This presentation revisits the implementation of Distributed Security-Mediated PKI, focusing on certificate revocation, revocation techniques, and methods for propagating revocation information. It covers practical schemes, certificate revocation lists, and proactive secret sharing, and evaluates Distributed SEM and its challenges, with a focus on response time, distributed key generation, and threshold signatures.

Practical Revisits for implementing the Distributing Security-Mediated PKI (Ongoing work)
Jong-Phil Yang
bogus@itslab.csce.kyushu-u.ac.jp
Sakurai Laboratory, Kyushu University

Certificate Revocation in PKI
• X.509 certificate in Public Key Infrastructure (PKI)
  • A signed statement binding a public key to certain properties (e.g., a user’s identity)
  • When the binding ceases to hold, the certificate needs to be revoked
• Certificate revocation techniques
  • Methods for propagating revocation information to relying parties
• Schemes
  • Certificate Revocation Lists: CRLs
  • Online Certificate Status Protocol: OCSP
  • Variants of CRLs: Delta CRLs, Indirect CRLs
  • Certificate Revocation Tree: CRT
  • Certificate Revocation System: CRS

Semi-Trusted Mediator (SEM)
• Basic idea: Boneh et al. [1]
• Immediate revocation of users’ signing ability
[Figure: Alice, SEM, CA and Bob, with the message labels "Please help me sign message M", "Partial signature", "Signature" and "Revoke!"]

Mediated RSA (mRSA)
• Direct application of 2-out-of-2 threshold RSA
• Let be a user’s public key, be the private key, CA split ,
  • The user has
  • SEM has
• Signing
  • User’s partial signature
  • SEM’s partial signature
  • RSA signature
[Slide labels: "RSA Key generation", "RSA Sig. / Ver."]

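The mRSA flow on this slide, written out as an added Python example (not code from the presentation). It follows the standard mRSA construction of Boneh et al. [1], in which the CA splits the private exponent additively modulo φ(n); the toy primes, the unpadded SHA-256 digest and the names `ca_split_key`, `SEM` and `user_sign` are assumptions for illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (two Mersenne primes); far too
# small and unpadded for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537


def ca_split_key():
    """CA computes d and splits it additively: d = d_user + d_sem (mod phi)."""
    d = pow(E, -1, PHI)
    d_user = secrets.randbelow(PHI - 1) + 1
    return d_user, (d - d_user) % PHI


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class SEM:
    """Semi-trusted mediator: one half-key per user, plus a revocation set."""

    def __init__(self):
        self.halves, self.revoked = {}, set()

    def enroll(self, uid, d_sem):
        self.halves[uid] = d_sem

    def revoke(self, uid):
        self.revoked.add(uid)

    def partial_sign(self, uid, h):
        # Revocation is immediate: the SEM simply stops answering.
        if uid in self.revoked or uid not in self.halves:
            return None
        return pow(h, self.halves[uid], N)


def user_sign(msg, uid, d_user, sem):
    h = digest(msg)
    ps_sem = sem.partial_sign(uid, h)
    if ps_sem is None:
        return None  # no SEM half, no signature
    sig = (pow(h, d_user, N) * ps_sem) % N  # h^(d_user + d_sem) = h^d mod N
    return sig if verify(msg, sig) else None


def verify(msg, sig):
    """Ordinary RSA verification; the relying party never sees the split."""
    return pow(sig, E, N) == digest(msg)
```
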
Distributing Security-Mediated PKI
• Disadvantages of SEM: G. Vanrenen et al. [5]
  • Temporary denial of service, if the network is partitioned.
  • Permanent denial of service, if SEM suffers a serious failure.
  • Inability to revoke the key pair, if an adversary compromises SEM and learns its secrets.
• Distributed SEM (DSEM)
  • Consists of trustworthy islands in P2P network.
  • Each island may still become compromised by the adversary.
  • Each island may also become unavailable, due to crash or partition.
[Slide labels: "Migration", "Proactive Secret sharing", "Threshold cryptography"]

RSA or DL based threshold signatures
• Response time to generate a signature: (5,3) threshold
[Chart: response time for mRSA, DL-based two-party signature, RSA-based threshold signature and DL-based threshold signature]
Sources: R. Gennaro, S. Jarecki, and H. Krawczyk, Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems, RSA Security '03 (2003). T. Rabin, Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology--CRYPTO'98, LNCS 1462 (1998).

RSA or DL based threshold signatures
• DKG (Distributed Key Generation): to verifiably distribute shares for one-time secret parameter
• Message traffic: 1024-bit key size
[Chart: message traffic for RSA-based threshold signature and DL-based threshold signature]

RSA or DL based threshold signatures
• Which is the more important factor?
  • Communication cost
  • Computation cost
• For example,
  • Application to large scale MANETs
    • DL-based threshold signatures are not suitable
    • For small scale MANETs, suitable
  • Application to a distributed system with high computing power
    • RSA-based threshold signatures are suitable
• In the near future model (using threshold computation)
  • The rapid progress of computing power in mobile devices
  • Redundancy of resources
  • Computation cost > Communication cost

DSEM – Key Setup
[Figure: Distributed SEM Network, with the labels "User", "CA", "Island", "SEM Server", "mRSA", "random islands", "Proactively updated" and "shares of -secret sharing"]

DSEM - Migration
• If a user issues a request but the island holding is not available, the user selects another island and requests migration.
[Figure: Distributed SEM Network, with the labels "User", "Island L down", "Island M", "random islands", "Update shares", "Reconstruct shares of" and "M must know to interpolate a polynomial used in secret sharing"]

Notable Problems – Question 1
• How can we make k islands efficiently perform proactive secret sharing?
• After key setup, k islands periodically participate in a proactive secret sharing for in [3][4][7][8].
  • The schemes in [7][8]
    • Based on discrete logarithm
  • The scheme in [4]
    • instead of
  • The scheme in [3]
    • Low performance caused by performing subsharings as many times as k.

Notable Problems – Question 2
• Does DSEM always perform as efficiently as SEM?
• In case the scheme in [4] or [15] is used:
  • (k,k)-additive secret sharing
  • (k,t)-polynomial secret sharing for each share
• DSEM cannot perform signing or decrypting until it has finished the complex migration caused by reconstructing the corrupted share.
[Figure: Alice, Island A, Island B and Island M, with "reconstruct" arrows]

Notable Problems – Question 3
• Is the execution of the proactive secret sharing meaningful?
• Since a long-term secret is stored in L, the target of adversaries is not one of k islands but L
• When the long-term secret is kept in the networking island and the proactive secret sharing does not change it, the proactive secret sharing cannot contribute the security of .

Notable Problems – Question 4
• How many peers are necessary to serve a threshold protection in DSEM?
• Synchronous communication
  • Allow at most t-1 servers to be compromised
  • Need at least t servers to be correct
• P2P Network
  • Correct peers in P2P are not always connected to the network

Requirements for modified DSEM
• Only when all of , and shares are periodically renewed at the same time can we make the execution of the proactive secret sharing meaningful in DSEM.
• Let be the maximum number of correct peers which are not currently connected to the network. We precisely define the number of servers as , where . So, -secret sharing.
• To reduce the overhead caused by subsharing, the system must perform a proactive secret sharing without subsharing.
• DSEM must perform signing or decrypting immediately. That is, the cryptographic service must be independent of migration.

Cryptographic Tools
• N-mRSA
  • Removes the insecurity of releasing modulus operator,
• Combinatorial Secret Sharing
  • Removes the need to execute subsharing
  • No need to compute a polynomial
  • Replication
• Server-Assisted Threshold Signature
  • For immediate cryptographic services

N-mRSA
• Key Setup (by CA)
  • Splits the private exponent into two halves as follows.
  • Transmits securely to the user, to the server.
• Signing
  • User :
  • Server :
  • Candidate Signature ( )
[Slide labels: "2-bounded coalition offsetting Alg. in [6]", "RSA signature"]

(k,t)-Combinatorial Secret Sharing [9]
• Create different sets of servers.
• Create a sharing for using -additive secret sharing.
• Any server , share set equals
• For any set of servers, where :
• For any set of servers, where :

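An added Python example (not from the presentation) of (k,t)-combinatorial secret sharing as in Zhou [9], run with the (4,3) parameters the deck uses as its example. The function names, the prime modulus and the copy-based `recover` helper are assumptions; `recover` only illustrates why replication makes polynomial interpolation and subsharing unnecessary, and it requires k > t.

```python
from itertools import combinations
import secrets


def deal(secret, k, t, modulus):
    """Split `secret` into one additive share per (t-1)-subset of the k servers.

    Server i receives every share whose subset does NOT contain i.
    """
    subsets = list(combinations(range(k), t - 1))
    shares = [secrets.randbelow(modulus) for _ in subsets[:-1]]
    shares.append((secret - sum(shares)) % modulus)
    share_sets = {
        i: {j: shares[j] for j, sub in enumerate(subsets) if i not in sub}
        for i in range(k)
    }
    return subsets, share_sets


def reconstruct(share_sets, servers, n_shares, modulus):
    """Pool the share sets of `servers`; succeeds only if every share is covered."""
    pooled = {}
    for i in servers:
        pooled.update(share_sets[i])
    if len(pooled) < n_shares:
        return None  # fewer than t servers always miss at least one share
    return sum(pooled.values()) % modulus


def recover(share_sets, subsets, lost, k):
    """Rebuild server `lost`'s share set from replicas held by other servers."""
    rebuilt = {}
    for j, sub in enumerate(subsets):
        if lost in sub:
            continue  # `lost` never held share j
        donors = [i for i in range(k) if i != lost and i not in sub]
        rebuilt[j] = share_sets[donors[0]][j]  # plain copy, no interpolation
    return rebuilt
```

With k = 4 and t = 3 there are six shares, each server holds three of them, and every share is replicated on exactly two servers.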
Server-Assisted Threshold Signature
• S. Xu et al. [14]
  • A formal method to construct server-assisted threshold signature scheme.
  • Hybrid of threshold signature and two-party signature.
• A practical instance
  • Hybrid of N-mRSA and threshold RSA in [6]

(k,t)-Server-Assisted Threshold Signature
• Key setup (by CA)
  • Splits the private exponent in the same way as N-mRSA
  • => generates k share sets
  • Transmits to the user, and each share set to the corresponding server, respectively
• Signing
  • User :
  • At least t servers :
  • Candidate signature ( )
[Slide labels: "(l+1)-bounded coalition offsetting Alg. in [6]", "RSA signature"]

Architecture of our modified DSEM
• Key Setup
• Peer group (PG)
  • Consists of trustworthy peers.
  • Each peer (Gpeer) has share sets for users’
[Figure: Distributed SEM Network, with the labels "CA", "User", "HSEM", "Gpeer" (three peers) and "Peer group for threshold protection"]

Modified DSEM
• Example, (4,3)-combinatorial secret sharing
• ,
[Figure: User, HSEM and Peer Group, with the labels "N-mRSA", "?", "Recovery", "Server-Assisted Threshold Signature" and "Periodic Renewal and Recovery"]

Modified DSEM – Periodic Renewal
• Omit the verifiable step
• Each Gpeer updates its share set
[Figure: User, Peer Group and HSEM]

Desirable Features
• Removal of insecurity of releasing
• Efficient and timely signing or decrypting
• Strong against denial of service attack
  • In DSEM, the user cannot perform signing or decrypting until migration has finished
  • In our modified DSEM, the user can still perform signing or decrypting via Server-Assisted Threshold, although the performance is lower than N-mRSA
  • The cryptographic operation is independent of periodic renewal or recovery

Desirable Features
• Meaningful proactive secret sharing
  • Our modified DSEM can appropriately renew a user half, the corresponding half of SEM and shares for the half of SEM.
• Simplified renewal and recovery
  • Subsharing is unnecessary

Considerations
• Attack on threshold RSA [6] by S. Jarecki et al. [13]
  • Threshold RSA in [6] is a basis of cryptographic tools in our modified DSEM
  • Since proactive scheme in our modified DSEM does not depend on subsharing, an adversary in [13] cannot succeed in learning the private exponent.
  • The adversary can learn at most MSBs of the private exponent

Considerations
• The scheme by S. Koga et al. [12]
  • A solution to prevent DoS attack by picking out malicious requests through one-time ID.
  • The scheme in [12] does not consider the possibility of the corruption of SEM; it did not present a solution for recovering the compromised SEM.
  • S. Koga et al.’s scheme can be used for supporting authentication of users’ requests in our modified DSEM.

Conclusion and Future Work
• Reviewed G. Vanrenen et al.’s DSEM, and discussed four questions
• Derived four requirements to design our modified DSEM
• Designed a new model for Distributed Security-Mediator
  • Inherits the advantages of the original SEM
  • Provides desirable features
• Comparison with original DSEM
  • Amount of speedup
  • Amount of communication cost

Thank you for your attention. Useful comments?

References
[1] Boneh, D., Ding, X., Tsudik, G., Wong, C.M., A method for fast revocation of public key certificates and security capabilities, 10th USENIX Security Symposium, pp.297-308, (2001).
[2] C. Adams and S. Lloyd, Understanding public-key infrastructure: concepts, standard, and deployment considerations, Indianapolis: Macmillan Technical Publishing, (1999).
[3] Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Optimal resilience proactive public key cryptosystems, IEEE Symposium on Foundations of Computer Science, pp.440-454, (1997).
[4] Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M., Proactive RSA, Advances in Cryptology-CRYPTO 97, LNCS 1297, pp.440-454, (1997).
[5] G. Vanrenen, S.W. Smith, Distributing Security-Mediated PKI, 1st European PKI Workshop Research and Applications, LNCS 3093, pp.213-231, (2004).
[6] Haiyun Luo, Songwu Lu, Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks, UCLA Computer Science Technical Report 200030, Oct. (2000).
[7] Herzberg, A., Jakobsson, M., Jarecki, S., Krawczyk, H., Yung, M., Proactive public key and signature systems, ACM Conference on Computer and Communications Security, pp.100-110, (1997).
[8] Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M., Proactive secret sharing or: How to cope with perpetual leakage, Advances in Cryptology-CRYPTO 95, LNCS 963, pp.339-352, (1995).
[9] Lidong Zhou, Towards Fault-Tolerant and Secure On-line Services, PhD Dissertation, Department of Computer Science, Cornell University, Ithaca, NY USA. April (2001).
[10] M. Naor and K. Nissim, Certificate revocation and certificate update, Proceedings 7th USENIX Security Symposium, San Antonio, Texas, pp.217-228, (1998).
[11] P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proc. of 28th FOCS, (1987).
[12] S. Koga, K. Imamoto, and K. Sakurai, Enhancing Security of Security-Mediated PKI by One-time ID, 4th Annual PKI R&D Workshop, NIST, USA, April 19-21, (2005).
[13] S. Jarecki, N. Saxena, and J. H. Yi, An Attack on the Proactive RSA Signature Scheme in the URSA Ad-Hoc Network Access Control Protocol, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp.1-9, (2004).
[14] S. Xu, R. Sandhu, Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures, CT-RSA, (2003).
[15] Tal Rabin, A Simplified Approach to Threshold and Proactive RSA, Advances in Cryptology-CRYPTO 98, LNCS 1462, pp.89-104, (1998).