cinderella: turning shabby x.509 certificates into elegant ... · x.509 certificates into elegant...
TRANSCRIPT
Cinderella:TurningShabbyX.509CertificatesintoElegant
AnonymousCredentials
AntoineDelignat-LavaudCédricFournet,MarkulfKohlweiss,
BryanParnoX.509 V.C.
withtheMagicofVerifiableComputation
TheX.509PublicKeyInfrastructure(1988)
EndpointcertificateIntermediateCertificateAuthoritycertificate
RootCertificationAuthoritycertificate
Chain
X.509Authentication
certificatevalidationprogram
authorizedroot
certificates(data)
certificates+privatekeys
OCSP,CertificateTransparency,Perspectives…
(1-3KB/certificate)
CertificateAuthority
X.509Problem:ApplicationHeterogeneity
(1-3KB/certificate)
certificatevalidationprogram
authorizedroot
certificates(data)
certificates+privatekeys
OCSP,CertificateTransparency,Perspectives…
• TLS• S/MIME• 802.1X(Wi-Fi)• Codesigning• Documentsigning• …
BasicValidation
CorrectASN.1encoding(injectiveparsing)
Correctsignaturesfromonecertificatetothenext
Validbasicconstraints
Validkeyusages
Acceptablealgorithmsandkeysizes
TLSvalidation
notBefore <now()<notAfter ?
Domain==SubjectCN?DomaininSubjectAlternativeNames?Matchesawildcardname?DomaincompatiblewithNameConstraints?
EndpointEKUincludesTLSclient/server?ChainallowsTLSEKU?
Notrevokednow
S/MIMEvalidation
notBefore <emaildate<notAfter ?
SubjectemailAddress orAlternativeNamesincludesenderemail?
EndpointEKUincludesS/MIME?ChainallowsS/MIMEEKU?
Notrevokedwhenmailwassent
Cryptofailures RecentPKIFailures
2006200720082009201020112012 201320142015
HashClash rogueCA(MD5collision)Stevensetal.
FlamemalewareNSA/GCHQattack
againstWindowsCABleichenbacher’se=3attackon
PKCS#1signatures
512bitKoreanSchoolCAs
TÜRKTRUST
BERSerk
DigiNotar hack
EKU-unrestrictedVeriSigncertificates
ANSSIComodo hack TrustwaveVeriSign
NetDiscovery
Debian OpenSSLentropybug
Basicconstraintsnotproperlyenforced(recurring&catastrophicbug)
OpenSSLnullprefix
TheSHAppening
DROWNKeyUsage
Nameconstraintsfailures
VeriSignhack
OpenSSLCVE-2015-1793
GnuTLS X509v1
Formatting&semantics
CAfailures
Superfish
IndiaNICStartCom hack
ChinaNNIC
X.509Problem:Privacy
(1-3KB/certificate)
certificatevalidationprogram
authorizedroot
certificates(data)
certificates+privatekeys
OCSP,CertificateTransparency,Perspectives…
NetworkObserver
NetworkObserverLearnsall
certificatecontents
MonitorRequests
Cinderella:MainIdea
evaluationkeyverificationkey
certificates+privatekeys Otherevidence
(OCSP,CT)
certificatevalidationpolicy(Ccode)
authorizedroot
certificates(data)
Geppettocompiler
Proof(288B)Proof
(288B)
ComputationOutsourcingwithPinocchio
SetupPhase
RuntimePhase
CprogramF(priv,pub)
publicverifierinputsprivateprover inputs
+X
XC
D
ArithmeticCircuit
VerificationKeyVk
EvaluationKeyEk
SuccinctProof
Query(pub)
Check(Proof,Vk) F(priv,pub)
Complexprogramscompiletoverylargearithmeticcircuits
[GGP,CRYPTO’10];[GGPR,EUROCRYPT’13];[PGHR;S&P’13];[CFHKKNBZ;S&P’15]
Ek
Proof
Cinderella:Contributions
• Acompilerfromhigh-levelvalidationpolicytemplatestoPinocchio-optimizedcertificatevalidators• Pinocchio-optimizedlibrariesforhashingandRSA-PKCS#1signaturevalidation• SeveralTLSvalidationpoliciesbasedonconcretetemplatesandadditionalevidence(OCSP),testedonrealcertificates• Ane-VotingvalidationpolicybasedonHelioswithEstonianIDcard
BenefitsandCaveats
• CompatiblewithexistingPKI andcertificates(practicality)• Ensuresuniformapplicationofthevalidationpolicybut,allowsflexibleissuancepolicies• Completecontroloverdisclosureofcertificatecontents(anonymity)• Lessexposureoflong-termprivatekeythroughweakalgorithms
• Computationallyexpensive• Initialagreementonthevalidationpolicy• Relianceonsecurityofverifiedcomputationsystem(newexoticcryptoassumption,newtrustedkeygeneration)• Doesnotsolvekeymanagement(onemorelayertomanage)
Cinderella:Soundness
verificationkey
certificates+privatekeys
Otherevidence(OCSP,CT)
certificatevalidationpolicy(Ccode)
authorizedroot
certificates(data)
Geppettocompiler
Proof(288B)
Publicinputs
certificatevalidationpolicy(Ccode)
Publicinputs
CompilingCertificateTemplatesseq {seq {#Versiontag<0>:const<2L>;#SerialNumbervar<int,serial,10,20>;#SignatureAlgorithmseq {const<O1.2.840.113549.1.1.5>;const<null>;};
#Issuerseq {set{seq {const<O2.5.4.10>;
const<printable:"AlphaSSL">;};};set{seq {const<O2.5.4.3>;const<printable:"AlphaSSL CA-G2">;};};};
#ValidityPeriodseq {var<date,notbefore,13,13>;var<date,notafter,13,13>;};
#Subjectseq {varlist<subject,2,4>:set{seq {var<oid,subjectoid,3,10>;var<x500,subjectval,2,31>;};};};
[…] Template
UntrustedNativeParserParsecertificate
GenerateProver Inputs
C/QAPverifierConcatenatecompile-timeconstantsandrun-timevars
ComputerunninghashTemplateVerifiercompiler
Variables
Constants
Variablelists
Private inputs
Cverifierprogram
ProducedVerifier(Fragment)
if(in_subject.v[0]>2){append(&buffer,in_subjectval[2].tag);append(&buffer,0+LEN(in_subjectval[2]));for(i=0;i<31;i++)if(i<LEN(in_subjectval[2]))append(&buffer,in_subjectval[2].v[i]);
}
if(buffer.cur >=85)reduce(&buffer,&hash);
Hashingbuffer=2*hashfunctionblocksize
CurrentHash
Append(byte)Add given bytetothehashing buffer
Reduce()compress oneblockofbuffer,updatecurrent hash
Variablelist
Variable
Constants
Compression
Output=hashofASN.1formattedcertificatecontents
VerifyingPKCS#1RSASignaturesS^emodN=1ffffffffff[…]ffffffkkkkk[…]kkkkkkXXXXXXXXXXXXXXXXXXXXX
Hash(computedbefore)
S 120bits 120bits 120bits
S^2 240+bits 240+bits 240+bits 240+bits 240+bits
…
…
S² =Q*N+R
Q*N 240+bits 240+bits 240+bits 240+bits 240+bits …
R 120bits 120bits 120bits …
S<- R
S^e=S(((S^2)^2)…
PrivateinputsQandR->
Assumefixede=65537=2^16+1
Verifytheproverhintsarevalid
Application:TLSClient(withOfflineSigning)
KeyExchangesignedwithEk
PseudoEk
Proof
NochangetoTLS!
ClientCert
Ck,fields
PseudoEk
F(fields)
Geppettocompiler
evaluationkey verificationkey
Proof
PseudoEk
Proof
Offline
SingleTemplateEvaluation(WithSignature)
0.001
0.01
0.1
1
10
100
1000
EstonianEID S/MIME TLSserver OCSP TLSPseudonym
Seconds
Keygentime Prooftime Verifytime
Applicationevaluation
0.001
0.01
0.1
1
10
100
1000
TLS(2intermediates+OCSP)
TLS(1intermediate+OCSP)
TLS(nointermediate,OCSP)
Helios(OCSP)
Seconds
Keygentime Prooftime Verifytime
Conclusions
• Oneofthefirstpracticalapplicationofverifiablecomputing
• WeenhancetheprivacyandintegrityofX.509authentication
• NochangetothePKIortoapplicationprotocols
• WorkingprototypeforTLSandHelios
TheInternetPKI
WithM.Abadi,A.Birrell,I.Mironov,T.WobberandY.Xie (NDSS’14)
CorePinocchioprotocol
𝐾𝑒𝑦𝐺𝑒𝑛(𝑅) 𝐸𝐾, 𝑉𝐾GeneratetheMultiQAP for𝑅Pickrandom𝑠Compute𝐸𝐾 = {𝐸𝐾0}, {𝑔3
4}
𝐸𝐾5 = 𝑔67 3 , 𝑔87 3 , 𝑔97 3
𝑔:;,<67 3 , 𝑔:;,=87 3 , 𝑔:;,>97 3?∈A;
Compute𝑉𝐾 = (𝑔B 3 = 𝑔∏ 3DE�4 )
𝐶𝑜𝑚𝑚𝑖𝑡(𝐸𝐾0, 𝑢0, 𝑜0)Generatethecommitment:𝑣 0 𝑠 = ∑ 𝑢?𝑣? 𝑠�
?∈A; + 𝑜0,8𝑑 𝑠 ,similarlyfor𝑤 and𝑦𝐶0 = (𝑔6 0 , 𝑔8 0 , 𝑔9 0 , 𝑔:;,<6 0 , 𝑔:;,=8 0 , 𝑔:;,>9 0 ).𝑣 𝑠 = ∏𝑣(0) andsimilarlyfor𝑤 and𝑦
𝐶0
𝑉𝑒𝑟𝑖𝑓𝑦(𝑉𝐾0, 𝐶0)𝑒 𝑔6 0 , 𝑔0
:;,< = 𝑒(𝑔:;,<6 0 , 𝑔)andsimilarlyfor𝑤 and𝑦
𝑃𝑟𝑜𝑣𝑒(𝐸𝐾, 𝒖, 𝒐)Findℎ(𝑥) s.t. ℎ 𝑥 ∗ 𝑑 𝑥 = 𝑣 𝑥 ∗ 𝑤 𝑥 − 𝑦(𝑥)
Compute𝑔[(3) = ∏ 𝑔34[4
Proofis(𝑔6 3 , 𝑔8 3 , 𝑔9 3 𝑔[(3))
𝜋
𝑉𝑒𝑟𝑖𝑓𝑦(𝑉𝐾, 𝑪, 𝜋) {Yes,No}^ _< ` ,_= `
^ _> ` ,_=? 𝑒(𝑔[ 3 , 𝑔B(3)) 𝑒(b,b) isapairing:
𝑒 𝑔𝑝, 𝑔𝑞 = 𝑒(𝑔, 𝑔)𝑝𝑞
Workaround:Tunneling
ServerCertificate
DHKeyExchange
Serverauthenticatedchannel
ClientAuthentication
Compoundauthentication
Iseeallcertificatefields
Performanceoverheadoftunneling
• TLSRenegotiation• TLS1.3HandshakeEncryption• Serverstillseesallcontents• Notalwayspossible(S/MIME,codeanddocumentsigning)
Serverauthenticatedchannel
UsabilityandPrivacyofPKIAuthentication
ServerCertificate
DHKeyExchange
Serverauthenticatedchannel
Channel-boundClientAuthentication
CurrentPrivacyApproach
Authenticationbindinge.g.ChannelIDorRenego Extension
AnonymousClientCertificate CB=sign(tls-unique,cliSk(channel))<user,HMAC(password,CB)>
• UserUnfriendly• Complex• KeyCompromiseImpersonationattacks
TheInternetPKI
PublicKey
PublicKey
PublicKey
Algorithm+Parameters
Signaturevalue
Algorithm+Parameters
Signaturevalue
Algorithm+Parameters
Signaturevalue
Issuer
Subject
Subject
Subject
Issuer
Issuer
Signed by
Matches
Deployment:X.509SignatureScheme
CAPublicKey
PublicKey
PublicKey
Algorithm+Parameters
Signaturevalue
Algorithm+Parameters
Signaturevalue
Proof
RootCA
IntermediateCA
CN=Peggy,Age=29
IntermediateCA
PseudonymCertificate
Extension:Vk
Peggy’scertC
OCSPcertificateofNon-revocation
Pseudonymcreation
Ek
ASN.1
Binaryencodingstandard
Ancient(1984)
<Tag,Length,Value>
Distinguishedrules(DER):uniqueserialization
CheckingRSASignatures
Assumefixede=65537=2^16+1