Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.

Published byClaud Sims Modified over 8 years ago

Similar presentations

Presentation on theme: "ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering."— Presentation transcript:

1 ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering and Mathematics Universitat Rovira i Virgili

2 Introduction The design of efficient large-scale public-key infrastructures is a hot topic of research Digital certificates consist of a c-statement along with the CA’s signature Two important bottlenecks are: Certificate revocation Design of manageable large-scale certification authorities (CAs)

3 Solutions to deal with revocation Certificate revocation lists (CRL) Certificate revocation trees (CRT), reduce the huge size of CRLs Short-validity certificates are good until their expiration date Certificate revocation system (CRS) Naor-Nissim system Certificate verification trees (CVT): revocation information and the certificate directory are stored in the same Merkle tree

4 Certificate verification trees (1/4) The CA constructs a Merkle B-tree: Each leaf is a c-statement plus the hash of that c- statement Hash values of siblings in the B-tree are hashed together to get a hash value for their parents node The CA signs the hash value of the root node, called RV, together with date and time The cert-path for a c-statement is the path to the root along with the hash values needed to verify that path (the hash values of siblings of nodes along that path)

5 Certificate verification trees (2/4) Sign(RV||Date||Time) RV=h(H 5 ||H 6 ) H 6 =h(H 3 ||H 4 )H 5 =h(H 1 ||H 2 ) H 2 =h(C 2 )H 1 1 ) C 1 C 2 H 3 3 )H 4 4 ) C 3 C 4

6 Certificate verification trees (3/4) A single signature certifies all public keys Tree update is performed on a regular basis Batches of new certificates are incorporated to the Merkle B- tree Each CVT update only needs one signature on RV CVTs allow the CA key to be changed with low computational cost (one signature on RV) CVTs allow to deal with historical queries. The CA should store old CVT roots

7 Certificate verification trees (4/4) CVTs prove certificate non-existence Top levels of a CVT can be cached by verifiers, reducing communication and computation CVTs have the drawback of tying certificate issuance and revocation to CVT updates which are only carried out once in a period

8 Our contribution All advantages of CVTs are preserved In addition, we provide Asynchronous certificate renewal and revocation Implicit revocation

9 CVT-based asynchronous certification Batches of certificates are requested ahead of time without the user having to store the corresponding private keys The user can use a new certificate as soon as the current one has expired  asynchronous certification The signer is represented by a smart card or another tamper-resistant device The scheme is described by three protocols: set-up, signature and implicit revocation

10 Protocol 1: Set-up 1 The signer’s smart card SC generates a key k for a symmetric block cipher (e.g. DES, AES) 2 For i=1 to m : (a) SC generates a public-private key pair (pk i,sk i ) (b) SC encrypts sk i under k to get E k (sk i ) (c) SC sends (pk i,E k (sk i )) to the CA (d) SC deletes pk i, sk i and E k (sk i ) from its memory 3 CA stores the encrypted private keys E k (sk i ) received 4 In the next CVT update, CA adds all received pk i ’s to the CVT

11 Set-up Key pairs are assumed to be valid in consecutive future time intervals Certificate validity intervals are completely independent from CVT update periods Protocol 1 is run frequently enough so that one never runs out of key pairs The larger the batch size m, the less frequently the protocol needs to be run

12 Protocol 2: Signature at time interval t 1 If the user’s SC stores a private key sk t valid for time interval t, the SC does: (a) If necessary get the cert-path for the pk t certificate from CVT directory 2 Otherwise SC does: (a) Delete from its memory the last sk j stored, if any (b) Get E k (sk t ) from the CA (c) Get the certificate and the cert-path of pk t from the CVT directory (d) Decrypt E k (sk t ) to get sk t 3 Sign using sk t

13 Signature SC stores no private key except the current one SC can use a new certificate as soon as the current one has expired Signing implies appending the corresponding cert- path to the signature

14 Protocol 3: Implicit revocation 1 If the SC is stolen or lost, the user informs the CA 2 The CA stops serving encrypted private keys E k (sk i ) to SC

15 Implicit revocation Protocol 3 implicitly revokes all certificates in the CVT which were requested for future time intervals The current certificate is not revoked To eliminate the need for explicit revocation of the current certificate, short-validity certificates can be used An intruder will have little time to tamper with SC in order to have it sign under the private key SC is currently storing Short-validity certificates do not survive more than one CVT update period

16 Efficiency Asynchronous certification. Requesting certificates ahead of time allows the SC to use new certificates as soon as the current one expires Reduced storage. The user can request a batch of certificates, but her SC only stores the current key pair and the key of a symmetric block cipher Implicit revocation. In the event of smart card loss or compromise, all certificates requested by that SC are implicitly revoked and CVT update is not required

17 Implicit vs explicit revocation Explicit revocation forces the CA to distribute CRLs or update CVTs and it also forces the signature verifier to check these CRLs or CVTs before accepting a signature Implicit revocation is a much better alternative which prevents the private key corresponding to a revoked certificate from ever being used to sign Explicit revocation of the current certificate can be made unnecessary if short-validity certificates are used

18 Security If implicit revocation protocol is run by the user at time interval t Her SC will become useless from time interval t+1 onwards Regarding interval t If SC has not yet downloaded sk t, SC is useless to the intruder If SC has already downloaded sk t Short-validity certificates make it unlikely that the intruder can hack SC to sign with sk t before certificate expiration Long-lived certificates need explicit revocation (CRLs or CVT update)

19 Conclusion CVTs are a very convenient data structure for managing large-scale public key directories Their drawback is that certificate issuance and revocation must be synchronized with a CVT update We have proposed a scheme where certificates can be requested ahead of time without decreasing security In the event of loss or compromise of the user’s smart card, implicit revocation is used

Download ppt "ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering."

Similar presentations

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Similar presentations

Ads by Google