Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

Jong Youl Choi, Computer Science Dept., Indiana University at Bloomington
Philippe Golle, Palo Alto Research Center, CA, USA
Markus Jakobsson, School of Informatics, Indiana University at Bloomington

Threats to Certificate Authorities
• Certificate repudiation
– A user chooses a weak private key
– A user intentionally lets his private key leak discreetly, for forgery
• Certificate private key leakage
– Malicious attack such as a Trojan horse
– Leaking the CA's private key via a covert channel

What is a covert channel?
• Hidden communication channel
• Steganography – Information hiding
[Figure: original image and extracted image]

Prisoners' problem [Simmons, '93]
• Two prisoners want to exchange messages, but must do so through the warden
• Subliminal channel in DSA
[Figure: speech bubbles "Plan A" and "What Plan?"]

Leaking attack on RSA-PSS
• A random salt is used for the padding string in encryption
• In the verification process, the salt is extracted from EM
• Hidden information can be embedded in the salt value
[Figure: RSA-PSS, PKCS #1 v2.1]

Approaches
• Detect leaking
• A warden observes outputs from the CA
• Malicious attack
• Replacement of function
[Figure: Certificate Authority with a Pseudo Random Number Generator, input m_k, output Sig_k; observer's speech bubble "Something hidden?"]

Approaches (Cont'd)
• Observing is not so easy, because the random number ...
– looks innocuous
– or doesn't reveal any state
• A warden (observer) can be attacked
[Figure: Certificate Authority with a Pseudo Random Number Generator, input m_k, output Sig_k; observer's speech bubble "Something hidden?"]

Undercover observer
• The signer outputs a non-interactive proof as well as the signature
• Lies in ambush until a verification is invalid
[Figure: Pseudo Random Number Generator, input m_k, output Sig_k]

Tamper-evident Chain
• A predefined set of random values in lieu of random numbers generated on the fly
• Hash chain verification
[Figure: values x1, x2, x3, ..., xn, xn+1 linked by Hash(); signatures Sig1, Sig2, ..., Sign; an alternative value x' and signature Sig'3 at position 3; checks x1 =? Hash(x2), x2 =? Hash(x3), ..., xn-1 =? Hash(xn)]
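The chain check on this slide, as an added example that is not from the original slides: an observer compares the random value recovered from each signature (for instance the RSA-PSS salt extracted from EM) against the hash of the next one. SHA-256, the function names, the pre-published anchor and the sample bytes are assumptions made for illustration.

```python
import hashlib
from typing import List, Optional

def H(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slide's unspecified Hash().
    return hashlib.sha256(x).digest()

def build_chain(seed: bytes, n: int) -> List[bytes]:
    """Signer side: precompute x_1..x_n with x_i = H(x_{i+1}), x_{n+1} = seed."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()              # now chain[0] = x_1 and chain[n] = seed
    return chain[:n]             # values consumed by signatures 1..n

def first_break(revealed: List[bytes],
                anchor: Optional[bytes] = None) -> Optional[int]:
    """Observer side: check x_{i-1} == H(x_i) over the values recovered from
    successive signatures. `anchor` is a hypothetical pre-published H(x_1).
    Returns the 1-based number of the first signature that breaks the chain,
    or None when every link verifies."""
    prev = anchor
    for i, x in enumerate(revealed, start=1):
        if prev is not None and H(x) != prev:
            return i
        prev = x
    return None

if __name__ == "__main__":
    # Constructed sample data: a 5-link chain from a fixed demo seed.
    xs = build_chain(hashlib.sha256(b"constructed demo seed").digest(), 5)
    print("honest run:", first_break(xs, anchor=H(xs[0])))
    # Malware swaps x_3 for a value x' chosen on the fly (constructed bytes).
    tampered = list(xs)
    tampered[2] = b"x' carrying hidden bits".ljust(32, b"\0")
    print("tampered run:", first_break(tampered, anchor=H(xs[0])))
```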

DSA Signature Scheme
• Gen: $x \rightarrow y = g^x \bmod p$
• Sign: $m \rightarrow (s, r)$, where $r = (g^k \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for a random value $k$
• Verify: for a given signature $(s, r)$, compute $u_1 = h(m)\, s^{-1}$ and $u_2 = r\, s^{-1}$, and check $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$

Hash chain construction
[Figure: values k1, k2, k3, ..., kn, kn+1 linked by Hash(); for each k_i, r = g^{k_i}, with P1, P2, P3, ..., Pn, Pn+1 and signatures Sig1, Sig2, ..., Sign; an alternative value k' with r' and Sig'3 at position 3; checks X1 =? Hash(X2), X2 =? Hash(X3), ..., Xn-1 =? Hash(Xn)]

Conclusion
• Any leakage from CAs is dangerous
• CAs are not strong enough against malicious attacks
• We need observers that are undercover
• A small additional cost for proofs
Or, send me email: jychoi@cs.indiana.edu