Certification asynchrone - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Certification asynchrone

Description:

A single signature certifies all public keys in the CVT (easy to change CA key) ... consists of three protocols: generation, signature and implicit revocation ... – PowerPoint PPT presentation

Number of Views:74
Avg rating:3.0/5.0
Slides: 23
Provided by: vneumann
Category:

less

Transcript and Presenter's Notes

Title: Certification asynchrone


1
Certification asynchrone à grande échelle avec
des arbres de vérification de certificats
  • Josep Domingo-Ferrer
  • Universitat Rovira i Virgili
  • jdomingo_at_etse.urv.es
  • Louvain-la-Neuve, le 17 janvier 2003

2
Contents
  • Introduction
  • Certificates and revocation
  • CVTs
  • A new proposal
  • Implicit revocation
  • Assessment
  • Summary and conclusion

3
Introduction
  • Safe use of digital signatures requires
    certification of public keys
  • A digital certificate consists of a certificate
    statement (c-statement) and its signature by the
    CA
  • Important issues
  • Revocation
  • Large-scale certificate management

4
Approaches to Revocation
  • Certificate Revocation Lists (CRL, X.509 1988)
  • Certificate Revocation Trees (CRT, Kocher 1999)
  • Naor-Nissim Scheme (2-3 trees, 1998)
  • Certificate Revocation System (CRS, Micali 1997)
  • Short-validity certificates they are valid until
    their expiration date (Rivest 2000)
  • Certificate Verification Trees (CVT)
    certificates and revocation information are
    combined in a single Merkle tree (Gassko et al.,
    2000)

5
CVTs (1/3)
  • CA builds a Merkle tree
  • Every leaf is a c-statement together with its
    hash value
  • The hash values of sibling nodes are joined and
    the hash of the joint value is assigned to their
    parent node this procedure iterates until the
    root node is reached.
  • CA signs the root node together with the date and
    additional information
  • The cert-path of a c-statement is the path from
    the corresponding leaf node to the root, along
    with the necessary nodes to verify the leaf node
    hash

6
CVTs (2/3)
7
CVTs (3/3)
  • A single signature certifies all public keys in
    the CVT (easy to change CA key)
  • The CVT is updated on a regular basis
  • Certificates are appended to the tree in batches
  • Updating the CVT only requires recomputing one
    signature the rest of work are hash value
    computations.
  • Historical queries can be handled easily
  • Proof of certificate non-existence

8
A New Proposal
  • All advantages of CVTs are maintained
  • The following features are added
  • Batches of certificates can be requested without
    requiring substantial storage on the signers
    side
  • Convenient for short-validity certificates
  • Convenient when the signers device is a smart
    card
  • Implicit revocation

9
Asynchronous Certification Based on CVTs
  • The signer requests batches of certificates
    without being forced to store the corresponding
    private keys
  • Certificates can have a short validity
  • The signer can use a new certificate as soon as
    the old one has expired
  • It is assumed that the signers device is a smart
    card SC
  • The scheme consists of three protocols
    generation, signature and implicit revocation

10
Protocol 1 Generation
  • 1 The signers SC generates a key k corresponding
    to a block symmetric cipher (e.g. DES, AES).
  • 2 For i1 to m
  • (a) SC generates a pair of public-private keys
    (pki,ski)
  • (b) SC encrypts ski under k and obtains Ek(ski)
  • (c) SC sends (pki,Ek(ski)) to CA
  • (d) SC deletes pki, ski and Ek(ski) from its
    memory
  • 3 CA stores the Ek(ski) in a safe place
  • 4 In the next CVT update, CA appends the pki
    received to CVT

11
Generation
CA
CVT
SC
k
12
Generation
  • The key pairs will be valid in consecutive time
    intervals
  • Protocol 1 is run often enough to avoid running
    out of keys
  • The larger the batch size m, the less often must
    Protocol 1 be run

13
Protocol 2 Signature at Interval t
  • 1 If the signers SC already stores skt, then, if
    necessary, obtain the cert-path for pkt
  • 2 Otherwise
  • (a) Delete the last stored skj
  • (b) Obtain Ek(skt) from CA
  • (c) Decrypt Ek(skt) to obtain skt
  • (d) Obtain the certificate and the cert-path for
    pkt from the CVT
  • 3 Sign using skt

14
Signature (Interval t)
CA
CVT
SC
K
skj
cert(pkj)
15
Signature
  • SC only stores the current private key
  • SC obtains a new certificate and its private key
    when the current one expires
  • When signing, the cert-path must be appended to
    the signature

16
Protocol 3 Implicit Revocation
  • 1 If SC is compromised or stolen, the CA is
    informed by the signer
  • 2 CA stops serving encrypted private keys Ek(ski)
    to SC

17
Implicit Revocation (t)
CA
CVT
SC
K
skj
cert(pkj)
18
Implicit Revocation
  • Protocol 3 implicitly revokes all certificates
    issued for future time intervals
  • The current certificate is not revoked
  • To eliminate the need for explicit revocation of
    the current certificate, short-validity
    certificates can be used
  • A short-validity certificate is like to expire
    before the intruder has time to tamper with SC
    and use it

19
Efficiency Assessment
  • Asynchronous certification. By requesting batches
    of certificates ahead of time, a new certificate
    can be used as soon as the current one expires
  • Reduced storage. SC only stores a secret
    symmetric key (k), the current private key and
    the current certificate
  • Implicit revocation. It allows certificates to be
    revoked without updating the CVT nor publishing
    revocation information

20
Explicit vs Implicit Revocation
  • Explicit revocation forces CA to publish
    revocation information. Even worse, it forces
    verifiers to check that information before
    accepting a signature as valid.
  • Implicit revocation is better in that it prevents
    the private key corresponding to a revoked
    certificate from being used to sign
  • Explicit revocation can be completely eliminated
    if our scheme is combined with short-validity
    certificates

21
Summary and Conclusion
  • CVTs are a good data structure to manage
    large-scale CAs
  • A scheme has been proposed which allows batches
    of certificates to be requested ahead of time
    without degrading security
  • In case the SC is stolen or compromised, implicit
    revocation is used

22
Further Details in
  • J.Domingo, M.Alba and F.Sebé, Asynchronous
    Large-Scale Certification Based on Certificate
    Verification Trees, Procs. of CMS2001. Kluwer
    Academic Publishers, 2001, pp.185-196.
Write a Comment
User Comments (0)
About PowerShow.com