Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware
Jong Youl Choi, Dept. of Computer Science, Indiana University at Bloomington
Philippe Golle, Palo Alto Research Center
Markus Jakobsson, School of Informatics, Indiana University at Bloomington
Page 2
Threats to Certificate Authorities
• Stealing private key
– Malicious attack such as Trojan horse, virus
– Leaking CA's private key via covert channel
• Hidden communication channel
– CAs use lots of random numbers
– Hard to prove randomness since it is directly related to privacy
Page 3
What is a covert channel?
• Hidden communication channel
• Steganography – Information hiding
[Figure: Original Image / Extracted Image]
Page 4
Prisoners' problem [Simmons, '93]
• Two prisoners want to exchange messages, but must do so through the warden
• Subliminal channel in DSA
[Figure: speech bubbles "What Plan?" / "Plan A"]
Page 5
Leaking attack on RSA-PSS
• A random salt is used as a padding string in a signature
• In the verification process, the salt is extracted from the message
• Hidden information can be embedded in the salt
RSA-PSS: PKCS #1 v2.1
Page 6
Approaches
• Need an observer to detect leaking
• An observer investigates outputs from CA
[Figure labels: Certificate Authority, Pseudo Random Number Generator, $m_k$, $Sig_k$, "Something hidden?"]
• Malicious attack
• Replacement of function
Page 7
Hindsight
• Observing is not easy because of a random number
– Looking innocuous
– Not revealing any state
• Fine as long as a random number is generated in a designated way
• Using hindsight, we detect abnormal behavior in generating a random number
Page 8
Weakness of an observer
• An observer can be attacked, causing a single point of failure
[Figure labels: Certificate Authority, Pseudo Random Number Generator, $m_k$, $Sig_k$, "Something hidden?"]
Public verifiability with multiple observers
Page 9
Undercover observer
• CA outputs non-interactive proof as well as signature
• Ambushes until verification is invalid
[Figure labels: Pseudo Random Number Generator, $m_k$, $Sig_k$]
Page 10
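Tamper-evident Chain
• Predefined set of random values in lieu of random number on the fly
• Hash chain verification
[Figure labels: Seed; chain values $s_0, s_1, s_2, s_3, \ldots, s_n$ linked by $h()$; signatures $Sig_1, Sig_2, \ldots, Sig_n$; a substituted value $s'_3$ with signature $Sig'_3$]
Checks: $s_0 = h(s_1)$?  $s_1 = h(s_2)$?  $s_2 = h(s_3)$?  …  $s_{n-1} = h(s_n)$?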
Page 11
DSA Signature Scheme
• Gen : $x \rightarrow y = g^x \bmod p$
• Sign : $m \rightarrow (s, r)$ where $r = (g^k \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for random value $k$
• Verify : For given signature $(s, r)$, $u_1 = h(m) s^{-1}$, $u_2 = r s^{-1}$, and check $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$
Page 12
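Hash chain construction
[Figure labels: PRNG, Seed; $k_1, k_2, k_3, \ldots, k_n$; $r_1 = g^{k_1}$, $r_2 = g^{k_2}$, $r_3 = g^{k_3}$, …, $r_n = g^{k_n}$; chain values $w_0, w_1, w_2, w_3, \ldots, w_n$ linked by $h()$; signatures $Sig_1, Sig_2, \ldots, Sig_n$; a substituted $k'_3$ with $Sig'_3$ and $r_3' = g^{k_3}$]
Checks: $w_0 = h(r_1 || w_1)$?  $w_1 = h(r_2 || w_2)$?  $w_2 = h(r_3 || w_3)$?  …  $w_{n-1} = h(r_n || w_n)$?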
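The checks on pages 11 and 12, worked through as an added example that is not part of the original slides: the CA commits to $w_0$, signs with the predetermined $k_i$, and an observer tests $w_{i-1} = h(r_i || w_i)$ using the $r_i$ it recovers from the DSA verification equation. Assumptions made here: the toy-sized group, the seed-derived $k_i$, the hypothetical function names, and the CA releasing $w_i$ next to each signature.

```python
import hashlib
from math import isqrt

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Toy-sized DSA group built for this example: p = 2q + 1, g = 4 has order q.
Q = next(q for q in range(2**31, 2**32) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def h(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def build_chain(seed, n):
    """CA setup: fix k_1..k_n from the seed, then w_{i-1} = h(r_i || w_i)."""
    ks = [h("k", seed, i) % (Q - 1) + 1 for i in range(1, n + 1)]
    ws = [0] * n + [h("w", seed)]
    for i in range(n, 0, -1):
        ws[i - 1] = h(pow(G, ks[i - 1], P), ws[i])
    return ks, ws  # ws[0] is published before any signature is issued

def sign(x, m, k):
    r = pow(G, k, P) % Q
    return pow(k, -1, Q) * (h(m) + x * r) % Q, r

def observe(y, w_prev, m, sig, w_i):
    """Observer: verify the DSA signature, then check w_{i-1} = h(r_i || w_i)."""
    s, r = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    s_inv = pow(s, -1, Q)
    u1, u2 = h(m) * s_inv % Q, r * s_inv % Q
    big_r = pow(G, u1, P) * pow(y, u2, P) % P  # g^k mod p if the signature is valid
    return big_r % Q == r and w_prev == h(big_r, w_i)

def run(n=4, tamper_at=None):
    x = 777  # constructed private key
    y = pow(G, x, P)
    ks, ws = build_chain("constructed-seed", n)
    results = []
    for i in range(1, n + 1):
        k = ks[i - 1]
        if i == tamper_at:
            k = k % (Q - 1) + 1  # malware swaps in a different k'_i
        sig = sign(x, f"cert-{i}", k)
        results.append(observe(y, ws[i - 1], f"cert-{i}", sig, ws[i]))
    return results
```

The signature made with the substituted $k'_3$ still passes ordinary DSA verification; only the chain check exposes it.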
Page 13
Conclusion
• Any leakage from CAs is dangerous
• CAs are not strong enough against malicious attacks
• We need observers which are undercover
• A small additional cost for proofs
Or, send me emails: [email protected]