120 likes | 283 Views
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware. Jong Youl Choi Computer Science Dept. Indiana University at Bloomington. Philippe Golle Palo Alto Research Center CA, USA. Markus Jakobsson School of Informatics Indiana University at Bloomington.
E N D
Tamper-Evident Digital Signatures:Protecting Certification Authorities Against Malware Jong Youl Choi Computer Science Dept. Indiana University at Bloomington Philippe Golle Palo Alto Research Center CA, USA Markus Jakobsson School of Informatics Indiana University at Bloomington
Threats to Certificate Authorities • Certificate repudiation • A user chooses weak private key • Intentionally let his private key be leaking discretely for forgery • Certificate private key leaking • Malicious attack such as Trojan horse • Leaking CA’s private via covert-channel
What is a covert channel? • Hidden communication channel • Steganography – Information hiding Original Image Extracted Image
Prisoners' problem [Simmons,’93] • Two prisoners want to exchange messages, but must do so through the warden • Subliminal channel in DSA What Plan? Plan A
Leaking attack on RSA-PSS • Random salt is usedfor padding string in encryption • In verification process, salt is extracted from EM • Hidden informationcan be embedded insalt value RSA-PSS : PKCS #1 V2.1
Approaches • Detect leaking • A warden observes outputs from CA Something hidden? • Malicious attack • Replacement of function Pseudo Random Number Generator Certificate Authority mk Sigk
Approaches (Cont’d) • Observing is not so easy because random number ... • looks innocuous • Or, doesn’t reveal any state • A warden (observer) can be attacked Something hidden? Pseudo Random Number Generator Certificate Authority mk Sigk
Undercover observer • Signer outputs non-interactive proof as well as signature • Ambushes until verification is invalid Pseudo Random Number Generator mk Sigk
Tamper-evident Chain • Predefined set of random values in lieu of random number on the fly • Hash chain verification Hash() Hash() Hash() Hash() Hash() xn …. x3 x2 x’3 Xn+1 x1 Sign …. Sig2 Sig1 Sig’3 ? X1=Hash(X2) ? X2=Hash(X3) ? Xn-1=Hash(Xn)
DSA Signature Scheme • Gen : x y = gx mod p • Sign : m (s, r) where r = (gk mod p) mod q and s = k-1(h(m) + x r) for random value k • Verify : For given signature (s, r), u1 = h(m) s-1 u2 = r s-1 and check r=gu1 yu2 mod p mod q
Hash chain construction Hash() Hash() Hash() Hash() Hash() k’3 k1 k2 k3 …. kn kn+1 …. r’=gk3 r=gk1 r=gk2 r=gk3 r=gkn P1 P2 P3 Pn Pn+1 …. Sign …. Sig2 Sig’3 Sig1 ? X1=Hash(X2) ? X2=Hash(X3) ? Xn-1=Hash(Xn)
Conclusion • Any leakage from CAs is dangerous • CAs are not strong enough from malicious attacks • We need observers which are under-cover • A small additional cost for proofs Or, Send me email : jychoi@cs.indiana.edu