Certification asynchrone

1
Certification asynchrone à grande échelle avec
des arbres de vérification de certificats

• Josep Domingo-Ferrer
• Universitat Rovira i Virgili
• jdomingo_at_etse.urv.es
• Louvain-la-Neuve, le 17 janvier 2003

2
Contents

• Introduction
• Certificates and revocation
• CVTs
• A new proposal
• Implicit revocation
• Assessment
• Summary and conclusion

3
Introduction

• Safe use of digital signatures requires
  certification of public keys
• A digital certificate consists of a certificate
  statement (c-statement) and its signature by the
  CA
• Important issues
• Revocation
• Large-scale certificate management

4
Approaches to Revocation

• Certificate Revocation Lists (CRL, X.509 1988)
• Certificate Revocation Trees (CRT, Kocher 1999)
• Naor-Nissim Scheme (2-3 trees, 1998)
• Certificate Revocation System (CRS, Micali 1997)
• Short-validity certificates they are valid until
  their expiration date (Rivest 2000)
• Certificate Verification Trees (CVT)
  certificates and revocation information are
  combined in a single Merkle tree (Gassko et al.,
  2000)

5
CVTs (1/3)

• CA builds a Merkle tree
• Every leaf is a c-statement together with its
  hash value
• The hash values of sibling nodes are joined and
  the hash of the joint value is assigned to their
  parent node this procedure iterates until the
  root node is reached.
• CA signs the root node together with the date and
  additional information
• The cert-path of a c-statement is the path from
  the corresponding leaf node to the root, along
  with the necessary nodes to verify the leaf node
  hash

6
CVTs (2/3)
7
CVTs (3/3)

• A single signature certifies all public keys in
  the CVT (easy to change CA key)
• The CVT is updated on a regular basis
• Certificates are appended to the tree in batches
• Updating the CVT only requires recomputing one
  signature the rest of work are hash value
  computations.
• Historical queries can be handled easily
• Proof of certificate non-existence

8
A New Proposal

• All advantages of CVTs are maintained
• The following features are added
• Batches of certificates can be requested without
  requiring substantial storage on the signers
  side
• Convenient for short-validity certificates
• Convenient when the signers device is a smart
  card
• Implicit revocation

9
Asynchronous Certification Based on CVTs

• The signer requests batches of certificates
  without being forced to store the corresponding
  private keys
• Certificates can have a short validity
• The signer can use a new certificate as soon as
  the old one has expired
• It is assumed that the signers device is a smart
  card SC
• The scheme consists of three protocols
  generation, signature and implicit revocation

10
Protocol 1 Generation

• 1 The signers SC generates a key k corresponding
  to a block symmetric cipher (e.g. DES, AES).
• 2 For i1 to m
• (a) SC generates a pair of public-private keys
  (pki,ski)
• (b) SC encrypts ski under k and obtains Ek(ski)
• (c) SC sends (pki,Ek(ski)) to CA
• (d) SC deletes pki, ski and Ek(ski) from its
  memory
• 3 CA stores the Ek(ski) in a safe place
• 4 In the next CVT update, CA appends the pki
  received to CVT

11
Generation
CA
CVT
SC
k
12
Generation

• The key pairs will be valid in consecutive time
  intervals
• Protocol 1 is run often enough to avoid running
  out of keys
• The larger the batch size m, the less often must
  Protocol 1 be run

13
Protocol 2 Signature at Interval t

• 1 If the signers SC already stores skt, then, if
  necessary, obtain the cert-path for pkt
• 2 Otherwise
• (a) Delete the last stored skj
• (b) Obtain Ek(skt) from CA
• (c) Decrypt Ek(skt) to obtain skt
• (d) Obtain the certificate and the cert-path for
  pkt from the CVT
• 3 Sign using skt

14
Signature (Interval t)
CA
CVT
SC
K
skj
cert(pkj)
15
Signature

• SC only stores the current private key
• SC obtains a new certificate and its private key
  when the current one expires
• When signing, the cert-path must be appended to
  the signature

16
Protocol 3 Implicit Revocation

• 1 If SC is compromised or stolen, the CA is
  informed by the signer
• 2 CA stops serving encrypted private keys Ek(ski)
  to SC

17
Implicit Revocation (t)
CA
CVT
SC
K
skj
cert(pkj)
18
Implicit Revocation

• Protocol 3 implicitly revokes all certificates
  issued for future time intervals
• The current certificate is not revoked
• To eliminate the need for explicit revocation of
  the current certificate, short-validity
  certificates can be used
• A short-validity certificate is like to expire
  before the intruder has time to tamper with SC
  and use it

19
Efficiency Assessment

• Asynchronous certification. By requesting batches
  of certificates ahead of time, a new certificate
  can be used as soon as the current one expires
• Reduced storage. SC only stores a secret
  symmetric key (k), the current private key and
  the current certificate
• Implicit revocation. It allows certificates to be
  revoked without updating the CVT nor publishing
  revocation information

20
Explicit vs Implicit Revocation

• Explicit revocation forces CA to publish
  revocation information. Even worse, it forces
  verifiers to check that information before
  accepting a signature as valid.
• Implicit revocation is better in that it prevents
  the private key corresponding to a revoked
  certificate from being used to sign
• Explicit revocation can be completely eliminated
  if our scheme is combined with short-validity
  certificates

21
Summary and Conclusion

• CVTs are a good data structure to manage
  large-scale CAs
• A scheme has been proposed which allows batches
  of certificates to be requested ahead of time
  without degrading security
• In case the SC is stolen or compromised, implicit
  revocation is used

22
Further Details in

• J.Domingo, M.Alba and F.Sebé, Asynchronous
  Large-Scale Certification Based on Certificate
  Verification Trees, Procs. of CMS2001. Kluwer
  Academic Publishers, 2001, pp.185-196.