A Framework for Distributed OCSP without Responders Certificate

Young-Ho Park ([email protected])
Kyung-Hyune Rhee ([email protected])
Pukyong National University
WISA 2004

Lab. of Information security & Internet Applications, PKNU

Public Key Certificate

- Public Key Infrastructure (PKI)
  - The main architecture for security services over the Internet
- Public Key Certificate
  - Bind a public key to the owner's identity information
  - Digitally signed and certified by a trusted certificate authority (CA)
- Certificates Revocation
  - Compromising of the key or abuse of the owner
  - Certificates Revocation List (CRL)
  - Online Certificate Status Protocol (OCSP)


Online Certificate Status Protocol

- To check the validity of a certificate at the time of a given transaction
- OCSP responder provides a digitally signed response
- Client can retrieve timely certificate status with a moderated resource usage
- Single Responder
  - Most workloads converge into the responder
  - Digital signature is a computation consuming operation
  - Denial of service

[Figure: CA, Responder and X.500 directory; Request and Response, where the Response carries Good, Revoked or Unknown, the Validity Interval, ..., and the Signature]


Distributed OCSP

- Composed of multiple OCSP responders
- Sharing and balancing the workload of OCSP response
- Client can choose one responder
- Certificate of responder is required to verify the signature in response of both OCSP and D-OCSP
- In D-OCSP
  - Using the same private signing key for every responder
    - Easy key management but high risk for key exposure
  - Using different private key
    - Increasing the complexity of key management


KIS-D-OCSP (1)

- [S. Koga and K. Sakurai, PKC 2004]
- One solution for efficient certificate management of multiple responders
- Key insulated signature (KIS) scheme and hash chain
- Different private key for every responder but the same public key for signature verification
- Only one certificate is required for multiple responders
- Private key exposure of one responder does not affect other responders
- Hash chain is used for checking the validity of a responder at the given time period


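KIS-D-OCSP (2)

Key Generation: CA distributes private keys for every responder

[Figure: the CA's Key Generator holds the master key $SK^*$ and sends the private keys for signature $SK_1, SK_2, \ldots, SK_n$ to responders $R_1, R_2, \ldots, R_n$ over a secure channel; the public key is $PK_{res}$]

- Let $p$ and $q$ be prime numbers such that $p = 2q + 1$
- $x_0^*, y_0^*, \ldots, x_{n-1}^*, y_{n-1}^* \in Z_q$
- $v_i^* = g^{x_i^*} h^{y_i^*}$; $g, h \in Z_p^*$ with order $q$
- Master key: $SK^* = (x_0^*, y_0^*, \ldots, x_{n-1}^*, y_{n-1}^*)$
- Public key: $PK_{res} = (g, h, v_0^*, \ldots, v_{n-1}^*)$
- $x'_i = \sum_{k=1}^{n-1} x_k^* \,(i^k - (i-1)^k)$
- $y'_i = \sum_{k=1}^{n-1} y_k^* \,(i^k - (i-1)^k)$
- $x_i = x_{i-1} + x'_i \quad (x_0 = x_0^*)$
- $y_i = y_{i-1} + y'_i \quad (y_0 = y_0^*)$
- Each responder private key: $SK_i = (x_i, y_i)$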


KIS-D-OCSP (3)

Hash chain

- $X_1 = H(X_2) = H^2(X_3) = \ldots = H^{t-1}(X_t)$
- For total $T$ time periods and $n$ responders
  - $X_T^1, X_{T-1}^1, \ldots, X_t^1, \ldots, X_1^1$
  - $X_T^2, X_{T-1}^2, \ldots, X_t^2, \ldots, X_1^2$
  - ......
  - $X_T^n, X_{T-1}^n, \ldots, X_t^n, \ldots, X_1^n$
  - CA keeps the hash values securely
- CA provides $X_t^i$ at time period $t$ (of $T$) to the $i$-th responder
- Validity checks at time period $t$ (of $T$) for the $i$-th responder
  - Checking if $X_1^i = H^{t-1}(X_t^i)$ is true
- Responder Certificate: $Cert = Sig_{CA}(PK_{res}, SN, I, J, V, X_1^1, \ldots, X_1^n)$
  - SN: serial number
  - I, J: Issuer and Subject
  - V: Valid time period
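The hash-chain validity check on this slide, written out as an added Python example (not code from the slides or from Koga and Sakurai). SHA-256, the seed strings and the names `build_chain`, `check_period` and `responder_valid` are assumptions of the example.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    """One application of the chain hash (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(x).digest()

def build_chain(seed: bytes, T: int) -> list:
    """CA side: return [X_1, ..., X_T] where X_T = seed and X_j = H(X_{j+1})."""
    chain = [seed]
    for _ in range(T - 1):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain

def check_period(x1_in_cert: bytes, x_t: bytes, t: int) -> bool:
    """Client side: accept only if X_1 == H^{t-1}(X_t) for the current period t."""
    if t < 1:
        return False
    value = x_t
    for _ in range(t - 1):
        value = H(value)
    return hmac.compare_digest(value, x1_in_cert)

# Constructed sample data: T = 10 periods, n = 3 responders.
T = 10
chains = [build_chain(hashlib.sha256(b"constructed-seed-%d" % i).digest(), T)
          for i in range(1, 4)]
cert_anchors = [c[0] for c in chains]   # X_1^1 .. X_1^n, as carried in Cert

def responder_valid(i: int, t: int, x_t: bytes) -> bool:
    """Check the value released to responder i (1-based) for period t."""
    return check_period(cert_anchors[i - 1], x_t, t)

if __name__ == "__main__":
    print(responder_valid(2, 5, chains[1][4]))   # current value X_5^2
    print(responder_valid(2, 6, chains[1][4]))   # stale value offered for period 6
    print(responder_valid(3, 5, chains[1][4]))   # value belonging to another responder
```

The period index `t` has to come from the verifier's own clock: a `t` taken from the response would let an old $X_t^i$ pass, since anyone holding $X_t^i$ can recompute the values of all earlier periods by hashing.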


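KIS-D-OCSP (4)

System

[Figure: CA and responders $R_1, \ldots, R_n$ holding $SK_1, \ldots, SK_n$]

- Generates and distributes private keys for every responder
- Provides hash values $X_t^1, \ldots, X_t^n$ for the current time period
- Requests for service to one responder
- Response, KIS-Signature, $X_t^i$
  - $r_1, r_2 \in_R Z_q^*$
  - $w = g^{r_1} h^{r_2}$, hash value $H(i, m, w)$
  - $a = r_1 - H(i, m, w)\, x_i$
  - $b = r_2 - H(i, m, w)\, y_i$
  - $Sig_i = (i, w, a, b)$
- Verification
  - Verifying CA signature and checking expiration of the certificate
    - Responder Certificate: $Cert = Sig_{CA}(PK_{res}, SN, I, J, V, X_1^1, \ldots, X_1^n)$
  - Checking hash chain
    - $X_1^i = H^{t-1}(X_t^i)$
  - Verifying signature in response
    - $v_i = \prod_{k=0}^{n-1} (v_k^*)^{i^k}$
    - check if $w = g^{a} h^{b} v_i^{H(i, m, w)}$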
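The key generation, signing and verification steps of KIS-D-OCSP (2) and (4), run end to end with toy parameters as an added Python example (not code from the slides or from Koga and Sakurai). The small prime, SHA-256 as $H$, the seeded `random.Random` and the names `challenge`, `c` and `Hb` (the generator $h$) are assumptions of the example.

```python
import hashlib
import random

P = 1_000_000_007            # toy prime with p = 2q + 1 (constructed, far too small for real use)
Q = (P - 1) // 2
G, Hb = 4, 9                 # squares mod p, so their order divides q

def keygen(n, rng):
    """CA: master key (x_k*, y_k*) for k = 0..n-1 and public values v_k* = g^x_k* h^y_k*."""
    xs = [rng.randrange(Q) for _ in range(n)]
    ys = [rng.randrange(Q) for _ in range(n)]
    vs = [pow(G, x, P) * pow(Hb, y, P) % P for x, y in zip(xs, ys)]
    return (xs, ys), vs

def responder_key(master, i):
    """SK_i = (x_i, y_i), built step by step: x_j = x_{j-1} + x'_j with x_0 = x_0*."""
    sk = []
    for coeffs in master:
        value = coeffs[0]
        for j in range(1, i + 1):
            value += sum(c * (j**k - (j - 1)**k) for k, c in enumerate(coeffs) if k >= 1)
        sk.append(value % Q)
    return tuple(sk)

def challenge(i, m, w):
    """H(i, m, w) mapped into Z_q (SHA-256 is an assumption of this example)."""
    digest = hashlib.sha256(b"%d|%d|" % (i, w) + m).digest()
    return int.from_bytes(digest, "big") % Q

def sign(sk, i, m, rng):
    x_i, y_i = sk
    r1, r2 = rng.randrange(1, Q), rng.randrange(1, Q)
    w = pow(G, r1, P) * pow(Hb, r2, P) % P
    c = challenge(i, m, w)
    return i, w, (r1 - c * x_i) % Q, (r2 - c * y_i) % Q

def verify(vs, m, sig):
    """Recompute v_i = prod_k (v_k*)^(i^k) from the single public key, then check w."""
    i, w, a, b = sig
    v_i = 1
    for k, v_k in enumerate(vs):
        v_i = v_i * pow(v_k, pow(i, k, Q), P) % P
    c = challenge(i, m, w)
    return w == pow(G, a, P) * pow(Hb, b, P) % P * pow(v_i, c, P) % P

rng = random.Random(2004)    # fixed seed for a reproducible run; real keys need a CSPRNG
MASTER, V_STAR = keygen(4, rng)
SK1, SK2 = responder_key(MASTER, 1), responder_key(MASTER, 2)
```

Both responders' signatures verify against the same `V_STAR`, and a signature from responder 1 relabelled with index 2 is rejected because $v_i$ is recomputed from the index carried in the signature.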


IBS-D-OCSP (1)

Motivations

- It is possible to generate different private keys from the same master key with different identifier strings
  - Identifier itself can be used as the public key
  - Removing the overhead of certificate management for responders
  - KIS-D-OCSP requires at least one certificate
- Date information can be encoded into keying material
  - Date is common knowledge
  - Hash chain is not required to check the validity for the given time period

Applying identity-based signature (IBS) scheme

OCSP responders certificates for certificate management?


IBS-D-OCSP (2)

Implementing Issues

- Identity-based Signature Scheme
  - [J. Cha and J. Cheon, PKC 2003]
  - Bilinear Pairing
    - Weil and Tate pairing on elliptic curve
- Identifiers of responders
  - Certificate contains OCSP_URI
  - Certified by the CA
  - Ex.) Keying ID = “CA || Responder_URI || 20040818”
  - ID itself is public key for IBS verification


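IBS-D-OCSP (3)

Key Generation: CA generates private keys for responders’ identifiers

[Figure: the CA's Key Generator takes the Master Key, identifier$_1$ ... and Date info., and sends $SK_1, \ldots, SK_n$ to responders $R_1, \ldots, R_n$ over a secure channel]

- pairing $e: G_1 \times G_1 \to G_2$
- $G_1$: additive group of points on an elliptic curve
- $G_2$: multiplicative group of a finite field
- CA master secret: $SK^* = s \in_R Z_q^*$
- CA public key: $PK^* = sP \in G_1$; $P \in G_1$
- $Q_i = f(\text{identifier}_i \,\|\, \text{Date})$; $f: \{0,1\}^* \to G_1$
- Each responder private key: $SK_i = sQ_i \in G_1$
- $f(\cdot)$: one-way mapping function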


IBS-D-OCSP (4)

System

[Figure: CA and responders $R_1, \ldots, R_n$ holding $SK_1, \ldots, SK_n$]

- Distributes private keys for given time period
- Requests for service to one of responders
- Response, IBS-Signature
  - $r \in_R Z_q$
  - $U = r\,H_1(CA \,\|\, Res\_URI_i \,\|\, date) \in G_1$
  - $h = H_2(m, U)$
  - $V = (r + h)\,SK_i$
  - $Sig_i = (U, V)$
- Verification
  - Calculating public key with responder identifier and date info.
    - $Q = H_1(CA \,\|\, Res\_URI_i \,\|\, date)$
  - Verifying signature in response
    - $h = H_2(m, U)$
    - checks if $e(P, V) = e(P_{CA}, U + hQ)$


Security

- Security of a signature is relying on the underlying IBS
- Assuming that CA is a trusted authority
  - Master key is not disclosed
- Difficult to compute private key from identifier without knowing the master key
  - DLP (Discrete Logarithm Problem)
- Date information is encoded in keying material
  - Keys are only valid for the given time period


Efficiency

Compare KIS-D-OCSP & IBS-D-OCSP

| KIS-D-OCSP | IBS-D-OCSP |
|---|---|
| Master public key size is proportional to the number of responders | Master public key size is constant to the number of responders |
| At least one certificate for responders | No certificate for responders |
| CA stores hash values securely | CA stores no hash values |
| Return : {response, signature, hash} | Return : {response, signature} |
| 2 signature verifications + (t-1) hashing | 1 signature verification |
| Hash chains to check timely validity | Encoding date info. into keying material |
| Update hash values every time period | Refresh private keys every time period |


Conclusion

- Public key certificate is essential for secure Internet
  - Certificate validity checking is required
  - OCSP is one solution
- Proposed an efficient D-OCSP framework
  - IBS-D-OCSP
  - Remove responders certificate
  - Don’t require additional certificate management
- Any other efficient IBS schemes can be applied to the system