revcast: fast, private certificate revocation over fm...
TRANSCRIPT
RevCast: Fast, Private Certificate Revocation
over FM radioAaron SchulmanStanford University
Dave LevinUniversity of Maryland
Neil SpringUniversity of Maryland
Authentication in the PKI
I want an encrypted connection.
Authentication in the PKI
I want an encrypted connection.
Authentication in the PKI
Certificate #12
Signed by CA:
I want an encrypted connection.
Authentication in the PKI
Certificate #12
Signed by CA:
The CA ( ) attests that
is controlled by
Is bound to ?
Authentication in the PKI
Certificate #12
Signed by CA:
The CA ( ) attests that
is controlled by
Is bound to ?
Authentication in the PKI
Certificate #12
Signed by CA:
Trusted Root CAs
The CA ( ) attests that
is controlled by
Is bound to ?
Authentication in the PKI
Certificate #12
Signed by CA:
Trusted Root CAs
The CA ( ) attests that
is controlled by✔
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
The CA ( ) breaks the binding of with
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
The CA ( ) breaks the binding of with
✔
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
The CA ( ) breaks the binding of with ❌ ✔
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
The CA ( ) breaks the binding of with ❌ ✔
Revocation in the PKI
Trusted Root CAs
C
Certificate #12
Signed by CA:
RevocationCertificate #12
Signed by CA:
The CA ( ) breaks the binding of with ❌ ✔
One revocation every 1.1 seconds for all CAs on the Internet
Every device needs revocations
C
RevocationCertificate #12
Signed by CA:
Every device needs revocations
C
RevocationCertificate #12
Signed by CA:
Properties of revocation systems
Properties of revocation systems
10s
Timeliness
Clients’ revocationstate should be
up-to-date, ideally within 10s of seconds
Properties of revocation systems
10s
Timeliness
Clients’ revocationstate should be
up-to-date, ideally within 10s of seconds
$$$$
$$
Low-cost dissemination
The distribution mechanism must scalewith CAs, certificates,
and clients
Properties of revocation systems
10s
Timeliness
Clients’ revocationstate should be
up-to-date, ideally within 10s of seconds
$$$$
$$
Low-cost dissemination
The distribution mechanism must scalewith CAs, certificates,
and clients
Privacy
Users’ browsinghabits should not
have to be revealed
Properties of revocation systems
10s
Timeliness
Clients’ revocationstate should be
up-to-date, ideally within 10s of seconds
$$$$
$$
Low-cost dissemination
The distribution mechanism must scalewith CAs, certificates,
and clients
Privacy
Users’ browsinghabits should not
have to be revealed
It is generally regarded that no system can possibly achieve all three.
Properties of revocation systems
10s
Timeliness
Clients’ revocationstate should be
up-to-date, ideally within 10s of seconds
$$$$
$$
Low-cost dissemination
The distribution mechanism must scalewith CAs, certificates,
and clients
Privacy
Users’ browsinghabits should not
have to be revealed
It is generally regarded that no system can possibly achieve all three.
RevCast✔ ✔ ✔
Certificate Revocation Lists(CRL)
Online Certificate Status Protocol (OCSP)
OCSP Stapling
Short lived certs
Existing revocation systems
CA
Client
Client
Client
Client
Org
CRL124, 24 21, 2521
Revocation
Certificate #12
Signed by CA:
Certificate #12
Signed by CA:
Still okCertificate #12Signed by CA:
Still okCertificate #12Signed by CA:
CA Org
CA
Certificate #12
Signed by CA:
CA
CA
Client
Client
Client
Client
Org
CRL124, 24
21, 2521
Revocation
Certificate #12
Signed by CA:
Certificate #12
Signed by CA:
Still okCertificate #12Signed by CA:
Still okCertificate #12Signed by CA:
CA Org
CA
Certificate #12
Signed by CA:
CA
CRLs ❌ ❌ ✔OCSP ✔ ❌ ❌
Short lived ✔* ❌ ✔Stapling ✔ ❌ ✔
Existing revocation systems
ClientCRL
124, 24 21, 2521CA
CA ClientRevocationCertificate #12
Signed by CA:
ClientOrgCA
ClientCertificate #12
Signed CA OrgCertificate #12
Signed
Still ok
Certificate #12
Signed
Still ok
Certificate #12
Signed
CRLs ❌ ❌ ✔OCSP ✔ ❌ ❌
Short lived ✔* ❌ ✔Stapling ✔ ❌ ✔
Existing revocation systems
All of these protocols rely on unicast transmission of revocations
ClientCRL
124, 24 21, 2521CA
CA ClientRevocationCertificate #12
Signed by CA:
ClientOrgCA
ClientCertificate #12
Signed CA OrgCertificate #12
Signed
Still ok
Certificate #12
Signed
Still ok
Certificate #12
Signed
Unicast is not well suited for distributing revocations
Doesn’t scale to distributing to every device on the Internet
Failures are benign indication of connectivity issues (soft-fail)
Multicast revocation is also flawed (Sybils, MITM, DoS)
RevCast
RevocationCertificate #12
Signed by CA:
We propose broadcasting revocations over FM RDS
Tower: http://cityspottercards.com/
RevCast
RevocationCertificate #12
Signed by CA:
We propose broadcasting revocations over FM RDS
Tower: http://cityspottercards.com/
FM RDS coverage is ideal for disseminating revocations
• Transmitters are where people are• Up to 10 million people per tower
200,000 150,000 100,000 50,000 0
Properties of revocation systems
Privacy
Radio broadcasts are inherently
receiver anonymous
$$
$$
$$
Low-cost dissemination
One transmission covers up to 10 million
& Under-monotized
Properties of revocation systems
Privacy
Radio broadcasts are inherently
receiver anonymous
$$
$$
$$
Low-cost dissemination
One transmission covers up to 10 million
& Under-monotized
Properties of revocation systems
Privacy
Radio broadcasts are inherently
receiver anonymous
$$
$$
$$
Low-cost dissemination
One transmission covers up to 10 million
& Under-monotized
Solved. Let’s go party like it’s 1989!
One tiny problem. RDS has an effective bitrate of 421.8 bps.
10s
Timeliness?
RevCast protocol - fitting revocations in 421.8 bps
Evaluate RevCast with 2 months of revocations
Rest of the talk
Revoking over FM RDSCAs Radio
station Receivers
Revoking over FM RDSCAs Radio
station Receivers
R
R
R
1
2
3
R R R1 2 3
Revoking over FM RDSCAs Radio
station Receivers
R
R
R
1
2
3
Losses can go undetected
CAs Radio station
R R R
R
R
Receivers
1
2
3
1 2 R3
Losses can go undetected
CAs Radio station
R R R
R
R
Receivers
1
2
3
1 2 R3
❌
Losses can go undetected
CAs Radio station
R R R
R
R
Receivers
1
2
3
1 2 R3
❌❌
Losses can go undetected
CAs Radio station
R R R
R
R
Receivers
1
2
3
1 2 R3
❌GoDaddy didn’t revoke
❌
Making losses detectible with “nothing now”
CAs Radio station
R R R
R
Receivers
1
2 1 2
Nn
Nn
3
3
Making losses detectible with “nothing now”
CAs Radio station
R R R
R
Receivers
1
2 1 2
GoDaddy says they didn’t revoke
Nn
Nn
3
3
Making losses detectible with “nothing now”
CAs Radio station
R R R
R
Receivers
1
2 1 2
GoDaddy says they didn’t revoke
Nn
Nn
3
3
❌
Making losses detectible with “nothing now”
CAs Radio station
R R R
R
Receivers
1
2 1 2
GoDaddy says they didn’t revoke
Nn
Nn
3
3
❌❌
Making losses detectible with “nothing now”
CAs Radio station
R R R
R
Receivers
1
2 1 2
Nn
Nn
3
3
❌❌
Danger!!! I am not up-to-date with GoDaddy
Sleeping receivers can lose synchronization
CAs Radio station
R R R
R
Receivers
1
2 1 2
Nn
Nn
3
3
ZZ
ZZ
Sleeping receivers can lose synchronization
CAs Radio station
R R R
R
Receivers
1
2 1 2
Nn
Nn
3
3
What did I miss?
Sleeping receivers stay up-to-date with “Nothing since”
CAs Radio station
R R R
R
Receivers
1
2 1 2
Ns
Ns
3
3
ZZ
ZZ
Sleeping receivers stay up-to-date with “Nothing since”
CAs Radio station
R R R
R
Receivers
1
2 1 2
Ns
Ns
3
3
I didn’t miss anything from GoDaddy
RevCast messages
Nn Ns
Nothing now Nothing since
All other CAsMust sign every 10s
R
RevocationRevoking
CAs
Shortening “nothing now” and “nothing since”
{M} {M}
Shortening “nothing now” and “nothing since”
{M} {M}
{M} {M}
Shortening “nothing now” and “nothing since”
{M} {M}
{M} {M}
Problem: FM RDS doesn’t scale to hundreds of signatures
Shortening “nothing now” and “nothing since”
{M} {M}
Problem: FM RDS doesn’t scale to hundreds of signatures
{M}
Shortening “nothing now” and “nothing since”
{M} {M}
Problem: FM RDS doesn’t scale to hundreds of signatures
[Boldyreva 2003]
Multi-signatures: combine multiple CA signatures into one
{M}
Shortening “nothing now” and “nothing since”
{M} {M}
{M}{M} {M}
Problem: FM RDS doesn’t scale to hundreds of signatures
2.89 seconds for both “nothing new” and “nothing since”
[Boldyreva 2003]
Multi-signatures: combine multiple CA signatures into one
R1
Nn R1 2
RevCast summaryCAs Radio
station Receivers
2 Nn2
Ns3
Ns3
Evaluation
1. How quickly can RevCast send updates?
2. How would RevCast handle a worst case scenario?
3. Is RevCast practical?
Evaluation978 CRLs extracted from Rapid7’s scan of the entire IPv4 space
102
103
104
105
12013
2 3 4 5 6 7 8 9 10 11 12 12014
2 3 4 5
# o
f R
evoca
tion
s P
er D
ay
Month:Year:
Heartbleed
WeekdaySaturday
Sunday
Evaluation978 CRLs extracted from Rapid7’s scan of the entire IPv4 space
Security takes the weekends off
102
103
104
105
12013
2 3 4 5 6 7 8 9 10 11 12 12014
2 3 4 5
# o
f R
evoca
tion
s P
er D
ay
Month:Year:
Heartbleed
WeekdaySaturday
Sunday
Evaluation978 CRLs extracted from Rapid7’s scan of the entire IPv4 space
Security takes the weekends off
114,021 402,747
102
103
104
105
12013
2 3 4 5 6 7 8 9 10 11 12 12014
2 3 4 5
# o
f R
evoca
tion
s P
er D
ay
Month:Year:
Heartbleed
WeekdaySaturday
Sunday
How quickly can RevCast update?
00.10.20.30.40.50.60.70.80.9
1
0.01 0.1 1 10 100
CD
F
Fraction of interval required
Interval (s)102060
120
How quickly can RevCast update?
96% of 10sec intervals 99.999% of 2min intervals
00.10.20.30.40.50.60.70.80.9
1
0.01 0.1 1 10 100
CD
F
Fraction of interval required
Interval (s)102060
120
Worst-case scenario
00.10.20.30.40.50.60.70.80.9
1
0.1 1 10 100
CD
F
Fraction of interval required
Interval (10s)Pre-heartbleed
Post-heartbleed
Worst-case scenario
70% of time, up-to-date within 10 seconds
00.10.20.30.40.50.60.70.80.9
1
0.1 1 10 100
CD
F
Fraction of interval required
Interval (10s)Pre-heartbleed
Post-heartbleed
Worst-case scenario
70% of time, up-to-date within 10 seconds
00.10.20.30.40.50.60.70.80.9
1
0.1 1 10 100
CD
F
Fraction of interval required
Interval (10s)Pre-heartbleed
Post-heartbleed
The most extreme takes 15.5 minutes
Why does RevCast work?
In a small window, there are usuallyfew revocations
0.000.200.400.600.801.00
1 10 100 1000
CD
F
Revocations Per Interval
0
Interval (s)20
120
Why does RevCast work?
In a small window, there are usuallyfew revocations
0.000.200.400.600.801.00
1 10 100 1000
CD
F
Revocations Per Interval
0
Interval (s)20
120
Why does RevCast work?
Different CAs rarelyrevoke within the same
window
In a small window, there are usuallyfew revocations
0.000.200.400.600.801.00
1 10 100
CD
F
CAs Revoking Per Interval
0
Interval (s)20
120
Why does RevCast work?
Different CAs rarelyrevoke within the same
window
In a small window, there are usuallyfew revocations
• Most CAs co-sign “nothing now” messages• When they do have something to revoke, it’s a small list
0.000.200.400.600.801.00
1 10 100
CD
F
CAs Revoking Per Interval
0
Interval (s)20
120
FM RDS is ideal for disseminating revocations
Receivers:• Tiny and cheap (2.5 x 2.5 mm)
• Already built into many devices* Robustness:• 10 error correcting bits for every 16 bits• VHF & FM (same used for emergency weather radio)
*receivers not antennas
Conclusions
It is possible to design a revocation system that provides timelines, privacy, and is low cost.
Broadcasting revocations is a novel application of multi-signatures.
Practical in today’s Internet, and necessary in tomorrow’s.