enabling the archival storage of signed documents n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Enabling the Archival Storage of Signed Documents PowerPoint Presentation
Download Presentation
Enabling the Archival Storage of Signed Documents

Loading in 2 Seconds...

play fullscreen
1 / 55

Enabling the Archival Storage of Signed Documents - PowerPoint PPT Presentation


  • 166 Views
  • Uploaded on

Enabling the Archival Storage of Signed Documents. Petros Maniatis, Mary Baker Computer Science Department Stanford University. Motivation by Example. You buy a house on-line You sign the contract digitally, and so does the seller You archive the contract for safe keeping

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Enabling the Archival Storage of Signed Documents' - bambi


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
enabling the archival storage of signed documents

Enabling the Archival Storage of Signed Documents

Petros Maniatis, Mary Baker

Computer Science Department

Stanford University

motivation by example
Motivation by Example
  • You buy a house on-line
  • You sign the contract digitally, and so does the seller
  • You archive the contract for safe keeping
  • In 30 years, the seller disputes the sale
  • How do you prove that the archived contract was, in fact, signed by the seller?

FAST 2002

time passes
Time Passes

FAST 2002

time passes1
Time Passes

FAST 2002

time passes2
Time Passes

FAST 2002

time sensitivity of signatures
Time Sensitivity of Signatures
  • Keys are sensitive
    • They get lost, compromised, stolen
    • They get computationally vulnerable with time
  • Names change
    • People move, change jobs, get expelled
  • Certificates have an expiration date
    • To limit the possible damage due to compromise
    • A new certificate (new key) is issued regularly

FAST 2002

two big questions
Two Big Questions
  • The sale contract was signed 30 years ago:
    • Many many public keys/certificates
  • Can I trust a 30-year old signature?
    • What if a broken key was used on a fake contract?
  • Where do I find a 30-year-old public key?
    • Certification Authorities don’t care about the past
    • I can’t rely on a 30-year-old certificate either, since it has the CA’s 30-year-old signature on it

FAST 2002

state of the art a k a two really bad answers
State of the Art, a.k.a.Two Really Bad Answers
  • Do nothing
    • Contract expires with the signature
    • You can’t have contracts that last longer than a couple of years
  • Re-sign documents
    • After every key change, sign and re-archive all of my documents
    • Management disaster!

FAST 2002

a better answer
A Better Answer
  • Can I trust a 30-year old signature?
    • YES, if I establish that the signature was made while the key was still valid
  • Where do I find a 30-year-old public key?
    • In a timed, secure archive of the Certification Authority

FAST 2002

our solution kasts
Our Solution: KASTS
  • An extended archival storage system for digitally signed documents
  • It time stamps all archived signed documents
  • It maintains a timed authenticated archive of public keys as they change
  • It enables the secure correlation of the times on document signatures and certificates

FAST 2002

two big questions1
Two Big Questions
  • Can I trust a 30-year old signature?
    • How can I tell that a document was signed while the signing key was still valid?
  • Where do I find a 30-year-old public key?

FAST 2002

exploiting time stamping
Exploiting Time Stamping
  • A Time Stamping Service maintains a secure time of submission of documents
  • A time stamp on a signed document determines when the document was signed
  • A time stamp on a certificate, determines when the certificate was created and when it expires

FAST 2002

two big questions2
Two Big Questions
  • Can I trust a 30-year old signature?
  • Where do I find a 30-year-old public key?
    • What public key corresponds to an old signature?
    • How do I know it is the right one?

FAST 2002

timed authenticated archives
Timed Authenticated Archives
  • Objective: Maintain a history of the CA
  • Time stamp all CA database changes
    • Insertions, revocations, replacements
  • Be able to answer
    • “at time t, what was the public key for name n?”
    • i.e., “find the certificate active at the signing time”
  • For all public keys of any name over time!
  • Share timelines with the Time Stamping Service

FAST 2002

example reprise
Example Reprise
  • You buy a house on-line
  • You sign the contract digitally, and so does the seller
    • You time stamp the signed contract
  • You archive the contract for safe keeping
    • You make sure the seller’s certificate is in the archived CA, too
  • In 30 years, the seller disputes the sale
    • Retrieve the time stamped contract and the seller’s certificate, compare the times, go skiing

FAST 2002

time passes3
Time Passes

FAST 2002

time passes4
Time Passes

FAST 2002

time passes5
Time Passes

FAST 2002

kas requirements
KAS Requirements
  • Accountable:
    • Cannot pre-date/post-date certificates.
    • Cannot forget certificates.
  • Scalable:
    • Should handle the histories of decades’ worth of certificates.

FAST 2002

kas functionality
KAS Functionality
  • Operates in rounds
  • During each round
    • Accumulates certificate creations and revocations
    • Serves lookup requests for previous rounds
  • At the end of the round
    • Execute archive updates (insertions/deletions)
    • Time stamp the modifications since previous round

FAST 2002

kas design
KAS Design
  • Based on Authenticated Search Trees [Merkle1980, Buldas2000]
    • Tamper-evident search trees, using cryptographic hash functions (e.g., SHA-1)
    • Can compute a secure digest for the tree
    • Given the secure digest, I can produce cryptographic proofs that an element is included in the tree
    • Each tree node has a <name,public key,validity period> tuple (sorted by name)

FAST 2002

authenticated search trees
Authenticated Search Trees
  • Each node is labeled
  • Root Hash is the digest
  • Inclusion proof is based on:
    • The path from the root to the node
    • All siblings of the node’s ancestors

FAST 2002

timed authenticated search trees
Timed Authenticated Search Trees
  • By time stamping the digest (root label), you time stamp the entire tree
  • When tree changes create a new snapshot of the tree (persistent dynamic sets)
  • By time stamping the new root label, you time stamp new tree snapshot (i.e., tree modifications since last time)

FAST 2002

maintaining archive snapshots
Maintaining Archive Snapshots
  • Version 1 has keys a, b, c & d
  • Version 2 is Version 1 without key a
  • If I time stamp root 2, I time stamp the snapshot of the tree without a, i.e., a’s removal

FAST 2002

kas design 2
KAS Design (2)
  • Tree operations make efficient disk-accesses
    • Based on B-trees
  • Inclusion proofs have efficient length
    • Proof length dependent on max tree height & branching factor
    • Reduce branching factor by embedding a balanced binary tree in every B-tree node

FAST 2002

preliminary results
Preliminary Results
  • 1 million CA clients
  • 2-week KAS round
  • 1 million changes per round (average)
  • 87 Mbytes per round
  • About 1 minute of I/O and computation for a new snapshot
  • Proofs under 12 Kbytes

FAST 2002

summary
Summary
  • We put together
    • Time stamping [Haber & Stornetta]
    • Authenticated search trees [Buldas]
  • We built an extended, time stamped, persistent archive
  • We use it for a Key Archival Service, a historic archive for a Certification Authority
  • Implementation Available (in Java)

FAST 2002

the future
The Future
  • This paper assumes a “single trust domain”
    • One trusted, immortal service of each kind
  • We are working on a more troubled setting
    • Multiple competing services of each kind
    • No service lives forever
    • No service of any kind enjoys universal trust
  • Technique: Timeline Entanglement
    • Each competing service acts as a watchdog of its competitors’ historic record integrity
    • Look for a publication at a conference near you

FAST 2002

questions
Questions
  • For more information/implementation:

http://identiscape.stanford.edu/

FAST 2002

the time tree
The Time Tree
  • All snapshot roots are organized in a separate authenticated search tree, ordered by time
  • To find key for name n at time t
    • Find the snapshot root containing t in the time tree
    • Find name n in that snapshot
  • Inclusion proof consists of the two respective proofs

FAST 2002

rbb trees
RBB Trees

FAST 2002

anatomy of a signed document
Anatomy of a Signed Document
  • Data d
  • Signature σ, derived from:
    • Digest of the data, D
    • Signer’s private key S
  • To verify signature:
    • Must have the corresponding public key P
  • Trusted directory maps names to public keys
  • Archive the directory, too!

FAST 2002