A Method for Detecting the Exposure of an OCSP Responder’s Session Private Key in D-OCSP-KIS
Euro PKI 2005
Younggyo Lee, Injung Kim, Seungjoo Kim, Dongho Won
yglee@dosan.skku.ac.kr, ciper@etri.re.kr, skim@ece.skku.ac.kr, dhwon@dosan.skku.ac.kr
Sungkyunkwan University, Korea
Electronics and Telecommunication Research Institute, Korea
PKI (Public Key Infrastructure)
• Widespread and strong technology
• Provides security (integrity, authentication, non-repudiation)
• Main idea: the digital certificate
  • Binds an entity’s identity information to its public key
  • Digitally signed by a CA (Certificate Authority)
• Needs CSI (Certificate Status Information)
  • Information on whether the certificate is revoked or not
  • An entity requests revocation from the CA when
    • the entity’s private key is compromised
    • the entity’s identity information is changed
    • etc.
  • The CA gathers a list of information about revoked certificates and issues the certificate revocation information periodically.
CRLs (Certificate Revocation Lists)
• The most well-known method for CSI
• Simplicity
• High communication costs (between the user and the CA’s repository) and storage space for storing the lists
• Several methods have been suggested to reduce the size of the certificate revocation list and the communication costs:
  • Delta CRLs
  • CRL DPs (Distribution Points)
  • Over-issued CRLs
  • Indirect CRLs
  • Dynamic CRL DPs
  • Freshest CRLs
  • CRTs (Certificate Revocation Trees)
  • NOVOMODO
  • Authenticated Directory
OCSP (Online Certificate Status Protocol)
• On-line certificate status service
• Serves very timely CSI to the client or user
• High communication costs and storage space are not required
• Response status: good (0), revoked (1), unknown (?)
• One OCSP Responder, n OCSP clients
• If the CSI requests are centralized at one OCSP Responder → risk of DoS attacks
• If the OCSP Responder pre-produces a signed value for responses that is valid for a short time → possibility of replay attacks
• To reduce the overload of a single OCSP Responder, D-OCSP is introduced
  • Single OCSP Responder: T-OCSP (Traditional OCSP)
  • Multiple OCSP Responders: D-OCSP (Distributed OCSP)
D-OCSP (Distributed OCSP)
• On-line certificate status service with n servers
• Reduces the overload of T-OCSP
• Can serve more CSI to clients than T-OCSP in the same time
• If every OCSP Responder holds the same private key, the possibility of exposure of that private key is very high
• Therefore, each OCSP Responder generally holds a different private key
• Then clients must hold all of the OCSP Responders’ certificates
  • increase of communication costs
  • increase of storage consumption
• To solve these problems, the single-public-key method was proposed in D-OCSP-KIS
D-OCSP-KIS and D-OCSP-IBS
• D-OCSP-KIS (Distributed OCSP based on Key-Insulated Signature)
  • Proposed by Koga and Sakurai
  • Each OCSP Responder has a different private key, but all of them share the same public key
  • The length of the single public key is proportional to the number of OCSP Responders
  • Serves the certificate status information of the OCSP Responder using hash values; accordingly, the responder’s certificate CertRes is modified
• D-OCSP-IBS (Distributed OCSP based on Identity-Based Signature)
  • Proposed by Yum and Lee
  • The length of the single public key is constant and short
D-OCSP-KIS and its analysis
< Concept of D-OCSP-KIS > (figure: the CA with the CA’s certificate and the responder’s certificate; Responder 1 … Responder n holding SK1 … SKn; the client receiving response + X1,t … Xn,t)
• The concept of D-OCSP-KIS
  • A CA, n OCSP Responders and a client
  • Uses a one-way hash function H satisfying the following properties:
    • H is at least 10,000 times faster to compute than a digital signature operation
    • H produces 20-byte outputs, no matter how long its inputs are
    • Given Y, it is too hard to find X such that H(X) = Y; finding such a solution is practically impossible
D-OCSP-KIS and its analysis (Continued)
• Issuance of the OCSP Responder’s certificate
  • T is the total number of time periods in days (e.g., T is 365 if each OCSP Responder’s certificate expires 365 days after issuance)
  • The CA produces T hash values using H
  • Let n be the total number of OCSP Responders. The CA repeatedly produces n hash chains from different input values XT,i
  • The CA issues the OCSP Responder’s certificate Cres as follows, using its own private key
• Status validation of the OCSP Responder’s private key
  • The CA delivers the hash value Xt,i to OCSP Responder i if OCSP Responder i’s private key SKi is valid in period t
  • When OCSP Responder i returns a response to the client in period t, it also delivers the hash value Xt,i to the client
  • When the client receives the response, she verifies the digital signature using PKres. Then the client can check the status of the OCSP Responder’s private key using the received hash value Xt,i and the value X1,i contained in the certificate
D-OCSP-KIS and its analysis (Continued)
• Analysis of D-OCSP-KIS
  • Possibility of distributing wrong hash values
    • Suppose that an OCSP Responder’s session private key is compromised by an attacker accidentally and secretly within a time period (e.g., one day)
    • The OCSP Responder cannot request revocation from the CA
    • So the CA will distribute to the OCSP Responder the wrong hash value, one that validates the certificate status in spite of the compromise of the session private key
  • Additional load on the CA
    • The CA computes and stores the X-chains at each time interval (see Table)
    • And the CA distributes the hash values to each OCSP Responder at the beginning of each period
    • Because the CA has its basic mission (certificate issuance and revocation, CRL publishing, etc.), generating, storing and (most critically) distributing these hash values are additional loads on the CA
D-OCSP-KIS and its analysis (Continued)
• Analysis of D-OCSP-KIS (Continued)
  • No detection of the exposure of an OCSP Responder’s session private key
    • An attacker steals OCSP Responder Ri’s session private key secretly in period t
    • She can easily acquire the hash value Xt,i, but cannot derive any other OCSP Responder’s private key because she cannot obtain SK*
    • She cannot derive the hash value Xt+1,i (where H(Xt+1,i) = Xt,i) because H is a one-way function
    • Therefore, she cannot cheat the clients after period t
    • However, if OCSP Responder Ri does not recognize that its session private key was stolen in period t, she can masquerade as the OCSP Responder until all the periods are finished
    • She can offer wrong OCSP responses to clients, servers and users of e-commerce
    • This can cause serious confusion and damage to them
Proposed method
< Computation of hash value and issuance of OCSP Responder’s certificate > (figure: Responder 1 … Responder n with SK1 … SKn send X1,1,K … X1,m,K, …, Xn,1,K … Xn,m,K to the CA; the CA, holding the CA’s certificate, issues the responder’s certificate for client1 … clientm)
• Requirements
  • Let n be the total number of OCSP Responders and m the total number of clients. In general, n is much less than m (n << m)
  • Suppose that the end user gets the CSI service through the client
  • Suppose that the client gets the CSI service from the OCSP Responder after registration with the CA
• Computation of hash values for each OCSP Responder
  • Let K be the total number of signature uses by an OCSP Responder (e.g., K is 10,000 if each OCSP Responder’s certificate expires after 10,000 signing operations for responses)
  • Thus, the certificate of the OCSP Responder expires after 10,000 signature operations
  • The OCSP Responder produces the hash value XK using H as follows
  • The OCSP Responder repeatedly produces m hash chains from different input values Xj,0 for the m clients
Proposed method (Continued)
• Computation of hash values for each OCSP Responder (Cont’d)
  • Across the OCSP Responders, n × m hash chains are produced from different input values Xi,j,0
  • Xi,j,k denotes the hash value at step k computed in OCSP Responder i for distribution to client j
  • Each OCSP Responder stores the input values Xi,1,0, ..., Xi,m,0 and all intermediate hash values, and securely sends the final hash values Xi,1,K, ..., Xi,m,K to the CA
• Issuance of the OCSP Responder’s certificate by the CA
  • The CA gathers Xi,1,K, ..., Xi,m,K from each OCSP Responder and issues m OCSP Responder certificates Cclientj, one for distribution to each client, using its own private key
  • SN is the serial number of the certificate and V represents the validity period; I and S denote the issuer and subject of the certificate
  • The hash values included in each certificate are therefore different from each other
(table of the final hash values: columns In OCSP Responder 1 … In OCSP Responder j … In OCSP Responder n; rows Certificate for client 1 … Certificate for client m)
Proposed method (Continued)
< Status validation of OCSP Responder’s private key > (figure: Responder 1 … Responder n with SK1 … SKn; the client, holding the CA’s certificate, receives response + X1,j,k … response + Xn,j,k)
• Status validation of the OCSP Responder’s private key by the client
  • When OCSP Responder i returns a response to client j, it also delivers the hash value Xi,j,k to the client
  • When client j receives the response from OCSP Responder i, she verifies the digital signature using the OCSP Responder’s public key PKres. Then the client can check the status of the OCSP Responder’s private key using the hash value Xi,j,k received in the response and the value Xi,j,K contained in the OCSP Responder’s certificate
(figure: the hash value delivered at the first response to client j, at the k-th response to client j, and at the last response to client j)
Proposed method (Continued)
• Detection procedure of the exposure of the OCSP Responder’s session key by the client
  1. The client performs one hashing operation on the hash value Xi,j,k included in the response, sets Xtemp to the result, and increments the counter Cnow by 1:
     Xtemp ← H(Xi,j,k), Cnow ← Cnow + 1
  2. The client then compares Xtemp with the Xi,j,K contained in OCSP Responder i’s certificate. If they are equal, go to step 3. Otherwise, the client sets Xi,j,k to Xtemp and goes back to step 1:
     Xi,j,k ← Xtemp
  3. The counter Cnow is compared with Cbefore. If the condition Cnow = Cbefore + 1 is satisfied, the client accepts the response and goes to step 4. Otherwise, he rejects the response, recognizing the exposure of the session private key and the abuse of the hash value
  4. After setting Cbefore to Cnow and Cnow to 0, the client proceeds to step 1 for the next response:
     Cbefore ← Cnow, Cnow ← 0
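The per-client hash chain of the proposed method and the client’s four-step detection procedure, as an added example in Python that is not code from the paper. It assumes SHA-1 as the 20-byte one-way function H, reads the step-3 condition as Cnow = Cbefore + 1, and uses a constructed seed and a small K.

```python
import hashlib


def H(x: bytes) -> bytes:
    """One-way hash H; SHA-1 gives the 20-byte output the paper assumes (assumption)."""
    return hashlib.sha1(x).digest()


def build_chain(seed: bytes, K: int) -> list:
    """Responder i builds X_{i,j,0..K} for client j with X[k] = H(X[k-1]);
    X[K] is sent securely to the CA and put into the certificate Cclient_j."""
    chain = [seed]
    for _ in range(K):
        chain.append(H(chain[-1]))
    return chain


class Client:
    """Client j: holds X_{i,j,K} from the certificate plus the counter Cbefore."""
    def __init__(self, anchor: bytes, K: int):
        self.anchor, self.K, self.c_before = anchor, K, 0

    def verify(self, x_ijk: bytes) -> bool:
        """Steps 1-4 of the detection procedure; True if the response is accepted."""
        c_now, x_temp = 0, x_ijk
        for _ in range(self.K):          # a value off this chain never reaches the anchor
            x_temp, c_now = H(x_temp), c_now + 1   # step 1: Xtemp <- H(X), Cnow <- Cnow + 1
            if x_temp == self.anchor:    # step 2: compare with X_{i,j,K} from the certificate
                break
        else:
            return False                 # chain exhausted without hitting the anchor
        if c_now != self.c_before + 1:   # step 3: Cnow = Cbefore + 1, else reuse or skipped value
            return False                 # reject: exposure of session key / abuse of hash value
        self.c_before = c_now            # step 4: Cbefore <- Cnow; Cnow restarts at 0 next call
        return True


def simulate(K: int = 5) -> dict:
    """Constructed run: responder 1 serving client 1; the k-th response reveals chain[K - k]."""
    chain = build_chain(b"constructed seed X_1,1,0", K)
    client = Client(anchor=chain[K], K=K)
    return {
        "first": client.verify(chain[K - 1]),    # True, Cnow = 1
        "second": client.verify(chain[K - 2]),   # True, Cnow = 2
        "replay": client.verify(chain[K - 2]),   # False: same value twice, Cnow = Cbefore
        "skip": client.verify(chain[K - 4]),     # False: Cnow = Cbefore + 2
        "third": client.verify(chain[K - 3]),    # True: order resumes
        "foreign": client.verify(b"\x00" * 20),  # False: not on this chain at all
    }
```

The replay case is the one the original D-OCSP-KIS cannot catch: an intercepted Xi,j,k presented again is rejected here because the hash count does not advance.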
Characteristics and comparisons
• Detection of the exposure of the session private key and the hash value
• Usage times of the OCSP Responder’s private key
• Decrease of the CA’s load
Conclusion
• We have proposed a method that can immediately detect the exposure of the OCSP Responder’s session private key and the abuse of the hash value in D-OCSP-KIS.
• The hash values are used only one time, and the load of computing the X-chains in the CA is distributed to each OCSP Responder.
• The method decreases the additional load on the CA.
• Our future work is to increase the usage time of the OCSP Responder’s private key and to decrease the number of hash function operations for the status validation.