A Framework for Distributed OCSP without Responders Certificate
Young-Ho Park (pyhoya@mail1.pknu.ac.kr)
Kyung-Hyune Rhee (khrhee@pknu.ac.kr)
Pukyong National University
WISA 2004
Public Key Certificate
• Public Key Infrastructure (PKI)
  - The main architecture for security services over the Internet
• Public Key Certificate
  - Binds a public key to the owner's identity information
  - Digitally signed and certified by a trusted certificate authority (CA)
• Certificate Revocation
  - Compromise of the key or abuse by the owner
  - Certificate Revocation List (CRL)
  - Online Certificate Status Protocol (OCSP)
Lab. of Information security & Internet Applications, PKNU
2
Online Certificate Status Protocol
• To check the validity of a certificate at the time of a given transaction
  - OCSP responder provides a digitally signed response
  - Client can retrieve timely certificate status with moderate resource usage
• Single Responder
  - Most of the workload converges on the responder
  - Digital signature is a computation-consuming operation
  - Denial of service
[Figure: the client sends a Request to the Responder and receives a Response (Good, Revoked or Unknown; Validity Interval; ...; Signature); the Responder is backed by the CA and an X.500 directory]
Distributed OCSP
• Composed of multiple OCSP responders
  - Sharing and balancing the workload of OCSP responses
  - Client can choose one responder
• Certificate of the responder is required to verify the signature in the response, for both OCSP and D-OCSP
• In D-OCSP
  - Using the same private signing key for every responder
    · Easy key management but high risk of key exposure
  - Using different private keys
    · Increases the complexity of key management
KIS-D-OCSP (1)
• [S. Koga and K. Sakurai, PKC 2004]
  - One solution for efficient certificate management of multiple responders
  - Key-insulated signature (KIS) scheme and hash chain
• Different private key for every responder but the same public key for signature verification
  - Only one certificate is required for multiple responders
  - Private key exposure of one responder does not affect the other responders
• Hash chain is used for checking the validity of a responder at the given time period
KIS-D-OCSP (2)
• Key Generation
  - CA distributes private keys to every responder
[Figure: the CA's key generator takes the master key $SK^*$ and outputs the public key $PK_{res}$ and one private signing key per responder, $SK_1, SK_2, \ldots, SK_n$, delivered to $R_1, R_2, \ldots, R_n$ over a secure channel]
  - Let $p$ and $q$ be prime numbers such that $p = 2q + 1$
  - $x_0^*, y_0^*, \ldots, x_{n-1}^*, y_{n-1}^* \in \mathbb{Z}_q$
  - $v_i^* = g^{x_i^*} h^{y_i^*}$; $g, h \in \mathbb{Z}_p^*$ with order $q$
  - Master key $SK^* = (x_0^*, y_0^*, \ldots, x_{n-1}^*, y_{n-1}^*)$
  - Public key $PK_{res} = (g, h, v_1^*, \ldots, v_{n-1}^*)$
  - $x'_i = \sum_{k=1}^{n-1} x_k^* \left(i^k - (i-1)^k\right)$
  - $y'_i = \sum_{k=1}^{n-1} y_k^* \left(i^k - (i-1)^k\right)$
  - $x_i = x_{i-1} + x'_i$ ($x_0 = x_0^*$)
  - $y_i = y_{i-1} + y'_i$ ($y_0 = y_0^*$)
  - Each responder private key $SK_i = (x_i, y_i)$
KIS-D-OCSP (3)
• Hash chain
  - $X_1 = H(X_2) = H^2(X_3) = \cdots = H^{t-1}(X_t)$
  - For total $T$ time periods and $n$ responders (the CA keeps the chain heads $X_T^i$ securely):
    $X_T^1 \rightarrow X_{T-1}^1 \rightarrow \cdots \rightarrow X_t^1 \rightarrow \cdots \rightarrow X_1^1$
    $X_T^2 \rightarrow X_{T-1}^2 \rightarrow \cdots \rightarrow X_t^2 \rightarrow \cdots \rightarrow X_1^2$
    $\cdots$
    $X_T^n \rightarrow X_{T-1}^n \rightarrow \cdots \rightarrow X_t^n \rightarrow \cdots \rightarrow X_1^n$
• CA provides $X_t^i$ at time period $t \le T$ to the $i$-th responder
• Validity check at $t \le T$ for the $i$-th responder
  - Checking whether $X_1^i = H^{t-1}(X_t^i)$ holds
• Responder Certificate: $Cert = Sig_{CA}(PK_{res}, SN, I, J, V, X_1^1, \ldots, X_1^n)$
  - $SN$: serial number
  - $I, J$: Issuer and Subject
  - $V$: Valid time period
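A runnable model of the hash-chain validity check on this slide, added here as an example and not code from the paper: the one-way function H is taken to be SHA-256 and the chain seed is constructed.

```python
import hashlib

def H(x: bytes) -> bytes:   # the one-way function of the chain (SHA-256 is an assumption; the slide only writes H)
    return hashlib.sha256(x).digest()

def build_chain(x_T: bytes, T: int) -> list:
    """Return [X_1, ..., X_T] where X_{t-1} = H(X_t); the CA keeps X_T and signs X_1 into the certificate."""
    chain = [x_T]
    for _ in range(T - 1):
        chain.append(H(chain[-1]))          # walk from X_T down to X_1
    return chain[::-1]                      # chain[t - 1] is X_t

def check_validity(x_1: bytes, x_t: bytes, t: int) -> bool:
    """Client check from the slide: X_1 == H^{t-1}(X_t).  t must come from the client's own clock,
    not from the response, otherwise an X_t released in an earlier period would still pass."""
    v = x_t
    for _ in range(t - 1):
        v = H(v)
    return v == x_1

def demo(T: int = 10, t_now: int = 5):
    chain = build_chain(b"constructed seed X_T for responder 1", T)   # a real CA draws X_T^i at random
    x_1 = chain[0]                          # X_1^1, signed into the responder certificate
    x_t = chain[t_now - 1]                  # X_t^1, handed to responder 1 in period t_now
    return (check_validity(x_1, x_t, t_now),                 # current period's value: passes
            check_validity(x_1, chain[t_now - 2], t_now),    # last period's value replayed: fails
            check_validity(x_1, x_t, t_now + 1))             # next period claimed without X_{t+1}: fails
```

Because H is one-way, holding X_t gives a responder no way to produce X_{t+1}, which is why the CA has to release one fresh value per period.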
KIS-D-OCSP (4)
• System
[Figure: the CA generates and distributes private keys $SK_1, \ldots, SK_n$ to every responder and provides the hash values $X_t^1, \ldots, X_t^n$ for the current time period; the client requests service from one responder $R_i$ and receives the response, the KIS signature and $X_t^i$]
  - Responder certificate: $Cert = Sig_{CA}(PK_{res}, SN, I, J, V, X_1^1, \ldots, X_1^n)$
  - Responder $R_i$ signs the response $m$:
    $r_1, r_2 \in_R \mathbb{Z}_q^*$
    $w = g^{r_1} h^{r_2}$
    $\sigma = H(i, m, w)$
    $a = r_1 + \sigma x_i$
    $b = r_2 + \sigma y_i$
    $Sig_i = (i, w, a, b)$
  - Client verification:
    · Verifying the CA signature and checking expiration of the certificate
    · Checking the hash chain $X_1^i = H^{t-1}(X_t^i)$
    · Verifying the signature in the response:
    $v_i = \prod_{k=0}^{n-1} (v_k^*)^{i^k}$
    $\sigma = H(i, m, w)$
    check if $w = g^a h^b v_i^{-\sigma}$
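A runnable model of the KIS-D-OCSP key generation and update rule (slide 6) together with the responder signature and client verification on this slide, added here as an example and not code from the paper or from Koga and Sakurai. Assumptions: the group is a toy 64-bit safe prime $p = 2q + 1$ generated at start-up, $H$ is SHA-256, and the public key also carries $v_0^*$ because the verifier's product starts at $k = 0$.

```python
import hashlib
import secrets

def toy_safe_prime(bits: int = 64):  # random safe prime p = 2q + 1 (Fermat-tested toy parameters; real systems use Miller-Rabin and >= 2048-bit p)
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(2 + secrets.randbelow(n - 3), n - 1, n) == 1 for n in (q, 2 * q + 1) for _ in range(32)):
            return 2 * q + 1, q

P, Q = toy_safe_prime()
G, HG = pow(2, 2, P), pow(3, 2, P)  # squares mod p, hence both of prime order q

def hash_sigma(i: int, m: str, w: int) -> int:  # sigma = H(i, m, w) in Z_q (SHA-256 is an assumption)
    return int.from_bytes(hashlib.sha256(f"{i}|{len(m)}|{m}|{w}".encode()).digest(), "big") % Q

def ca_keygen(n: int):
    """Master key SK* = (x*_k, y*_k)_{k<n}; public key PK_res = (g, h, v*_0, ..., v*_{n-1}) with v*_k = g^{x*_k} h^{y*_k}."""
    xs = [secrets.randbelow(Q) for _ in range(n)]
    ys = [secrets.randbelow(Q) for _ in range(n)]
    return (xs, ys), (G, HG, [pow(G, x, P) * pow(HG, y, P) % P for x, y in zip(xs, ys)])

def responder_key(master, i: int):
    """SK_i = (x_i, y_i) by the slide's update rule x_i = x_{i-1} + x'_i, x'_i = sum_{k>=1} x*_k (i^k - (i-1)^k), x_0 = x*_0."""
    sk = [master[0][0], master[1][0]]
    for j in range(1, i + 1):
        for c, coeffs in enumerate(master):
            sk[c] = (sk[c] + sum(coeffs[k] * (pow(j, k, Q) - pow(j - 1, k, Q)) for k in range(1, len(coeffs)))) % Q
    return tuple(sk)

def kis_sign(sk_i, i: int, m: str):
    x_i, y_i = sk_i
    r1, r2 = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)  # r1, r2 in Z_q^*
    w = pow(G, r1, P) * pow(HG, r2, P) % P
    sigma = hash_sigma(i, m, w)
    return i, w, (r1 + sigma * x_i) % Q, (r2 + sigma * y_i) % Q

def kis_verify(pk, m: str, sig) -> bool:
    """v_i = prod_k (v*_k)^{i^k} = g^{x_i} h^{y_i}; accept iff g^a h^b == w * v_i^sigma (i.e. w == g^a h^b v_i^{-sigma})."""
    g, h, vs = pk
    i, w, a, b = sig
    v_i = 1
    for k, v in enumerate(vs):
        v_i = v_i * pow(v, pow(i, k, Q), P) % P
    return pow(g, a, P) * pow(h, b, P) % P == w * pow(v_i, hash_sigma(i, m, w), P) % P
```

The update rule telescopes to $x_i = \sum_{k=0}^{n-1} x_k^* i^k$, which is exactly the exponent the verifier reconstructs from the public $v_k^*$, so one certificate for $PK_{res}$ covers every responder index.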
IBS-D-OCSP (1)
• Applying an identity-based signature (IBS) scheme
• Motivations
  - Are OCSP responder certificates needed for certificate management?
  - It is possible to generate different private keys from the same master key with different identifier strings
  - The identifier itself can function as the public key
  - Removes the overhead of certificate management for responders
    · KIS-D-OCSP requires at least one certificate
  - Date information can be encoded into the keying material
    · Date is common knowledge
    · Hash chain is not required to check the validity for the given time period
IBS-D-OCSP (2)
• Implementation Issues
  - Identity-based Signature Scheme [J. Cha and J. Cheon, PKC 2003]
    · Bilinear Pairing: Weil and Tate pairing on elliptic curves
  - Identifiers of responders
    · Certificate contains OCSP_URI, certified by the CA
    · Ex.) Keying ID = "CA || Responder_URI || 20040818"
    · ID itself is the public key for IBS verification
IBS-D-OCSP (3)
• Key Generation
  - CA generates private keys for the responders' identifiers
[Figure: the CA's key generator takes the master key, date info and $identifier_i$ and delivers $SK_1, \ldots, SK_n$ to responders $R_1, \ldots, R_n$ over a secure channel]
  - $G_1$: additive group of points on an elliptic curve
  - $G_2$: multiplicative group of a finite field
  - pairing $e : G_1 \times G_1 \rightarrow G_2$
  - $f()$: one-way mapping function, $f : \{0,1\}^* \rightarrow G_1$
  - $Q_i = f(identifier_i \,\|\, Date)$
  - CA master secret $SK^* = s \in_R \mathbb{Z}_q^*$
  - CA public key $PK^* = s \cdot P \in G_1$; $P \in G_1$
  - Each responder private key $SK_i = s \cdot Q_i \in G_1$
IBS-D-OCSP (4)
• System
[Figure: the CA distributes private keys $SK_1, \ldots, SK_n$ for the given time period; the client requests service from one of the responders $R_1, \ldots, R_n$ and receives the response with the IBS signature]
  - Responder $R_i$ signs the response $m$:
    $r \in_R \mathbb{Z}_q$
    $U = r \cdot H_1(CA \,\|\, Res_i\_URI \,\|\, date) \in G_1$
    $h = H_2(m, U)$
    $V = (r + h)\, SK_i$
    $Sig_i = (U, V)$
  - Client verification:
    · Calculating the public key from the responder identifier and date info.
    · Verifying the signature in the response:
    $Q = H_1(CA \,\|\, Res_i\_URI \,\|\, date)$
    $h = H_2(m, U)$
    checks if $e(P, V) = e(P_{CA}, U + hQ)$
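A runnable model of the IBS-D-OCSP key extraction, signing and verification on slides 11 and 12, added here as an example and not code from the paper or from Cha and Cheon. Assumptions: no real elliptic-curve pairing is implemented; a point $aP$ is represented by the scalar $a \bmod q$ and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$, which is bilinear and so satisfies the same equations but is not a secure instantiation (discrete logs are trivial); $H_1$ and $H_2$ are SHA-256 based; the CA name and responder URI are constructed.

```python
import hashlib
import secrets

def toy_safe_prime(bits: int = 64):  # random safe prime p = 2q + 1 (Fermat-tested toy parameters; real systems use Miller-Rabin and >= 2048-bit p)
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(2 + secrets.randbelow(n - 3), n - 1, n) == 1 for n in (q, 2 * q + 1) for _ in range(32)):
            return 2 * q + 1, q

P_MOD, Q = toy_safe_prime()
G2_GEN = pow(2, 2, P_MOD)        # generator of the order-q subgroup of Z_p^*, standing in for G_2
P_BASE = 1                       # the base point P of G_1, represented by the scalar 1

# Stand-in for G_1: the point a*P is the scalar a mod q, so e(aP, bP) = g^{ab} is bilinear.
# This models the Cha-Cheon algebra only; it is NOT secure, since a is visible from "aP".
def pairing(a: int, b: int) -> int:
    return pow(G2_GEN, a * b % Q, P_MOD)

def H1(identity: str) -> int:    # {0,1}^* -> G_1 (scalar representing the point Q_i)
    return 1 + int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1)

def H2(m: str, U: int) -> int:   # {0,1}^* x G_1 -> Z_q
    return int.from_bytes(hashlib.sha256(f"{len(m)}|{m}|{U}".encode()).digest(), "big") % Q

def ca_setup():                  # master secret s, CA public key P_CA = s*P
    s = 1 + secrets.randbelow(Q - 1)
    return s, s * P_BASE % Q

def responder_id(ca_name: str, uri: str, date: str) -> str:
    return f"{ca_name}||{uri}||{date}"   # keying ID as on slide 10: "CA || Responder_URI || 20040818"

def extract_key(s: int, identity: str) -> int:   # SK_i = s * Q_i, issued per identifier and date
    return s * H1(identity) % Q

def ibs_sign(sk_i: int, identity: str, m: str):
    r = 1 + secrets.randbelow(Q - 1)
    U = r * H1(identity) % Q     # U = r * Q_i
    h = H2(m, U)
    V = (r + h) * sk_i % Q       # V = (r + h) * SK_i
    return U, V

def ibs_verify(pk_ca: int, identity: str, m: str, sig) -> bool:
    U, V = sig
    Q_i = H1(identity)           # client recomputes the responder's public key from the ID and date
    h = H2(m, U)
    return pairing(P_BASE, V) == pairing(pk_ca, (U + h * Q_i) % Q)   # e(P, V) == e(P_CA, U + h*Q)
```

The date check costs nothing extra: a client that builds the identifier from its own clock rejects a key extracted for any other day, which is what replaces the hash chain of KIS-D-OCSP.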
Security
• Security of a signature relies on the underlying IBS
  - Assuming that the CA is a trusted authority
  - Master key is not disclosed
  - Difficult to compute a private key from an identifier without knowing the master key
  - DLP (Discrete Logarithm Problem)
  - Date information is encoded in the keying material
  - Keys are only valid for the given time period
Efficiency
• Compare KIS-D-OCSP & IBS-D-OCSP

  KIS-D-OCSP                                                       | IBS-D-OCSP
  -----------------------------------------------------------------|------------------------------------------------------------
  Master public key size is proportional to the number of responders | Master public key size is constant in the number of responders
  At least one certificate for responders                          | No certificate for responders
  CA stores hash values securely                                   | CA stores no hash values
  Return: {response, signature, hash}                              | Return: {response, signature}
  2 signature verifications + (t-1) hashings                       | 1 signature verification
  Hash chains to check timely validity                             | Encoding date info. into keying material
  Update hash values every time period                             | Refresh private keys every time period
Conclusion
• Public key certificates are essential for a secure Internet
  - Certificate validity checking is required
  - OCSP is one solution
• Proposed an efficient D-OCSP framework
  - IBS-D-OCSP
  - Removes the responder certificate
  - Does not require additional certificate management
  - Any other efficient IBS scheme can be applied to the system