1 / 15

A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate. Young-Ho Park (pyhoya@mail1.pknu.ac.kr) Kyung-Hyune Rhee (khrhee@pknu.ac.kr) Pukyong National University WISA 2004. Public Key Certificate. Public Key Infrastructure(PKI)

amable
Download Presentation

A Framework for Distributed OCSP without Responders Certificate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Framework for Distributed OCSPwithout Responders Certificate Young-Ho Park (pyhoya@mail1.pknu.ac.kr) Kyung-Hyune Rhee (khrhee@pknu.ac.kr) Pukyong National University WISA 2004

  2. Public Key Certificate • Public Key Infrastructure(PKI) • The main architecture for security services over the Internet • Public Key Certificate • Bind a public key to the owner’s identity information • Digitally signed and certified by a trusted certificate authority(CA) • Certificates Revocation • Compromising of the key or abuse of the owner • Certificates Revocation List (CRL) • Online Certificate Status Protocol (OCSP) Lab. of Information security & Internet Applications, PKNU

  3. Response Good, Revoked or Unknown Validity Interval . . . . . Signature Request Responder CA X.500directory Online Certificate Status Protocol • To check the validity of a certificate at the time of a given transaction • OCSP responder provides a digitally signed response • Client can retrieve timely certificate status with a moderated resource usage • Single Responder • Most workloads converge intothe responder • Digital signature is a computationconsuming operation • Denial of service Lab. of Information security & Internet Applications, PKNU

  4. Distributed OCSP • Composed of multiple OCSP responders • Sharing and balancing the workload of OCSP response • Client can choose one responder • Certificate of responder is required to verify the signature in response of both OCSP and D-OCSP • In D-OCSP • Using the same private signing key for every responder • Easy key management but high risk for key exposure • Using different private key • Increasing the complexity of key management Lab. of Information security & Internet Applications, PKNU

  5. KIS-D-OCSP (1) • [S. Koga and K. Sakurai, PKC 2004] • One solution for efficient certificate management of multiple responders • Key insulated signature(KIS) scheme and hash chain • Different private key for every responders but the same public key for signature verification • Only one certificate is required for multiple responders • Private key exposure of one responder does not effect other responders • Hash chain is used for checking the validity of a responder at the given time period Lab. of Information security & Internet Applications, PKNU

  6. KIS-D-OCSP (2) • Key Generation • CA distributes private keys for every responders CA R1 Private keyfor signature KeyGenerator R2 . . . . Master Key Rn Public Key Secure channel Lab. of Information security & Internet Applications, PKNU

  7. KIS-D-OCSP (3) • Hash chain • For total time periods and responders • CA provides at time period to responder • Validity checks at for responder • Checking if is true • Responder Certificate: CA keeps securely SN : serial number I, J : Issuer and Subject V : Valid time period Lab. of Information security & Internet Applications, PKNU

  8. Generates and distributes private keys for every responders Provides hash values for the current time period • - Verifying CA signature and checking expiration of the certificate • Checking hash chain • - Verifying signature in response Responder Certificate Requests for service to one responder Response,KIS-Signature, KIS-D-OCSP (4) • System CA . . . . R1 Rn Lab. of Information security & Internet Applications, PKNU

  9. OCSP responders certificates for certificate management? IBS-D-OCSP (1) • Applying identity-based signature(IBS) scheme • Motivations • It is possible to generate different private keys from the same master key with different identifier strings • Identifier itself can be used function for public key • Removing the overhead of certificate management for responders • KIS-D-OCSP requires at least one certificate • Date information can be encoded into keying material • Date is common knowledge • Hash chain is not required to check the validity for the given time period Lab. of Information security & Internet Applications, PKNU

  10. IBS-D-OCSP (2) • Implementing Issues • Identity-based Signature Scheme [J. Cha and J. Cheon, PKC2003] • Bilinear Pairing • Weil and Tate pairing on elliptic curve • Identifiers of responders • Certificate contains OCSP_URI • Certified by the CA • Ex.) Keying ID = “CA || Responder_URI || 20040818” • ID itself is public key for IBS verification Lab. of Information security & Internet Applications, PKNU

  11. IBS-D-OCSP (3) • Key Generation • CA generates private keys for responders’ identifiers CA Date info. R1 KeyGenerator . . . . Master Key identifier1 Rn Secure channel Lab. of Information security & Internet Applications, PKNU

  12. - Calculating public key with responder identifier and date info. • Verifying signature in response Distributes private keys for given time period Requests for service to one of responders Response,IBS-Signature IBS-D-OCSP (4) • System CA . . . . R1 Rn Lab. of Information security & Internet Applications, PKNU

  13. Security • Security of a signature is relying on the underlying IBS • Assuming that CA is a trusted authority • Master key is not disclosed • Difficult to compute private key from identifier without knowing the master key • DLP(Discrete Logarithm Problem) • Date information is encoded in keying material • Keys are only valid for the given time period Lab. of Information security & Internet Applications, PKNU

  14. Master public key size is proportional tothe number of responders • Master public key size is constant tothe number of responders • At least one certificate for responders • No certificate for responders • CA stores hash values securely • CA stores no hash values • Return : {response, signature, hash} • Return : {response, signature} • 2 signature verifications + ( t-I ) hashing • 1 signature verification • Hash chains to check timely validity • Encoding date info. into keying material • Update hash values every time period • Refresh private keys every time period Efficiency KIS-D-OCSP IBS-D-OCSP • Compare KIS-D-OCSP & IBS-D-OCSP Lab. of Information security & Internet Applications, PKNU

  15. Conclusion • Public key certificate is essential for secure Internet • Certificate validity checking is required • OCSP is one solution • Proposed an efficient D-OCSP framework • IBS-D-OCSP • Remove responders certificate • Don’t require additional certificate management • Any other efficient IBS schemes can be applied to the system Lab. of Information security & Internet Applications, PKNU

More Related