Cinderella: Turning Shabby X.509 ... - paper.seebug.org Conf/37th... · Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials Antoine Delignat-Lavaud Cédric

Cinderella:TurningShabbyX.509CertificatesintoElegant

AnonymousCredentials

AntoineDelignat-LavaudCédricFournet,MarkulfKohlweiss,

BryanParnoX.509 V.C.

withtheMagicofVerifiableComputation

TheX.509PublicKeyInfrastructure(1988)

EndpointcertificateIntermediateCertificateAuthoritycertificate

RootCertificationAuthoritycertificate

Chain

X.509Authentication

certificatevalidationprogram

authorizedroot

certificates(data)

certificates+privatekeys

OCSP,CertificateTransparency,Perspectives…

(1-3KB/certificate)

CertificateAuthority

X.509Problem:ApplicationHeterogeneity

(1-3KB/certificate)


authorizedroot

certificates(data)



• TLS• S/MIME• 802.1X(Wi-Fi)• Codesigning• Documentsigning• …

BasicValidation

CorrectASN.1encoding(injectiveparsing)

Correctsignaturesfromonecertificatetothenext

Validbasicconstraints

Validkeyusages

Acceptablealgorithmsandkeysizes

TLSvalidation

notBefore <now()<notAfter ?

Domain==SubjectCN?DomaininSubjectAlternativeNames?Matchesawildcardname?DomaincompatiblewithNameConstraints?

EndpointEKUincludesTLSclient/server?ChainallowsTLSEKU?

Notrevokednow

S/MIMEvalidation

notBefore <emaildate<notAfter ?

SubjectemailAddress orAlternativeNamesincludesenderemail?

EndpointEKUincludesS/MIME?ChainallowsS/MIMEEKU?

Notrevokedwhenmailwassent

Cryptofailures RecentPKIFailures

2006200720082009201020112012 201320142015

HashClash rogueCA(MD5collision)Stevensetal.

FlamemalewareNSA/GCHQattack

againstWindowsCABleichenbacher’se=3attackon

PKCS#1signatures

512bitKoreanSchoolCAs

TÜRKTRUST

BERSerk

DigiNotar hack

EKU-unrestrictedVeriSigncertificates

ANSSIComodo hack TrustwaveVeriSign

NetDiscovery

Debian OpenSSLentropybug

Basicconstraintsnotproperlyenforced(recurring&catastrophicbug)

OpenSSLnullprefix

TheSHAppening

DROWNKeyUsage

Nameconstraintsfailures

VeriSignhack

OpenSSLCVE-2015-1793

GnuTLS X509v1

Formatting&semantics

CAfailures

Superfish

IndiaNICStartCom hack

ChinaNNIC

X.509Problem:Privacy

(1-3KB/certificate)


authorizedroot

certificates(data)



NetworkObserver

NetworkObserverLearnsall

certificatecontents

MonitorRequests

Cinderella:MainIdea

evaluationkeyverificationkey

certificates+privatekeys Otherevidence

(OCSP,CT)

certificatevalidationpolicy(Ccode)

authorizedroot

certificates(data)

Geppettocompiler

Proof(288B)Proof

(288B)

ComputationOutsourcingwithPinocchio

SetupPhase

RuntimePhase

CprogramF(priv,pub)

publicverifierinputsprivateprover inputs

+X

XC

D

ArithmeticCircuit

VerificationKeyVk

EvaluationKeyEk

SuccinctProof

Query(pub)

Check(Proof,Vk) F(priv,pub)

Complexprogramscompiletoverylargearithmeticcircuits

[GGP,CRYPTO’10];[GGPR,EUROCRYPT’13];[PGHR;S&P’13];[CFHKKNBZ;S&P’15]

Ek

Proof

Cinderella:Contributions

• Acompilerfromhigh-levelvalidationpolicytemplatestoPinocchio-optimizedcertificatevalidators• Pinocchio-optimizedlibrariesforhashingandRSA-PKCS#1signaturevalidation• SeveralTLSvalidationpoliciesbasedonconcretetemplatesandadditionalevidence(OCSP),testedonrealcertificates• Ane-VotingvalidationpolicybasedonHelioswithEstonianIDcard

BenefitsandCaveats

• CompatiblewithexistingPKI andcertificates(practicality)• Ensuresuniformapplicationofthevalidationpolicybut,allowsflexibleissuancepolicies• Completecontroloverdisclosureofcertificatecontents(anonymity)• Lessexposureoflong-termprivatekeythroughweakalgorithms

• Computationallyexpensive• Initialagreementonthevalidationpolicy• Relianceonsecurityofverifiedcomputationsystem(newexoticcryptoassumption,newtrustedkeygeneration)• Doesnotsolvekeymanagement(onemorelayertomanage)

Cinderella:Soundness

verificationkey


Otherevidence(OCSP,CT)


authorizedroot

certificates(data)

Geppettocompiler

Proof(288B)

Publicinputs


Publicinputs

CompilingCertificateTemplatesseq {seq {#Versiontag<0>:const<2L>;#SerialNumbervar<int,serial,10,20>;#SignatureAlgorithmseq {const<O1.2.840.113549.1.1.5>;const<null>;};

#Issuerseq {set{seq {const<O2.5.4.10>;

const<printable:"AlphaSSL">;};};set{seq {const<O2.5.4.3>;const<printable:"AlphaSSL CA-G2">;};};};

#ValidityPeriodseq {var<date,notbefore,13,13>;var<date,notafter,13,13>;};

#Subjectseq {varlist<subject,2,4>:set{seq {var<oid,subjectoid,3,10>;var<x500,subjectval,2,31>;};};};

[…] Template

UntrustedNativeParserParsecertificate

GenerateProver Inputs

C/QAPverifierConcatenatecompile-timeconstantsandrun-timevars

ComputerunninghashTemplateVerifiercompiler

Variables

Constants

Variablelists

Private inputs

Cverifierprogram

ProducedVerifier(Fragment)

if(in_subject.v[0]>2){append(&buffer,in_subjectval[2].tag);append(&buffer,0+LEN(in_subjectval[2]));for(i=0;i<31;i++)if(i<LEN(in_subjectval[2]))append(&buffer,in_subjectval[2].v[i]);

}

if(buffer.cur >=85)reduce(&buffer,&hash);

Hashingbuffer=2*hashfunctionblocksize

CurrentHash

Append(byte)Add given bytetothehashing buffer

Reduce()compress oneblockofbuffer,updatecurrent hash

Variablelist

Variable

Constants

Compression

Output=hashofASN.1formattedcertificatecontents

VerifyingPKCS#1RSASignaturesS^emodN=1ffffffffff[…]ffffffkkkkk[…]kkkkkkXXXXXXXXXXXXXXXXXXXXX

Hash(computedbefore)

S 120bits 120bits 120bits

S^2 240+bits 240+bits 240+bits 240+bits 240+bits

…

…

S² =Q*N+R

Q*N 240+bits 240+bits 240+bits 240+bits 240+bits …

R 120bits 120bits 120bits …

S<- R

S^e=S(((S^2)^2)…

PrivateinputsQandR->

Assumefixede=65537=2^16+1

Verifytheproverhintsarevalid

Application:TLSClient(withOfflineSigning)

KeyExchangesignedwithEk

PseudoEk

Proof

NochangetoTLS!

ClientCert

Ck,fields

PseudoEk

F(fields)

Geppettocompiler

evaluationkey verificationkey

Proof

PseudoEk

Proof

Offline

SingleTemplateEvaluation(WithSignature)

0.001

0.01

0.1

1

10

100

1000

EstonianEID S/MIME TLSserver OCSP TLSPseudonym

Seconds

Keygentime Prooftime Verifytime

Applicationevaluation

0.001

0.01

0.1

1

10

100

1000

TLS(2intermediates+OCSP)

TLS(1intermediate+OCSP)

TLS(nointermediate,OCSP)

Helios(OCSP)

Seconds

Keygentime Prooftime Verifytime

Conclusions

• Oneofthefirstpracticalapplicationofverifiablecomputing

• WeenhancetheprivacyandintegrityofX.509authentication

• NochangetothePKIortoapplicationprotocols

• WorkingprototypeforTLSandHelios

TheInternetPKI

WithM.Abadi,A.Birrell,I.Mironov,T.WobberandY.Xie (NDSS’14)

CorePinocchioprotocol

𝐾𝑒𝑦𝐺𝑒𝑛(𝑅) 𝐸𝐾, 𝑉𝐾GeneratetheMultiQAP for𝑅Pickrandom𝑠Compute𝐸𝐾 = {𝐸𝐾0}, {𝑔3

4}

𝐸𝐾5 = 𝑔67 3 , 𝑔87 3 , 𝑔97 3

𝑔:;,<67 3 , 𝑔:;,=87 3 , 𝑔:;,>97 3?∈A;

Compute𝑉𝐾 = (𝑔B 3 = 𝑔∏ 3DE�4 )

𝐶𝑜𝑚𝑚𝑖𝑡(𝐸𝐾0, 𝑢0, 𝑜0)Generatethecommitment:𝑣 0 𝑠 = ∑ 𝑢?𝑣? 𝑠�

?∈A; + 𝑜0,8𝑑 𝑠 ,similarlyfor𝑤 and𝑦𝐶0 = (𝑔6 0 , 𝑔8 0 , 𝑔9 0 , 𝑔:;,<6 0 , 𝑔:;,=8 0 , 𝑔:;,>9 0 ).𝑣 𝑠 = ∏𝑣(0) andsimilarlyfor𝑤 and𝑦

𝐶0

𝑉𝑒𝑟𝑖𝑓𝑦(𝑉𝐾0, 𝐶0)𝑒 𝑔6 0 , 𝑔0

:;,< = 𝑒(𝑔:;,<6 0 , 𝑔)andsimilarlyfor𝑤 and𝑦

𝑃𝑟𝑜𝑣𝑒(𝐸𝐾, 𝒖, 𝒐)Findℎ(𝑥) s.t. ℎ 𝑥 ∗ 𝑑 𝑥 = 𝑣 𝑥 ∗ 𝑤 𝑥 − 𝑦(𝑥)

Compute𝑔[(3) = ∏ 𝑔34[4

Proofis(𝑔6 3 , 𝑔8 3 , 𝑔9 3 𝑔[(3))

𝜋

𝑉𝑒𝑟𝑖𝑓𝑦(𝑉𝐾, 𝑪, 𝜋) {Yes,No}^ _< ` ,_= `

^ _> ` ,_=? 𝑒(𝑔[ 3 , 𝑔B(3)) 𝑒(b,b) isapairing:

𝑒 𝑔𝑝, 𝑔𝑞 = 𝑒(𝑔, 𝑔)𝑝𝑞

Workaround:Tunneling

ServerCertificate

DHKeyExchange

Serverauthenticatedchannel

ClientAuthentication

Compoundauthentication

Iseeallcertificatefields

Performanceoverheadoftunneling

• TLSRenegotiation• TLS1.3HandshakeEncryption• Serverstillseesallcontents• Notalwayspossible(S/MIME,codeanddocumentsigning)


UsabilityandPrivacyofPKIAuthentication

ServerCertificate

DHKeyExchange


Channel-boundClientAuthentication

CurrentPrivacyApproach

Authenticationbindinge.g.ChannelIDorRenego Extension

AnonymousClientCertificate CB=sign(tls-unique,cliSk(channel))<user,HMAC(password,CB)>

• UserUnfriendly• Complex• KeyCompromiseImpersonationattacks

TheInternetPKI

PublicKey

PublicKey

PublicKey

Algorithm+Parameters

Signaturevalue


Signaturevalue


Signaturevalue

Issuer

Subject

Subject

Subject

Issuer

Issuer

Signed by

Matches

Deployment:X.509SignatureScheme

CAPublicKey

PublicKey

PublicKey


Signaturevalue


Signaturevalue

Proof

RootCA

IntermediateCA

CN=Peggy,Age=29

IntermediateCA

PseudonymCertificate

Extension:Vk

Peggy’scertC

OCSPcertificateofNon-revocation

Pseudonymcreation

Ek

ASN.1

Binaryencodingstandard

Ancient(1984)

<Tag,Length,Value>

Distinguishedrules(DER):uniqueserialization

CheckingRSASignatures

Assumefixede=65537=2^16+1