Sakurai Lab. Information Technology & Security Lab.

Practical Revisits for Implementing the Distributing Security-Mediated PKI
(Ongoing work)

Jong-Phil ([email protected])
Sakurai Laboratory, Kyushu University
Certificate Revocation in PKI

X.509 certificate in Public Key Infrastructure (PKI)
- A signed binding of a public key to certain properties (e.g., a user's identity)
- When the binding ceases to hold, the certificate needs to be revoked

Certificate revocation techniques
- Methods for propagating revocation information to relying parties
- Schemes: Certificate Revocation Lists (CRLs); Online Certificate Status Protocol (OCSP); variants of CRLs (Delta CRLs, Indirect CRLs); Certificate Revocation Tree (CRT); Certificate Revocation System (CRS)
Semi-Trusted Mediator (SEM)

Basic idea: Boneh et al. [1]

[Figure: Alice asks the SEM "Please help me sign message M"; the SEM returns its partial signature, which Alice combines with her own into the signature sent to Bob; the CA has provisioned both halves of the key. Without the SEM's partial signature no signature can be completed, which gives immediate revocation of users' signing ability.]
Mediated RSA (mRSA)

Direct application of 2-out-of-2 threshold RSA.

RSA key generation: $N = pq$; choose $e$ with $\gcd(e, \phi(N)) = 1$; $d \equiv e^{-1} \pmod{\phi(N)}$, i.e. $ed \equiv 1 \pmod{\phi(N)}$.
RSA signing / verification: $S = M^d \bmod N$; verify $S^e \stackrel{?}{=} M \pmod N$.

Let $(N, e)$ be a user's public key and $d$ the private key. The CA splits $d$ as
$d = d_{user} + d_{sem} \pmod{\phi(N)}$.
The user has $(N, d_{user})$; the SEM has $(N, d_{sem})$.

Signing:
- User's partial signature: $PS_{user} = M^{d_{user}} \bmod N$
- SEM's partial signature: $PS_{sem} = M^{d_{sem}} \bmod N$
- RSA signature: $S = PS_{user} \cdot PS_{sem} \bmod N$
Distributing Security-Mediated PKI

Disadvantages of SEM (G. Vanrenen et al. [5]):
- Temporary denial of service, if the network is partitioned.
- Permanent denial of service, if the SEM suffers a serious failure.
- Inability to revoke the key pair, if an adversary compromises the SEM and learns its secrets.

Distributed SEM (DSEM):
- Consists of trustworthy islands in a P2P network.
- Each island may still be compromised by the adversary.
- Each island may also become unavailable, due to crash or partition.
- Building blocks: threshold cryptography, proactive secret sharing, migration.
RSA or DL based threshold signatures

[Figure: response time to generate a signature, (5,3) threshold; series compared: mRSA, DL based two-party signature, RSA based threshold signature, DL based threshold signature.]

R. Gennaro, S. Jarecki, and H. Krawczyk, Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems, RSA Security '03 (2003).
T. Rabin, Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology, CRYPTO '98, LNCS 1462 (1998).
RSA or DL based threshold signatures

[Figure: message traffic for a 1024-bit key size; series compared: RSA based threshold signature, DL based threshold signature.]

DKG (Distributed Key Generation): used to verifiably distribute shares of the one-time secret parameter.
RSA or DL based threshold signatures: which factor is the more important one, communication cost or computation cost?

- Example: application to large-scale MANETs. DL-based threshold signatures are not suitable; for small-scale MANETs they are suitable.
- Application to a distributed system with high computing power: RSA-based threshold signatures are suitable.
- In the near-future model (using threshold computation): rapid progress of computing power in mobile devices, and redundancy of resources.
- Computation cost > Communication cost
DSEM – Key Setup

[Figure: the CA generates the mRSA key and gives $d_{user}$ to the user and $d_{sem}$ to the user's island SEM server in the Distributed SEM network; the island distributes shares of $d_{sem}$ to $k$ random islands with a $(k,t)$-secret sharing that is proactively updated.]
DSEM – Migration

If a user issues a request but the island holding $d_{sem}$ is not available, the user selects another island and requests migration.

[Figure: island L, which held $d_{sem}$, is down; the user (holding $d_{user}$) contacts island M; from the $k$ random islands holding the shares of $d_{sem}$, M reconstructs $d_{sem}$, after which the shares are updated.]

M must know $\phi(N)$ to interpolate the polynomial used in the secret sharing.
Notable Problems – Question 1

How can we make $k$ islands perform a proactive secret sharing efficiently?
- After key setup, the $k$ islands periodically participate in a proactive secret sharing for $d_{sem}$, as in [3][4][7][8].
- The schemes in [7][8]: based on the discrete logarithm.
- The scheme in [4]: uses $\lambda(N) = \mathrm{lcm}(p-1, q-1)$ instead of $\phi(N)$.
- The scheme in [3]: low performance, caused by performing subsharings as many times as $k$.
Notable Problems – Question 2

Is DSEM always performed as efficiently as SEM? Consider the case in which the scheme in [4] or [15] is used.

[Figure: $d_{sem}$ is split by a $(k,k)$-additive secret sharing, e.g. island A holds $d_{sem,A} = x + y + z$, and each of $x$, $y$, $z$ is in turn protected by a $(k,t)$-polynomial secret sharing. When island A's share is corrupted, Alice's new island M must first reconstruct the subshares $x$, $y$, $z$ (e.g. with island B) and only then $d_{sem}$ itself.]

DSEM cannot provide signing or decrypting before finishing the complex migration caused by reconstructing the corrupted share.
Notable Problems – Question 3

Is the execution of the proactive secret sharing meaningful?
- Since a long-term secret $d_{sem}$ is stored in L, the target of adversaries is not one of the $k$ islands but L.
- When the long-term secret $d_{sem}$ is kept in the networking island and the proactive secret sharing does not change it, the proactive secret sharing cannot contribute to the security of $d_{sem}$.
Notable Problems – Question 4

How many peers are necessary to provide threshold protection in DSEM?
- Synchronous communication: allow at most $t-1$ servers to be compromised and need at least $t$ servers to be correct; hence $k \ge 2t - 1$.
- P2P network: correct peers in a P2P network are not always connected to the network.
Requirements for modified DSEM

1. To reduce the overhead caused by subsharing, the system must perform a proactive secret sharing without subsharing.
2. DSEM must perform signing or decrypting immediately. That is, the cryptographic service must be independent of migration.
3. Only if all of $d_{user}$, $d_{sem}$ and the $k$ shares are periodically renewed at the same time can the execution of the proactive secret sharing be made meaningful in DSEM.
4. Let the maximum number of correct peers that are not currently connected to the network be bounded. We precisely define the number of servers as $k$ in terms of $t$ and that bound, with $k \ge 2t - 1$. So, $(k,t)$-secret sharing.
Cryptographic Tools

- N-mRSA: removes the insecurity of releasing the modulus of the exponent arithmetic, $\phi(N)$.
- Combinatorial Secret Sharing: removes the execution of subsharing; no need to compute a polynomial; replication.
- Server-Assisted Threshold Signature: for immediate cryptographic services.
N-mRSA

Key setup (by CA): splits the private exponent into two halves as follows:
$d = d_u + d_s \pmod N$.
Transmits $d_u$ securely to the user and $d_s$ to the server.

Signing:
- User: $PS_u = m^{d_u} \bmod N$
- Server: $PS_s = m^{d_s} \bmod N$
- Candidate signature: $CS = PS_u \cdot PS_s = m^{d_u + d_s} = m^{d + tN} \bmod N$, where $0 \le t < 2$ (2-bounded coalition)
- RSA signature: recovered from $CS$ by the offsetting algorithm in [6]
(k,t)-Combinatorial Secret Sharing [9]

- Create $l = \binom{k}{t-1}$ different sets of servers $P_1, \ldots, P_l$ (each of $t-1$ servers).
- Create a sharing $\{x_1, \ldots, x_l\}$ for $x$ using $(l,l)$-additive secret sharing.
- For any server $p$, the share set $S_p$ equals $\{x_i \mid 1 \le i \le l,\ p \notin P_i\}$.
- For any set $P$ of servers, where $|P| = t$: $\bigcup_{p \in P} S_p = \{x_1, x_2, \ldots, x_l\}$.
- For any set $P$ of servers, where $|P| = t-1$: $\bigcup_{p \in P} S_p \ne \{x_1, x_2, \ldots, x_l\}$.

Notation: $CSS(k, t, x)$.
Server-Assisted Threshold Signature

S. Xu et al. [14]: a formal method to construct server-assisted threshold signature schemes; a hybrid of a threshold signature and a two-party signature.

A practical instance: a hybrid of N-mRSA and the threshold RSA in [6].
(k,t)-Server-Assisted Threshold Signature

Key setup (by CA):
- Splits the private exponent in the same way as N-mRSA: $d = d_u + d_s \pmod N$.
- $CSS(k, t, d_s)$ generates $k$ share sets.
- Transmits $d_u$ to the user, and each share set to the corresponding server, respectively.

Signing:
- User: $PS_u = m^{d_u} \bmod N$
- At least $t$ servers: each participating server $s$ computes $PS_s = m^{\sum x_i} \bmod N$ over the shares $x_i$ it contributes, arranged so that each of $x_1, \ldots, x_l$ is used exactly once; then $\sum_s \sum x_i = d_s + t'N$ with $0 \le t' \le l-1$.
- Candidate signature: $CS = PS_u \cdot \prod_s PS_s = m^{d_u + d_s + t'N} = m^{d + tN} \bmod N$, where $0 \le t < l+1$ ($(l+1)$-bounded coalition)
- RSA signature: recovered from $CS$ by the offsetting algorithm in [6]
Architecture of our modified DSEM

Key setup:
- Peer group (PG): consists of trustworthy peers. Each peer (Gpeer) has share sets for users' $d_s$.

[Figure: the CA gives $d_u$ to the user and $d_s$ to the user's HSEM in the Distributed SEM network; $CSS(k, t, d_s)$ produces $k$ share sets of $d_s$, one per Gpeer in the peer group for threshold protection.]
Modified DSEM

Example: $(4,3)$-combinatorial secret sharing, $l = \binom{4}{2} = 6$, $d_s = d_1 + \cdots + d_6 \pmod N$.

[Figure: the four Gpeers of the peer group hold the share sets $\{d_4, d_5, d_6\}$, $\{d_2, d_3, d_6\}$, $\{d_1, d_3, d_5\}$, $\{d_1, d_2, d_4\}$; the HSEM holds $d_s$; the user holds $d_u$. User and HSEM sign by N-mRSA; user and peer group sign by the server-assisted threshold signature; HSEM and peer group run periodic renewal and recovery; the peer group recovers the HSEM.]
Modified DSEM – Periodic Renewal

(The verifiable step is omitted.)

- A renewal value $\Delta \in [-N, N]$ is shared among the peer group by $CSS(4, 3, \Delta)$, giving $\delta_1, \ldots, \delta_6$ with $\Delta = \delta_1 + \cdots + \delta_6 \pmod N$.
- Each Gpeer updates its share set: $\{d_4, d_5, d_6\}$ becomes $\{d_4 + \delta_4, d_5 + \delta_5, d_6 + \delta_6\}$, and likewise for $\{d_2, d_3, d_6\}$, $\{d_1, d_3, d_5\}$, $\{d_1, d_2, d_4\}$.
- User: $d_u^{new} = d_u - \Delta \bmod N$.
- HSEM: $d_s^{new} = d_s + \Delta \bmod N$.
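The following is an added worked example, not code from the slides or from the Sakurai Lab: it runs the N-mRSA split with the offsetting algorithm, the (k,t)-combinatorial secret sharing of the SEM half, the server-assisted threshold signature, and one periodic renewal, using the (4,3) example of the slides. It also runs the classic mRSA split (mod $\phi(N)$) for contrast. Assumptions of the example: the RSA key is a constructed toy value (two Mersenne primes, $e = 65537$); user, HSEM and Gpeers are simulated as function calls in one process; the seed of the random generator is fixed; and the rule for deciding which of the $t$ servers exponentiates a share that several of them hold (the first available server in list order) is a choice of this example, not something the slides specify.

```python
# Added example (not the authors' code).  Toy parameters: N is the product of
# two Mersenne primes, user/HSEM/Gpeers are simulated in one process.
import random
from itertools import combinations

P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent: e*d = 1 (mod phi(N)); Python 3.8+
rng = random.Random(2005)        # fixed seed so the run is reproducible

def rsa_verify(s, m):
    return pow(s, E, N) == m

def split_exponent(d, modulus):
    """d_u + d_s = d (mod modulus).  modulus=PHI: classic mRSA.
    modulus=N: N-mRSA, so phi(N) never leaves the CA."""
    d_s = rng.randrange(modulus)
    return (d - d_s) % modulus, d_s

def mrsa_sign(m, d_u, d_s):
    """Classic mRSA: halves add up mod phi(N), the product is the signature."""
    return pow(m, d_u, N) * pow(m, d_s, N) % N

def offset(cs, m, bound):
    """b-bounded offsetting of [6]: cs = m^(d + tN), 0 <= t < bound.
    Divide out m^N until RSA verification holds; None if no t works."""
    inv_mN = pow(pow(m, N, N), -1, N)
    s = cs
    for _ in range(bound):
        if rsa_verify(s, m):
            return s
        s = s * inv_mN % N
    return None

def n_mrsa_sign(m, d_u, d_s):
    """N-mRSA: d_u + d_s = d + tN with t in {0,1}, a 2-bounded coalition."""
    return offset(pow(m, d_u, N) * pow(m, d_s, N) % N, m, 2)

def css(k, t, x):
    """(k,t)-combinatorial secret sharing of x mod N: l = C(k,t-1) subsets
    P_i of t-1 servers, additive shares x = x_1+...+x_l, and server p gets
    every x_i with p not in P_i.  Returns (share sets as index->share, l)."""
    subsets = list(combinations(range(k), t - 1))
    l = len(subsets)
    shares = [rng.randrange(N) for _ in range(l - 1)]
    shares.append((x - sum(shares)) % N)
    sets = [{i: shares[i] for i in range(l) if p not in subsets[i]} for p in range(k)]
    return sets, l

def server_assisted_sign(m, d_u, share_sets, available, l):
    """Gpeers in `available` stand in for the HSEM half.  Each share index is
    exponentiated by exactly one server (assumption: the first one holding
    it), so the product is m^(d + tN), 0 <= t < l+1.  None if the available
    servers do not cover all l shares, i.e. fewer than t are up."""
    owner = {}
    for p in available:
        for i in share_sets[p]:
            owner.setdefault(i, p)
    if len(owner) < l:
        return None
    cs = pow(m, d_u, N)
    for p in available:
        exp = sum(share_sets[p][i] for i, q in owner.items() if q == p)
        cs = cs * pow(m, exp, N) % N
    return offset(cs, m, l + 1)

def renew(d_u, d_s, share_sets, k, t):
    """Periodic renewal (verifiable step omitted, as on the slide): a fresh
    delta moves from the user half to the SEM half, and every Gpeer adds a
    CSS sharing of that same delta to its share set; d is unchanged."""
    delta = rng.randrange(N)
    delta_sets, _ = css(k, t, delta)
    new_sets = [{i: (v + delta_sets[p][i]) % N for i, v in share_sets[p].items()}
                for p in range(k)]
    return (d_u - delta) % N, (d_s + delta) % N, new_sets

def demo(k=4, t=3, m=0xC0FFEE):
    """The (4,3) example of the slides; returns the signatures obtained."""
    du_phi, ds_phi = split_exponent(D, PHI)          # classic mRSA split
    d_u, d_s = split_exponent(D, N)                  # N-mRSA split
    share_sets, l = css(k, t, d_s)                   # HSEM half onto the peer group
    d_u2, d_s2, sets2 = renew(d_u, d_s, share_sets, k, t)
    return {
        "mrsa": mrsa_sign(m, du_phi, ds_phi),
        "n_mrsa": n_mrsa_sign(m, d_u, d_s),
        "peers_t": server_assisted_sign(m, d_u, share_sets, [0, 2, 3], l),
        "peers_t_minus_1": server_assisted_sign(m, d_u, share_sets, [0, 1], l),
        "after_renewal": server_assisted_sign(m, d_u2, sets2, [1, 2, 3], l),
        "stale_mix": server_assisted_sign(m, d_u2, share_sets, [1, 2, 3], l),
    }
```

Every successful entry of `demo()` equals the plain RSA signature $m^d \bmod N$; `peers_t_minus_1` is `None` because two of four Gpeers never cover all six shares, and `stale_mix` is `None` because a renewed user half cannot be combined with the peers' old shares, which is exactly why Requirement 3 demands that $d_u$, $d_s$ and the shares be renewed together.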
Desirable Features

- Removal of the insecurity of releasing $\phi(N)$.
- Efficient and timely signing or decrypting; strong against denial of service attacks.
  - In DSEM, the user cannot perform signing or decrypting until MIGRATION has finished.
  - In our modified DSEM, the user can still perform signing or decrypting via the Server-Assisted Threshold signature, although the performance is lower than N-mRSA. The cryptographic operation is independent of periodic renewal or recovery.
Desirable Features (continued)

- Meaningful proactive secret sharing: our modified DSEM can appropriately renew a user half, the corresponding half of the SEM, and the shares for the half of the SEM.
- Simplified renewal and recovery: subsharing is unnecessary.
Considerations

Attack on threshold RSA [6] by S. Jarecki et al. [13]
- The threshold RSA in [6] is a basis of the cryptographic tools in our modified DSEM.
- Since the proactive scheme in our modified DSEM does not depend on subsharing, the adversary of [13] cannot succeed in learning the private exponent. The adversary can learn at most $\lg k$ MSBs of the private exponent.
Considerations

The scheme by S. Koga et al. [12]
- A solution to prevent DoS attacks by picking out malicious requests through a one-time ID.
- The scheme in [12] does not consider the possibility of the corruption of the SEM, so it does not present a solution for recovering a compromised SEM.
- S. Koga et al.'s scheme can be used to support authentication of users' requests in our modified DSEM.
Conclusion and Future Work

- Reviewed G. Vanrenen et al.'s DSEM, and discussed four questions.
- Derived four requirements to design our modified DSEM.
- Designed a new model for a Distributed Security-Mediator that inherits the advantages of the original SEM and provides the desirable features above.
- Future work: comparison with the original DSEM (amount of speedup, amount of communication cost).

Thank you for your attention. Useful comments?
References

1. Boneh, D., Ding, X., Tsudik, G., Wong, C.M., A method for fast revocation of public key certificates and security capabilities, 10th USENIX Security Symposium, pp. 297-308 (2001).
2. C. Adams and S. Lloyd, Understanding public-key infrastructure: concepts, standards, and deployment considerations, Indianapolis: Macmillan Technical Publishing (1999).
3. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Optimal resilience proactive public key cryptosystems, IEEE Symposium on Foundations of Computer Science, pp. 440-454 (1997).
4. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Proactive RSA, Advances in Cryptology, CRYPTO '97, LNCS 1297, pp. 440-454 (1997).
5. G. Vanrenen, S.W. Smith, Distributing Security-Mediated PKI, 1st European PKI Workshop: Research and Applications, LNCS 3093, pp. 213-231 (2004).
6. Haiyun Luo, Songwu Lu, Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks, UCLA Computer Science Technical Report 200030, Oct. 2000.
7. Herzberg, A., Jakobsson, M., Jarecki, S., Krawczyk, H., Yung, M., Proactive public key and signature systems, ACM Conference on Computer and Communications Security, pp. 100-110 (1997).
8. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M., Proactive secret sharing or: How to cope with perpetual leakage, Advances in Cryptology, CRYPTO '95, LNCS 963, pp. 339-352 (1995).
9. Lidong Zhou, Towards Fault-Tolerant and Secure On-line Services, PhD Dissertation, Department of Computer Science, Cornell University, Ithaca, NY, USA, April 2001.
10. M. Naor and K. Nissim, Certificate revocation and certificate update, Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, pp. 217-228 (1998).
11. P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proc. of 28th FOCS (1987).
12. S. Koga, K. Imamoto, and K. Sakurai, Enhancing Security of Security-Mediated PKI by One-time ID, 4th Annual PKI R&D Workshop, NIST, USA, April 19-21, 2005.
13. S. Jarecki, N. Saxena, and J.H. Yi, An Attack on the Proactive RSA Signature Scheme in the URSA Ad-Hoc Network Access Control Protocol, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp. 1-9 (2004).
14. S. Xu, R. Sandhu, Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures, CT-RSA (2003).
15. Tal Rabin, A Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology, CRYPTO '98, LNCS 1462, pp. 89-104 (1998).