Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware
Jong Youl Choi, Computer Science Dept., Indiana University at Bloomington
Philippe Golle, Palo Alto Research Center, CA, USA
Markus Jakobsson, School of Informatics, Indiana University at Bloomington
Page 2
Threats to Certificate Authorities
• Certificate repudiation
  – A user chooses a weak private key
  – A user intentionally lets his private key leak discreetly, for forgery
• Certificate private key leaking
  – Malicious attack such as a Trojan horse
  – Leaking the CA's private key via a covert channel
Page 3
What is a covert channel?
• Hidden communication channel
• Steganography – Information hiding
[Figure: "Original Image" and "Extracted Image"]
Page 4
Prisoners' problem [Simmons, '93]
• Two prisoners want to exchange messages, but must do so through the warden
• Subliminal channel in DSA
[Figure: speech bubbles "What Plan?" and "Plan A"]
Page 5
Leaking attack on RSA-PSS
• A random salt is used for the padding string in encryption
• In the verification process, the salt is extracted from EM
• Hidden information can be embedded in the salt value
[Figure: RSA-PSS : PKCS #1 V2.1]
Page 6
Approaches
• Detect leaking
• A warden observes outputs from the CA
[Figure labels: m_k, Pseudo Random Number Generator, Sig_k, "Something hidden?", Certificate Authority]
• Malicious attack
• Replacement of function
Page 7
Approaches (Cont'd)
• Observing is not so easy because the random number ...
  – looks innocuous
  – Or, doesn't reveal any state
• A warden (observer) can be attacked
[Figure labels: m_k, Pseudo Random Number Generator, Sig_k, "Something hidden?", Certificate Authority]
Page 8
Undercover observer
• Signer outputs non-interactive proof as well as signature
• Ambushes until verification is invalid
[Figure labels: m_k, Pseudo Random Number Generator, Sig_k]
Page 9
Tamper-evident Chain
• Predefined set of random values in lieu of random numbers on the fly
• Hash chain verification
[Figure: values x_1, x_2, x_3, …, x_n, x_{n+1} linked by Hash(), with signatures Sig_1, Sig_2, …, Sig_n. Checks: x_1 = Hash(x_2)?, x_2 = Hash(x_3)?, …, x_{n-1} = Hash(x_n)?. Also shown: x'_3 and Sig'_3.]
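The chain check from this slide as an added example (not code from the presentation): a signer derives all values from one random x_{n+1}, and an observer holding only x_1 finds the first released value that is off the chain. SHA-256, the function names and the seed are assumptions made for the illustration.

```python
import hashlib
import secrets
from typing import List, Optional

def H(value: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slide's unspecified Hash().
    return hashlib.sha256(value).digest()

def build_chain(n: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Signer side: return [x_1, ..., x_{n+1}] with x_i = H(x_{i+1}).

    Only x_{n+1} is random; once x_1 is published, every later value
    is already fixed and cannot be chosen per signature.
    """
    x = seed if seed is not None else secrets.token_bytes(32)
    chain = [x]                      # x_{n+1}
    for _ in range(n):
        x = H(x)
        chain.append(x)              # x_n, x_{n-1}, ..., x_1
    chain.reverse()
    return chain

def first_bad_index(anchor: bytes, released: List[bytes]) -> Optional[int]:
    """Observer side: anchor is the published x_1; released is x_2, x_3, ...
    in signing order. Returns the slide-style index i of the first x_i
    with H(x_i) != x_{i-1}, or None if the whole run is consistent.
    """
    previous = anchor
    for i, x in enumerate(released, start=2):
        if H(x) != previous:
            return i
        previous = x
    return None

if __name__ == "__main__":
    # Constructed sample input: a fixed seed keeps the run reproducible.
    chain = build_chain(5, seed=b"constructed-demo-seed")
    honest = chain[1:]
    print("honest run:", first_bad_index(chain[0], honest))
    tampered = list(honest)
    tampered[1] = H(b"constructed value not on the chain")   # x'_3
    print("tampered run:", first_bad_index(chain[0], tampered))
```
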
Page 10
DSA Signature Scheme
• Gen : $x \to y = g^{x} \bmod p$
• Sign : $m \to (s, r)$, where $r = (g^{k} \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for random value $k$
• Verify : For given signature $(s, r)$, compute $u_1 = h(m)\, s^{-1}$ and $u_2 = r\, s^{-1}$, and check $r = g^{u_1} y^{u_2} \bmod p \bmod q$
Page 11
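Hash chain construction
[Figure: values k_1, k_2, k_3, …, k_n, k_{n+1} linked by Hash(), with r = g^{k_1}, r = g^{k_2}, r = g^{k_3}, …, r = g^{k_n}, labels P_1, P_2, P_3, …, P_n, P_{n+1}, and signatures Sig_1, Sig_2, …, Sig_n. Checks: X_1 = Hash(X_2)?, X_2 = Hash(X_3)?, …, X_{n-1} = Hash(X_n)?. Also shown: k'_3, r' = g^{k_3} and Sig'_3.]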
Page 12
Conclusion
• Any leakage from CAs is dangerous
• CAs are not strong enough against malicious attacks
• We need observers which are undercover
• A small additional cost for proofs
Or, Send me email : [email protected]