140 likes | 311 Views
A Simple Traceable Pseudonym Certificate System for RSA-based PKI. SCGroup Jinhae Kim. Introduction. Digital certificate an authorized assertion about a public key Holder can prove the related ownership by using a corresponding private key The current PKI: privacy-intrusive
E N D
A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim
Introduction • Digital certificate • an authorized assertion about a public key • Holder can prove the related ownership by using a corresponding private key • The current PKI: privacy-intrusive • Can be linked and traced • Pseudonym certificate • Identifiable by a pseudonym only • Digital certificate contains pseudonym as a subject identifier • Can be used in anonymous transaction
Building Blocks • PKI • RSA • Pseudonym • Blind signature • Threshold cryptography • X.509 certificate
CA User Anonymous Issuer (AI) Blind Issuer (BI) Site n Site 1 Basic Model Issuer (PI) 1 2 5 i 6 iv 3 ii 4 . . . iii . . .
Basic Model – cnt’d • User U holds a digital certificate issued by CA • Using a real identity • User can access service providers SPs • SP asks revocation of a certificate to PI • PI: pseudonym certificate issuer (AI and BI) • AI and BI collaborate to link IDU and PNU • IDU: real identity of user U • PNU: pseudonym of user U
Traceable Pseudonym Certificates Critical: (Ci), * Critical: (C1, C2, … , Cm) (a) x.509 v3 Certificate (b) Pseudonym Certificate Skeleton (c) Traceable Pseudonym Certificate
Basic Protocol - I • Basic Assumption • CA and PS’s authentic public keys are respectively available. • User U holds a real identity certificate denoted by {IDU, pkU}SIGCA • RSA private exponent d of PI is split by d2 for AI and d1 for BI (In case of single BI) • AI can control and verify the contents of a pseudonym certificate • BI can verify the user’s real identity
Basic Protocol - II • U → AI: Skeleton Request • Option: U can submit her basic information, so that AI can choose an appropriate BI • AI stores certificate skeleton with index SN • AI → U: Certificate Skeleton • b ← <PNU, ppkU, SIGU> • M ← <b, (ci)> • h = H(M) • u = h re, r: random number • U → BI: {IDU, pkU}SIGCA ,{{u} SIGU, ρ} ENCBI • BI verifies {IDU, pkU}SIGCA under pkCA asdf • Decrypt {{u} SIGU, ρ} ENCBI verify u under pkU • Record < {u} ENCBI :IDU > • Compute w = ud1 mod N
Basic Protocol - III • BI → U: {w} ENCAIρ • U decrypts {w} ENCAI under ρ • Computes {{M}SIGPN, r, {w}ENCAI }ENCAI • U → AI: {{M}SIGPN, r, {w}ENCAI }ENCAI • Verify {M}SIGPN under ppkU and compare this with record corresponding SN • Compute z = wd2 mod N • Check z r-1 mod N under <M, e, N> • Record <PNU: {z}ENCAI > • Send z • AI → U: z • Compute z r-1 mod N to recover hd mod N • Verify hd mod N under <M, e, N> • Traceable pseudonym certificate: <M, hd mod N>
Pseudonym Revocation and Trace • SP asks revocation of a certain Pseudonym to AI • Submit the PNU to AI • AI retrieve <PNU: {z}ENCAI > • Recover z and send it to BI • BI obtain a real identity IDU • u = ze mod N • From < {u} ENCBI :IDU > can find IDU • Revoke all pseudonyms of a user U’ • BI retrieve all records < {u} ENCBI :IDU’ > • Send ud1 mod N to AI securely • AI raises d2 to get z and retrieve all pseudonyms of U’
Extended Protocols • Threshold Schemes • In case of multiple BI’s • Apply an RSA (L, k)-threshold signature scheme • Re-blinding Variants • Disable the tracing ability (e.g., e-voting) • Selective Credential Show • User’s digital credential: <flag, ci, h(ci)> • Flag: 0 – mandatory, 1 – selective • h(ci) : hash value of credential ci • PI should certify all semi-records of which flag is 0, but a hashed value only for flag is 1
Conclusion • Can be used on existing PKIs without requiring additional crypto modules • Fully compatible with X.509 certificates • Simple and efficient with versatile privacy-enhancing features • Choice from traceability and absolute anonymity • Threshold variants for more secure applications
References • Yongdae Kim, et al. “A Simple Traceable Pseudonym Certificate System for RSA-based PKI” • D. Chaum, “Security without identification: Transactions systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1035-1044 • X.509, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks,” ITU-T Recommendation X.509