![Page 1: Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili jdomingo@etse.urv.es](https://reader030.vdocuments.net/reader030/viewer/2022032709/56649eab5503460f94bb0304/html5/thumbnails/1.jpg)
Large-Scale Asynchronous Certification with Certificate Verification Trees
Josep Domingo-Ferrer
Universitat Rovira i Virgili
jdomingo@etse.urv.es, 17 January 2003
Contents
- Introduction
- Certificates and revocation
- CVTs
- A new proposal
- Implicit revocation
- Assessment
- Summary and conclusion
Introduction
- Safe use of digital signatures requires certification of public keys
- A digital certificate consists of a 'certificate statement' (c-statement) and its signature by the CA
- Important issues:
  - Revocation
  - Large-scale certificate management
Approaches to Revocation
- Certificate Revocation Lists (CRL, X.509 1988)
- Certificate Revocation Trees (CRT, Kocher 1999)
- Naor-Nissim Scheme (2-3 trees, 1998)
- Certificate Revocation System (CRS, Micali 1997)
- Short-validity certificates: they are valid until their expiration date (Rivest 2000)
- Certificate Verification Trees (CVT): certificates and revocation information are combined in a single Merkle tree (Gassko et al., 2000)
CVTs (1/3)
- CA builds a Merkle tree:
  - Every leaf is a c-statement together with its hash value
  - The hash values of sibling nodes are concatenated and the hash of the concatenation is assigned to their parent node; this procedure iterates until the root node is reached
- CA signs the root node together with the date and additional information
- The cert-path of a c-statement is the path from the corresponding leaf node to the root, along with the nodes needed to verify the leaf node hash
CVTs (2/3)
                    Sign(RV||Date||Time)
                        RV=h(H5||H6)
          H5=h(H1||H2)                H6=h(H3||H4)
     H1=h(C1)     H2=h(C2)       H3=h(C3)     H4=h(C4)
        C1           C2             C3           C4
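Added example (not from the original slides): the tree above built and a cert-path checked in Python. SHA-256 as h and the function names are assumptions of this example; the CA signature over RV||Date||Time is left out, so a verifier would still check that signature on the root it compares against.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash function h of the slides.
    return hashlib.sha256(data).digest()

def build_levels(c_statements):
    """Return every tree level, leaves first; the last level holds only RV.
    Node formulas follow the slide (H=h(C), parent=h(left||right)); deployed
    Merkle trees usually also tag leaves and inner nodes differently."""
    level = [h(c) for c in c_statements]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(h(level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # odd node out is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def cert_path(levels, index):
    """Sibling hashes needed to recompute RV from the leaf at `index`."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            # (hash, True if the sibling sits to the left of our node)
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(c_statement, path, root):
    """Recompute the root from one c-statement and its cert-path."""
    node = h(c_statement)
    for sibling, sibling_is_left in path:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node == root

# Constructed sample c-statements, matching C1..C4 in the figure.
SAMPLE = [b"C1", b"C2", b"C3", b"C4"]
```

For C3 the cert-path is (H4, H5): two hashes, growing with the logarithm of the number of certificates in the tree.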
CVTs (3/3)
- A single signature certifies all public keys in the CVT (easy to change CA key)
- The CVT is updated on a regular basis:
  - Certificates are appended to the tree in batches
  - Updating the CVT only requires recomputing one signature; the rest of the work is hash value computations
- Historical queries can be handled easily
- Proof of certificate non-existence
A New Proposal
- All advantages of CVTs are maintained
- The following features are added:
  - Batches of certificates can be requested without requiring substantial storage on the signer's side
    - Convenient for short-validity certificates
    - Convenient when the signer's device is a smart card
  - Implicit revocation
Asynchronous Certification Based on CVTs
- The signer requests batches of certificates without being forced to store the corresponding private keys
- Certificates can have a short validity
  - The signer can use a new certificate as soon as the old one has expired
- It is assumed that the signer's device is a smart card SC
- The scheme consists of three protocols: generation, signature and implicit revocation
Protocol 1: Generation
1. The signer's SC generates a key k for a symmetric block cipher (e.g. DES, AES).
2. For i=1 to m:
   (a) SC generates a public-private key pair (pk_i, sk_i)
   (b) SC encrypts sk_i under k and obtains E_k(sk_i)
   (c) SC sends (pk_i, E_k(sk_i)) to CA
   (d) SC deletes pk_i, sk_i and E_k(sk_i) from its memory
3. CA stores the E_k(sk_i) in a safe place
4. In the next CVT update, CA appends the pk_i received to the CVT
Generation (figure): SC, which holds k, sends (pk_i, E(sk_i)) to CA m times; CA stores E(sk_1) ... E(sk_m); the CVT holds pk_1 ... pk_m.
Generation
- The key pairs will be valid in consecutive time intervals
- Protocol 1 is run often enough to avoid running out of keys
- The larger the batch size m, the less often Protocol 1 must be run
Protocol 2: Signature at Interval t
1. If the signer's SC already stores sk_t, then, if necessary, obtain the cert-path for pk_t
2. Otherwise:
   (a) Delete the last stored sk_j
   (b) Obtain E_k(sk_t) from CA
   (c) Decrypt E_k(sk_t) to obtain sk_t
   (d) Obtain the certificate and the cert-path for pk_t from the CVT
3. Sign using sk_t
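Signature (Interval t) (figure): SC holds K, together with the previous sk_j and cert(pk_j); CA stores E(sk_1) ... E(sk_m); the CVT holds pk_1 ... pk_m; SC obtains E(sk_t) and cert(pk_t), recovers sk_t and produces the signature.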
Signature
- SC only stores the current private key
- SC obtains a new certificate and its private key when the current one expires
- When signing, the cert-path must be appended to the signature
Protocol 3: Implicit Revocation
1. If SC is compromised or stolen, the CA is informed by the signer
2. CA stops serving encrypted private keys E_k(sk_i) to SC
Implicit Revocation (t) (figure): same layout as the signature figure, with the labels SC, K, sk_j, cert(pk_j), CA, E(sk_1) ... E(sk_m), CVT, pk_1 ... pk_m, E(sk_t) and signature.
Implicit Revocation
- Protocol 3 implicitly revokes all certificates issued for future time intervals
- The current certificate is not revoked
- To eliminate the need for explicit revocation of the current certificate, short-validity certificates can be used
- A short-validity certificate is likely to expire before the intruder has time to tamper with SC and use it
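Added example (not from the original slides): the three protocols as a small Python state model, showing what the card and the CA each hold and what changes once a compromise is reported. The class and method names, the hash-based stand-in for key pairs and the HMAC keystream used in place of the block cipher E_k are assumptions of this example.

```python
import hashlib, hmac, secrets

def E(k, t, data):
    """Stand-in for E_k: XOR with an HMAC-SHA256 pad bound to interval t.
    Applying it twice decrypts. Assumption; the slides name DES or AES."""
    pad = hmac.new(k, t.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class CA:
    def __init__(self):
        self.escrow = {}       # (card id, interval) -> E_k(sk_t)
        self.pending_pk = []   # public keys to append at the next CVT update
        self.blocked = set()   # cards reported stolen or compromised

    def receive(self, card, t, pk, enc_sk):        # Protocol 1, steps 2(c), 3, 4
        self.escrow[(card, t)] = enc_sk
        self.pending_pk.append(pk)

    def serve(self, card, t):                      # Protocol 2, step 2(b)
        if card in self.blocked:
            raise PermissionError("implicitly revoked")
        return self.escrow[(card, t)]

    def report_compromise(self, card):             # Protocol 3
        self.blocked.add(card)

class SmartCard:
    def __init__(self, card_id):
        self.card_id = card_id
        self.k = secrets.token_bytes(32)           # Protocol 1, step 1
        self.current = None                        # (t, sk_t): the only key kept

    def generate(self, ca, start, m):              # Protocol 1, step 2
        for t in range(start, start + m):
            sk = secrets.token_bytes(32)
            pk = hashlib.sha256(sk).digest()       # stand-in for a real key pair
            ca.receive(self.card_id, t, pk, E(self.k, t, sk))
            # step 2(d): the card keeps none of sk, pk, E_k(sk)

    def key_for(self, ca, t):                      # Protocol 2, steps 1-2
        if self.current is None or self.current[0] != t:
            self.current = None                    # 2(a) delete the last sk_j
            enc = ca.serve(self.card_id, t)        # 2(b)
            self.current = (t, E(self.k, t, enc))  # 2(c)
        return self.current[1]
```

After `report_compromise`, a call to `key_for` for the interval already loaded on the card still succeeds, while any later interval raises `PermissionError`; that remaining window is what short-validity certificates are meant to close.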
Efficiency Assessment
- Asynchronous certification. By requesting batches of certificates ahead of time, a new certificate can be used as soon as the current one expires
- Reduced storage. SC only stores a secret symmetric key (k), the current private key and the current certificate
- Implicit revocation. It allows certificates to be revoked without updating the CVT or publishing revocation information
Explicit vs Implicit Revocation
- Explicit revocation forces CA to publish revocation information. Even worse, it forces verifiers to check that information before accepting a signature as valid.
- Implicit revocation is better in that it prevents the private key corresponding to a revoked certificate from being used to sign
- Explicit revocation can be completely eliminated if our scheme is combined with short-validity certificates
Summary and Conclusion
- CVTs are a good data structure to manage large-scale CAs
- A scheme has been proposed which allows batches of certificates to be requested ahead of time without degrading security
- In case the SC is stolen or compromised, implicit revocation is used
Further Details in
J. Domingo, M. Alba and F. Sebé, "Asynchronous Large-Scale Certification Based on Certificate Verification Trees", Procs. of CMS'2001. Kluwer Academic Publishers, 2001, pp. 185-196.