Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware



Jong Youl Choi, Computer Science Dept., Indiana University at Bloomington

Philippe Golle, Palo Alto Research Center, CA, USA

Markus Jakobsson, School of Informatics, Indiana University at Bloomington



Threats to Certificate Authorities

  • Certificate repudiation

    • A user chooses a weak private key

    • A user intentionally lets his private key leak discreetly so that it can be used for forgery

  • Certificate private key leakage

    • Malicious attacks such as a Trojan horse

    • Leaking the CA's private key via a covert channel


What is a covert channel?

  • Hidden communication channel

  • Steganography – Information hiding

[Figure: original image and extracted image]


Prisoners' problem [Simmons, '93]

  • Two prisoners want to exchange messages, but must do so through the warden

  • Subliminal channel in DSA

[Figure labels: "What Plan?", "Plan A"]


Leaking attack on RSA-PSS

  • A random salt is used for the padding string in encryption

  • In the verification process, the salt is extracted from EM

  • Hidden information can be embedded in the salt value

RSA-PSS: PKCS #1 v2.1


Approaches

  • Detect leaking

  • A warden observes outputs from the CA

  • Malicious attack

  • Replacement of function

[Figure labels: Certificate Authority, Pseudo Random Number Generator, m_k, Sig_k, "Something hidden?"]


Approaches (Cont'd)

  • Observing is not so easy because a random number ...

    • looks innocuous

    • or doesn't reveal any state

  • A warden (observer) can be attacked

[Figure labels: Certificate Authority, Pseudo Random Number Generator, m_k, Sig_k, "Something hidden?"]


Undercover observer

  • The signer outputs a non-interactive proof as well as the signature

  • The observer lies in ambush until a verification is invalid

[Figure labels: Pseudo Random Number Generator, m_k, Sig_k]


Tamper-evident Chain

  • A predefined set of random values is used in lieu of random numbers generated on the fly

  • Hash chain verification

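[Figure: hash chain of values x_{n+1}, x_n, ..., x_3, x_2, x_1 linked by Hash(); signatures Sig_1, Sig_2, ..., Sig_n; and an alternative value x'_3 with Sig'_3]

Checks: X_1 =? Hash(X_2), X_2 =? Hash(X_3), ..., X_{n-1} =? Hash(X_n)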
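The chain check on this slide, as an added example that is not from the original presentation. It models only the test x_i = Hash(x_{i+1}), assuming SHA-256 for Hash() and that the observer can see each released value; the names build_chain, Observer and first_violation and the sample values are hypothetical.

```python
import hashlib
from typing import List, Optional

def H(b: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slide's Hash()
    return hashlib.sha256(b).digest()

def build_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [x_1, ..., x_{n+1}] with x_{n+1} = seed and x_i = Hash(x_{i+1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()              # values are released in the order x_1, x_2, ...
    return chain

class Observer:
    """Checks every newly released value against the last accepted one."""
    def __init__(self, x1: bytes):
        self.last = x1           # x_1 is the anchor known in advance
        self.index = 1

    def check(self, x_next: bytes) -> bool:
        # The slide's test: x_i =? Hash(x_{i+1})
        if H(x_next) != self.last:
            return False         # tamper evidence; accepted state is unchanged
        self.last = x_next
        self.index += 1
        return True

def first_violation(released: List[bytes]) -> Optional[int]:
    """1-based index of the first released value that breaks the chain, else None."""
    obs = Observer(released[0])
    for i, x in enumerate(released[1:], start=2):
        if not obs.check(x):
            return i
    return None

# Constructed sample data: a fixed seed so the run is reproducible.
SEED = bytes.fromhex("00" * 31 + "01")
HONEST = build_chain(SEED, 5)
# x'_3: a value supplied by a replaced generator instead of the chain value x_3.
TAMPERED = HONEST[:2] + [H(b"value not taken from the chain")] + HONEST[3:]

if __name__ == "__main__":
    print("honest run:  ", first_violation(HONEST))
    print("tampered run:", first_violation(TAMPERED))
```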


DSA Signature Scheme

  • Gen: $x \rightarrow y = g^x \bmod p$

  • Sign: $m \rightarrow (s, r)$, where $r = (g^k \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for a random value $k$

  • Verify: for a given signature $(s, r)$, compute $u_1 = h(m)\, s^{-1}$ and $u_2 = r\, s^{-1}$, and check $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$


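Hash chain construction

[Figure: hash chain of values k_1, k_2, k_3, ..., k_n, k_{n+1} linked by Hash(), with r = g^{k_1}, r = g^{k_2}, r = g^{k_3}, ..., r = g^{k_n}; labels P_1, P_2, P_3, ..., P_n, P_{n+1}; signatures Sig_1, Sig_2, ..., Sig_n; and an alternative value k'_3 with r' and Sig'_3]

Checks: X_1 =? Hash(X_2), X_2 =? Hash(X_3), ..., X_{n-1} =? Hash(X_n)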


Conclusion

  • Any leakage from CAs is dangerous

  • CAs are not strong enough against malicious attacks

  • We need observers that are undercover

  • A small additional cost for proofs

Or, send me email: [email protected]

