Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington.

Slides:

Advertisements

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Advertisements

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.

Design and Security Analysis of Marked Blind Signature

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Cryptography and Network Security

Computer and Network Security Mini Lecture by Milica Barjaktarovic.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Chapter 5 Cryptography Protecting principals communication in systems.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

Chapter 3 Encryption Algorithms & Systems (Part C)

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

8. Data Integrity Techniques

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Bob can sign a message using a digital signature generation algorithm

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

An Efficient and Secure Event Signature (EASES) Protocol for Peer-to-Peer Massively Multiplayer Online Games Mo-Che Chan, Shun-Yun Hu and Jehn-Ruey Jiang.

Chapter 4: Intermediate Protocols

1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen.

Topic 22: Digital Schemes (2)

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

IS 302: Information Security and Trust Week 5: Integrity 2012.

Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.

1 一個新的代理簽章法 A New Proxy Signature Scheme 作者 : 洪國寶, 許琪慧, 郭淑娟與邱文怡報告者 : 郭淑娟.

15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at.

Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University.

Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.

Prepared by Dr. Lamiaa Elshenawy

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

Computer and Network Security - Message Digests, Kerberos, PKI –

Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.

Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

COM 5336 Lecture 8 Digital Signatures

1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.

1/18 Talking to Strangers: Authentication in Ad-Hoc Wireless Networks Dirk Balfanz 외 2 명 in Xerox Palo Alto Research Center Presentation: Lee Youn-ho.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.

Fourth Edition by William Stallings Lecture slides by Lawrie Brown

Chapter 9 Security 9.1 The security environment

Cryptography Lecture 26.

Presentation transcript:

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington Philippe Golle Palo Alto Research Center CA, USA Markus Jakobsson School of Informatics Indiana University at Bloomington

Page 1 Threats to Certificate Authorities Certificate repudiation –A user chooses weak private key –Intentionally let his private key be leaking discretely for forgery Certificate private key leaking –Malicious attack such as Trojan horse –Leaking CA’s private via covert-channel

Page 2 What is a covert channel? Hidden communication channel Steganography – Information hiding Original ImageExtracted Image

Page 3 Prisoners' problem [Simmons,’93] Two prisoners want to exchange messages, but must do so through the warden Subliminal channel in DSA What Plan? Plan A

Page 4 Leaking attack on RSA-PSS Random salt is used for padding string in encryption In verification process, salt is extracted from EM Hidden information can be embedded in salt value RSA-PSS : PKCS #1 V2.1

Page 5 Approaches Detect leaking A warden observes outputs from CA mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority Malicious attack Replacement of function

Page 6 Approaches (Cont’d) Observing is not so easy because random number... –looks innocuous –Or, doesn’t reveal any state A warden (observer) can be attacked mkmk Pseudo Random Number Generator Sig k Something hidden? Certificate Authority

Page 7 Undercover observer Signer outputs non-interactive proof as well as signature Ambushes until verification is invalid mkmk Pseudo Random Number Generator Sig k

Page 8 Tamper-evident Chain Predefined set of random values in lieu of random number on the fly Hash chain verification x1x1 x2x2 x3x3 …. xnxn X n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) x’ 3 Sig’ 3 ? X2=Hash(X3)

Page 9 DSA Signature Scheme Gen : x  y = g x mod p Sign : m  (s, r) where r = (g k mod p) mod q and s = k -1 (h(m) + x r) for random value k Verify : For given signature (s, r), u 1 = h(m) s -1 u 2 = r s -1 and check r=g u 1 y u 2 mod p mod q

Page 10 Hash chain construction k1k1 k2k2 k3k3 …. knkn k n+1 Sig 1 Sig 2 …. Sig n Hash() ? X 1 =Hash(X 2 ) ? X n-1 =Hash(X n ) k’ 3 Sig’ 3 ? X2=Hash(X3) r=g k 1 r=g k 2 …. r=g k n r=gk3 P1P1 P2P2 …. PnPn P3P3 P n+1 r’=g k 3

Page 11 Conclusion Any leakage from CAs is dangerous CAs are not strong enough from malicious attacks We need observers which are under-cover A small additional cost for proofs Or, Send me