220 likes | 230 Views
This paper proposes a new approach to large-scale certification using Certificate Verification Trees (CVTs) and implicit revocation. The paper discusses the advantages of CVTs, introduces the new proposal, and assesses its efficiency.
E N D
Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili jdomingo@etse.urv.es Louvain-la-Neuve, le 17 janvier 2003
Contents • Introduction • Certificates and revocation • CVTs • A new proposal • Implicit revocation • Assessment • Summary and conclusion
Introduction • Safe use of digital signatures requires certification of public keys • A digital certificate consists of a ‘certificate statement’ (c-statement) and its signature by the CA • Important issues: • Revocation • Large-scale certificate management
Approaches to Revocation • Certificate Revocation Lists (CRL, X.509 1988) • Certificate Revocation Trees (CRT, Kocher 1999) • Naor-Nissim Scheme (2-3 trees, 1998) • Certificate Revocation System (CRS, Micali 1997) • Short-validity certificates: they are valid until their expiration date (Rivest 2000) • Certificate Verification Trees (CVT): certificates and revocation information are combined in a single Merkle tree (Gassko et al., 2000)
CVTs (1/3) • CA builds a Merkle tree: • Every leaf is a c-statement together with its hash value • The hash values of sibling nodes are joined and the hash of the joint value is assigned to their parent node; this procedure iterates until the root node is reached. • CA signs the root node together with the date and additional information • The cert-path of a c-statement is the path from the corresponding leaf node to the root, along with the necessary nodes to verify the leaf node hash
Sign(RV||Date||Time) RV=h(H || H ) 5 6 H =h(H || H ) H =h(H || H ) 5 1 2 6 3 4 H =h(C ) H =h(C ) H =h(C ) H =h(C ) 1 1 2 2 3 3 4 4 C C C C 1 2 3 4 CVTs (2/3)
CVTs (3/3) • A single signature certifies all public keys in the CVT (easy to change CA key) • The CVT is updated on a regular basis: • Certificates are appended to the tree in batches • Updating the CVT only requires recomputing one signature; the rest of work are hash value computations. • Historical queries can be handled easily • Proof of certificate non-existence
A New Proposal • All advantages of CVTs are maintained • The following features are added: • Batches of certificates can be requested without requiring substantial storage on the signer’s side • Convenient for short-validity certificates • Convenient when the signer’s device is a smart card • Implicit revocation
Asynchronous Certification Based on CVTs • The signer requests batches of certificates without being forced to store the corresponding private keys • Certificates can have a short validity • The signer can use a new certificate as soon as the old one has expired • It is assumed that the signer’s device is a smart card SC • The scheme consists of three protocols: generation, signature and implicit revocation
Protocol 1: Generation 1 The signer’s SC generates a key k corresponding to a block symmetric cipher (e.g.: DES, AES). 2 For i=1 to m: (a) SC generates a pair of public-private keys (pki,ski) (b) SC encrypts ski under k and obtains Ek(ski) (c) SC sends (pki,Ek(ski)) to CA (d) SC deletes pki, ski and Ek(ski) from its memory 3 CA stores the Ek(ski) in a safe place 4 In the next CVT update, CA appends the pki received to CVT
... pk1 pkm E(sk1) (m times) pki, E(ski) ... E(skm) Generation CVT CA SC k
Generation • The key pairs will be valid in consecutive time intervals • Protocol 1 is run often enough to avoid running out of keys • The larger the batch size m, the less often must Protocol 1 be run
Protocol 2: Signature at Interval t 1 If the signer’s SC already stores skt, then, if necessary, obtain the cert-path for pkt 2 Otherwise: (a) Delete the last stored skj (b) Obtain Ek(skt) from CA (c) Decrypt Ek(skt) to obtain skt (d) Obtain the certificate and the cert-path for pktfrom the CVT 3 Sign using skt
... pk1 pkm E(sk1) ... E(skt) E(skm) skt cert(pkt) signature Signature (Interval t) CVT CA SC K skj cert(pkj)
Signature • SC only stores the current private key • SC obtains a new certificate and its private key when the current one expires • When signing, the cert-path must be appended to the signature
Protocol 3: Implicit Revocation 1 If SC is compromised or stolen, the CA is informed by the signer 2 CA stops serving encrypted private keys Ek(ski) to SC
... pk1 pkm E(sk1) ... E(skt) E(skm) signature Implicit Revocation (t) CVT CA SC K skj cert(pkj)
Implicit Revocation • Protocol 3 implicitly revokes all certificates issued for future time intervals • The current certificate is not revoked • To eliminate the need for explicit revocation of the current certificate, short-validity certificates can be used • A short-validity certificate is like to expire before the intruder has time to tamper with SC and use it
Efficiency Assessment • Asynchronous certification. By requesting batches of certificates ahead of time, a new certificate can be used as soon as the current one expires • Reduced storage. SC only stores a secret symmetric key (k), the current private key and the current certificate • Implicit revocation. It allows certificates to be revoked without updating the CVT nor publishing revocation information
Explicit vs Implicit Revocation • Explicit revocation forces CA to publish revocation information. Even worse, it forces verifiers to check that information before accepting a signature as valid. • Implicit revocation is better in that it prevents the private key corresponding to a revoked certificate from being used to sign • Explicit revocation can be completely eliminated if our scheme is combined with short-validity certificates
Summary and Conclusion • CVTs are a good data structure to manage large-scale CAs • A scheme has been proposed which allows batches of certificates to be requested ahead of time without degrading security • In case the SC is stolen or compromised, implicit revocation is used
Further Details in J.Domingo, M.Alba and F.Sebé, “Asynchronous Large-Scale Certification Based on Certificate Verification Trees”, Procs. of CMS’2001. Kluwer Academic Publishers, 2001, pp.185-196.