Steganography – Information hiding Original ImageExtracted Image

4 Page 3 Prisoners' problem [Simmons,’93] Two prisoners want to exchange messages, but must do so through the warden Subliminal channel in DSA What Plan? Plan A

5 Page 4 Leaking attack on RSA-PSS Random salt is used for padding string in encryption In verification process, salt is extracted from EM Hidden information can be embedded in salt value RSA-PSS : PKCS #1 V2.1

6 Page 5 Approaches Detect leaking A warden observes outputs from CA mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority Malicious attack Replacement of function

7 Page 6 Approaches (Cont’d) Observing is not so easy because random number... –looks innocuous –Or, doesn’t reveal any state A warden (observer) can be attacked mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority

8 Page 7 Undercover observer Signer outputs non-interactive proof as well as signature Ambushes until verification is invalid mkmk Pseudo Random Number Generator Sig k

9 Page 8 Tamper-evident Chain Predefined set of random values in lieu of random number on the fly Hash chain verification x1x1 x2x2 x3x3 …. xnxn X n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) x’ 3 Sig’ 3 ? X2=Hash(X3)

10 Page 9 DSA Signature Scheme Gen : x  y = g x mod p Sign : m  (s, r) where r = (g k mod p) mod q and s = k -1 (h(m) + x r) for random value k Verify : For given signature (s, r), u 1 = h(m) s -1 u 2 = r s -1 and check r=g u 1 y u 2 mod p mod q

11 Page 10 Hash chain construction k1k1 k2k2 k3k3 …. knkn k n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) k’ 3 Sig’ 3 ? X2=Hash(X3) r=g k 1 r=g k 2 …. r=g k n r=gk3 P1P1 P2P2 …. PnPn P3P3 P n+1 r’=g k 3

12 Page 11 Conclusion Any leakage from CAs is dangerous CAs are not strong enough from malicious attacks We need observers which are under-cover A small additional cost for proofs Or, Send me email : jychoi@cs.indiana.edu

Download ppt "Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Design and Security Analysis of Marked Blind Signature

Design and Security Analysis of Marked Blind Signature
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Cryptography and Network Security

Cryptography and Network Security
Computer and Network Security Mini Lecture by Milica Barjaktarovic.

Computer and Network Security Mini Lecture by Milica Barjaktarovic.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Security Chapter 9 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

Similar presentations

Ads by Google