Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

Jong Youl Choi, Dept. of Computer Science, Indiana University at Bloomington
Philippe Golle, Palo Alto Research Center
Markus Jakobsson, School of Informatics, Indiana University at Bloomington

Threats to Certificate Authorities
• Stealing private key
  – Malicious attack such as Trojan horse, virus
  – Leaking CA’s private key via covert-channel
• Hidden communication channel
  – CAs use lots of random numbers
  – Hard to prove randomness since it is directly related to privacy

What is a covert channel?
• Hidden communication channel
• Steganography – Information hiding
[Figure: Original Image / Extracted Image]

Prisoners' problem [Simmons, ’93]
• Two prisoners want to exchange messages, but must do so through the warden
• Subliminal channel in DSA
[Figure: speech bubbles "What Plan?" and "Plan A"]

Leaking attack on RSA-PSS
• A random salt is used as a padding string in a signature
• In verification process, the salt is extracted from the message
• Hidden information can be embedded in the salt
[Figure: RSA-PSS: PKCS #1 V2.1]

Approaches
• Need an observer to detect leaking
• An observer investigates outputs from CA
[Diagram labels: $m_k$, Certificate Authority, Pseudo Random Number Generator, $\mathrm{Sig}_k$, "Something hidden?"]
• Malicious attack
• Replacement of function

Hindsight
• Observing is not easy because of a random number
  – Looking innocuous
  – Not revealing any state
• Fine as long as a random number is generated in a designated way
• Using hindsight, we detect abnormal behavior generating a random number

Weakness of an observer
• An observer can be attacked, causing a single point of failure
[Diagram labels: $m_k$, Certificate Authority, Pseudo Random Number Generator, $\mathrm{Sig}_k$, "Something hidden?"]
Public verifiability with multiple observers

Undercover observer
• CA outputs non-interactive proof as well as signature
• Ambushes until verification is invalid
[Diagram labels: $m_k$, Pseudo Random Number Generator, $\mathrm{Sig}_k$]

Tamper-evident Chain
• Predefined set of random values in lieu of random number on the fly
• Hash chain verification
[Diagram: Seed and the values $s_0, s_1, s_2, s_3, \dots, s_n$, linked by $h()$; signatures $\mathrm{Sig}_1, \mathrm{Sig}_2, \dots, \mathrm{Sig}_n$
 Checks: $s_0 = h(s_1)$?  $s_1 = h(s_2)$?  $s_2 = h(s_3)$?  $\dots$  $s_{n-1} = h(s_n)$?
 Also shown: $s_3'$, $\mathrm{Sig}_3'$]

DSA Signature Scheme
• Gen: $x \to y = g^x \bmod p$
• Sign: $m \to (s, r)$, where $r = (g^k \bmod p) \bmod q$ and $s = k^{-1}(h(m) + x r)$ for random value $k$
• Verify: for given signature $(s, r)$, $u_1 = h(m)\, s^{-1}$, $u_2 = r\, s^{-1}$, and check $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$

Hash chain construction
[Diagram: Seed, PRNG, $k_1, k_2, k_3, \dots, k_n$; signatures $\mathrm{Sig}_1, \mathrm{Sig}_2, \dots, \mathrm{Sig}_n$; values $w_0, w_1, w_2, w_3, \dots, w_n$ linked by $h()$
 $r_1 = g^{k_1},\ r_2 = g^{k_2},\ r_3 = g^{k_3},\ \dots,\ r_n = g^{k_n}$
 Checks: $w_0 = h(r_1 \| w_1)$?  $w_1 = h(r_2 \| w_2)$?  $w_2 = h(r_3 \| w_3)$?  $\dots$  $w_{n-1} = h(r_n \| w_n)$?
 Also shown: $k_3'$, $\mathrm{Sig}_3'$, $r_3' = g^{k_3'}$]
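
The chain checks on this slide, worked through as an added Python example that is not part of the original slides: an observer holding only $w_0$ walks the released $(r_i, w_i)$ pairs and flags the first link where $w_{i-1} \ne h(r_i \| w_i)$. The toy group parameters, the HMAC-based stand-in for the PRNG, SHA-256 as $h$, the all-zero $w_n$ and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy DSA-style group, assumed for illustration only (far too small for real use).
P, Q, G = 2039, 1019, 4          # P = 2Q + 1; G generates the order-Q subgroup

def h(r, w):
    """One chain link: h(r || w), with r encoded as a fixed 2-byte integer."""
    return hashlib.sha256(r.to_bytes(2, "big") + w).digest()

def derive_nonces(seed, n):
    """Stand-in PRNG: k_1..k_n in [1, Q-1], derived from the seed with HMAC-SHA256."""
    out = []
    for i in range(1, n + 1):
        block = hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(int.from_bytes(block, "big") % (Q - 1) + 1)
    return out

def build_chain(ks, w_n=b"\x00" * 32):
    """Return 1-indexed rs and 0-indexed ws with ws[i-1] = h(r_i || w_i)."""
    n = len(ks)
    rs = [None] + [pow(G, k, P) for k in ks]
    ws = [None] * n + [w_n]
    for i in range(n, 0, -1):          # built backwards, from w_n down to w_0
        ws[i - 1] = h(rs[i], ws[i])
    return rs, ws

def audit(w0, released):
    """Observer: walk (r_i, w_i) pairs in signing order; return first bad index or None."""
    w_prev = w0
    for i, (r, w) in enumerate(released, start=1):
        if not hmac.compare_digest(w_prev, h(r, w)):
            return i
        w_prev = w
    return None

def demo():
    ks = derive_nonces(b"constructed-seed", 5)       # constructed sample seed
    rs, ws = build_chain(ks)
    honest = [(rs[i], ws[i]) for i in range(1, 6)]
    k3_bad = ks[2] % (Q - 1) + 1                     # any k'_3 != k_3
    tampered = list(honest)
    tampered[2] = (pow(G, k3_bad, P), ws[3])         # r'_3 = g^{k'_3} replaces r_3
    return audit(ws[0], honest), audit(ws[0], tampered)

if __name__ == "__main__":
    print(demo())
```

Because each $w_{i-1}$ was fixed before any signature was issued, a nonce swapped in at signing time cannot satisfy the link check, whoever performs it and whenever.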

Conclusion
• Any leakage from CAs is dangerous
• CAs are not strong enough from malicious attacks
• We need observers which are undercover
• A small additional cost for proofs
Or, send me emails: [email protected]