Blind Certificate Authorities
Liang Wang¹, Gilad Asharov², Rafael Pass², Thomas Ristenpart², abhi shelat³
¹Princeton University ²Cornell Tech ³Northeastern University

Motivation
Certificate Authorities (CA) issue certificates
Certificates bind public keys to identities
CA (identity provider):
• Email
• Website login
• Anonymous credential systems
• ….
[Diagram labels: User, CA; "Request cert"; "Identity +"; "Validate identity"]
The user must reveal true identity to the CA during identity validation

Identity is sensitive
Whistleblower: I am working at University ABC... Professor X took bribes!
Journalist: OK. First, prove you are working at ABC…
(A friend of Professor X?)
CA: Third-party or from University ABC?

CA (identity provider):
• PGP
• Website login
• Anonymous credential systems
• ….
[Diagram labels: User, CA; "Request cert"; "Identity +"; "Validate identity"]
[email protected]:[email protected]:cert2…..
CA: single point of privacy failure

Can we make CA “blind”?
Main challenge: Validate an identity while not learning it
YES!!!

Contributions
• Secure Channel Injection (SCI):
  o A primitive that allows a party to inject a small amount of information into a secure connection between two parties
  o (SCI-TLS) An efficient, special-purpose MPC protocol for two parties to compute a TLS record
• Anonymous Proof of Account Ownership (PAO):
  o Validate that one owns some email account from a given organization without knowing which account
• Blind CA:
  o Validate ownership of an account alice@domain.com and issue an X.509 certificate binding “alice” to a public key, without learning the account and the key

Email is the most common identity

Conventional email verification
[Diagram labels: User, CA, Email provider; "My email is: [email protected]"; "To: [email protected]"; "Username: alice, Password: ???"]
Prove account ownership by showing the ability to READ an email from an account

Secure Channel Injection (SCI)
[Diagram labels: Alice, Bob, Carol; messages M1, M2, …, Mn with M* injected; MPC]
• Alice: Learns nothing about M*
• Bob: Doesn’t know M* is from Carol
• Carol: Learns nothing about other messages from Alice

Anonymous proof of account ownership (PAO)
Goal: Validate Alice owns some email accounts from domain.com
[Diagram labels: CA; SCI; "Send an email from: [email protected]:alice1"; alice1]
Prove account ownership by showing the ability to SEND an email from an account

PAO use cases
Whistleblower (Employee) to Journalist: I can send an email from ABC’s smtp server

Anonymous PAO needs to use MPC to compute TLS records
[Diagram: TLS record, AES-CBC with SHA256. Labels: SQN + HDR, M, HMAC, HMAC tag, Padding, IV, AES-CBC, HDR, Ciphertext]
For a 512-byte email and 16-byte challenge
• Generic MPC: 32 AES and 8 SHA256 operations → 0.94M+ AND gates

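Merkle–Damgård Construction
[Diagram: IV, then f applied in a chain over Block 1, Block 2, …, Block N; the blocks hold M followed by Padding]

Two-party SHA: “Outsource” SHA computation
[Diagram: f applied to Block X (User), Blocks X+1 to X+K (CA; M* occupies these K blocks), and Block X+K+1 (User). Arrows: "Send output of f to CA", "Send output of f to User". Label: User + CA]
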
Two-party AES CBC
[Diagram: Block X (User) → AES → Cipher X, "Send to CA"; Blocks X+1 to X+K (MPC: Alice: key, CA: blocks; M* occupies these K blocks) → AES → Cipher X+1 to X+K, "Send to User"; Block X+K+1 (User) → AES. Label: User + CA]

Anonymous PAO needs to use MPC to compute TLS records (TLS AES-CBC mode)
For a 512-byte email and 16-byte challenge
• Generic MPC: 32 AES and 8 SHA-256 operations → 0.94M+ AND gates
• Our protocol: 4 AES operations → 27K+ AND gates; NO MPC for HMAC

A simplified SMTP session
Step 1: Set up TLS and prepare for auth
Step 2: Authentication (AUTH)
Step 3: Prepare for email (MAIL, RCPT)
Step 4: Send email (EMAIL)
[Diagram: message flow between SMTP client and SMTP server; other labelled messages: STARTTLS, EHLO, DATA]

Blind CA: TLS record as commitment
The SMTP AUTH message contains email account (user identity)
[Diagram: the same four-step SMTP session between SMTP client (user) and SMTP server, with the CA]

Blind CA: Anonymous PAO
[Diagram: the same four-step SMTP session between SMTP client (user) and SMTP server, with the CA]
Table on the slide:
Challenge   Commitment   …
abc         eee…         …
123         fff…         …
...         ...          …

Prover produces a ZKBoo proof
CA: Shares a certificate template with the user
  o All fields are known except for subject and public key
  Issuer: Blind CA
  Subject: ?@abc
  Public key: ?
  Version: …
User: Fills in missing info, produces the hash of the cert; generates a ZKBoo proof to show the knowledge of:
• The email account (e1) and public key for forming the certificate
• The opening of the TLS commitment:
  o secret keys, email account (e2) and password
• e1 = e2
Single Boolean circuit!
User to CA: Challenge: 123, Hash of cert: h, ZKBoo proof
CA verifies proofs and signs
CA to User: Sign(h)
Giacomelli, Irene, Jesper Madsen, and Claudio Orlandi. "ZKBoo: Faster zero-knowledge for boolean circuits." USENIX Security 2016.

Blind CA overhead

                Loc1 (No Tor)   Loc2 (No Tor)   Loc1 (With Tor)
2P-HMAC         0.01            0.03            0.31
2P-CBC          0.20            0.35            0.36
PAO             0.76            1.68            4.31
SMTP Baseline   0.31            0.77            3.33

The median time (seconds) to complete the 2P-HMAC, 2P-CBC (without offline), PAO (without offline) and normal SMTP-TLS
• PAO test with Gmail, UW-Madison, and Cornell SMTP servers:
  o PAO (without offline): 1.01 s, 1.64 s, 1.53 s
  o Without PAO: 0.44 s, 0.94 s, 0.79 s
• Blind CA proof (136 ZKBoo proofs):
  o Size: 85M+
  o Generation: 2.9 s
  o Verification: 2.3 s

Session duration is not a good detector
The distribution of the SMTP durations is long-tailed (based on 8K+ SMTP-TLS sessions).
15% > 10 s!

Summary
• We design the first “blind” CA: a CA that can validate identities and issue certificates without learning the identity
  o SCI for TLS AES-CBC and AES-GCM (see paper)
• Participation privacy: does not disclose to any party the identities of users
• Please see our paper for more details (security proofs, security analysis, etc.)!
Thank you!