Blind Certificate Authorities
Liang Wang¹, Gilad Asharov², Rafael Pass², Thomas Ristenpart², abhi shelat³
¹ Princeton University, ² Cornell Tech, ³ Northeastern University

Motivation
Certificate Authorities (CA) issue certificates

Certificates bind public keys to identities
• Email
• Website login
• Anonymous credential systems
• ….
[Diagram labels: User; CA (identity provider); "Request cert"; "Identity +"; "Validate identity"]
The user must reveal true identity to the CA during identity validation

Identity is sensitive
Whistleblower: I am working at University ABC... Professor X took bribes!
Journalist: OK. First, prove you are working at ABC…
(A friend of Professor X?)
CA: Third-party or from University ABC?

• PGP
• Website login
• Anonymous credential systems
• ….
[Diagram labels: User; CA (identity provider); "Request cert"; "Identity +"; "Validate identity"; "[email protected]: [email protected]: cert2 ….."]
CA: single point of privacy failure

Can we make CA “blind”?
Main challenge: Validate an identity while not learning it
YES!!!

Contributions
• Secure Channel Injection (SCI):
  o A primitive that allows a party to inject a small amount of information into a secure connection between two parties
  o (SCI-TLS) An efficient, special-purpose MPC protocol for two parties to compute a TLS record
• Anonymous Proof of Account Ownership (PAO):
  o Validate that one owns some email account from a given organization without knowing which account
• Blind CA:
  o Validate ownership of an account alice@domain.com and issue an X.509 certificate binding “alice” to a public key, without learning the account and the key

Email is the most common identity

Conventional email verification
[Diagram labels: User; CA; Email provider; "My email is: [email protected]"; "To: [email protected]"; "Username: alice, Password: ???"]
Prove account ownership by showing the ability to READ an email from an account

Secure Channel Injection (SCI)
[Diagram, shown in three steps: Alice sends messages M1, M2, …, Mn to Bob; Carol supplies a message M*, which is placed among Alice's messages to Bob using MPC.]
Alice: Learns nothing about M*
Bob: Doesn’t know M* is from Carol
Carol: Learns nothing about other messages from Alice

Anonymous proof of account ownership (PAO)
Goal: Validate Alice owns some email accounts from domain.com
[Diagram labels: CA; SCI; "Send an email from: [email protected]:alice1"; alice1]
Prove account ownership by showing the ability to SEND an email from an account

PAO use cases
[Diagram labels: Whistleblower; Journalist; Employee]
I can send an email from ABC’s SMTP server

Anonymous PAO needs to use MPC to compute TLS records
TLS AES-CBC with SHA256
[Diagram: SQN + HDR and the message M are input to HMAC, giving the HMAC tag; M, the HMAC tag and Padding are encrypted with AES-CBC under an IV, giving the Ciphertext that follows HDR.]
For a 512-byte email and 16-byte challenge
• Generic MPC: 32 AES and 8 SHA256 operations → 0.94M+ AND gates

Merkle–Damgård Construction
[Diagram: the message M plus Padding is split into Block 1, Block 2, …, Block N; starting from the IV, the compression function f is applied to each block in turn, with each output chained into the next f.]

Two-party SHA: “Outsource” SHA computation
[Diagram, labelled "User + CA", showing a chain of f applications:]
• User: f over Block X; send output of f to CA
• CA: f over Blocks X+1 to X+K (M*, K blocks); send output of f to User
• User: f over Block X+K+1

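The hand-off on the Merkle–Damgård and two-party SHA slides, as an added example (not code from the slides or the paper): a pure-Python SHA-256 with the compression function f exposed, so the user and the CA each process their own blocks and pass only the 32-byte chaining value. The names `absorb` and `two_party_sha256`, the block-aligned inputs and running both parties in one process are assumptions for illustration; it covers plain SHA-256 only, not the HMAC of a full TLS record.

```python
import hashlib
import struct

M32 = 0xFFFFFFFF
# First 64 primes (311 is the 64th); SHA-256 constants are root fractions.
P = [p for p in range(2, 312) if all(p % q for q in range(2, p))]
K = [int((p ** (1 / 3) % 1) * 2**32) for p in P]
IV = [int((p ** 0.5 % 1) * 2**32) for p in P[:8]]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def f(state, block):
    """Compression function f: 8-word chaining value + one 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, ff, g, h = state
    for k, wi in zip(K, w):
        t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & ff) ^ (~e & g)) + k + wi
        t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, ff, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, ff, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, ff, g, h))]

def absorb(state, data):
    """One party's share: run f over its own whole 64-byte blocks."""
    assert len(data) % 64 == 0, "each party must hold whole blocks"
    for i in range(0, len(data), 64):
        state = f(state, data[i:i + 64])
    return state

def two_party_sha256(user_prefix, ca_m_star, user_suffix):
    total = len(user_prefix) + len(ca_m_star) + len(user_suffix)
    # Merkle-Damgard padding: 0x80, zero bytes, 64-bit big-endian bit length.
    pad = b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    state = absorb(IV, user_prefix)           # User: blocks up to X
    state = absorb(state, ca_m_star)          # CA: K blocks of M*, sees only `state`
    state = absorb(state, user_suffix + pad)  # User: the rest, sees only `state`
    return struct.pack(">8I", *state).hex()

# Constructed inputs: 64-byte user prefix, 128-byte M*, short user suffix.
PREFIX, M_STAR, SUFFIX = b"U" * 64, b"C" * 128, b"rest of the message"
DIGEST = two_party_sha256(PREFIX, M_STAR, SUFFIX)
REFERENCE = hashlib.sha256(PREFIX + M_STAR + SUFFIX).hexdigest()
```

`DIGEST` equals `REFERENCE`, the hash of the concatenated message computed in one piece, although neither simulated party was handed the other's blocks.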
Two-party AES CBC
[Diagram, labelled "User + CA", showing chained AES encryptions:]
• User: AES over Block X gives Cipher X; send to CA
• MPC (Alice: key, CA: blocks): AES over Blocks X+1 to X+K (M*, K blocks) gives Cipher X+1 to X+K; send to User
• User: AES over Block X+K+1

Anonymous PAO needs to use MPC to compute TLS records
TLS AES-CBC mode
[Diagram: SQN + HDR and the message M are input to HMAC, giving the HMAC tag; M, the HMAC tag and Padding are encrypted with AES-CBC under an IV, giving the Ciphertext that follows HDR.]
For a 512-byte email and 16-byte challenge
• Generic MPC: 32 AES and 8 SHA-256 operations → 0.94M+ AND gates
• Our protocol: 4 AES operations → 27K+ AND gates; NO MPC for HMAC

A simplified SMTP session
[Diagram: messages between SMTP client and SMTP server]
Step 1: Set up TLS and prepare for auth
Step 2: Authentication (AUTH)
Step 3: Prepare for email (RCPT, MAIL)
Step 4: Send email (EMAIL)
Other commands shown: EHLO, STARTTLS, DATA

Blind CA: TLS record as commitment
[Diagram: the four-step SMTP session (Step 1: set up TLS and prepare for auth; Step 2: authentication; Step 3: prepare for email; Step 4: send email) between SMTP client (user) and SMTP server, with the CA also shown.]
The SMTP AUTH message contains email account (user identity)

Blind CA: Anonymous PAO
[Diagram: the four-step SMTP session (Step 1: set up TLS and prepare for auth; Step 2: authentication; Step 3: prepare for email; Step 4: send email) between SMTP client (user) and SMTP server, with the CA also shown.]
Challenge   Commitment   …
abc         eee…         …
123         fff…         …
...         ...          …

Prover produces a ZKBoo proof
CA: Shares a certificate template with the user
  o All fields are known except for subject and public key
  Issuer: Blind CA
  Subject: ?@abc
  Public key: ?
  Version: …
User: Fills in missing info, produces the hash of the cert; generates a ZKBoo proof to show the knowledge of:
• The email account (e1) and public key for forming the certificate
• The opening of the TLS commitment:
  o secret keys, email account (e2) and password
• e1 = e2
Single Boolean circuit!
Giacomelli, Irene, Jesper Madsen, and Claudio Orlandi. "ZKBoo: Faster zero-knowledge for Boolean circuits." USENIX Security 2016.

CA verifies proofs and signs
User → CA: Challenge: 123; Hash of cert: h; ZKBoo proof
CA → User: Sign(h)
Challenge   Commitment   …
abc         eee…         …
123         fff…         …
...         ...          …

Blind CA overhead
                Loc1 (No Tor)   Loc2 (No Tor)   Loc1 (With Tor)
2P-HMAC         0.01            0.03            0.31
2P-CBC          0.20            0.35            0.36
PAO             0.76            1.68            4.31
SMTP Baseline   0.31            0.77            3.33
The median time (seconds) to complete the 2P-HMAC, 2P-CBC (without offline), PAO (without offline) and normal SMTP-TLS
• PAO test with Gmail, UW-Madison, and Cornell SMTP servers:
  o PAO (without offline): 1.01s, 1.64s, 1.53s
  o Without PAO: 0.44s, 0.94s, 0.79s
• Blind CA proof (136 ZKBoo proofs):
  o Size: 85M+
  o Generation: 2.9s
  o Verification: 2.3s

Session duration is not a good detector
The distribution of the SMTP durations is long-tailed (based on 8K+ SMTP-TLS sessions).
15% > 10s!

Summary
• We design the first “blind” CA: a CA that can validate identities and issue certificates without learning the identity
  o SCI for TLS AES-CBC and AES-GCM (see paper)
• Participation privacy: does not disclose to any party the identities of users
• Please see our paper for more details (security proofs, security analysis, etc.)!
Thank you!