Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials (presentation transcript)

Uploaded On 2024-01-13



Presentation Transcript

1. Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials
   Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Bryan Parno
   X.509 -> V.C. with the Magic of Verifiable Computation

2. The X.509 Public Key Infrastructure (1988)
   Chain: Endpoint certificate, Intermediate Certificate Authority certificate, Root Certification Authority certificate

3. X.509 Authentication (diagram labels)
   - Certificate Authority
   - certificates + private keys
   - certificate validation program; authorized root certificates (data)
   - Optional evidence that chain is OK: OCSP, Certificate Transparency, Perspectives...
   - Authentication challenge; Sign(challenge, private key); 1-3KB / certificate

4. X.509 Problem: Application Heterogeneity
   (Same diagram as slide 3: certificate validation program, authorized root certificates (data), optional evidence that chain is OK (OCSP, Certificate Transparency, Perspectives...), certificates + private keys, authentication challenge, Sign(challenge, private key), 1-3KB / certificate.)
   Applications: TLS, S/MIME, 802.1X (Wi-Fi), Code signing, Document signing, ...
   Basic Validation
   - Correct ASN.1 encoding (injective parsing)
   - Correct signatures from one certificate to the next
   - Valid basic constraints
   - Valid key usages
   - Acceptable algorithms and key sizes
   TLS validation
   - notBefore < now() < notAfter ?
   - Domain == Subject CN? Domain in Subject Alternative Names? Matches a wildcard name? Domain compatible with Name Constraints?
   - Endpoint EKU includes TLS client / server? Chain allows TLS EKU?
   - Not revoked now
   S/MIME validation
   - notBefore < email date < notAfter ?
   - Subject emailAddress or Alternative Names include sender email?
   - Endpoint EKU includes S/MIME? Chain allows S/MIME EKU?
   - Not revoked when mail was sent

5. Recent PKI Failures (timeline 2006-2015; categories: Crypto failures, Formatting & semantics, CA failures)
   - HashClash rogue CA (MD5 collision), Stevens et al.
   - Flame malware
   - NSA/GCHQ attack against Windows CA
   - Bleichenbacher's e=3 attack on PKCS#1 signatures
   - 512 bit Korean School CAs
   - TÜRKTRUST
   - BERSerk
   - DigiNotar hack
   - EKU-unrestricted VeriSign certificates
   - ANSSI
   - Comodo hack
   - Trustwave
   - VeriSign NetDiscovery
   - Debian OpenSSL entropy bug
   - Basic constraints not properly enforced (recurring & catastrophic bug)
   - OpenSSL null prefix
   - The SHAppening
   - DROWN
   - KeyUsage
   - Name constraints failures
   - VeriSign hack
   - OpenSSL CVE-2015-1793
   - GnuTLS X509v1
   - Superfish
   - India NIC
   - StartCom hack
   - China NNIC

6. X.509 Problem: Privacy
   (Same diagram as slide 3.) Added labels: Network Observer (learns all certificate contents); Monitor; Requests.

7. Cinderella: Main Idea (diagram labels)
   - Geppetto compiler inputs: certificate validation policy (C code), authorized root certificates (data)
   - Geppetto compiler outputs: evaluation key, verification key
   - Prover inputs: certificates + private keys, other evidence (OCSP, CT), authentication challenge
   - Output: Proof (288 B)

8. Computation Outsourcing with Pinocchio
   Setup Phase: C program F(priv, pub) -> Arithmetic Circuit (gates labelled +, X, C, D) -> Evaluation Key Ek, Verification Key Vk
   Runtime Phase: public verifier inputs (Query(pub)) and private prover inputs; the prover computes F(priv, pub) with Ek and returns a Succinct Proof; the verifier runs Check(Proof, Vk)
   Complex programs compile to very large arithmetic circuits.
   [GGP, CRYPTO'10]; [GGPR, EUROCRYPT'13]; [PGHR, S&P'13]; [CFHKKNBZ, S&P'15]

9. Cinderella: Contributions
   - A compiler from high-level validation policy templates to Pinocchio-optimized certificate validators
   - Pinocchio-optimized libraries for hashing and RSA-PKCS#1 signature validation
   - Several TLS validation policies based on concrete templates and additional evidence (OCSP), tested on real certificates
   - An e-Voting validation policy based on Helios with Estonian ID card

10. Benefits and Caveats
   Benefits:
   - Compatible with existing PKI and certificates (practicality)
   - Ensures uniform application of the validation policy, but allows flexible issuance policies
   - Complete control over disclosure of certificate contents (anonymity)
   - Less exposure of long-term private key through weak algorithms
   Caveats:
   - Computationally expensive
   - Initial agreement on the validation policy
   - Reliance on security of verified computation system (new exotic crypto assumption, new trusted key generation)
   - Does not solve key management (one more layer to manage)

11. Cinderella: Soundness (diagram labels)
   - Geppetto compiler: certificate validation policy (C code), authorized root certificates (data) -> verification key
   - Prover: certificates + private keys, other evidence (OCSP, CT) -> Proof (288 B)
   - Public inputs: certificate validation policy (C code), public inputs

12. Compiling Certificate Templates
   Template (fragment):

   seq {
     seq {
       # Version
       tag<0>: const<2L>;
       # Serial Number
       var<int, serial, 10, 20>;
       # Signature Algorithm
       seq { const<O1.2.840.113549.1.1.5>; const<null>; };
       # Issuer
       seq {
         set { seq { const<O2.5.4.10>; const<printable:"AlphaSSL">; }; };
         set { seq { const<O2.5.4.3>; const<printable:"AlphaSSL CA - G2">; }; };
       };
       # Validity Period
       seq { var<date, notbefore, 13, 13>; var<date, notafter, 13, 13>; };
       # Subject
       seq {
         varlist<subject, 2, 4>: set {
           seq { var<oid, subjectoid, 3, 10>; var<x500, subjectval, 2, 31>; };
         };
       };
       […]

   Pipeline: the Template goes through the compiler, which separates Constants, Variables and Variable lists and emits the Verifier. An Untrusted Native Parser parses the certificate and generates the prover inputs (Private inputs). The C/QAP verifier concatenates the compile-time constants and run-time vars and computes a running hash.

13. C verifier program: Produced Verifier (Fragment)

   if (in_subject.v[0] > 2) {
     append(&buffer, in_subjectval[2].tag);
     append(&buffer, 0 + LEN(in_subjectval[2]));
     for (i = 0; i < 31; i++)
       if (i < LEN(in_subjectval[2]))
         append(&buffer, in_subjectval[2].v[i]);
   }
   if (buffer.cur >= 85) reduce(&buffer, &hash);

   - Hashing buffer = 2 * hash function block size
   - Append(byte): add given byte to the hashing buffer
   - Reduce(): compress one block of buffer, update current hash
   - Diagram labels: Variable list, Variable, Constants, Compression, Current Hash
   - Output = hash of ASN.1 formatted certificate contents

14. Verifying PKCS#1 RSA Signatures
   S ^ e mod N = 1ffffffffff[…]ffffff kkkkk[…]kkkkkk XXXXXXXXXXXXXXXXXXXXX   (the X block is the Hash, computed before)
   S: 120-bit limbs (120 bits | 120 bits | 120 bits | …)
   S^2: 240+ bit limbs (240+ bits | 240+ bits | 240+ bits | …)
   S² = Q*N + R, with Q*N in 240+ bit limbs and R in 120-bit limbs
   S <- R
   S ^ e = S (((S ^ 2) ^ 2) …)
   Private inputs Q and R ->
   Assume fixed e = 65537 = 2 ^ 16 + 1
   Verify the prover hints are valid
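The hinted exponentiation from this slide as an added worked example (not code from the presentation or the Cinderella prototype): a signer produces an ordinary PKCS#1 v1.5 signature, an untrusted prover supplies a (Q, R) pair for each of the 16 squarings and the final multiplication by S, and the verifier only checks x*y == Q*N + R with R < N before comparing the final remainder to the expected padding, DigestInfo and hash. The Mersenne-prime modulus, the messages and all function names are constructed for the example.

```python
import hashlib

# Toy RSA modulus built from two well-known Mersenne primes (constructed for
# this example only; a real key uses random primes of equal size).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537                        # fixed e = 2^16 + 1, as on the slide
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8    # modulus length in bytes

# DigestInfo prefix for SHA-256 (RFC 8017): the constant "kkkk" block that
# sits between the 0xff padding and the hash on the slide.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes) -> bytes:
    """Expected encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes) -> int:
    """Signer (outside the circuit): plain S = EM^d mod N."""
    return pow(int.from_bytes(emsa_pkcs1_v15(msg), "big"), D, N)

def prover_hints(s: int) -> list:
    """Untrusted prover: supply (Q, R) with x*y = Q*N + R for every step, so
    the verifier never has to divide. 16 squarings give S^(2^16); one final
    multiplication by S gives the +1 in e = 2^16 + 1."""
    hints, cur = [], s
    for _ in range(16):
        q, r = divmod(cur * cur, N)
        hints.append((q, r))
        cur = r
    hints.append(divmod(cur * s, N))
    return hints

def verify_with_hints(msg: bytes, s: int, hints: list) -> bool:
    """Verifier (what the compiled circuit does): check each hint satisfies
    x*y == Q*N + R with 0 <= R < N, chain the remainders, and compare the
    final R against the expected PKCS#1 v1.5 encoding of the message."""
    if not 0 < s < N or len(hints) != 17:
        return False
    cur = s
    for i, (q, r) in enumerate(hints):
        other = cur if i < 16 else s        # squaring, then multiply by S
        if not 0 <= r < N or cur * other != q * N + r:
            return False
        cur = r
    return cur.to_bytes(K, "big") == emsa_pkcs1_v15(msg)
```

The range check on R is what stops a prover from passing a consistent but wrong pair such as (Q-1, R+N); without it the chain would still "verify".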

15. Application: TLS Client (with Offline Signing)
   Diagram labels: Key Exchange signed with Ek; PseudoEk; Proof; No change to TLS!; Client; Cert Ck, fields; PseudoEk; F(fields); Geppetto compiler; evaluation key; verification key; Proof; PseudoEk; Proof; Offline

16. Single Template Evaluation (With Signature)

17. Application evaluation

18. Conclusions
   - One of the first practical applications of verifiable computing
   - We enhance the privacy and integrity of X.509 authentication
   - No change to the PKI or to application protocols
   - Working prototype for TLS and Helios

19.

20. The Internet PKI
   With M. Abadi, A. Birrell, I. Mironov, T. Wobber and Y. Xie (NDSS'14)

21. Core Pinocchio protocol  Generate the MultiQAP for Pick random Compute Compute   Generate the commitment:, similarly for and . and similarly for and    and similarly for and  Find s.t. Compute Proof is    {Yes, No}   is a pairing: 

22. Workaround: Tunneling (diagram labels)
   - Server Certificate; DH Key Exchange -> Server authenticated channel
   - Client Authentication; Compound authentication
   - "I see all certificate fields"
   - Performance overhead of tunneling (TLS Renegotiation, TLS 1.3 Handshake Encryption)
   - Server still sees all contents
   - Not always possible (S/MIME, code and document signing)

23. Usability and Privacy of PKI Authentication: Current Privacy Approach (diagram labels)
   - Server Certificate; DH Key Exchange -> Server authenticated channel
   - Channel-bound Client Authentication; Authentication binding, e.g. Channel ID or Renego Extension
   - Anonymous Client Certificate: CB = sign(tls-unique, cliSk(channel))
   - <user, HMAC(password, CB)>
   - User unfriendly; Complex; Key Compromise Impersonation attacks

24. The Internet PKI (certificate chain diagram)
   Each certificate carries: Issuer, Subject, Public Key, Algorithm + Parameters, Signature value.
   Arrows: "Signed by" (each certificate to the one that signed it) and "Matches" (Issuer name to the signer's Subject name).

25. Deployment: X.509 Signature Scheme (diagram labels)
   - Root CA: CA Public Key, Algorithm + Parameters, Signature value
   - Intermediate CA: Public Key, Algorithm + Parameters, Signature value
   - Peggy's cert C: CN=Peggy, Age=29; Intermediate CA
   - OCSP certificate of non-revocation
   - Pseudonym creation (Ek) -> Pseudonym Certificate, Extension: Vk, Proof

26. ASN.1
   - Binary encoding standard
   - Ancient (1984)
   - <Tag, Length, Value>
   - Distinguished rules (DER): unique serialization
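The unique-serialization property of DER from this slide, which is what the "injective parsing" requirement of slide 4 relies on, as an added example not taken from the presentation: a minimal <Tag, Length, Value> reader that rejects the alternative BER encodings (indefinite and non-minimal lengths, trailing bytes) so that each value has exactly one accepted byte string. Sample bytes and function names are constructed.

```python
def der_read_tlv(buf: bytes, pos: int):
    """Read one DER <Tag, Length, Value> starting at buf[pos] and return
    (tag, value, next_pos). Any encoding that is not the single DER form of
    its content (indefinite or non-minimal length) is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are out of scope for this example")
    pos += 2
    if first < 0x80:                       # short form: one length byte
        length = first
    else:                                  # long form: 0x80|n, then n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        lb = buf[pos:pos + n]
        if lb[0] == 0 or int.from_bytes(lb, "big") < 0x80:
            raise ValueError("non-minimal length encoding (not DER)")
        length = int.from_bytes(lb, "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value truncated")
    return tag, buf[pos:pos + length], pos + length

def der_parse_seq(buf: bytes) -> list:
    """Parse a top-level SEQUENCE into its (tag, value) elements, demanding
    that the input is consumed exactly: no trailing bytes, no slack inside."""
    tag, body, end = der_read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("input is not exactly one SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = der_read_tlv(body, pos)
        items.append((t, v))
    return items

def is_canonical(buf: bytes) -> bool:
    """True iff buf parses as DER; a template verifier may accept only these."""
    try:
        der_parse_seq(buf)
        return True
    except ValueError:
        return False

# Constructed sample: SEQUENCE { INTEGER 5, PrintableString "AlphaSSL" }
GOOD = bytes.fromhex("300d" "020105" "1308") + b"AlphaSSL"
# Same content with the outer length in long form (81 0d): valid BER but not
# DER, i.e. a second encoding of the same value, so it must be rejected.
NON_DER = bytes.fromhex("30810d" "020105" "1308") + b"AlphaSSL"
```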

27. Checking RSA Signatures
   Assume fixed e = 65537 = 2 ^ 16 + 1