
A Simple Traceable Pseudonym Certificate System for RSA-based PKI


Presentation Transcript


  1. A Simple Traceable Pseudonym Certificate System for RSA-based PKI (SCGroup, Jinhae Kim)

  2. Introduction
  • Digital certificate
    - an authorized assertion about a public key
    - the holder can prove ownership by using the corresponding private key
  • The current PKI is privacy-intrusive
    - certificate use can be linked and traced
  • Pseudonym certificate
    - identifiable by a pseudonym only
    - the digital certificate contains the pseudonym as its subject identifier
    - can be used in anonymous transactions

  3. Building Blocks
  • PKI
  • RSA
  • Pseudonym
  • Blind signature
  • Threshold cryptography
  • X.509 certificate

  4. Basic Model
  [Figure: parties CA, User, Pseudonym Issuer (PI) composed of Anonymous Issuer (AI) and Blind Issuer (BI), and service providers Site 1 … Site n, with numbered message flows 1–6 and i–iv between them]

  5. Basic Model – cnt’d
  • User U holds a digital certificate issued by the CA
    - using a real identity
  • The user can access service providers (SPs)
  • An SP asks PI to revoke a certificate
  • PI: pseudonym certificate issuer (AI and BI)
    - AI and BI collaborate to link ID_U and PN_U
    - ID_U: real identity of user U
    - PN_U: pseudonym of user U

  6. Traceable Pseudonym Certificates
  [Figure: (a) X.509 v3 certificate; (b) pseudonym certificate skeleton, with critical extensions (C_i) and *; (c) traceable pseudonym certificate, with critical extensions (C_1, C_2, …, C_m)]

  7. Basic Protocol - I
  • Basic assumptions
    - CA’s and PS’s authentic public keys are available.
    - User U holds a real-identity certificate denoted by {ID_U, pk_U}SIG_CA
    - The RSA private exponent d of PI is split: d2 for AI and d1 for BI (in the case of a single BI)
    - AI can control and verify the contents of a pseudonym certificate
    - BI can verify the user’s real identity

  8. Basic Protocol - II
  • U → AI: Skeleton Request
    - Option: U can submit her basic information so that AI can choose an appropriate BI
    - AI stores the certificate skeleton under index SN
  • AI → U: Certificate Skeleton
    - b ← <PN_U, ppk_U, SIG_U>
    - M ← <b, (c_i)>
    - h = H(M)
    - u = h·r^e mod N, r: random blinding factor
  • U → BI: {ID_U, pk_U}SIG_CA, {{u}SIG_U, ρ}ENC_BI
    - BI verifies {ID_U, pk_U}SIG_CA under pk_CA
    - Decrypts {{u}SIG_U, ρ}ENC_BI and verifies u under pk_U
    - Records <{u}ENC_BI : ID_U>
    - Computes w = u^{d1} mod N

  9. Basic Protocol - III
  • BI → U: {{w}ENC_AI}ENC_ρ
    - U decrypts {w}ENC_AI under ρ
    - Computes {{M}SIG_PN, r, {w}ENC_AI}ENC_AI
  • U → AI: {{M}SIG_PN, r, {w}ENC_AI}ENC_AI
    - AI verifies {M}SIG_PN under ppk_U and compares it with the record stored under SN
    - Computes z = w^{d2} mod N
    - Checks z·r^{-1} mod N under <M, e, N>
    - Records <PN_U : {z}ENC_AI>
    - Sends z
  • AI → U: z
    - U computes z·r^{-1} mod N to recover h^d mod N
    - Verifies h^d mod N under <M, e, N>
    - Traceable pseudonym certificate: <M, h^d mod N>

  10. Pseudonym Revocation and Trace
  • An SP asks AI to revoke a certain pseudonym
    - submits PN_U to AI
    - AI retrieves <PN_U : {z}ENC_AI>
    - recovers z and sends it to BI
  • BI obtains the real identity ID_U
    - u = z^e mod N
    - from <{u}ENC_BI : ID_U> it can find ID_U
  • Revoke all pseudonyms of a user U’
    - BI retrieves all records <{u}ENC_BI : ID_U’>
    - sends u^{d1} mod N to AI securely
    - AI raises to d2 to get z and retrieves all pseudonyms of U’
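The following Python program is an added worked example of the issuing flow in slides 8–9 and the tracing in slide 10; it is not code from the slides or from the cited paper. It assumes a multiplicative split of the private exponent, d1·d2 ≡ d (mod φ(N)), because that is what makes BI's w = u^{d1} followed by AI's z = w^{d2} equal u^d; the slides only say that d is split. The hash H is SHA-256 reduced mod N (textbook, not a padded RSA signature), the key is a constructed toy size, and the ENC/SIG wrappers, the session key ρ, the skeleton index SN and the pseudonym-signature check are left out so that the blinding and the two record tables <u : ID_U> (at BI) and <PN_U : z> (at AI) stay visible.

```python
import hashlib
import math
import secrets

# Constructed toy RSA parameters for the pseudonym issuer PI (two well-known
# primes; far too small for real use, but enough to trace the arithmetic).
P = 1000000007
Q = 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # PI's private exponent d


def split_exponent(d, phi):
    """Assumed split: d1 (held by BI) and d2 (held by AI) with d1*d2 = d mod phi."""
    while True:
        d1 = secrets.randbelow(phi - 3) + 2
        if math.gcd(d1, phi) == 1:
            return d1, (d * pow(d1, -1, phi)) % phi


D1, D2 = split_exponent(D, PHI)


def H(message):
    """h = H(M): SHA-256 of the skeleton reduced into Z_N (simplification)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


class BlindIssuer:
    """BI: checks the real identity and signs the blinded value u; never sees M or PN_U."""

    def __init__(self, d1, registry):
        self.d1 = d1
        self.registry = registry   # stands in for verifying {ID_U, pk_U}SIG_CA
        self.records = []          # <u : ID_U>, kept in clear here (encrypted for BI on the slides)

    def partial_sign(self, id_u, u):
        if id_u not in self.registry:
            raise ValueError("unknown identity")
        self.records.append((u, id_u))
        return pow(u, self.d1, N)  # w = u^d1 mod N

    def trace(self, z):
        u = pow(z, E, N)           # z = u^d, so z^e recovers the blinded value u
        return next((id_u for rec_u, id_u in self.records if rec_u == u), None)

    def partials_for_identity(self, id_u):
        return [pow(u, self.d1, N) for u, rec_id in self.records if rec_id == id_u]


class AnonymousIssuer:
    """AI: controls the certificate contents and completes the signature; never sees ID_U."""

    def __init__(self, d2):
        self.d2 = d2
        self.records = {}          # <PN_U : z>

    def complete(self, pn_u, skeleton, r, w):
        z = pow(w, self.d2, N)     # z = w^d2 = u^d mod N
        if pow(z * pow(r, -1, N) % N, E, N) != H(skeleton):   # check z*r^-1 under <M, e, N>
            raise ValueError("partial signature does not match the skeleton")
        self.records[pn_u] = z
        return z

    def z_for_pseudonym(self, pn_u):
        return self.records[pn_u]

    def pseudonyms_for_partials(self, partials):
        zs = {pow(w, self.d2, N) for w in partials}   # raise each u^d1 to d2 to get z
        return sorted(pn for pn, z in self.records.items() if z in zs)


def issue(user_id, pn_u, skeleton, bi, ai):
    """User side: blind h, get w from BI, get z from AI, unblind, verify."""
    h = H(skeleton)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    u = h * pow(r, E, N) % N       # u = h * r^e mod N
    w = bi.partial_sign(user_id, u)
    z = ai.complete(pn_u, skeleton, r, w)
    sig = z * pow(r, -1, N) % N    # z * r^-1 = h^d mod N
    return skeleton, sig           # traceable pseudonym certificate <M, h^d mod N>


def verify(skeleton, sig):
    return pow(sig, E, N) == H(skeleton)


def demo():
    """Issue two pseudonyms to one constructed user, then trace and enumerate them."""
    bi = BlindIssuer(D1, registry={"alice@example.invalid"})
    ai = AnonymousIssuer(D2)
    cert1 = issue("alice@example.invalid", "PN-1", b"PN-1|ppk_1|c1,c2", bi, ai)
    cert2 = issue("alice@example.invalid", "PN-2", b"PN-2|ppk_2|c3", bi, ai)
    traced = bi.trace(ai.z_for_pseudonym("PN-1"))                       # slide 10, single trace
    all_pns = ai.pseudonyms_for_partials(bi.partials_for_identity("alice@example.invalid"))
    return verify(*cert1), verify(*cert2), traced, all_pns


if __name__ == "__main__":
    print(demo())
```

Note how the separation of duties falls out of the arithmetic: BI only ever holds u and ID_U, AI only holds M, PN_U and z, and linking a pseudonym to an identity requires both tables, which is exactly the collaboration slide 5 describes.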

  11. Extended Protocols
  • Threshold schemes
    - in the case of multiple BIs
    - apply an RSA (L, k)-threshold signature scheme
  • Re-blinding variants
    - disable the tracing ability (e.g., e-voting)
  • Selective credential show
    - user’s digital credential: <flag, c_i, h(c_i)>
    - flag: 0 – mandatory, 1 – selective
    - h(c_i): hash value of credential c_i
    - PI certifies the full semi-record where the flag is 0, but only the hashed value where the flag is 1

  12. Conclusion
  • Can be used on existing PKIs without requiring additional crypto modules
  • Fully compatible with X.509 certificates
  • Simple and efficient, with versatile privacy-enhancing features
    - a choice between traceability and absolute anonymity
    - threshold variants for more secure applications

  13. References
  • Yongdae Kim et al., “A Simple Traceable Pseudonym Certificate System for RSA-based PKI”
  • D. Chaum, “Security without identification: Transaction systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1035–1044
  • ITU-T Recommendation X.509, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks”
