Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation

Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Bryan Parno

The X.509 Public Key Infrastructure (1988)

Figure: X.509 authentication. A Certificate Authority issues certificates + private keys; the prover presents a chain (endpoint certificate, intermediate Certificate Authority certificate, root Certification Authority certificate; 1-3KB / certificate); the relying party runs a certificate validation program over the chain and its authorized root certificates (data), plus OCSP, Certificate Transparency, Perspectives…

X.509 Problem: Application Heterogeneity

Applications: TLS, S/MIME, 802.1X (Wi-Fi), Code signing, Document signing, …

Basic Validation (certificate validation program with authorized root certificates as data; 1-3KB / certificate):
• Correct ASN.1 encoding (injective parsing)
• Correct signatures from one certificate to the next
• Valid basic constraints
• Subject or Alternative Names compatible with Name Constraints?
• Valid key usages
• Acceptable algorithms and key sizes

TLS validation:
• notBefore < now() < notAfter ?
• Domain == Subject CN? Domain in Subject Alternative Names? Matches a wildcard name?
• Endpoint EKU includes TLS client / server?
• Chain allows TLS EKU?
• Not revoked now

S/MIME validation:
• notBefore < email date < notAfter ?
• Subject emailAddress or Alternative Names include sender email?
• Endpoint EKU includes S/MIME?
• Chain allows S/MIME EKU?
• Not revoked when mail was sent

OCSP, Certificate Transparency, Perspectives…

Recent PKI Failures (timeline 2006-2015)

Crypto failures: Debian OpenSSL entropy bug; Bleichenbacher’s e=3 attack on PKCS#1 signatures; HashClash rogue CA (MD5 collision, Stevens et al.); The SHAppening; Flame malware; NSA/GCHQ attack against Windows CA; 512 bit Korean School CAs; BERSerk; DROWN

Formatting & semantics: KeyUsage; Basic constraints not properly enforced (recurring & catastrophic bug); Name constraints failures; OpenSSL null prefix; GnuTLS X509v1; OpenSSL CVE-2015-1793

CA failures: VeriSign NetDiscovery; StartCom hack; EKU-unrestricted VeriSign certificates; Comodo hack; VeriSign hack; Trustwave; ANSSI; Superfish; India NIC; DigiNotar hack; TÜRKTRUST; China NNIC

X.509 Problem: Privacy

Figure: a network observer sees the certificates sent for validation (1-3KB / certificate) and learns all certificate contents; it can also monitor the requests the certificate validation program makes to OCSP, Certificate Transparency, Perspectives… The authorized root certificates (data) and the prover's certificates + private keys stay at the endpoints.

Cinderella: Main Idea

Figure: the certificate validation policy (C code) and the authorized root certificates (data) go through the Geppetto compiler, which outputs an evaluation key for the prover and a verification key for the verifier. The prover runs the compiled validator over its certificates + private keys and other evidence (OCSP, CT) and sends only a Proof (288 B); the verifier checks that proof with the verification key.

Computation Outsourcing with Pinocchio

Complex programs compile to very large arithmetic circuits.

Setup Phase: a C program F(priv, pub), with priv the private prover inputs and pub the public verifier inputs, is compiled to an arithmetic circuit, from which the Evaluation Key Ek and the Verification Key Vk are generated.

Runtime Phase: the verifier sends Query(pub); the prover evaluates F(priv, pub) using Ek and returns a Succinct Proof; the verifier runs Check(Proof, Vk).

[GGP, CRYPTO’10]; [GGPR, EUROCRYPT’13]; [PGHR, S&P’13]; [CFHKKNBZ, S&P’15]

Cinderella: Contributions
• A compiler from high-level validation policy templates to Pinocchio-optimized certificate validators
• Pinocchio-optimized libraries for hashing and RSA-PKCS#1 signature validation
• Several TLS validation policies based on concrete templates and additional evidence (OCSP), tested on real certificates
• An e-Voting validation policy based on Helios with Estonian ID card

Benefits and Caveats

Benefits:
• Compatible with existing PKI and certificates (practicality)
• Ensures uniform application of the validation policy but allows flexible issuance policies
• Complete control over disclosure of certificate contents (anonymity)
• Less exposure of long-term private key through weak algorithms

Caveats:
• Computationally expensive
• Initial agreement on the validation policy
• Reliance on security of verified computation system (new exotic crypto assumption, new trusted key generation)
• Does not solve key management (one more layer to manage)

Cinderella: Soundness

Figure: the same pipeline as the main idea, with the trust split made explicit. Public inputs: the certificate validation policy (C code), the authorized root certificates (data), the verification key produced by the Geppetto compiler, and other evidence (OCSP, CT); the Proof (288 B) is checked against these. The certificates + private keys are the prover's private inputs and never leave it.

Compiling Certificate Templates

Template (fragment; legend: Variables, Variable lists, Constants):

seq {seq { # Validity Period # Version seq { tag: const; var; # Serial Number var; var; }; # Signature Algorithm seq { # Subject const; seq { const; }; varlist: set { # Issuer seq { seq { set { seq { var; const; var; const; }; };};set { seq { const; }; const; }; }; }; […]

Pipeline: private inputs go through an Untrusted Native Parser (Parse certificate, Generate Prover Inputs); the Template goes through the Verifier compiler, which produces the C/QAP verifier (Concatenate compile-time constants and run-time vars; Compute running hash).

Produced Verifier (Fragment), walking the variable list and constants:

if(in_subject.v[0] > 2) {
  append(&buffer, in_subjectval[2].tag);
  append(&buffer, 0 + LEN(in_subjectval[2]));
  for(i=0; i

Figure: the modular squaring identity S² = Q*N + R used for RSA signature checking inside the circuit; operands are split into 120-bit limbs and the intermediate products are 240+ bits wide.
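As an added example (not the paper's or the slides' code), a plain-Python model of the split the S² = Q*N + R diagram describes: the untrusted native prover computes quotient and remainder, and the circuit-side verifier only checks the identity and the range of R, never dividing. It goes beyond the single squaring on the slide to the full square-and-multiply chain of an RSA verification; the exponent 65537, the demo modulus and all function names are our assumptions.

```python
# Added example (ours, not Cinderella's code): the verifier-side check behind
# "S^2 = Q*N + R". Division is costly in an arithmetic circuit, so the prover
# supplies Q and R as private inputs and the circuit only checks them.

def mulmod_witness(a, b, n):
    """Prover side (native, untrusted): q, r with a*b == q*n + r."""
    return divmod(a * b, n)

def mulmod_check(a, b, n, q, r):
    """Circuit side: accept r as a*b mod n iff a*b == q*n + r and 0 <= r < n.
    Without the range check the prover could claim q = 0, r = a*b."""
    return 0 <= r < n and a * b == q * n + r

def modexp_steps(e):
    """Left-to-right square-and-multiply schedule for exponent e."""
    for bit in bin(e)[3:]:          # bits below the leading 1
        yield "sq"
        if bit == "1":
            yield "mul"

def modexp_witness(s, e, n):
    """Prover: compute s^e mod n natively, recording (q, r) for every step."""
    acc, trace = s, []
    for op in modexp_steps(e):
        q, r = mulmod_witness(acc, acc if op == "sq" else s, n)
        trace.append((q, r))
        acc = r
    return trace

def modexp_verify(s, e, n, trace):
    """Verifier (the circuit's job): replay the schedule using only the prover's
    (q, r) pairs; returns s^e mod n, or None if any step is inconsistent."""
    steps = list(modexp_steps(e))
    if len(trace) != len(steps):
        return None
    acc = s
    for op, (q, r) in zip(steps, trace):
        if not mulmod_check(acc, acc if op == "sq" else s, n, q, r):
            return None
        acc = r
    return acc

# Constructed demo values (not a real key): N is a product of two Mersenne primes.
DEMO_N = (2**127 - 1) * (2**521 - 1)
DEMO_E = 65537
DEMO_S = 0x123456789ABCDEF0112233445566778899AABBCCDDEEFF00

if __name__ == "__main__":
    trace = modexp_witness(DEMO_S, DEMO_E, DEMO_N)
    print(modexp_verify(DEMO_S, DEMO_E, DEMO_N, trace) == pow(DEMO_S, DEMO_E, DEMO_N))
```

A witness whose first remainder is shifted by N (q-1, r+N) still satisfies the identity but fails the range check, which is why the circuit must enforce 0 <= R < N and not just S² = Q*N + R.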