coniks key transparency
play

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara The - PowerPoint PPT Presentation

Nov 01, 2022 •322 likes •918 views

[USENIX Security 15, Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, Michael J. Freedman] CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara The problem of the PKI (Public key infrastructure) A long

  1. [USENIX Security ’15, Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, Michael J. Freedman] CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara

  2. The problem of the PKI (Public key infrastructure) • A long standing problem has been to distribute public keys securely in the presence of attackers • Use cases: • Secure messaging: Alice needs to send an encrypted message to Bob and needs Bob’s public key to encrypt the message • Web surfing and https: when Alice’s browser contacts amazon.com over https, we need Amazon’s PK • Man in the middle attacker can intercept PK and return incorrect PK

  3. Centralized Key Management Email + Key Provider foo.com Register Register 1 1 (alice à PK A ) (bob à PK B ) User User Alice Bob

  4. Centralized Key Management Email + Key Provider foo.com Register Look up Alice’s 1 2 3 3 (alice à PK A ) public key: PK A Send message encrypted to PK A , signed by SK B User User Alice Bob

  5. Still, Key Server Compromise Email + Key This isn’t Alice’s Provider real key! foo.com Equivocates: returns Register Look up Alice’s 1 2 incorrect value (alice à PK A ) public key: PK’ A User User Alice Bob

  6. Still, Key Server Compromise Email + Key Provider Read message foo.com 4 encrypted to PK’ A Send message encrypted to PK’ A , 3 signed by SK B User User Alice Bob

  7. KT’s Approach: Consistent Identities • Users expect consistency of online identities. • Certificates make no statement about correctness.

  8. Consistency Non-Equivocation No unexpected key changes Alice’s key today = Alice’s key yesterday Key seen by Alice = Key seen by Bob

  9. Solution: a promising new generation • CONIKS • An alternative Public Key Infrastructure (PKI) • Embedded in Google’s project called Key Transparency or Trillian • The key data structure is the Log-backed Verified Map • Certificate Transparency • Similar technology to Key Transparency but aimed at certificates • Currently mandated by Chrome, supported by Firefox and others These are essentially blockchains, with decentralized security but hosted centrally

  10. CONIKS [Melara et al. 2014] • End-User Key Management Service. • Consistent name-to-key bindings. • Verifiable key directories à Untrusted identity providers. • Clients verify consistency in-band. à automated key management

  11. CONIKS Overview Untrusted Identity Provider foo.com Register Register 1 1 (alice à PK A ) (bob à PK Bs ) Client Client A B User User Alice Bob

  12. Using CONIKS for E2E Encryption Untrusted Identity Provider foo.com Look up the public key 4 Look up public key for bob: 2 for alice: PK A PK B , verify signature, decrypt using SK A Client Client A B User User 3 Alice Bob Send message encrypted to PK A , signed by SK B

  13. Strawman Design Untrusted Identity Provider foo.com Validity Checks O(N) storage per client N = 4 Client Client Client Client A C B D Non-equivocation Checks O(N 2 ) downloads per client

  14. CONIKS Design • Divide time into epochs. • Providers generate snapshots of directory. à Clients do not check individual bindings. • Providers distribute snapshots to other providers. à Build publicly verifiable history • Non-repudiation: Snapshots are digitally signed.

  15. Efficient Snapshots root snapshot = root signed by foo.com provider H(sub L ) H(sub R ) H(sub L ) H(sub R ) H(sub L ) H(sub R ) i george : i charlie : i emily : i alice : PK George PK Charlie PK Emily PK Alice

  16. Efficient Snapshots root foo.com H(sub L ) H(sub R ) 0 1 H(sub L ) H(sub R ) H(sub L ) H(sub R ) 0 1 0 1 i george : i charlie : i emily : i alice : PK George PK Charlie PK Emily PK Alice username -> index; arrange usernames based on index in the leaves

  17. Checking Consistency • Use snapshots to check for consistency. • Clients need to ensure bindings are included in snapshots. • Lookups: prove inclusion of bindings in directory. • Clients check validity, non-equivocation. • Providers cross-verify each other for non-equivocation.

  18. Proving Inclusion: Authentication Paths A user can ask the server to prove inclusion of a binding (i->PK) against a signed snapshot: this can be the owner of the binding, or a user wanting to fetch the PK for i root foo.com H(sub L ) H(sub R ) 0 1 H(sub L ) H(sub R ) H(sub L ) H(sub R ) 0 1 i charlie : i alice : PK Charlie PK Alice

  19. Proving Inclusion: Authentication Paths root foo.com H(sub L ) H(sub R ) 0 H(sub L ) H(sub R ) 0 i alice : PK Alice

  20. What we have so far • A client, say Alice can check that her binding is correct in a signed snapshot • Another client fetching Alice’s key can check Alice’s binding against the signed snapshot • What is missing? • Provider can equivocate about the signed snapshot (e.g., give different signed snapshots • How to address this?

  21. Checking Non-Equivocation: Snapshot History Snapshot 0 Snapshot prev Snapshot t 0 -1 t prev t prev-1 t t prev … H(seed) root 0 H(root prev-1 ) root prev H(root prev ) root t Blockchain! Trillian calls this: Log-backed Verified Map The provider gives the signed last snapshot to other providers, who check that it is well-formed (e.g., it contains a hash of the previous snapshot) and cross-check that they all received the same snapshot

  22. Why do we need to chain the hashes? • Otherwise, providers need to exchange the whole history to check for consistency • With a hash chain forks are not possible • Why? • Collusion resistance of the hash

  23. Checking Non-Equivocation: Snapshot History Snapshot prev Snapshot t t prev t prev-1 t t prev Snapshot 0 H(root prev-1 ) root prev H(root prev ) root t 0 -1 … H(seed) root 0 Snapshot’ prev Snapshot’ t t prev t prev-1 t t prev H(root’ prev-1 ) root’ prev H(root’ prev ) root’ t The server can try a fork attack, but after fork the provider must maintain these forked hash chains for the rest of time, and not allow clients seeing one branch of the hash chain to communicate with anyone seeing the other branch.

  24. CONIKS Protocols • Registration: New bindings/updated keys. • Lookups: Clients check bindings are included in directory. • Monitoring: Clients check for validity of bindings. • Auditing: Clients & providers check for non-equivocation.

  25. CONIKS Protocols • Registration: New bindings/updated keys. • Lookups: Clients check bindings are included in directory. • Monitoring: Clients check for validity of bindings. • Auditing: Clients & providers check for non-equivocation.

  26. Registration Protocol Untrusted Check ``alice’’ is Identity Provider not taken already foo.com Why do we need this “promise” signed? (provider might discard Temporary binding = Register update forever) 2 3 [(alice à PK A ) + next epoch], (alice à PK A ) Sig(TB) Client Client A B 1 User User Generate key pair Alice Bob (PK A , SK A )

  27. CONIKS Protocols • Registration: new bindings/updated keys. • Lookups: Clients check bindings are included in directory. • Monitoring: Clients check for validity of bindings. • Auditing: Clients & providers check for non-equivocation.

  28. Lookups without Inclusion Proofs Publish new snapshot including PK A Untrusted PK A Identity Provider PK B … foo.com Register (alice à PK A ) Client Client A B User User Alice Bob Provider regularly generates and publishes snapshots

  29. Lookups without Inclusion Proofs Untrusted Identity Provider This isn’t alice’s foo.com real key! Look up the public key for alice: PK’ A Client Client A B User User Alice Bob Return Fake Key

  30. Lookups without Inclusion Proofs Untrusted Identity Provider foo.com PK A PK B … Client Client A B Verify & accept User User snapshot Alice Bob No proof fake key is inconsistent with snapshot

  31. Lookups without Inclusion Proofs Untrusted Identity Provider Read message foo.com encrypted to PK’ A Send message encrypted to PK’ A , signed by SK B Client Client A B User User Alice Bob Provider can read Bob’s message

  32. Lookup Protocol • Ensures bindings are consistent with snapshots. • Prevents malicious providers from publishing fake keys and not leaving any evidence of the misbehavior.

  33. Lookup Protocol Untrusted Identity Provider foo.com Send proof of inclusion: Lookup 1 2 Authentication path for (alice à PK A ) (alice à PK A ) Client Client A B 3 User User Verify auth. path Alice Bob

  34. CONIKS Protocols • Registration: new bindings/updated keys. • Lookups: Clients check bindings are included in directory. • Monitoring: Clients check for validity of bindings. • Auditing: Clients & providers check for non-equivocation. What can happen without monitoring?

  35. Communication without Monitoring Untrusted Identity Provider foo.com Register (alice à PK A ) Look up the public key for alice: PK A Client Client A B User User Alice Bob Epoch 1: Key has not Changed

  36. Communication without Monitoring Untrusted Identity Provider foo.com Send message encrypted to PK A , signed by SK B Client Client A B User User Alice Bob Epoch 1: Provider cannot read Bob’s message

Recommend

CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*,

CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*,

CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*, Edward W. Felten, Michael J. Freedman Princeton University, *Stanford University/EFF E2E Encrypted Communication Today Users growing demand

516 views • 26 slides
CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up for presentations or scribers The problem of the PKI (Public key infrastructure) A long standing problem has been to distribute public keys

1.5k views • 77 slides
1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

Politics and Information: Discussion Notes 1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No democratic society worthy of the name can govern itself without transparency and information. Onthecommons.org

461 views • 5 slides
Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory

Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory

Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory Management Section Prescription Medicines Authorisation Branch Market Authorisation Division, TGA ARCS Scientific Congress Canberra 2016 Two transparency

652 views • 36 slides
www.transparencyindia.org Transparency International India Transparency International-India

www.transparencyindia.org Transparency International India Transparency International-India

www.transparencyindia.org Transparency International India Transparency International-India is the accredited Indian National Chapter of Transparency International. It was established in 1997. Transparency International India endeavors

603 views • 45 slides
Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement

Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement

Capacity-building Initiative for Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement Article 13: Transparency To build mutual trust and confidence and to promote effective implementation

643 views • 15 slides
Fiscal Transparency and Accountability Overview Importance of Institutional Transparency

Fiscal Transparency and Accountability Overview Importance of Institutional Transparency

September 28, 2017 Alex Hathaway Center for State and Local Finance Fiscal Transparency and Accountability Overview Importance of Institutional Transparency Review of the Literature Methodology Volcker Alliance questions

343 views • 16 slides
NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation

NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation

NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation Activities of NTW Workshop on Environmental Mapping: Mobilising Trust in Measurements and Engaging Scientific Citizenry Nadja Zeleznik nzeleznik@rec.org

338 views • 30 slides
Breaking down data silos for improved insight a data transparency perspective Transparency

Breaking down data silos for improved insight a data transparency perspective Transparency

Breaking down data silos for improved insight a data transparency perspective Transparency an organisational view Transparency is all about the release of information by institutions or companies that is relevant for the evaluation of

883 views • 32 slides
transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI

transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI

Driving change in fisheries trade through transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI Sub-Committee on Fish trade / Busan, 6 September 2017 The necessity of transparency in fisheries International

346 views • 15 slides
www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

1 www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013 NZ's National Integrity System Assessment The Treasury Friday 14 th March 2014 1:30pm- 3:00pm liz.brown@paradise.net.nz mpetrie@esg.co.nz

947 views • 45 slides
The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum

The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum

The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum Mykkah Herner, MA, CCP Director of Professional Services Paige Hanley, CCP Sr. Compensation Professional 14,000 Positions 3000 Customers 11 Countries

371 views • 35 slides
LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

TIF FINANCING: Allan-Charles Chipman LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of the truth Transparency can be violated in two ways: 1. Telling some of the people all of the truth 2.

518 views • 35 slides
Transparency-Enhancing Tools PETs PhD Course at Chalmers Tobias Pulls Karlstad University,

Transparency-Enhancing Tools PETs PhD Course at Chalmers Tobias Pulls Karlstad University,

Transparency TETs Transparency Logging A4Cloud Summary Transparency-Enhancing Tools PETs PhD Course at Chalmers Tobias Pulls Karlstad University, Sweden tobias.pulls@kau.se October 29, 2012 Transparency TETs Transparency Logging

1.05k views • 59 slides
Driving Success Driving Success Through Transparency Through Transparency 2013-14 IAE Industry

Driving Success Driving Success Through Transparency Through Transparency 2013-14 IAE Industry

Driving Success Driving Success Through Transparency Through Transparency 2013-14 IAE Industry Outreach Meeting 3 May 13, 2014 Welcome! We look forward to a dialog today. You will have the opportunity to post questions throughout the

410 views • 37 slides
EMEA Transparency Policy Current transparency level Overall acceptable Increase

EMEA Transparency Policy Current transparency level Overall acceptable Increase

EMEA Transparency Policy Current transparency level Overall acceptable Increase information on working parties/scientific committees Further improve management of EMEA website Product related issues Current

337 views • 7 slides
Tools for Corporate Transparency & Accountability Advancing the SDGs: Understanding and

Tools for Corporate Transparency & Accountability Advancing the SDGs: Understanding and

Tools for Corporate Transparency & Accountability Advancing the SDGs: Understanding and Improving the Role of Corporate Transparency April 19, 2018 The Resource Centres mission We seek to build corporate transparency, strengthen

336 views • 5 slides
Democratic Transparency & Engagement John Williams Service Head, Democratic Services

Democratic Transparency & Engagement John Williams Service Head, Democratic Services

Democratic Transparency & Engagement John Williams Service Head, Democratic Services Overview and Scrutiny Committee - Transparency Commission 7 th September 2015 TRANSPARENCY A wide topic. See range of areas covered in DCLG Local

403 views • 8 slides
NET NEUTRALITY: YET MORE TRANSPARENCY AND TRANSPARENCY AND SWITCHING Professor Chris Marsden,

NET NEUTRALITY: YET MORE TRANSPARENCY AND TRANSPARENCY AND SWITCHING Professor Chris Marsden,

NET NEUTRALITY: YET MORE TRANSPARENCY AND TRANSPARENCY AND SWITCHING Professor Chris Marsden, University of Sussex c.marsden@sussex.ac.uk @ChrisTMarsden www.chrismarsden.blogspot.com Network neutrality policy influences Ofcom, government

577 views • 19 slides
Transparency CS 6965 Fall 2011 Transparency Light is an electromagnetic wave Some

Transparency CS 6965 Fall 2011 Transparency Light is an electromagnetic wave Some

Transparency CS 6965 Fall 2011 Transparency Light is an electromagnetic wave Some materials conduct energy at visible frequencies CS 6965 Fall 2011 2 Transmitted rays plane of incidence i n r 1 1 1 boundary 2 t

736 views • 38 slides
Transparency Imperative March 2017 Deb Arcoleo Director, Product Transparency @debarc

Transparency Imperative March 2017 Deb Arcoleo Director, Product Transparency @debarc

The Changing Consumer and the Transparency Imperative March 2017 Deb Arcoleo Director, Product Transparency @debarc darcoleo@hersheys.com linkedin.com/in/deboraharcoleo A little about Hershey Consumer perspective The trust issue in the

2.72k views • 64 slides
Remote Procedure Call (RPC) and Transparency Brad Karp UCL Computer Science CS GZ03 / M030 11

Remote Procedure Call (RPC) and Transparency Brad Karp UCL Computer Science CS GZ03 / M030 11

Remote Procedure Call (RPC) and Transparency Brad Karp UCL Computer Science CS GZ03 / M030 11 th October 2017 Transparency in Distributed Systems Programmers accustomed to writing code for a single box Transparency: retain feel

536 views • 34 slides
Tran ansparency International EU EU Transparency Intl initiative and report welcomed

Tran ansparency International EU EU Transparency Intl initiative and report welcomed

www.transparency.eu /euro Tran ansparency International EU EU Transparency Intl initiative and report welcomed MD Declarations of interest (voluntarily) published Further tweaks to gift register www.transparency.eu /euro BEYOND

477 views • 13 slides
13 th Transparency Workshop Update on the TP activities BluePoint Meeting Centre 21 November 2019

13 th Transparency Workshop Update on the TP activities BluePoint Meeting Centre 21 November 2019

Brussels 21/11/2019 13 th Transparency Workshop Update on the TP activities BluePoint Meeting Centre 21 November 2019 Kathrine Nygaard Stannov, Subject Manager Transparency Rene Prins, Transparency Adviser Agenda > New developments in 2019

648 views • 32 slides

More recommend