Practical Revisits for implementing the Distributing Security-Mediated PKI (Ongoing work)

Jong-Phil Yang ([email protected])
Sakurai Laboratory, Information Technology & Security Lab., Kyushu University

Certificate Revocation in PKI

X.509 certificate in Public Key Infrastructure (PKI)
- A signed binding of a public key to certain properties (e.g., a user's identity)
- When the binding ceases to hold, the certificate needs to be revoked

Certificate revocation techniques
- Methods for propagating revocation information to relying parties
- Schemes: Certificate Revocation Lists (CRLs); Online Certificate Status Protocol (OCSP); variants of CRLs (Delta CRLs, Indirect CRLs); Certificate Revocation Tree (CRT); Certificate Revocation System (CRS)

Semi-Trusted Mediator (SEM)

Basic idea: Boneh et al. [1]

Figure: Alice asks the SEM "Please help me sign message M"; the SEM returns a partial signature; Alice completes the signature, which Bob verifies as an ordinary RSA signature; the CA provisions both Alice and the SEM. Immediate revocation of users' signing ability: once a user is revoked, the SEM simply stops issuing partial signatures for that user.

Mediated RSA (mRSA)

Direct application of 2-out-of-2 threshold RSA.
- Let $(N, e)$ be a user's public key and $d$ the private key. The CA splits $d$ as $d = d_{user} + d_{sem} \pmod{\phi(N)}$.
- The user has $(N, d_{user})$; the SEM has $(N, d_{sem})$.

Signing
- User's partial signature: $PS_{user} = M^{d_{user}} \bmod N$
- SEM's partial signature: $PS_{sem} = M^{d_{sem}} \bmod N$
- RSA signature: $S = PS_{user} \cdot PS_{sem} \bmod N$

Reminder (side box on the slide)
- RSA key generation: $N = pq$, $\gcd(e, \phi(N)) = 1$, $ed \equiv 1 \pmod{\phi(N)}$
- RSA Sig./Ver.: $S = M^d \bmod N$; check $M \stackrel{?}{=} S^e \bmod N$
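The mRSA flow above as an added, runnable example (this is not code from the slides or from Boneh et al. [1]): the CA, who alone knows $\phi(N)$, splits $d$ additively modulo $\phi(N)$; the user and the SEM each raise the message representative to their half; the product is a plain RSA signature that any relying party verifies with $(N, e)$. Revocation is modelled by the SEM refusing to answer, after which the user's half alone cannot produce a valid signature. The primes, the message value and all identifiers are constructed for the demonstration.

```python
# Added example: toy mediated RSA (mRSA), 2-out-of-2 additive split of d mod phi(N).
# The primes are constructed demo values; real deployments use 2048-bit-plus moduli.
import secrets
from typing import Optional, Tuple

P, Q = 1000003, 1000033        # constructed toy primes (demo only)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)            # e*d = 1 (mod phi(N))


def ca_split(d: int, phi: int) -> Tuple[int, int]:
    """CA step: d = d_user + d_sem (mod phi(N)). Only the CA knows phi(N)."""
    d_user = secrets.randbelow(phi)
    d_sem = (d - d_user) % phi
    return d_user, d_sem


def partial_sign(m: int, d_part: int, n: int) -> int:
    """Partial signature over the (already hashed and padded) message representative m."""
    return pow(m, d_part, n)


def sem_partial_sign(m: int, d_sem: int, n: int, revoked: bool) -> Optional[int]:
    """SEM step: refuse the request if the CA has revoked the user, else return PS_sem."""
    if revoked:
        return None
    return partial_sign(m, d_sem, n)


def combine(ps_user: int, ps_sem: int, n: int) -> int:
    """S = PS_user * PS_sem mod N = m^(d_user + d_sem) = m^d mod N."""
    return (ps_user * ps_sem) % n


def verify(sig: int, m: int, e: int, n: int) -> bool:
    """Ordinary RSA verification: relying parties see nothing SEM-specific."""
    return pow(sig, e, n) == m % n


def mrsa_sign(m: int, d_user: int, d_sem: int, n: int, revoked: bool = False) -> Optional[int]:
    """Full flow: user partial, SEM partial (or refusal), combination."""
    ps_user = partial_sign(m, d_user, n)
    ps_sem = sem_partial_sign(m, d_sem, n, revoked)
    if ps_sem is None:
        return None                 # revoked: the signature cannot be completed
    return combine(ps_user, ps_sem, n)


if __name__ == "__main__":
    du, ds = ca_split(D, PHI)
    msg = 123456789                 # constructed message representative, < N
    s = mrsa_sign(msg, du, ds, N)
    print(verify(s, msg, E, N), s == pow(msg, D, N))
    print(mrsa_sign(msg, du, ds, N, revoked=True))
```

Note that the combination step never needs $\phi(N)$; only the CA's split does. That is exactly the quantity the later migration step would have to hand to an island.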

Distributing Security-Mediated PKI

Disadvantages of SEM: G. Vanrenen et al. [5]
- Temporary denial of service, if the network is partitioned.
- Permanent denial of service, if the SEM suffers a serious failure.
- Inability to revoke the key pair, if an adversary compromises the SEM and learns its secrets.

Distributed SEM (DSEM)
- Consists of trustworthy islands in a P2P network.
- Each island may still become compromised by the adversary.
- Each island may also become unavailable, due to crash or partition.

Building blocks (figure): threshold cryptography, proactive secret sharing, migration.

RSA or DL based threshold signatures

Figure: response time to generate a signature, (5,3) threshold. Series: mRSA; DL-based two-party signature; RSA-based threshold signature; DL-based threshold signature. (Measured values are not recoverable from the extracted slide.)

Schemes benchmarked:
- R. Gennaro, S. Jarecki, and H. Krawczyk, Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems, RSA Security '03 (2003).
- T. Rabin, Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology - CRYPTO '98, LNCS 1462 (1998).

RSA or DL based threshold signatures

Figure: message traffic, 1024-bit key size. Series: RSA-based threshold signature; DL-based threshold signature. (Measured values are not recoverable from the extracted slide.)

DKG (Distributed Key Generation): to verifiably distribute shares for a one-time secret parameter.

RSA or DL based threshold signatures: which is the more important factor?

- Communication cost
- Computation cost

For example, application to large-scale MANETs: DL-based threshold signatures are not suitable (for small-scale MANETs they are suitable).

Application to a distributed system with high computing power: RSA-based threshold signatures are suitable.

In the near-future model (using threshold computation), given the rapid progress of computing power in mobile devices and the redundancy of resources: computation cost > communication cost.

DSEM - Key Setup

Figure: the CA runs mRSA key setup and sends $d_{user}$ to the user and $d_{sem}$ to the user's island (SEM server). The island then distributes $d_{sem}$ with a $(k,t)$-secret sharing over $k$ random islands of the Distributed SEM network; the shares are proactively updated.

DSEM - Migration

If a user issues a request but the island holding $d_{sem}$ is not available, the user selects another island and requests migration.

Figure: Island L (holding $d_{user}$'s counterpart $d_{sem}$) is down; the user contacts island M; M collects shares of $d_{sem}$ from the $k$ random islands of the Distributed SEM network, reconstructs $d_{sem}$, and the shares are updated.

M must know $\phi(N)$ to interpolate the polynomial used in the secret sharing.
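Why handing $\phi(N)$ to island M is the problem the rest of the deck works around, as an added example (not from the slides or from Vanrenen et al. [5]): from $N$ and $\phi(N)$ alone, the factorisation of $N$ follows from a quadratic, and the full private exponent $d$ follows from the public exponent; the island would then have no need for the shares of $d_{sem}$ at all. The modulus below is a constructed toy value; the functions work for any two-prime modulus.

```python
# Added example: what an island that learns phi(N) can compute.
# N and phi below are constructed toy values (demo only).
from math import isqrt
from typing import Tuple

P, Q = 1000003, 1000033        # constructed toy primes (demo only)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537


def factor_from_phi(n: int, phi: int) -> Tuple[int, int]:
    """Recover p and q from N = p*q and phi(N) = (p-1)(q-1).
    p + q = N - phi + 1 and p*q = N, so p, q are the roots of x^2 - (N - phi + 1)x + N."""
    s = n - phi + 1                # p + q
    disc = s * s - 4 * n           # (p - q)^2
    if disc < 0:
        raise ValueError("phi is not phi(N) for a two-prime modulus N")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not phi(N) for a two-prime modulus N")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("inconsistent (N, phi) pair")
    return p, q


def full_private_exponent(e: int, phi: int) -> int:
    """With phi(N) in hand, the whole of d follows from the public exponent alone."""
    return pow(e, -1, phi)


if __name__ == "__main__":
    print(factor_from_phi(N, PHI))
    print(full_private_exponent(E, PHI) * E % PHI == 1)
```

Any party that must interpolate modulo $\phi(N)$ therefore holds a complete key-recovery oracle for the user, which is why N-mRSA later moves the split to arithmetic modulo $N$ itself.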

Notable Problems - Question 1

How can we make $k$ islands perform a proactive secret sharing efficiently?
- After key setup, the $k$ islands periodically participate in a proactive secret sharing for $d_{sem}$ as in [3][4][7][8].
- The schemes in [7][8]: based on the discrete logarithm.
- The scheme in [4]: uses $\lambda(N) = \mathrm{lcm}(p-1, q-1)$ instead of $\phi(N)$.
- The scheme in [3]: low performance caused by performing subsharings as many times as $k$.

Notable Problems - Question 2

Is DSEM always performed as efficiently as SEM? Consider the case where the scheme in [4] or [15] is used: a $(k,k)$-additive secret sharing, followed by a $(k,t)$-polynomial secret sharing of each share.

Figure: Island A holds the additive share $d_{sem,A}$, which is polynomially subshared as $x, y, z$ to other islands (Island B holds $x$). When a share is corrupted, the subshares must first be collected and the share reconstructed; only then can M reconstruct $d_{sem}$, while Alice waits.

DSEM cannot provide signing or decrypting before finishing the complex migration caused by reconstructing the corrupted share.

Notable Problems - Question 3

Is the execution of the proactive secret sharing meaningful?
- Since the long-term secret $d_{sem}$ is stored in L, the target of adversaries is not one of the $k$ islands but L.
- When the long-term secret $d_{sem}$ is kept in the networking island and the proactive secret sharing does not change it, the proactive secret sharing cannot contribute to the security of $d_{sem}$.

Notable Problems - Question 4

How many peers are necessary to serve a threshold protection in DSEM?
- Synchronous communication: allow at most $t-1$ servers to be compromised; need at least $t$ servers to be correct; hence $k \ge 2t - 1$.
- P2P network: correct peers in a P2P network are not always connected to the network.

Requirements for modified DSEM

- To reduce the overhead caused by subsharing, the system must perform a proactive secret sharing without subsharing.
- DSEM must perform signing or decrypting immediately. That is, the cryptographic service must be independent of migration.
- Only by renewing all of $d_{user}$, $d_{sem}$ and the $k$ shares periodically at the same time can we make the execution of the proactive secret sharing meaningful in DSEM.
- Take into account the maximum number of correct peers which are not currently connected to the network. We precisely define the number of servers as $k$, with $k \ge 2t - 1$ plus that allowance, and use a $(k,t)$-secret sharing.

Cryptographic Tools

- N-mRSA: removes the insecurity of releasing the modulus operator $\phi(N)$.
- Combinatorial Secret Sharing: removes the execution of subsharing; no need to compute a polynomial; replication.
- Server-Assisted Threshold Signature: for immediate cryptographic services.

N-mRSA

Key setup (by CA)
- Splits the private exponent into two halves as follows: $d = d_u^N + d_s^N \pmod N$
- Transmits $d_u^N$ securely to the user, $d_s^N$ to the server.

Signing
- User: $PS_u = m^{d_u^N} \bmod N$
- Server: $PS_s = m^{d_s^N} \bmod N$
- Candidate signature: $CS = PS_u \cdot PS_s = m^{d_u^N + d_s^N} = m^{d + tN} \bmod N$, where $0 \le t < 2$
- RSA signature: recovered from $CS$ by the offsetting algorithm in [6] (2-bounded coalition).

(k,t)-Combinatorial Secret Sharing [9]

- Create $l = \binom{k}{t-1}$ different sets of servers $P_1, \dots, P_l$, one for each $(t-1)$-subset of the $k$ servers.
- Create a sharing $\{x_1, \dots, x_l\}$ for $x$ using $(l,l)$-additive secret sharing.
- For any server $p$, its share set $S_p$ equals $\{x_i \mid 1 \le i \le l,\ p \notin P_i\}$.
- For any set $P$ of servers where $|P| \ge t$: $\bigcup_{p \in P} S_p = \{x_1, x_2, \dots, x_l\}$.
- For any set $P$ of servers where $|P| \le t-1$: $\bigcup_{p \in P} S_p \ne \{x_1, x_2, \dots, x_l\}$.
- Notation: $\mathrm{CSS}(k, t, x)$.

Server-Assisted Threshold Signature

S. Xu et al. [14]
- A formal method to construct server-assisted threshold signature schemes.
- Hybrid of a threshold signature and a two-party signature.

A practical instance: hybrid of N-mRSA and the threshold RSA in [6].

(k,t)-Server-Assisted Threshold Signature

Key setup (by CA)
- Splits the private exponent in the same way as N-mRSA: $d = d_u^N + d_s^N \pmod N$
- $\mathrm{CSS}(k, t, d_s^N)$ generates $k$ share sets
- Transmits $d_u^N$ to the user, and each share set to the corresponding server, respectively

Signing
- User: $PS_u = m^{d_u^N} \bmod N$
- At least $t$ servers: $PS_s = m^{d_s^N + t'N} \bmod N$, where $0 \le t' \le l-1$
- Candidate signature: $CS = PS_u \cdot PS_s = m^{d_u^N + d_s^N + t'N} = m^{d + tN} \bmod N$, where $0 \le t \le l$
- RSA signature: recovered from $CS$ by the offsetting algorithm in [6] ($(l+1)$-bounded coalition).
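The three tools of the last four slides (N-mRSA, $\mathrm{CSS}(k,t,x)$ and the $(k,t)$-server-assisted threshold signature) in one added, runnable example; this is not code from the slides, from Zhou [9], from Xu and Sandhu [14] or from Luo and Lu [6]. Each server exponentiates with every share it holds, the combiner multiplies exactly one partial per share index, and the exponent sum is $d + tN$ with $0 \le t \le l$. The offsetting step is realised here by dividing out $m^N$ at most $l$ times and checking each candidate against the public key; that concrete realisation is this example's reading of the algorithm in [6]. Primes, message value and identifiers are constructed.

```python
# Added example: N-mRSA split mod N, (k,t)-combinatorial secret sharing of the server half,
# and server-assisted threshold signing with a bounded-coalition offsetting step.
# Toy primes are constructed demo values. The offsetting realisation (divide out m^N up to
# l times, verify with the public key) is this example's reading of the algorithm in [6].
import secrets
from itertools import combinations
from typing import Dict, List, Optional, Tuple

P, Q = 1000003, 1000033        # constructed toy primes (demo only)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def nmrsa_split(d: int, n: int) -> Tuple[int, int]:
    """CA step of N-mRSA: d = d_u + d_s (mod N). Nobody needs phi(N) after this point."""
    d_u = secrets.randbelow(n)
    return d_u, (d - d_u) % n


def css(k: int, t: int, x: int, modulus: int) -> List[Dict[int, int]]:
    """(k,t)-combinatorial secret sharing: l = C(k, t-1) additive shares of x.
    Share i belongs to the i-th (t-1)-subset B_i; server p holds share i iff p not in B_i,
    so any t servers jointly hold every share and any t-1 servers miss exactly one."""
    subsets = list(combinations(range(k), t - 1))
    shares = [secrets.randbelow(modulus) for _ in range(len(subsets) - 1)]
    shares.append((x - sum(shares)) % modulus)
    return [{i: shares[i] for i, b in enumerate(subsets) if p not in b} for p in range(k)]


def server_partials(m: int, share_set: Dict[int, int], n: int) -> Dict[int, int]:
    """A server exponentiates with each share it holds; the shares never leave the server."""
    return {i: pow(m, x, n) for i, x in share_set.items()}


def combine_partials(parts: List[Dict[int, int]], l: int, n: int) -> Optional[int]:
    """Multiply one partial per share index; fail if an index is missing (fewer than t servers)."""
    seen: Dict[int, int] = {}
    for part in parts:
        seen.update(part)          # the same share from two servers collapses to one factor
    if len(seen) != l:
        return None
    ps = 1
    for v in seen.values():
        ps = ps * v % n
    return ps


def offset(cs: int, m: int, e: int, n: int, bound: int) -> Optional[Tuple[int, int]]:
    """cs = m^(d + t*N) mod N for some 0 <= t <= bound. Divide out m^N until the candidate
    verifies under (e, N); the number of divisions is the offset t."""
    y_inv = pow(pow(m, n, n), -1, n)    # (m^N)^-1 mod N; needs gcd(m, N) = 1
    cand = cs
    for t in range(bound + 1):
        if pow(cand, e, n) == m % n:
            return cand, t
        cand = cand * y_inv % n
    return None


def sats_sign(m: int, d_u: int, share_sets: List[Dict[int, int]], members: List[int],
              e: int, n: int) -> Optional[Tuple[int, int]]:
    """(k,t)-server-assisted threshold signature: user half plus any t of the k servers.
    Exponent sum is d + t*N with 0 <= t <= l, hence an (l+1)-bounded coalition."""
    l = len({i for s in share_sets for i in s})
    ps_u = pow(m, d_u, n)
    ps_s = combine_partials([server_partials(m, share_sets[p], n) for p in members], l, n)
    if ps_s is None:
        return None
    return offset(ps_u * ps_s % n, m, e, n, bound=l)


if __name__ == "__main__":
    d_u, d_s = nmrsa_split(D, N)
    sets = css(4, 3, d_s, N)                      # the slides' (4,3) instance, l = 6
    msg = 123456789                               # constructed message representative
    print(sats_sign(msg, d_u, sets, [0, 2, 3], E, N)[0] == pow(msg, D, N))
    print(sats_sign(msg, d_u, sets, [0, 1], E, N))
```

With $k = t = 1$ the same code degenerates to N-mRSA (one share, bound 1, the slide's 2-bounded coalition). The cost of avoiding $\phi(N)$ is the loop in `offset`: up to $l + 1$ verifications instead of one.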

Architecture of our modified DSEM

Key Setup (figure): the CA sends $d_u^N$ to the user and $d_s^N$ to the HSEM; $\mathrm{CSS}(k, t, d_s^N)$ produces $k$ share sets, one per Gpeer of the peer group for threshold protection, all inside the Distributed SEM network.

Peer group (PG)
- Consists of trustworthy peers.
- Each peer (Gpeer) has share sets for users' $d_s^N$.

Modified DSEM

Example: (4,3)-combinatorial secret sharing, $l = \binom{4}{2} = 6$, $d_s^N = d_1 + d_2 + \dots + d_6 \bmod N$.

Peer group share sets: $\{d_4, d_5, d_6\}$, $\{d_2, d_3, d_6\}$, $\{d_1, d_3, d_5\}$, $\{d_1, d_2, d_4\}$. The HSEM holds $d_s^N$; the user holds $d_u^N$.

Figure arrows: User - HSEM: N-mRSA; User - Peer group: Server-Assisted Threshold Signature; HSEM - Peer group: periodic renewal and recovery; within the Peer group: recovery.

Modified DSEM - Periodic Renewal

(The verifiable step is omitted here.)

Figure: the peer group holds $\{d_4, d_5, d_6\}$, $\{d_2, d_3, d_6\}$, $\{d_1, d_3, d_5\}$, $\{d_1, d_2, d_4\}$; the HSEM holds $d_s^N$; the user holds $d_u^N$. A renewal value $\delta \in [-N, N]$ is shared as $\mathrm{CSS}(4, 3, \delta) = \{\delta_1, \dots, \delta_6\}$.

Each Gpeer updates its share set, e.g. $\{d_4 + \delta_4,\ d_5 + \delta_5,\ d_6 + \delta_6\}$; the halves become $d_u^{New} = d_u^N - \delta \bmod N$ and $d_s^{New} = d_s^N + \delta \bmod N$, so $d_u^{New} + d_s^{New} \equiv d \pmod N$ still holds.

Desirable Features

- Removal of the insecurity of releasing $\phi(N)$.
- Efficient and timely signing or decrypting.
- Strong against denial-of-service attacks.

In DSEM, the user cannot perform signing or decrypting until MIGRATION has finished.

In our modified DSEM, the user can still perform signing or decrypting via the Server-Assisted Threshold signature, although the performance is lower than N-mRSA. The cryptographic operation is independent of periodic renewal or recovery.

Desirable Features

Meaningful proactive secret sharing: our modified DSEM can appropriately renew a user's half, the corresponding half of the SEM, and the shares for the half of the SEM.

Simplified renewal and recovery: subsharing is unnecessary.

Considerations

Attack on the threshold RSA of [6] by S. Jarecki et al. [13]
- The threshold RSA in [6] is a basis of the cryptographic tools in our modified DSEM.
- Since the proactive scheme in our modified DSEM does not depend on subsharing, the adversary of [13] cannot succeed in learning the private exponent.
- The adversary can learn at most $\lg(k)$ MSBs of the private exponent.

Considerations

The scheme by S. Koga et al. [12]
- A solution to prevent DoS attacks by picking out malicious requests through one-time IDs.
- The scheme in [12] does not consider the possibility of corruption of the SEM, and it did not present a solution for recovering a compromised SEM.

S. Koga et al.'s scheme can be used to support authentication of users' requests in our modified DSEM.

Conclusion and Future Work

- Reviewed G. Vanrenen et al.'s DSEM, and discussed four questions.
- Derived four requirements to design our modified DSEM.
- Designed a new model for a Distributed Security-Mediator that inherits the advantages of the original SEM and provides the desirable features above.
- Future work: comparison with the original DSEM (amount of speedup, amount of communication cost).

Thank you for your attention. Useful comments?

References

1. Boneh, D., Ding, X., Tsudik, G., Wong, C.M., A method for fast revocation of public key certificates and security capabilities, 10th USENIX Security Symposium, pp. 297-308 (2001).
2. C. Adams and S. Lloyd, Understanding public-key infrastructure: concepts, standards, and deployment considerations, Indianapolis: Macmillan Technical Publishing (1999).
3. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Optimal resilience proactive public key cryptosystems, IEEE Symposium on Foundations of Computer Science, pp. 440-454 (1997).
4. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Proactive RSA, Advances in Cryptology - CRYPTO '97, LNCS 1297, pp. 440-454 (1997).
5. G. Vanrenen, S.W. Smith, Distributing Security-Mediated PKI, 1st European PKI Workshop: Research and Applications, LNCS 3093, pp. 213-231 (2004).
6. Haiyun Luo, Songwu Lu, Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks, UCLA Computer Science Technical Report 200030, Oct. (2000).
7. Herzberg, A., Jakobsson, M., Jarecki, S., Krawczyk, H., Yung, M., Proactive public key and signature systems, ACM Conference on Computer and Communications Security, pp. 100-110 (1997).
8. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M., Proactive secret sharing or: How to cope with perpetual leakage, Advances in Cryptology - CRYPTO '95, LNCS 963, pp. 339-352 (1995).
9. Lidong Zhou, Towards Fault-Tolerant and Secure On-line Services, PhD Dissertation, Department of Computer Science, Cornell University, Ithaca, NY, USA, April (2001).
10. M. Naor and K. Nissim, Certificate revocation and certificate update, Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, pp. 217-228 (1998).
11. P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proc. of 28th FOCS (1987).
12. S. Koga, K. Imamoto, and K. Sakurai, Enhancing Security of Security-Mediated PKI by One-time ID, 4th Annual PKI R&D Workshop, NIST, USA, April 19-21 (2005).
13. S. Jarecki, N. Saxena, and J. H. Yi, An Attack on the Proactive RSA Signature Scheme in the URSA Ad-Hoc Network Access Control Protocol, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp. 1-9 (2004).
14. S. Xu, R. Sandhu, Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures, CT-RSA (2003).
15. Tal Rabin, A Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology - CRYPTO '98, LNCS 1462, pp. 89-104 (1998).