certificate transparency with privacy
play

Certificate Transparency with Privacy Saba Eskandarian, Eran - PowerPoint PPT Presentation

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford Certificate Authorities Public Key Certificate Authorities Public Key Certificate CA Certificate apo-CA-lypse


  1. Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford

  2. Certificate Authorities Public Key

  3. Certificate Authorities Public Key Certificate CA Certificate

  4. apo-CA-lypse

  5. apo-CA-lypse

  6. Outline ● Certificate Transparency ● Redaction of private subdomains ● Privacy-preserving proof of misbehavior

  7. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Public Key Certificate CA Certificate

  8. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Log Public Key Certificate CA Certificate ...

  9. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Log Public Key Certificate CA Certificate ...

  10. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Log Certificate Public Key Certificate, SCT CA Certificate, SCT SCT ...

  11. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Log Certificate Public Key Certificate, SCT CA Certificate, SCT SCT ...

  12. Certificate Transparency (CT) Idea : public, verifiable log of all certificates Log Certificate Public Key Certificate, SCT CA Certificate, SCT SCT ... CT logging required by chrome for all sites starting October 2017!

  13. Transparency and Privacy?

  14. Outline ● Certificate Transparency ● Redaction of private subdomains ● Privacy-preserving proof of misbehavior

  15. Redaction: keeping secrets on a public log Log CA Request Certificate secret.facebook.com Precertificate secret.facebook.com SCT secret.facebook.com Certificate, SCT ... secret.facebook.com Problem: secret.facebook.com is publicly visible on the log!

  16. Redaction: keeping secrets on a public log Log CA Request Certificate secret.facebook.com Precertificate secret.facebook.com Redacted SCT Redacted secret.facebook.com Certificate, SCT ... secret.facebook.com Problem: secret.facebook.com is publicly visible on the log!

  17. Tools: Commitments Usage: val c ← Commit(m, r) Verify(c, m, r) Commit(m, r) r Security Properties: Hiding : given commitment Commit(m, r), can’t find m Binding : given commitment Commit(m, r), can’t decommit to m’ ≠ m

  18. Tools: Commitments Usage: c ← Commit(m, r) Verify(c, m, r) r Security Properties: Hiding : given commitment Commit(m, r), can’t find m Binding : given commitment Commit(m, r), can’t decommit to m’ ≠ m

  19. Tools: Commitments Usage: val r c ← Commit(m, r) Verify(c, m, r) r Verify( , val, r) Security Properties: Hiding : given commitment Commit(m, r), can’t find m Binding : given commitment Commit(m, r), can’t decommit to m’ ≠ m

  20. Subdomain Redaction via Commitments Log CA Request Certificate secret.facebook.com secret.facebook.com ...

  21. Subdomain Redaction via Commitments Log CA Request Certificate Precertificate secret.facebook.com secret.facebook.com secret.facebook.com ...

  22. Subdomain Redaction via Commitments Log CA Request Certificate Precertificate secret.facebook.com secret.facebook.com secret.facebook.com SCT ... secret.facebook.com .facebook .com

  23. Subdomain Redaction via Commitments Log CA Request Certificate Precertificate secret.facebook.com secret.facebook.com secret.facebook.com SCT Certificate secret.facebook.com ... secret.facebook.com SCT: secret.facebook.com SCT Opening: .facebook .com

  24. Subdomain Redaction via Commitments Page Request: secret.facebook.com

  25. Subdomain Redaction via Commitments Page Request: secret.facebook.com Certificate secret.facebook.com SCT: secret.facebook.com SCT Opening:

  26. Subdomain Redaction via Commitments Page Request: secret.facebook.com Certificate secret.facebook.com SCT: secret.facebook.com SCT Opening: Verify( , secret , )

  27. Security How can a monitor still check the log? Knowledge of number of entries per domain owner reveals extra certificates Why can’t a malicious site or CA reuse an existing redacted SCT? Binding property of commitment

  28. Outline ● Certificate Transparency ● Redaction of private subdomains ● Privacy-preserving proof of misbehavior

  29. Privacy-Compromising Proof of Exclusion Log 1 2 3 4 5 6 7 8 9 10 Excluded SCT secret.facebook.com

  30. Privacy-Compromising Proof of Exclusion Log 1 2 3 4 5 6 7 8 9 10 Excluded SCT secret.facebook.com

  31. Goals ● Auditor proves to vendor that an SCT is missing from log ● Auditor does not reveal domain name, vendor only learns that log is misbehaving

  32. Goals ● Auditor proves to vendor that an SCT is missing from log ● Auditor does not reveal domain name, vendor only learns that log is misbehaving Then: ● Vendor can investigate log ● Vendor can blindly revoke missing certificate (by pushing a revocation value to all browsers)

  33. Goals ● Auditor proves to vendor that an SCT is missing from log ● Auditor does not reveal domain name, vendor only learns that log is misbehaving Then: ● Vendor can investigate log ● Vendor can blindly revoke missing certificate (by pushing a revocation value to all browsers) Assumption: timestamps in order

  34. What Does Auditor Prove? Log 1 2 3 4 5 6 7 8 9 10 Excluded SCT

  35. What Does Auditor Prove? Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 Excluded t=25 SCT Assumption: timestamps in order

  36. What Does Auditor Prove? Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 Excluded t=25 SCT Assumption: timestamps in order

  37. What Does Auditor Prove? Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 3 4 t=25 t=21 t=27

  38. What Does Auditor Prove? Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 3 4 What about t=25 t=21 t=27 privacy?!

  39. Tools: Additively Homomorphic Commitments val 1 val 2

  40. Tools: Additively Homomorphic Commitments + val 1 val 2

  41. Tools: Additively Homomorphic Commitments + = val 1 val 2 val 1 +val 2

  42. Tools: Zero-Knowledge Proofs A

  43. Tools: Zero-Knowledge Proofs = A B

  44. Tools: Zero-Knowledge Proofs = A B 0 < < 5 A A

  45. Tools: Zero-Knowledge Proofs = A B val val sk 0 < < 5 A A

  46. Tools: Zero-Knowledge Proofs = A B val val sk 0 < < 5 A A

  47. Tools: Zero-Knowledge Proofs = A B val val sk 0 < < 5 A A

  48. Proof of Exclusion Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 3 4 What about t=25 t=21 t=27 privacy?!

  49. Proof of Exclusion Log 1 2 3 4 5 6 7 8 9 10 t=4 t=18 t=21 t=27 t=30 t=38 t=41 t=42 t=50 t=59 X Y Z Index(X) Index(Z) What about Time(Y) Time(X) Time(Z) privacy?!

  50. Proof of Exclusion X Y Z

  51. Proof of Exclusion + 1 = Index(X) Index(Z) X Y < < Time(X) Time(Y) Time(Z) Z

  52. Proof of Exclusion + 1 = Index(X) Index(Z) X Y < < Time(X) Time(Y) Time(Z) Z

  53. Proof of Exclusion + 1 = Index(X) Index(Z) X Y < < Time(X) Time(Y) Time(Z) Z

  54. Proof of Exclusion + 1 = Index(X) Index(Z) X Y Are these < < numbers really Time(X) Time(Y) Time(Z) from the log? Z

  55. Proof of Exclusion + 1 = 11 12 X Y < < 3 4 5 Z hehehe...

  56. Proof of Exclusion X Needed for proof Index(X) Time(X)

  57. Proof of Exclusion X New H(x)+Index(X) H(x) H(x)+Time(X) signatures from log sk I sk H sk T Needed for proof Index(X) Time(X)

  58. Proof of Exclusion X New H(x)+Index(X) H(x) H(x)+Time(X) signatures from log sk I sk H sk T H(X) Needed for proof Index(X) Time(X)

  59. Proof of Exclusion X New H(x)+Index(X) H(x) H(x)+Time(X) signatures from log sk I sk H sk T + + H(X) Needed for proof Index(X) Time(X)

  60. Proof of Exclusion X New H(x)+Index(X) H(x) H(x)+Time(X) signatures from log sk I sk H sk T + + H(x)+Index(X) H(X) H(x)+Time(X) Needed for proof Index(X) Time(X)

  61. Proof of Exclusion X New H(x)+Index(X) H(x) H(x)+Time(X) signatures from log sk I sk H sk T + + H(x)+Index(X) H(X) H(x)+Time(X) Needed for proof Index(X) Time(X)

  62. Performance Numbers Online Costs Offline Costs (storage) Proof Size: 333 kB Growth of log entry: 480 bytes Time to generate: 5.0 seconds Growth of SCT: 160 bytes Time to verify: 2.3 seconds Revocation notice size: 32 bytes

  63. Summary ● CT is an exciting new feature of our web infrastructure ● Transparency raises new privacy concerns ● Work on privacy-preserving solutions to two issues: ○ Compatibility between CT and need for private domain names ○ Reporting CT log misbehavior without revealing private information See paper for details and security proofs: https://arxiv.org/pdf/1703.02209.pdf

Recommend


More recommend