1 / 22

Asynchronous Certification at Large Scale with Certificate Verification Trees

This paper proposes a new approach to large-scale certification using Certificate Verification Trees (CVTs) and implicit revocation. The paper discusses the advantages of CVTs, introduces the new proposal, and assesses its efficiency.

hectorallen
Télécharger la présentation

Asynchronous Certification at Large Scale with Certificate Verification Trees

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili jdomingo@etse.urv.es Louvain-la-Neuve, le 17 janvier 2003

  2. Contents • Introduction • Certificates and revocation • CVTs • A new proposal • Implicit revocation • Assessment • Summary and conclusion

  3. Introduction • Safe use of digital signatures requires certification of public keys • A digital certificate consists of a ‘certificate statement’ (c-statement) and its signature by the CA • Important issues: • Revocation • Large-scale certificate management

  4. Approaches to Revocation • Certificate Revocation Lists (CRL, X.509 1988) • Certificate Revocation Trees (CRT, Kocher 1999) • Naor-Nissim Scheme (2-3 trees, 1998) • Certificate Revocation System (CRS, Micali 1997) • Short-validity certificates: they are valid until their expiration date (Rivest 2000) • Certificate Verification Trees (CVT): certificates and revocation information are combined in a single Merkle tree (Gassko et al., 2000)

  5. CVTs (1/3) • CA builds a Merkle tree: • Every leaf is a c-statement together with its hash value • The hash values of sibling nodes are joined and the hash of the joint value is assigned to their parent node; this procedure iterates until the root node is reached. • CA signs the root node together with the date and additional information • The cert-path of a c-statement is the path from the corresponding leaf node to the root, along with the necessary nodes to verify the leaf node hash

  6. Sign(RV||Date||Time) RV=h(H || H ) 5 6 H =h(H || H ) H =h(H || H ) 5 1 2 6 3 4 H =h(C ) H =h(C ) H =h(C ) H =h(C ) 1 1 2 2 3 3 4 4 C C C C 1 2 3 4 CVTs (2/3)

  7. CVTs (3/3) • A single signature certifies all public keys in the CVT (easy to change CA key) • The CVT is updated on a regular basis: • Certificates are appended to the tree in batches • Updating the CVT only requires recomputing one signature; the rest of work are hash value computations. • Historical queries can be handled easily • Proof of certificate non-existence

  8. A New Proposal • All advantages of CVTs are maintained • The following features are added: • Batches of certificates can be requested without requiring substantial storage on the signer’s side • Convenient for short-validity certificates • Convenient when the signer’s device is a smart card • Implicit revocation

  9. Asynchronous Certification Based on CVTs • The signer requests batches of certificates without being forced to store the corresponding private keys • Certificates can have a short validity • The signer can use a new certificate as soon as the old one has expired • It is assumed that the signer’s device is a smart card SC • The scheme consists of three protocols: generation, signature and implicit revocation

  10. Protocol 1: Generation 1 The signer’s SC generates a key k corresponding to a block symmetric cipher (e.g.: DES, AES). 2 For i=1 to m: (a) SC generates a pair of public-private keys (pki,ski) (b) SC encrypts ski under k and obtains Ek(ski) (c) SC sends (pki,Ek(ski)) to CA (d) SC deletes pki, ski and Ek(ski) from its memory 3 CA stores the Ek(ski) in a safe place 4 In the next CVT update, CA appends the pki received to CVT

  11. ... pk1 pkm E(sk1) (m times) pki, E(ski) ... E(skm) Generation CVT CA SC k

  12. Generation • The key pairs will be valid in consecutive time intervals • Protocol 1 is run often enough to avoid running out of keys • The larger the batch size m, the less often must Protocol 1 be run

  13. Protocol 2: Signature at Interval t 1 If the signer’s SC already stores skt, then, if necessary, obtain the cert-path for pkt 2 Otherwise: (a) Delete the last stored skj (b) Obtain Ek(skt) from CA (c) Decrypt Ek(skt) to obtain skt (d) Obtain the certificate and the cert-path for pktfrom the CVT 3 Sign using skt

  14. ... pk1 pkm E(sk1) ... E(skt) E(skm) skt cert(pkt) signature Signature (Interval t) CVT CA SC K skj cert(pkj)

  15. Signature • SC only stores the current private key • SC obtains a new certificate and its private key when the current one expires • When signing, the cert-path must be appended to the signature

  16. Protocol 3: Implicit Revocation 1 If SC is compromised or stolen, the CA is informed by the signer 2 CA stops serving encrypted private keys Ek(ski) to SC

  17. ... pk1 pkm E(sk1) ... E(skt) E(skm) signature Implicit Revocation (t) CVT CA SC K skj cert(pkj)

  18. Implicit Revocation • Protocol 3 implicitly revokes all certificates issued for future time intervals • The current certificate is not revoked • To eliminate the need for explicit revocation of the current certificate, short-validity certificates can be used • A short-validity certificate is like to expire before the intruder has time to tamper with SC and use it

  19. Efficiency Assessment • Asynchronous certification. By requesting batches of certificates ahead of time, a new certificate can be used as soon as the current one expires • Reduced storage. SC only stores a secret symmetric key (k), the current private key and the current certificate • Implicit revocation. It allows certificates to be revoked without updating the CVT nor publishing revocation information

  20. Explicit vs Implicit Revocation • Explicit revocation forces CA to publish revocation information. Even worse, it forces verifiers to check that information before accepting a signature as valid. • Implicit revocation is better in that it prevents the private key corresponding to a revoked certificate from being used to sign • Explicit revocation can be completely eliminated if our scheme is combined with short-validity certificates

  21. Summary and Conclusion • CVTs are a good data structure to manage large-scale CAs • A scheme has been proposed which allows batches of certificates to be requested ahead of time without degrading security • In case the SC is stolen or compromised, implicit revocation is used

  22. Further Details in J.Domingo, M.Alba and F.Sebé, “Asynchronous Large-Scale Certification Based on Certificate Verification Trees”, Procs. of CMS’2001. Kluwer Academic Publishers, 2001, pp.185-196.

More Related