Trustworthy OnLine Signatures: the Nightingale Approach

About This Presentation

Title:

Trustworthy OnLine Signatures: the Nightingale Approach

Description:

Trustworthy OnLine Signatures: the Nightingale Approach – PowerPoint PPT presentation

Number of Views:53

Avg rating:3.0/5.0

Slides: 25

Provided by: BurtKa6

Category:

more less

Transcript and Presenter's Notes

Title: Trustworthy OnLine Signatures: the Nightingale Approach

1
Trustworthy On-Line Signatures the Nightingale
Approach

Burt Kaliski, RSA Laboratories

2
Outline

On-line signatures
Assumptions and solution objectives
Comparing seven solutions
Joint authentication with Nightingale
Conclusions

3
On-Line Signatures

Service generates digital signature on behalf of
user
User key or enterprise key
Benefits
User mobility
Security for signature key
Policy auditing
Challenges
Potential server compromise is basis for
repudiation

4
Assumptions

Password authentication
Tokens, biometrics could also be supported
Client software
e.g., Java applet
no persistent state
Secure channel to service
Protects password, message
e.g., SSL with server certificate
One or more servers

Software trust issue!
Certificate trust issue!
5
Solution Objectives

Convenient for user
Single password
Dual control
Single server cant request or generate signature
Based on cryptographic key splitting
Intrusion-resilient
Resists full compromise of any single server
Even with dictionary attack on (weak) passwords
? Trustworthy

6
How Key Splitting Works RSA Example

Signature key is split between two servers
Server 1 (n,d1)
Server 2 (n,d2)
where d d1d2 is standard private exponent
Servers generate partial signatures
Server 1 ?1 Md1 mod n
Server 2 ?2 Md2 mod n
Ordinary signature obtained from partials
? ?1 ? ?2 mod n
Proof ? Md1d2 mod n Md mod n
Neither server can sign alone

7
Comparing Solutions Overview

No key splitting
Single server
Separate auth. server

Key splitting
Single server
Separate auth. server
Two passwords
Derived passwords
Joint authentication

8
Model and Notation
Notation P password (or hash)M message (or
hash)? signature indexes (1,2) indicate shares,
partial signatures
9
No Key Splitting Single Server
Client

verify P
sign M

Server
10
No Key Splitting Separate Auth. Server
Auth. server
Client

verify P
issue assertion

verify assertion
sign M

OASIS SAML / DSS hybrid
Signature server
11
Key Splitting Single Server
Client

partially sign M using password (e.g., d1
derived from P)

complete signature

Yaksha / SingleSignOn.net
Server
12
Key Splitting Separate Auth. Server
Auth. server
Client

verify P
partially sign M

complete signature

(Many variants of this and following protocols)
Signature server
13
Key Splitting Two Passwords
Server 1
Client

verify P1
partially sign M

complete signature

verify P2
partially sign M

Server 2
14
Key Splitting Derived Passwords
Server 1
Client

verify P1
partially sign M

derive passwords from P

complete signature

verify P2
partially sign M

Server 2
15
Key Splitting Joint Authentication
Server 1
Client

partially sign M

split P into P1, P2

complete signature

partially sign M

Server 2
16
Joint Authentication with Nightingale

Nightingale joint authentication protocol
Brainard-Juels-Kaliski-Szydlo (2002)
Password is split cryptographically between two
servers
P1 P R P2 R, where R is random
Two servers can verify password together without
seeing or storing it
? Compromise of one server doesnt reveal
password
Based on Shamir secret-sharing, zero-knowledge
techniques

17
Registering a Password
Password P
18
Verifying a Password (1)
Password P
19
Verifying a Password (2)
20
Verifying a Password (3)
If P P, then A B! Otherwise, A and B are
different
21
Comparing Solutions Summary
22
Conclusions

On-line signatures have many benefits
Key-splitting essential for dual control, but
authentication may still be single point of
compromise
Highest assurance and convenience when both
servers participate jointly in signature and
authentication

23
More about Nightingale