revcast: fast, private certiﬁcate revocation over fm...

RevCast: Fast, Private Certificate Revocation

over FM radioAaron SchulmanStanford University

Dave LevinUniversity of Maryland

Neil SpringUniversity of Maryland

Authentication in the PKI

I want an encrypted connection.




Certificate #12

Signed by CA:



Certificate #12

Signed by CA:

The CA ( ) attests that

is controlled by

Is bound to ?


Certificate #12

Signed by CA:


is controlled by

Is bound to ?


Certificate #12

Signed by CA:

Trusted Root CAs


is controlled by

Is bound to ?


Certificate #12

Signed by CA:

Trusted Root CAs


is controlled by✔

Revocation in the PKI

Trusted Root CAs

C

Certificate #12

Signed by CA:


Trusted Root CAs

C

Certificate #12

Signed by CA:

RevocationCertificate #12

Signed by CA:


Trusted Root CAs

C

Certificate #12

Signed by CA:


Signed by CA:

The CA ( ) breaks the binding of with


Trusted Root CAs

C

Certificate #12

Signed by CA:


Signed by CA:

The CA ( ) breaks the binding of with

✔


Trusted Root CAs

C

Certificate #12

Signed by CA:


Signed by CA:

The CA ( ) breaks the binding of with ❌ ✔


Trusted Root CAs

C

Certificate #12

Signed by CA:


Signed by CA:

The CA ( ) breaks the binding of with ❌ ✔

One revocation every 1.1 seconds for all CAs on the Internet

Every device needs revocations

C


Signed by CA:

Properties of revocation systems


10s

Timeliness

Clients’ revocationstate should be

up-to-date, ideally within 10s of seconds


10s

Timeliness



$$$$

$$

Low-cost dissemination

The distribution mechanism must scalewith CAs, certificates,

and clients


10s

Timeliness



$$$$

$$



and clients

Privacy

Users’ browsinghabits should not

have to be revealed


10s

Timeliness



$$$$

$$



and clients

Privacy


have to be revealed

It is generally regarded that no system can possibly achieve all three.


10s

Timeliness



$$$$

$$



and clients

Privacy


have to be revealed

It is generally regarded that no system can possibly achieve all three.

RevCast✔ ✔ ✔

Certificate Revocation Lists(CRL)

Online Certificate Status Protocol (OCSP)

OCSP Stapling

Short lived certs

Existing revocation systems

CA

Client

Client

Client

Client

Org

CRL124, 24 21, 2521

Revocation

Certificate #12

Signed by CA:

Certificate #12

Signed by CA:

Still okCertificate #12Signed by CA:


CA Org

CA

Certificate #12

Signed by CA:

CA

CA

Client

Client

Client

Client

Org

CRL124, 24

21, 2521

Revocation

Certificate #12

Signed by CA:

Certificate #12

Signed by CA:



CA Org

CA

Certificate #12

Signed by CA:

CA

CRLs ❌ ❌ ✔OCSP ✔ ❌ ❌

Short lived ✔* ❌ ✔Stapling ✔ ❌ ✔


ClientCRL

124, 24 21, 2521CA

CA ClientRevocationCertificate #12

Signed by CA:

ClientOrgCA

ClientCertificate #12

Signed CA OrgCertificate #12

Signed

Still ok

Certificate #12

Signed

Still ok

Certificate #12

Signed

CRLs ❌ ❌ ✔OCSP ✔ ❌ ❌

Short lived ✔* ❌ ✔Stapling ✔ ❌ ✔


All of these protocols rely on unicast transmission of revocations

ClientCRL

124, 24 21, 2521CA

CA ClientRevocationCertificate #12

Signed by CA:

ClientOrgCA

ClientCertificate #12

Signed CA OrgCertificate #12

Signed

Still ok

Certificate #12

Signed

Still ok

Certificate #12

Signed

Unicast is not well suited for distributing revocations

Doesn’t scale to distributing to every device on the Internet

Failures are benign indication of connectivity issues (soft-fail)

Multicast revocation is also flawed (Sybils, MITM, DoS)

RevCast


Signed by CA:

We propose broadcasting revocations over FM RDS

Tower: http://cityspottercards.com/

http://cityspottercards.com/

FM RDS coverage is ideal for disseminating revocations

• Transmitters are where people are• Up to 10 million people per tower

200,000 150,000 100,000 50,000 0


Privacy

Radio broadcasts are inherently

receiver anonymous

$$

$$

$$


One transmission covers up to 10 million

& Under-monotized


Privacy

Radio broadcasts are inherently

receiver anonymous

$$

$$

$$


One transmission covers up to 10 million

& Under-monotized

Solved. Let’s go party like it’s 1989!

One tiny problem. RDS has an effective bitrate of 421.8 bps.

10s

Timeliness?

RevCast protocol - fitting revocations in 421.8 bps

Evaluate RevCast with 2 months of revocations

Rest of the talk

Revoking over FM RDSCAs Radio

station Receivers


station Receivers

R

R

R

1

2

3

R R R1 2 3


station Receivers

R

R

R

1

2

3

Losses can go undetected

CAs Radio station

R R R

R

R

Receivers

1

2

3

1 2 R3


CAs Radio station

R R R

R

R

Receivers

1

2

3

1 2 R3

❌


CAs Radio station

R R R

R

R

Receivers

1

2

3

1 2 R3

❌❌


CAs Radio station

R R R

R

R

Receivers

1

2

3

1 2 R3

❌GoDaddy didn’t revoke

❌

Making losses detectible with “nothing now”

CAs Radio station

R R R

R

Receivers

1

2 1 2

Nn

Nn

3

3


CAs Radio station

R R R

R

Receivers

1

2 1 2

GoDaddy says they didn’t revoke

Nn

Nn

3

3


CAs Radio station

R R R

R

Receivers

1

2 1 2


Nn

Nn

3

3

❌


CAs Radio station

R R R

R

Receivers

1

2 1 2


Nn

Nn

3

3

❌❌


CAs Radio station

R R R

R

Receivers

1

2 1 2

Nn

Nn

3

3

❌❌

Danger!!! I am not up-to-date with GoDaddy

Sleeping receivers can lose synchronization

CAs Radio station

R R R

R

Receivers

1

2 1 2

Nn

Nn

3

3

ZZ

ZZ

Sleeping receivers can lose synchronization

CAs Radio station

R R R

R

Receivers

1

2 1 2

Nn

Nn

3

3

What did I miss?

Sleeping receivers stay up-to-date with “Nothing since”

CAs Radio station

R R R

R

Receivers

1

2 1 2

Ns

Ns

3

3

ZZ

ZZ

Sleeping receivers stay up-to-date with “Nothing since”

CAs Radio station

R R R

R

Receivers

1

2 1 2

Ns

Ns

3

3

I didn’t miss anything from GoDaddy

RevCast messages

Nn Ns

Nothing now Nothing since

All other CAsMust sign every 10s

R

RevocationRevoking

CAs

Shortening “nothing now” and “nothing since”

{M} {M}


{M} {M}

{M} {M}


{M} {M}

{M} {M}

Problem: FM RDS doesn’t scale to hundreds of signatures


{M} {M}


{M}


{M} {M}


[Boldyreva 2003]

Multi-signatures: combine multiple CA signatures into one

{M}


{M} {M}

{M}{M} {M}


2.89 seconds for both “nothing new” and “nothing since”

[Boldyreva 2003]

Multi-signatures: combine multiple CA signatures into one

R1

Nn R1 2

RevCast summaryCAs Radio

station Receivers

2 Nn2

Ns3

Ns3

Evaluation

1. How quickly can RevCast send updates?

2. How would RevCast handle a worst case scenario?

3. Is RevCast practical?

Evaluation978 CRLs extracted from Rapid7’s scan of the entire IPv4 space

102

103

104

105

12013

2 3 4 5 6 7 8 9 10 11 12 12014

2 3 4 5

# o

f R

evoca

tion

s P

er D

ay

Month:Year:

Heartbleed

WeekdaySaturday

Sunday


Security takes the weekends off

102

103

104

105

12013

2 3 4 5 6 7 8 9 10 11 12 12014

2 3 4 5

# o

f R

evoca

tion

s P

er D

ay

Month:Year:

Heartbleed

WeekdaySaturday

Sunday


Security takes the weekends off

114,021 402,747

102

103

104

105

12013

2 3 4 5 6 7 8 9 10 11 12 12014

2 3 4 5

# o

f R

evoca

tion

s P

er D

ay

Month:Year:

Heartbleed

WeekdaySaturday

Sunday

How quickly can RevCast update?

00.10.20.30.40.50.60.70.80.9

1

0.01 0.1 1 10 100

CD

F

Fraction of interval required

Interval (s)102060

120

How quickly can RevCast update?

96% of 10sec intervals 99.999% of 2min intervals

00.10.20.30.40.50.60.70.80.9

1

0.01 0.1 1 10 100

CD

F


Interval (s)102060

120

Worst-case scenario

00.10.20.30.40.50.60.70.80.9

1

0.1 1 10 100

CD

F


Interval (10s)Pre-heartbleed

Post-heartbleed

Worst-case scenario

70% of time, up-to-date within 10 seconds

00.10.20.30.40.50.60.70.80.9

1

0.1 1 10 100

CD

F



Post-heartbleed

Worst-case scenario

70% of time, up-to-date within 10 seconds

00.10.20.30.40.50.60.70.80.9

1

0.1 1 10 100

CD

F



Post-heartbleed

The most extreme takes 15.5 minutes

Why does RevCast work?

In a small window, there are usuallyfew revocations

0.000.200.400.600.801.00

1 10 100 1000

CD

F

Revocations Per Interval

0

Interval (s)20

120


Different CAs rarelyrevoke within the same

window


0.000.200.400.600.801.00

1 10 100

CD

F

CAs Revoking Per Interval

0

Interval (s)20

120


Different CAs rarelyrevoke within the same

window


• Most CAs co-sign “nothing now” messages• When they do have something to revoke, it’s a small list

0.000.200.400.600.801.00

1 10 100

CD

F

CAs Revoking Per Interval

0

Interval (s)20

120

FM RDS is ideal for disseminating revocations

Receivers:• Tiny and cheap (2.5 x 2.5 mm)

• Already built into many devices* Robustness:• 10 error correcting bits for every 16 bits• VHF & FM (same used for emergency weather radio)

*receivers not antennas

Conclusions

It is possible to design a revocation system that provides timelines, privacy, and is low cost.

Broadcasting revocations is a novel application of multi-signatures.

Practical in today’s Internet, and necessary in tomorrow’s.

revcast: fast, private certiﬁcate revocation over fm...

Documents