Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation
Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Bryan Parno
The X.509 Public Key Infrastructure (1988)
A certificate chain: endpoint certificate, signed by an intermediate Certificate Authority certificate, signed by a root Certification Authority certificate.
X.509 Authentication
Certificate Authorities issue certificates to the holders of private keys. The relying party runs a certificate validation program over the chain (data, 1-3 KB per certificate) together with its authorized root certificates, possibly consulting additional evidence: OCSP, Certificate Transparency, Perspectives…
X.509 Problem: Application Heterogeneity
Basic validation (common to all applications):
• Correct ASN.1 encoding (injective parsing)
• Correct signatures from one certificate to the next
• Valid basic constraints
• Subject / Subject Alternative Names compatible with Name Constraints?
• Valid key usages
• Acceptable algorithms and key sizes
TLS validation:
• notBefore < now() < notAfter?
• Domain == Subject CN? Domain in Subject Alternative Names? Matches a wildcard name?
• Endpoint EKU includes TLS client / server? Chain allows TLS EKU?
• Not revoked now (OCSP, Certificate Transparency, Perspectives…)
S/MIME validation:
• notBefore < email date < notAfter?
• Subject emailAddress or Alternative Names include sender email?
• Endpoint EKU includes S/MIME? Chain allows S/MIME EKU?
• Not revoked when mail was sent
Applications with their own validation rules: TLS, S/MIME, 802.1X (Wi-Fi), code signing, document signing, …
Recent PKI Failures (timeline 2006-2015)
Crypto failures: HashClash rogue CA (MD5 collision, Stevens et al.); Flame malware (MD5 collision, NSA/GCHQ attack against the Windows CA); 512-bit Korean school CAs; Debian OpenSSL entropy bug; Bleichenbacher's e=3 attack on PKCS#1 signatures; BERSerk; DROWN; The SHAppening.
Formatting & semantics failures: basic constraints not properly enforced (a recurring and catastrophic bug: OpenSSL, GnuTLS, X509v1 handling, OpenSSL CVE-2015-1793); name constraints failures; null prefix; KeyUsage; EKU-unrestricted VeriSign certificates.
CA failures: VeriSign; Superfish; Comodo hack; Trustwave; NetDiscovery; ANSSI; India NIC; VeriSign hack; StartCom hack; DigiNotar hack; TÜRKTRUST; China NNIC.
X.509 Problem: Privacy
A network observer who monitors the certificate and revocation traffic (OCSP, Certificate Transparency, Perspectives…) learns all certificate contents, since every validation program receives the full certificate chain (1-3 KB per certificate) as data.
Cinderella: Main Idea
The certificate validation policy (C code) is compiled by Geppetto into an evaluation key and a verification key. The prover holds the certificates, private keys and other evidence (OCSP, CT) as private data and produces a proof (288 B); the verifier checks the proof against the verification key and its authorized root certificates.
Computation Outsourcing with Pinocchio
Setup phase: a C program F(priv, pub), with public verifier inputs and private prover inputs, is compiled to an arithmetic circuit, from which the verification key Vk and the evaluation key Ek are generated.
Runtime phase: the verifier sends Query(pub); the prover evaluates F(priv, pub) with Ek and returns a succinct proof; the verifier runs Check(Proof, Vk).
Caveat: complex programs compile to very large arithmetic circuits.
[GGP, CRYPTO'10]; [GGPR, EUROCRYPT'13]; [PGHR; S&P'13]; [CFHKKNBZ; S&P'15]
Cinderella: Contributions
• A compiler from high-level validation policy templates to Pinocchio-optimized certificate validators
• Pinocchio-optimized libraries for hashing and RSA-PKCS#1 signature validation
• Several TLS validation policies based on concrete templates and additional evidence (OCSP), tested on real certificates
• An e-voting validation policy based on Helios with the Estonian ID card
Benefits and Caveats
Benefits:
• Compatible with existing PKI and certificates (practicality)
• Ensures uniform application of the validation policy, but allows flexible issuance policies
• Complete control over disclosure of certificate contents (anonymity)
• Less exposure of long-term private keys through weak algorithms
Caveats:
• Computationally expensive
• Requires initial agreement on the validation policy
• Reliance on the security of the verified computation system (new exotic crypto assumption, new trusted key generation)
• Does not solve key management (one more layer to manage)
Cinderella: Soundness
The Geppetto compiler turns the certificate validation policy (C code) into a verification key. Public inputs: the authorized root certificates. Private inputs: the certificates, private keys and other evidence (OCSP, CT). The proof (288 B) convinces the verifier that the policy accepted the private inputs with respect to the public inputs.
Compiling Certificate Templates
An untrusted native parser parses the certificate and generates the prover inputs (variables and variable lists, all private). The template compiler concatenates the compile-time constants with the run-time variables and computes a running hash over them, producing the C/QAP verifier.
Template (constants and variables):

    seq {
      seq {
        # Version
        tag<0>: const<2L>;
        # Serial Number
        var<int, serial, 10, 20>;
        # Signature Algorithm
        seq { const<O1.2.840.113549.1.1.5>; const<null>; };
        # Issuer
        seq {
          set { seq { const<O2.5.4.10>; const<printable:"AlphaSSL">; }; };
          set { seq { const<O2.5.4.3>; const<printable:"AlphaSSL CA - G2">; }; };
        };
        # Validity Period
        seq { var<date, notbefore, 13, 13>; var<date, notafter, 13, 13>; };
        # Subject
        varlist<subject, 2, 4>: set { seq { var<oid, subjectoid, 3, 10>; var<x500, subjectval, 2, 31>; }; };
        […]
Produced Verifier (Fragment)
C verifier program:

    if (in_subject.v[0] > 2) {                  /* variable list: is a third subject attribute present? */
      append(&buffer, in_subjectval[2].tag);    /* constants and variable parts are appended alike */
      append(&buffer, 0 + LEN(in_subjectval[2]));
      for (i = 0; i < 31; i++)                  /* fixed loop bound: the variable's maximum length */
        if (i < LEN(in_subjectval[2]))
          append(&buffer, in_subjectval[2].v[i]);
    }
    if (buffer.cur >= 85)
      reduce(&buffer, &hash);

Append(byte): add the given byte to the hashing buffer. Reduce(): compress one block of the buffer and update the current hash. The hashing buffer is 2 × the hash function block size. Output: the hash of the ASN.1-formatted certificate contents.
Verifying PKCS#1 RSA Signatures
Check that S^e mod N = 1ffffffffff[…]ffffff || kkkkk[…]kkkkkk, where the trailing bytes are the hash computed before.
Assume a fixed e = 65537 = 2^16 + 1, so S^e = S · (((S^2)^2)…)^2: 16 squarings and one multiplication.
S is represented in 120-bit limbs; S^2 has 240+-bit limbs. Each reduction S^2 = Q·N + R takes Q and R as private prover inputs (hints): the verifier checks that the hints are valid (Q·N + R equals S^2, with R < N) and continues with S ← R.
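The hint-checked exponentiation described above, as an added example that is not the Cinderella code: the prover supplies (Q, R) for each of the 17 modular reductions and the verifier only checks Q·N + R = X and 0 ≤ R < N, then compares the result with the PKCS#1 v1.5 encoding of the SHA-256 digest. The toy key (two Mersenne primes), the function names and the message are constructed for the demo.

```python
import hashlib
E = 65537  # fixed public exponent assumed by the verifier (2^16 + 1)

def check_hint(x, n, q, r):
    """Verifier side: accept the prover's claim 'x mod n == r' only if it holds."""
    if not 0 <= r < n:
        raise ValueError("hint R out of range")
    if q * n + r != x:
        raise ValueError("hint (Q, R) does not match X")
    return r

def prover_hints(s, n):
    """Untrusted prover: the 17 (Q, R) pairs the verifier will check."""
    hints, cur = [], s
    for _ in range(16):                  # S -> S^2 -> S^4 -> ... -> S^(2^16)
        hints.append(divmod(cur * cur, n))
        cur = hints[-1][1]
    hints.append(divmod(cur * s, n))     # final multiply gives S^(2^16 + 1)
    return hints

def expected_em(message, k):
    """EM = 00 01 ff..ff 00 || DigestInfo(SHA-256(message)), prefix per RFC 8017."""
    digest_info = (bytes.fromhex("3031300d060960864801650304020105000420")
                   + hashlib.sha256(message).digest())
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def verify_with_hints(sig, n, hints, message):
    """True iff sig^E mod n is the PKCS#1 v1.5 encoding of SHA-256(message)."""
    k = (n.bit_length() + 7) // 8
    if not 0 <= sig < n or len(hints) != 17:
        return False
    try:
        cur = sig
        for i in range(16):
            cur = check_hint(cur * cur, n, *hints[i])
        em = check_hint(cur * sig, n, *hints[16])
    except ValueError:                   # a bad hint is rejected, never repaired
        return False
    return em.to_bytes(k, "big") == expected_em(message, k)

# Constructed toy key for the demo only: Mersenne primes 2^521-1 and 2^607-1 give a valid but insecure modulus.
TOY_P, TOY_Q = (1 << 521) - 1, (1 << 607) - 1
TOY_N = TOY_P * TOY_Q
TOY_D = pow(E, -1, (TOY_P - 1) * (TOY_Q - 1))

def toy_sign(message):
    """Signer side (the CA in X.509); also returns the hints a prover would send."""
    k = (TOY_N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(expected_em(message, k), "big"), TOY_D, TOY_N)
    return sig, prover_hints(sig, TOY_N)
```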
Application: TLS Client (with Offline Signing)
The Geppetto compiler produces the evaluation key and verification key for the policy. Offline, the client runs F(fields) with the evaluation key over its certificate fields and obtains a pseudo-certificate (proof, commitment Ck, disclosed fields) with a pseudo key Ek. In the handshake, the key exchange is signed with Ek and the server checks the proof with the verification key. No change to TLS!
Single Template Evaluation (With Signature)
[Chart: keygen time, proof time and verify time in seconds (log scale, 0.001 to 1000) for the Estonian EID, S/MIME, TLS server OCSP and TLS pseudonym templates.]
Application Evaluation
[Chart: keygen time, proof time and verify time in seconds (log scale, 0.001 to 1000) for TLS with 2 intermediates + OCSP, TLS with 1 intermediate + OCSP, TLS with no intermediate + OCSP, and Helios.]
Conclusions
• One of the first practical applications of verifiable computing
• We enhance the privacy and integrity of X.509 authentication
• No change to the PKI or to application protocols
• Working prototype for TLS and Helios
The Internet PKI With M. Abadi, A. Birrell, I. Mironov, T. Wobber and Y. Xie (NDSS’14)
Core Pinocchio protocol
KeyGen(R) → (EK, VK): generate the MultiQAP $(v_i(x), w_i(x), y_i(x), d(x))$ for $R$; pick a random $s$; compute $EK = \{ g^{v_i(s)}, g^{w_i(s)}, g^{y_i(s)}, g^{\alpha_v v_i(s)}, g^{\alpha_w w_i(s)}, g^{\alpha_y y_i(s)} \}$ and $VK = (g^{\alpha_v}, g^{\alpha_w}, g^{\alpha_y}, g^{d(s)})$.
Commit(EK_0, u_0, o_0) → C_0: generate the commitment $g^{v_0(s)}$ with $v_0(s) = \sum_{i \in I_0} u_i\, v_i(s) + o_{0,v}\, d(s)$, and similarly for $w$ and $y$.
Prove(EK, u, o) → π: find $h(x)$ such that $h(x)\, d(x) = v(x)\, w(x) - y(x)$; compute $g^{h(s)}$ from EK; the proof is $(g^{v(s)}, g^{w(s)}, g^{y(s)}, g^{h(s)})$.
Verify(VK_0, C_0), Verify(VK, C, π) → {Yes, No}: check $e(g^{v_0(s)}, g^{\alpha_v}) = e(g^{\alpha_v v_0(s)}, g)$ (and similarly for $w$ and $y$), and $e(g^{v(s)}, g^{w(s)}) = e(g^{y(s)}, g)\, e(g^{h(s)}, g^{d(s)})$, where $e(\cdot,\cdot)$ is a pairing: $e(g^a, g^b) = e(g, g)^{ab}$.
Workaround: Tunneling (Compound Authentication)
Server certificate and DH key exchange establish a server-authenticated channel; client authentication then runs inside it (TLS renegotiation, TLS 1.3 handshake encryption).
• Performance overhead of tunneling
• Server still sees all certificate fields
• Not always possible (S/MIME, code and document signing)