Post on 28-Mar-2015
A Framework for Distributed OCSP without Responders' Certificate
Young-Ho Park (pyhoya@mail1.pknu.ac.kr)
Kyung-Hyune Rhee (khrhee@pknu.ac.kr)
Pukyong National University
WISA 2004
Lab. of Information Security & Internet Applications, PKNU
Public Key Certificate
- Public Key Infrastructure (PKI): the main architecture for security services over the Internet
- Public key certificate: binds a public key to the owner's identity information; digitally signed and certified by a trusted certificate authority (CA)
- Certificate revocation: needed on compromise of the key or abuse by the owner; Certificate Revocation List (CRL), Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol
- Checks the validity of a certificate at the time of a given transaction
- The OCSP responder provides a digitally signed response
- The client can retrieve timely certificate status with moderate resource usage
- Single responder: most of the workload converges on the responder; a digital signature is a computation-consuming operation; risk of denial of service
- Figure: the CA, the responder and an X.500 directory; the client sends a request and receives a response carrying Good, Revoked or Unknown, a validity interval and a signature
Distributed OCSP
- Composed of multiple OCSP responders, sharing and balancing the workload of OCSP responses; the client can choose any one responder
- The certificate of the responder is required to verify the signature in the response, in both OCSP and D-OCSP
- In D-OCSP: using the same private signing key for every responder gives easy key management but a high risk of key exposure; using a different private key per responder increases the complexity of key management
KIS-D-OCSP (1)
- [S. Koga and K. Sakurai, PKC 2004]: one solution for efficient certificate management of multiple responders
- Key-insulated signature (KIS) scheme and hash chain
- A different private key for every responder but the same public key for signature verification, so only one certificate is required for multiple responders
- Private key exposure of one responder does not affect the other responders
- The hash chain is used for checking the validity of a responder at the given time period
KIS-D-OCSP (2)
Key generation: the CA distributes a private key to every responder (figure: the CA holds the master key and a key generator; $SK_1, SK_2, \dots, SK_n$ are sent to responders $R_1, \dots, R_n$ over a secure channel as their private keys for signing, $SK^*$ stays with the CA, and the public key $PK_{res}$ is published).
- Let $p$ and $q$ be primes such that $q \mid p-1$.
- $x_0^*, y_0^*, x_1^*, y_1^*, \dots, x_n^*, y_n^* \in_R \mathbb{Z}_q^*$; $g, h \in \mathbb{Z}_p$ with order $q$; $v_i^* = g^{x_i^*} h^{y_i^*}$
- Master key $SK^* = (x_0^*, y_0^*, x_1^*, y_1^*, \dots, x_n^*, y_n^*)$
- Public key $PK_{res} = (g, h, v_0^*, v_1^*, \dots, v_n^*)$
- $x_i' = \sum_{k=1}^{n} x_k^* \left( i^k - (i-1)^k \right)$, $\quad y_i' = \sum_{k=1}^{n} y_k^* \left( i^k - (i-1)^k \right)$
- $x_i = x_{i-1} + x_i'$ $(x_0 = x_0^*)$, $\quad y_i = y_{i-1} + y_i'$ $(y_0 = y_0^*)$
- Each responder's private key: $SK_i = (x_i, y_i)$
KIS-D-OCSP (3)
Hash chain, for $T$ total time periods and $n$ responders:
- $X_1 = H(X_2) = H^2(X_3) = \cdots = H^{t-1}(X_t)$
- $X_{i,t-1} = H(X_{i,t})$, where $X_{i,t}$ is the hash value of the $i$-th responder for time period $t$ $(1 \le t \le T)$
- One chain per responder: $X_{1,T}, X_{1,T-1}, \dots, X_{1,t}, \dots, X_{1,1}$; $\; X_{2,T}, X_{2,T-1}, \dots, X_{2,t}, \dots, X_{2,1}$; $\; \dots$; $\; X_{n,T}, X_{n,T-1}, \dots, X_{n,t}, \dots, X_{n,1}$
- The CA provides $X_{i,t}$ at time period $t$ to responder $i$
- Validity check at time period $t$ for responder $i$: check whether $X_{i,1} = H^{t-1}(X_{i,t})$ holds
- Responder certificate: $Cert = Sig_{CA}(SN, I, J, V, PK_{res}, X_{1,1}, \dots, X_{n,1})$, where $SN$: serial number; $I, J$: issuer and subject; $V$: valid time period
- The CA keeps the remaining hash values securely
KIS-D-OCSP (4)
System
- The CA generates and distributes private keys $SK_1, \dots, SK_n$ to responders $R_1, \dots, R_n$
- The CA provides the hash values $X_{1,t}, \dots, X_{n,t}$ for the current time period $t$
- The client requests service from one responder
- Responder $i$ signs the response $m$: $r_1, r_2 \in_R \mathbb{Z}_q^*$; $w = g^{r_1} h^{r_2}$; $a = r_1 + H(i, m, w)\, x_i$; $b = r_2 + H(i, m, w)\, y_i$; $Sig_i = (i, w, a, b)$. The responder returns the response, the KIS signature and $X_{i,t}$
- The client verifies with the responder certificate $Cert = Sig_{CA}(SN, I, J, V, PK_{res}, X_{1,1}, \dots, X_{n,1})$:
  - verifying the CA signature and checking the expiration of the certificate
  - checking the hash chain: $X_{i,1} = H^{t-1}(X_{i,t})$
  - verifying the signature in the response: $v_i = \prod_{k=0}^{n} (v_k^*)^{i^k}$, then check whether $g^a h^b = w\, v_i^{H(i, m, w)}$
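The KIS-D-OCSP mechanics of slides 6 to 8 (per-responder key derivation from one master key, KIS signing and verification under the single public key $PK_{res}$, and the hash-chain validity check), as an added Python illustration that is not code from the paper or from Koga and Sakurai. It assumes toy primes $p = 10007$, $q = 5003$ with fixed generators 4 and 9, SHA-256 in place of the slides' $H$, and that $PK_{res}$ carries $v_0^*$ as the verification product requires.

```python
import hashlib
import math
import secrets

# Toy parameters constructed for this example only (a real deployment uses standard-size primes):
P, Q, G, H = 10007, 5003, 4, 9  # p = 2q + 1, both prime; g, h are squares mod p, hence of order q

def ca_keygen(n):
    """CA master key SK* = ((x_0*, y_0*), ..., (x_n*, y_n*)) and PK_res = (g, h, v_0*, ..., v_n*)."""
    master = [(secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1) for _ in range(n + 1)]
    return master, [pow(G, x, P) * pow(H, y, P) % P for x, y in master]  # v_k* = g^{x_k*} h^{y_k*}

def responder_keys(master):
    """SK_i = (x_i, y_i) with x_i = x_{i-1} + sum_{k>=1} x_k* (i^k - (i-1)^k), x_0 = x_0*; same for y."""
    (x, y), keys = master[0], []
    for i in range(1, len(master)):
        x = (x + sum(xk * (i**k - (i - 1)**k) for k, (xk, _) in enumerate(master) if k)) % Q
        y = (y + sum(yk * (i**k - (i - 1)**k) for k, (_, yk) in enumerate(master) if k)) % Q
        keys.append((x, y))  # keys[i-1] goes to responder i over a secure channel
    return keys

def hash_to_zq(i, m, w):
    """H(i, m, w) in Z_q; the responder index i is bound into the hash."""
    return int.from_bytes(hashlib.sha256(f"{i}|{m}|{w}".encode()).digest(), "big") % Q

def sign(sk, i, m):
    """Responder i signs OCSP response m with SK_i: Sig_i = (i, w, a, b)."""
    (x, y), r1, r2 = sk, secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    w = pow(G, r1, P) * pow(H, r2, P) % P
    e = hash_to_zq(i, m, w)
    return i, w, (r1 + e * x) % Q, (r2 + e * y) % Q

def public_of(pk, i):
    """Client derives v_i = prod_{k=0}^{n} (v_k*)^{i^k} from PK_res alone (no per-responder certificate)."""
    return math.prod(pow(vk, pow(i, k, Q), P) for k, vk in enumerate(pk)) % P

def verify(pk, m, sig):
    """Client check: g^a h^b == w * v_i^{H(i, m, w)}."""
    i, w, a, b = sig
    return pow(G, a, P) * pow(H, b, P) % P == w * pow(public_of(pk, i), hash_to_zq(i, m, w), P) % P

def hash_chain(seed, T):
    """Responder i's chain: X_{i,T} = seed, X_{i,t-1} = H(X_{i,t}); returns [X_{i,1}, ..., X_{i,T}]."""
    chain = [seed]
    for _ in range(T - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]

def chain_valid(x_1, x_t, t):
    """Client check at period t: X_{i,1} from the certificate == H^{t-1}(X_{i,t})."""
    return hash_chain(x_t, t)[0] == x_1
```

Key exposure at one responder leaks only its own $(x_i, y_i)$; the other responders' keys and $PK_{res}$ are unaffected, which is the key-insulation property the slides rely on.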
IBS-D-OCSP (1)
Motivations
- Are OCSP responders' certificates really needed for certificate management?
- It is possible to generate different private keys from the same master key with different identifier strings; the identifier itself can serve as the public key
- Removing the overhead of certificate management for responders: KIS-D-OCSP still requires at least one certificate
- Date information can be encoded into the keying material: the date is common knowledge, so a hash chain is not required to check validity for the given time period
- Applying an identity-based signature (IBS) scheme
IBS-D-OCSP (2)
Implementation issues
- Identity-based signature scheme: [J. Cha and J. Cheon, PKC 2003]
- Bilinear pairing: Weil and Tate pairing on elliptic curves
- Identifiers of responders: the certificate contains the OCSP_URI, certified by the CA; e.g., Keying ID = "CA || Responder_URI || 20040818"
- The ID itself is the public key for IBS verification
IBS-D-OCSP (3)
Key generation: the CA generates private keys for the responders' identifiers (figure: the master key, each identifier and the date info. go into the key generator; $SK_1, \dots, SK_n$ are sent to $R_1, \dots, R_n$ over a secure channel).
- $e: G_1 \times G_1 \to G_2$: bilinear pairing; $G_1$: additive group of points on an elliptic curve; $G_2$: multiplicative group of a finite field
- CA master secret: $SK^* = s \in_R \mathbb{Z}_q^*$
- CA public key: $PK^* = sP \in G_1$, with $P \in G_1$
- $Q_i = f(\text{identifier}_i \,\|\, \text{Date}) \in G_1$, where $f: \{0,1\}^* \to G_1$ is a one-way mapping function
- Each responder's private key: $SK_i = s Q_i \in G_1$
IBS-D-OCSP (4)
System
- The CA distributes the private keys $SK_1, \dots, SK_n$ for the given time period
- The client requests service from one of the responders
- Responder $i$ signs the response $m$: $r \in_R \mathbb{Z}_q$; $U = r\, H_1(CA \,\|\, Res\_URI_i \,\|\, date) \in G_1$; $h = H_2(m, U)$; $V = (r + h)\, SK_i$; $Sig_i = (U, V)$. The responder returns the response and the IBS signature
- The client calculates the public key from the responder identifier and the date info., $Q_i = H_1(CA \,\|\, Res\_URI_i \,\|\, date)$ and $h = H_2(m, U)$, and verifies the signature in the response by checking whether $e(P, V) = e(P_{CA}, U + h Q_i)$
Security
- The security of a signature relies on the underlying IBS
- Assuming the CA is a trusted authority, the master key is not disclosed
- It is difficult to compute a private key from an identifier without knowing the master key: DLP (Discrete Logarithm Problem)
- Date information is encoded in the keying material, so keys are only valid for the given time period
Efficiency
Comparison of KIS-D-OCSP and IBS-D-OCSP:

| KIS-D-OCSP | IBS-D-OCSP |
|---|---|
| Master public key size is proportional to the number of responders | Master public key size is constant in the number of responders |
| At least one certificate for responders | No certificate for responders |
| CA stores hash values securely | CA stores no hash values |
| Return: {response, signature, hash} | Return: {response, signature} |
| 2 signature verifications + (t-1) hashings | 1 signature verification |
| Hash chains to check timely validity | Encoding date info. into keying material |
| Update hash values every time period | Refresh private keys every time period |
Conclusion
- A public key certificate is essential for a secure Internet; certificate validity checking is required, and OCSP is one solution
- Proposed an efficient D-OCSP framework, IBS-D-OCSP: it removes the responders' certificate and does not require additional certificate management
- Any other efficient IBS scheme can be applied to the system