A Scalable and Secure Cryptographic Service - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
A Scalable and Secure Cryptographic Service
Shouhuai Xu and Ravi Sandhu, University of Texas
at San Antonio
2
Roadmap
  • Motivation
  • Cryptographic preliminaries
  • Model and goals
  • Building block: a single server scheme
  • Full-fledged scheme
  • Related work
  • Conclusion

3
Motivation
  • Large-scale (e.g., p2p, grid, and GENI) systems
    must be adequately protected otherwise they may
    be exploited to do more harm than good.
  • Access control enforces a desired policy, but
    authentication (often based on cryptographic
    means) is perhaps the watch-dog.
  • If cryptography (protocol, functionality, key) is
    compromised, access control cannot help.
  • If non-repudiation is important for audit,
    digital signing is needed for authentication.

4
Motivation
  • Digital signing based authentication asks each
    user to possess a pair of public and private keys
    (e.g., via identity or attribute certificate).
  • Modern cryptography is key-centric
  • Rivest, Shamir and Adleman have no short cut for
    breaking RSA
  • But you can generate Rivest's digital signatures
    once you have compromised his private key
  • This has no counterpart in handwritten signatures

5
Motivation
  • Keys could be relatively easily compromised
    [Shamir-van Someren FC99, Harrison-Xu DSN07]. How
    should users protect their private signing
    key and capability?
  • A hardware token (e.g., TPM) cannot protect the
    signing functionality when the OS or application is
    compromised
  • Exploit multiple servers to implement a threshold
    signing key and functionality [Xu-Sandhu
    RSA-CT03]
  • Exploit a single server to implement a flavor of
    two-party threshold signing [Boyd89, Ganesan
    NDSS95, MacKenzie-Reiter Oakland01]
  • This paper extends MR01 in several ways

6
This Paper
  • Assume a set of servers provide the service (e.g.,
    for economic incentives)
  • But they do not run threshold cryptography
  • For better performance
  • For better availability: a single server suffices

7
Roadmap
  • Motivation
  • Cryptographic preliminaries
  • Model and goals
  • Building block: a single server scheme
  • Full-fledged scheme
  • Related work
  • Conclusion

8
Cryptographic Preliminaries
  • Pseudorandom function f_k(·)
  • For secret k, the output cannot be distinguished
    from random strings
  • Message authentication code (MAC)
  • Secure against adaptive chosen-message attack
  • Public key encryption (Init, Enc, Dec)
  • Secure against adaptive chosen-ciphertext attack
  • Signature scheme (Init, Sig, Ver)
  • Secure against adaptive chosen-message attack

9
Roadmap
  • Motivation
  • Cryptographic preliminaries
  • Model and goals
  • Building block: a single server scheme
  • Full-fledged scheme
  • Related work
  • Conclusion

10
Model
  • A set of semi-trusted servers, each with a pair of
    keys
  • A server has two interfaces: one for signing and
    the other for disabling a user's key instance
  • A set of users, each with a pair of public and
    private keys
  • The private key is somehow split into two parts, one
    stored at the user side and one at a server side
  • If multiple servers are selected, multiple splits

11
Adversary
  • May compromise a user's computer
  • May compromise a server's key, but not the
    integrity of the server-end database (which keeps
    transaction data)

12
Goals
  • Abuse prevention (most properties are inherited from
    MR01)
  • Compromising a server does not compromise the signing
    capability
  • Compromising a user's server still requires an
    offline dictionary attack to compromise the user's
    key
  • Compromising the user end still requires an
    online dictionary attack to sign messages
  • Compromising the user-end password (or the user
    program while it is active) cannot compromise the signing
    capability after the key is disabled
  • Hit-and-run attacks can be disabled (new!)

13
Goals (new)
  • Compromise detection: once the attacker who has
    compromised the user end starts to issue signatures,
    the attack becomes self-evident (a kind of
    crypto-based IDS)
  • Immediate revocation: password-based revocation
  • Compromise confinement: compromise of a server
    is confined to (possibly) a proper subset of its
    customers
  • Scalability: can serve many users
  • High availability: a user can issue signatures as
    long as one of his servers is available

14
Roadmap
  • Motivation
  • Cryptographic preliminaries
  • Model and goals
  • Building block: a single server scheme
  • Full-fledged scheme
  • Related work
  • Conclusion

15
Building Block: Basic Idea
The private key of the user, sk, is split into two shares
(sk1, sk2), and sk1 is protected using a password
at the user end; state information is used to
synchronize the system usage.
Server (pk_server, sk_server, state, sk2)
User (pk, sk1, state)
16
Building Block
17
Signing
18
Building Block
  • Key disabling via password authentication (one
    factor authentication)
  • Transaction atomicity is important (and addressed
    later)

19
Building Block
  • Proposition. The building-block scheme fulfills
    the properties of abuse prevention, compromise
    detection, and immediate revocation.
  • Compromise detection: based on out-of-synchronization
    of the state information
  • Immediate revocation: via password-based
    authentication
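
As an added illustration (not the paper's protocol, which these slides do not spell out), a toy sketch of the split-key idea of slides 15 and 19: the RSA private exponent is split additively into sk1 (masked by a password at the user end) and sk2 (at the server), both sides keep a state counter, the server refuses a request whose counter is out of sync (which is what makes a signature issued from a captured user end self-evident), and the disable interface is password-authenticated. The tiny RSA parameters, the PBKDF2 masking of sk1 and the password verifier are my own constructed simplifications.

```python
import hashlib, hmac, secrets
# Constructed toy RSA parameters (far too small for real use); illustration only.
P, Q = 1000003, 1000033
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                 # the user's full signing key sk; never stored whole anywhere

def h(msg):                         # hash-then-sign, reduced mod N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def mask(pw, salt):                 # password-derived mask protecting sk1 at the user end
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000, 8), "big")
def pw_hash(pw, salt):              # verifier the server uses for the disable interface
    return hashlib.sha256(salt + pw.encode()).digest()

class Server:                       # holds share sk2 and the user's state counter
    def __init__(self, d2, verifier, salt):
        self.d2, self.verifier, self.salt = d2, verifier, salt
        self.state, self.disabled, self.alerts = 0, False, []

    def sign(self, state, hm, s1):
        if self.disabled:
            raise PermissionError("key disabled")
        if state != self.state:     # out-of-sync state: another party has used this key instance
            self.alerts.append(f"state mismatch: got {state}, expected {self.state}")
            raise PermissionError("state mismatch")
        sig = s1 * pow(hm, self.d2, N) % N          # h^(d1+d2) = h^d mod N
        if pow(sig, E, N) != hm:    # wrong password gives a wrong sk1; the server sees each guess
            raise PermissionError("invalid partial signature")
        self.state += 1
        return sig

    def disable(self, pw):          # password-authenticated key disabling
        ok = hmac.compare_digest(pw_hash(pw, self.salt), self.verifier)
        self.disabled = self.disabled or ok
        return ok

class User:                         # holds pk, the password-masked share sk1 and its own counter
    def __init__(self, pw):
        self.salt, d1 = secrets.token_bytes(16), secrets.randbelow(PHI)
        self.masked_d1, self.state = d1 ^ mask(pw, self.salt), 0
        self.server = Server((D - d1) % PHI, pw_hash(pw, self.salt), self.salt)

    def sign(self, msg, pw):
        hm, d1 = h(msg), self.masked_d1 ^ mask(pw, self.salt)
        sig = self.server.sign(self.state, hm, pow(hm, d1, N))
        self.state += 1             # advance only once the server has committed the transaction
        return sig

def verify(msg, sig):
    return pow(sig, E, N) == h(msg)
```

A captured user end (masked share plus password) can still sign once, but the server's counter then runs ahead of the legitimate user's, so the user's next request is refused and logged.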

20
Roadmap
  • Motivation
  • Cryptographic preliminaries
  • Model and goals
  • Building block: a single server scheme
  • Full-fledged scheme
  • Related work
  • Conclusion

21
Full-fledged Scheme
The private key of the user, sk, is split into multiple
two-share pairs (sk1, sk2)_i, and the sk1's are
protected using a password at the user end.
Server (pk_server, sk_server, state, sk2)_i
User (pk, sk1, state)_i
22
Full-fledged Scheme
23
Signing
24
Full-fledged Scheme
  • Key disabling via password authentication (one
    factor authentication)
  • Transaction atomicity is important and fulfilled
    using authenticated commit/rollback

25
Full-fledged Scheme
  • Proposition. Suppose there is no loss of system
    state information even if the system crashes; then
    transaction atomicity can be assured.
  • Proposition. The full-fledged scheme fulfills all
    the desired properties: abuse prevention,
    compromise detection, immediate revocation,
    compromise confinement, scalability, and high
    availability.

26
Related Work
  • TPM can protect the key but not the functionality
  • If you have a paper ready to submit, today is the
    deadline for STC07?
  • Threshold and proactive cryptography for
    enterprise/p2p computing
  • Forward-secure/key-insulated/intrusion-resilient
    cryptography for skilled/demanding individuals
  • Cryptography as a service for average people
  • This work is an extension to MR01

27
Conclusion
  • A service for better protecting users'
    cryptographic credentials, which can be used for
    authentication in large-scale systems.
  • Features
  • Enforce three-factor authentication
  • Support immediate revocation of keys
  • Damage due to server compromise is contained to a
    proper subset of its customers
  • Scalable and highly available.

28
Future Work
  • Implement a system that can be used for GENI
    security etc.
  • Integrate the idea of Xu-Sandhu RSA-CT03
  • Exploit state machine replication for better
    integrated fault-tolerance and security

29
Thank you, and questions?