A Secure Distributed Online Certification Authority

1
A Secure Distributed Online Certification
Authority

• Presented by
• Gary Lee

2
COCA

• Cornell Online Certification Authority
• Secure and fault tolerant
• Incorporates Byzantine quorum system
• Uses threshold cryptography
• Proactive recovery protocols
• Operations
• Update creates and invalidates certificates
• Query given a name, returns the certificate for
  that name

3
Basic terminology

• Public key infrastructure (PKI)
• Uses public/private keys for digital signatures.
• Certificate
• Binds a name and a public key or other
  attributes.
• Certification authority (CA)
• Ensures that certificates are valid by digitally
  signing them
• Online CA
• Provides a service for clients to check the
  validity of a certificate before using it

4
System Model

• There is a set of N servers
• A server is either correct or compromised
• Lets say 3t 1 N, then at most t servers are
  ever compromised during a window of
  vulnerability. (At most one-third)
• Fair Link
• Not all messages sent are delivered
• Asynchrony
• No bound on message deliver delay or server
  execution speed

5
COCA Certificates

• Binds a name cid and some public key or
  attributes
• Each certificate contains a unique serial number,
  s, assigned by COCA
• Implemented as a pair ltv, h(R)gt
• v is the version number (incremented in Update)
• h(R) is a hash of the original Update request
• Follows the X.509 Certificate specifications with
  its own serial number embedded
• A certificate for cid is invalid if there is
  another certificate for cid with a higher serial
  number

6
Update Query

• Update
• Given the name cid and a new binding
• Creates a new certificate with a new serial
  number that is greater than the previous serial
  number
• Query
• Given a name cid
• Returns a certificate for that cid

7
Client

• A client sends a request to invoke an operation,
  then awaits for a response
• Each request should contain a nonce
• Response
• Digitally signed by COCA service key
• Includes the client request (nonce)

8
Proactive Recovery Protocols

• Protocol
• Reload the code
• Return the COCA server to its original state
  (this includes its set of certificates)
• Make obsolete any information compromised by an
  attacker
• The above protocol is executed periodically
• A window of vulnerability begins at the start of
  execution of the above protocol and ends at the
  start of the next execution

9
Threshold Cryptography

• Server Keys
• Each server maintains a private/public key pair
• The public key is distributed to all other COCA
  servers, but no clients
• Server keys must be refreshed periodically
  (one-way using administrative public/private
  keys)
• Service Key
• One service public/private key pair exists
• Used to sign requests and responses
• All servers and clients know the service public
  key

10
Threshold Cryptography

• Service Key
• No COCA servers know the service private key
• Different shares of the key are stored on each
  server
• Each server creates a partial signature, and then
  some server will combine these partial signatures
  to obtain a signed message
• With (N, t 1) threshold cryptography, t 1
  partial signatures are needed
• Proactive secret-sharing
• A new set of shares are generated periodically
  and distributed

11
Byzantine quorum system

• Replication is managed as a dissemination
  Byzantine quorum system
• Requires the assumption that 3t 1 N
• Servers are organized into quorums
• Quorum Intersection intersection of any two
  servers contains at least one correct server
• Quorum Availability a quorum comprising only
  correct servers exist

12
Byzantine quorum system

• Delegate - A COCA server that receives a client
  request
• A client sends a request to t 1 delegates
• Each delegate engages a quorum of servers to
  handle the request (by sending the request to all
  COCA servers)
• Constructs a response to the request using the
  quorums responses
• The response is then signed by the delegate and t
  other COCA servers
• The signed response is sent to the requesting
  client

13
Query

• Delegate receives a Query request from a client
• Delegate forwards the request to all COCA servers
• Delegate waits for certificates from a quorum of
  COCA servers
• Delegate picks a certificate with the largest
  serial number
• Delegate invokes threshold signature protocol to
  sign a response containing the certificate the
  response is sent to the client

14
Update

• Delegate receives an Update request for cid
• Delegate constructs a new certificate for cid,
  using the threshold signature protocol
• Delegate sends the certificate to every COCA
  server
• If the certificate contained a larger serial
  number, then each server replaces its copy of the
  certificate for cid. Each server then sends an
  acknowledgement to the delegate
• Delegate waits for acknowledgements from a quorum
  of servers
• Delegate uses the threshold signature protocol to
  sign the response

15
Other features

• Queuing and scheduling
• Limit processing of requests coming from a single
  source
• Caching
• Cryptographic calculations are cached by server
• Servers also cache a clients most recent
  response
• Clients make one request at a time
• Delegates limit the number of requests they
  initiate
• Self-Verifying Messages
• Every message by a delegate contains a transcript
  of relevant messages previously sent and signed
  by other servers

16
Paper

• COCA A Secure Distributed Online Certification
  Authority. Lidong Zhou, Fred B. Schneider,
  Robbert Van Renesse. May 2002