140 likes | 257 Views
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware. Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington. Philippe Golle Palo Alto Research Center. Markus Jakobsson School of Informatics Indiana University at Bloomington.
E N D
Tamper-Evident Digital Signatures:Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research Center Markus Jakobsson School of Informatics Indiana University at Bloomington jychoi@cs.indiana.edu pgolle@parc.com markus@indiana.edu
Threats to Certificate Authorities • Stealing private key • Malicious attack such as Trojan horse, virus • Leaking CA’s private key via covert-channel • Hidden communication channel • CAs use lots of random numbers • Hard to prove randomness since it is directly related to privacy
What is a covert channel? • Hidden communication channel • Steganography – Information hiding Original Image Extracted Image
Prisoners' problem [Simmons,’93] • Two prisoners want to exchange messages, but must do so through the warden • Subliminal channel in DSA What Plan? Plan A
Leaking attack on RSA-PSS • A random salt is usedas a padding string in a signature • In verification process, the salt is extracted from the message • Hidden informationcan be embedded inthe salt RSA-PSS : PKCS #1 V2.1
Approaches • Need an observer to detect leaking • An observer investigates outputs from CA Something hidden? • Malicious attack • Replacement of function Pseudo Random Number Generator Certificate Authority mk Sigk
Hindsight • Observing is not easy because of a random number • looking innocuous • Not revealing any state • Fine as long as a random number is generated in a designated way • Using hindsight, we detect abnormal behavior generating a random number
Weakness of an observer • An observer can be attacked, causing a single point of failure Something hidden? Pseudo Random Number Generator Certificate Authority mk Sigk Public verifiability with multiple observers
Undercover observer • CA outputs non-interactive proof as well as signature • Ambushes until verification is invalid Pseudo Random Number Generator mk Sigk
Tamper-evident Chain • Predefined set of random values in lieu of random number on the fly • Hash chain verification h() h() h() h() h() h() sn …. s0 s3 s2 s’3 Seed s1 Sign …. Sig2 Sig1 Sig’3 ? s0=h(s1) ? s1=h(s2) ? s2=h(s3) ? sn-1=h(sn)
DSA Signature Scheme • Gen : x y = gx mod p • Sign : m (s, r) where r = (gk mod p) mod q and s = k-1(h(m) + x r) for random value k • Verify : For given signature (s, r), u1 = h(m) s-1 u2 = r s-1 and check r=gu1 yu2 mod p mod q
Hash chain construction Seed PRNG k’3 k1 k2 k3 …. kn …. r3’=gk3 r1=gk1 r2=gk2 r3=gk3 rn=gkn h() h() h() h() w0 w1 w2 w3 wn …. Sign …. Sig1 Sig2 Sig’3 ? w0=h(r1||w1) ? w1=h(r2||w2) ? w2=h(r3||w3) ? wn-1=h(rn||wn)
Conclusion • Any leakage from CAs is dangerous • CAs are not strong enough from malicious attacks • We need observers which are under-cover • A small additional cost for proofs Or, Send me emails : jychoi@cs.indiana.edu