
d351a7aa3b26373e3e26b70111f6e2bf.ppt
- Number of slides: 13

A Simple Traceable Pseudonym Certificate System for RSA-based PKI
SCGroup, Jinhae Kim
Introduction
- Digital certificate: an authorized assertion about a public key
  - The holder can prove ownership of the key by using the corresponding private key
  - The current PKI is privacy-intrusive
    - Certificates can be linked and traced
- Pseudonym certificate
  - Identifiable by a pseudonym only
  - A digital certificate that contains a pseudonym as the subject identifier
  - Can be used in anonymous transactions

Building Blocks
- PKI
- RSA
- Pseudonym
- Blind signature
- Threshold cryptography
- X.509 certificate
Basic Model
[Figure: CA, User, Site 1 ... Site n, and the pseudonym certificate Issuer (PI) composed of an Anonymous Issuer (AI) and a Blind Issuer (BI); message flows numbered 1-6 and i-iv.]

Basic Model (cont'd)
- User U holds a digital certificate issued by the CA
  I. Using a real identity
  II. User can access service providers (SPs)
  III. An SP asks PI to revoke a certificate
- PI: pseudonym certificate issuer (AI and BI)
  IV. AI and BI collaborate to link ID_U and PN_U
- ID_U: real identity of user U
- PN_U: pseudonym of user U
Traceable Pseudonym Certificates

(a) X.509 v3 certificate field   | (b) Pseudonym Certificate Skeleton | (c) Traceable Pseudonym Certificate
---------------------------------|------------------------------------|------------------------------------
Version                          | 3                                  |
Serial Number                    | SN                                 | SN
Signature Algorithm ID           | RSA                                |
Issuer Name                      | PI                                 | PI
Validity Period                  | *                                  | Validity Period
Subject Name                     | *                                  | PN
Subject Public Key Info          | *                                  | ppk_U, SIG_PN
Extensions                       | Critical: (C_i), *                 | (C_1, C_2, ..., C_m)

(* = field left open in the skeleton and filled in the issued certificate)

Basic Protocol - I
- Basic assumptions
  - The authentic public keys of the CA and of PS are respectively available.
  - User U holds a real identity certificate denoted by {ID_U, pk_U}SIG_CA
  - The RSA private exponent d of PI is split into d_2 for AI and d_1 for BI (in the case of a single BI)
- AI can control and verify the contents of a pseudonym certificate
- BI can verify the user's real identity
Basic Protocol - II
1. U -> AI: Skeleton Request
   - Option: U can submit her basic information so that AI can choose an appropriate BI
   - AI stores the certificate skeleton under index SN
2. AI -> U: Certificate Skeleton
   - b <- <PN_U, ppk_U, SIG_U>
   - M <- <b, (c_i)>
   - h = H(M)
   - u = h * r^e mod N, where r is a random blinding number
3. U -> BI: {ID_U, pk_U}SIG_CA, {{u}SIG_U, rho}ENC_BI
   - BI verifies {ID_U, pk_U}SIG_CA under pk_CA
   - BI decrypts {{u}SIG_U, rho}ENC_BI and verifies u under pk_U
     1. Records <{u}ENC_BI : ID_U>
     2. Computes w = u^d_1 mod N

Basic Protocol - III
4. BI -> U: {{w}ENC_AI}_rho
   - U decrypts {w}ENC_AI under rho
   - U computes <{M}SIG_PN, r, {w}ENC_AI>
5. U -> AI: <{M}SIG_PN, r, {w}ENC_AI>
   - AI verifies {M}SIG_PN under ppk_U and compares it with the stored record for SN
   - Computes z = w^d_2 mod N
   - Checks z * r^-1 mod N under <M, e, N>
   - Records <PN_U : {z}ENC_AI>
   - Sends z
6. AI -> U: z
   - U computes z * r^-1 mod N to recover h^d mod N
   - U verifies h^d mod N under <M, e, N>
   - Traceable pseudonym certificate: <M, h^d mod N>

Pseudonym Revocation and Trace
- An SP asks AI to revoke a certain pseudonym
  - Submits PN_U to AI
- AI retrieves <PN_U : {z}ENC_AI>
  - Recovers z and sends it to BI
- BI obtains the real identity ID_U
  - u = z^e mod N
  - From <{u}ENC_BI : ID_U> it can find ID_U
- Revoking all pseudonyms of a user U'
  - BI retrieves all records <{u}ENC_BI : ID_U'>
  - Sends u^d_1 mod N to AI securely
  - AI raises to d_2 to get z and retrieves all pseudonyms of U'
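The following is an added toy model of the two-issuer blind signing in Basic Protocol II/III and the AI+BI trace above; it is not code from the slides or the paper. Constructed demo assumptions: a tiny RSA modulus, SHA-256 folded into Z_N standing in for H(M), the multiplicative split d = d_1 * d_2 (mod phi(N)) implied by w = u^d_1 and z = w^d_2, and the ENC_AI/ENC_BI/rho encryption layer and X.509 encoding omitted.

```python
import hashlib
import math
# Constructed toy RSA key for PI; real deployments use >= 2048-bit moduli.
P, Q = 1000003, 1000033
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)
# Split d = d1 * d2 (mod phi): BI holds d1, AI holds d2, nobody holds d.
D1 = next(x for x in range(3, PHI) if math.gcd(x, PHI) == 1)
D2 = D * pow(D1, -1, PHI) % PHI

def H(message: bytes) -> int:
    """Toy hash of the skeleton M into Z_N (demo only, not a real FDH/padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def user_blind(h: int, r: int) -> int:
    """Step 2: u = h * r^e mod N with the user's random blinding factor r."""
    return h * pow(r, E, N) % N
def bi_sign(u: int, id_u: str, bi_records: dict) -> int:
    """Step 3: BI records <u : ID_U> and returns w = u^d1 mod N; BI never sees M."""
    bi_records[u] = id_u
    return pow(u, D1, N)
def ai_sign(w: int, r: int, h: int, pn: str, ai_records: dict) -> int:
    """Step 5: z = w^d2 mod N, check z * r^-1 under <M, e, N>, record <PN_U : z>."""
    z = pow(w, D2, N)
    if pow(z * pow(r, -1, N) % N, E, N) != h:
        raise ValueError("BI's partial signature does not verify")
    ai_records[pn] = z
    return z

def user_unblind(z: int, r: int) -> int:
    """Step 6: the user strips the blinding, z * r^-1 = h^d mod N."""
    return z * pow(r, -1, N) % N
def verify(sig: int, message: bytes) -> bool:
    """Anyone checks the traceable pseudonym certificate <M, h^d> under <e, N>."""
    return pow(sig, E, N) == H(message)

def trace(pn: str, ai_records: dict, bi_records: dict):
    """Trace: AI releases z for PN_U, BI computes u = z^e mod N and looks up ID_U."""
    u = pow(ai_records[pn], E, N)
    return bi_records.get(u)

def run_demo():
    ai_records, bi_records = {}, {}
    skeleton = b"SN=1;issuer=PI;subject=PN_U;ppk_U=...;C1,C2"  # constructed M
    h, r = H(skeleton), 123456789  # r must be random and secret in practice
    w = bi_sign(user_blind(h, r), "ID_U=alice", bi_records)
    z = ai_sign(w, r, h, "PN_U", ai_records)
    sig = user_unblind(z, r)
    return verify(sig, skeleton), trace("PN_U", ai_records, bi_records)
```

Only the joint records of AI (<PN_U : z>) and BI (<u : ID_U>) link the pseudonym back to ID_U, which is why the trace needs both issuers.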
Extended Protocols
- Threshold schemes
  - In the case of multiple BIs
  - Apply an RSA (L, k)-threshold signature scheme
- Re-blinding variants
  - Disable the tracing ability (e.g., e-voting)
- Selective credential show
  - User's digital credential: <flag, c_i, h(c_i)>
    - flag: 0 = mandatory, 1 = selective
    - h(c_i): hash value of credential c_i
  - PI should certify all semi-records whose flag is 0, but only a hashed value for those whose flag is 1

Conclusion
- Can be used on existing PKIs without requiring additional crypto modules
- Fully compatible with X.509 certificates
- Simple and efficient, with versatile privacy-enhancing features
- A choice between traceability and absolute anonymity
- Threshold variants for more secure applications

References
- Yongdae Kim et al., "A Simple Traceable Pseudonym Certificate System for RSA-based PKI"
- D. Chaum, "Security without identification: Transaction systems to make big brother obsolete," Communications of the ACM, vol. 28, no. 10, pp. 1035-1044
- X.509, "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks," ITU-T Recommendation X.509