Blind Certificate Authorities (Liang Wang, Gilad Asharov, Rafael Pass, Thomas Ristenpart, abhi shelat) - PowerPoint PPT Presentation



SLIDE 1

Blind Certificate Authorities

Liang Wang (1), Gilad Asharov (2), Rafael Pass (2), Thomas Ristenpart (2), abhi shelat (3)

(1) Princeton University, (2) Cornell Tech, (3) Northeastern University

SLIDE 2

Motivation

Certificate Authorities (CA) issue certificates

SLIDE 3

Certificates bind public keys to identities

Figure: the user sends "Request cert" (Identity + public key) to the CA (identity provider); the CA validates the identity. Systems relying on the CA:
  • Email
  • Website login
  • Anonymous credential systems
  • ….

The user must reveal true identity to the CA during identity validation

SLIDE 4

Identity is sensitive

Figure: a whistleblower talking to a journalist.
  Whistleblower: I am working at University ABC... Professor X took bribes!
  Journalist: OK. First, prove you are working at ABC…
  CA (third-party or from University ABC): a friend of Professor X?

SLIDE 5

CA: single point of privacy failure

Figure: the user sends "Request cert" (Identity + public key) to the CA (identity provider), which validates the identity and ends up holding a list such as "alice@domain.com: cert1, bob@gmail.com: cert2, …..". Systems relying on the CA:
  • PGP
  • Website login
  • Anonymous credential systems
  • ….

SLIDE 6

Can we make CA “blind”?

Main challenge: Validate an identity while not learning it

YES!!!

SLIDE 7

Contributions

  • Secure Channel Injection (SCI):
    • A primitive that allows a party to inject a small amount of information into a secure connection between two other parties
    • (SCI-TLS) An efficient, special-purpose MPC protocol for two parties to compute a TLS record
  • Anonymous Proof of Account Ownership (PAO):
    • Validate that one owns some email account from a given organization, without learning which account
  • BlindCA:
    • Validate ownership of an account alice@domain.com and issue an X.509 certificate binding “alice” to a public key, without learning the account or the key

SLIDE 8

Email is the most common identity

SLIDE 9

Conventional email verification

Figure: the user tells the CA "My email is: alice@domain.com"; the CA sends a message "To: alice@domain.com" through the email provider; the user logs in to the provider (Username: alice, Password: ???) to read it.

Prove account ownership by showing the ability to READ an email from an account

SLIDE 10

Secure Channel Injection (SCI)

Figure: Alice sends messages M1, M2, …, Mn to Bob over a secure channel; Carol holds a message M* that she wants to get into that channel.

SLIDE 11

Secure Channel Injection (SCI)

Figure: as in slide 10, but the record carrying M* is produced by an MPC between Alice and Carol before it enters the channel.

SLIDE 12

Secure Channel Injection (SCI)

Figure: Bob receives M1, …, M*, …, Mn as one stream from Alice.

Alice: Learns nothing about M*
Bob: Doesn’t know M* is from Carol
Carol: Learns nothing about other messages from Alice

SLIDE 13

Conventional email verification (repeated from slide 9)

Figure: the user tells the CA "My email is: alice@domain.com"; the CA sends a message "To: alice@domain.com" through the email provider; the user logs in to the provider (Username: alice, Password: ???) to read it.

Prove account ownership by showing the ability to READ an email from an account

SLIDE 14

Anonymous proof of account ownership (PAO)

Goal: Validate Alice owns some email account from domain.com

Figure: the user connects to the SMTP server @ domain.com and sends an email (From: alice@domain.com) to the CA; the CA injects a challenge value (alice1) into that email via SCI and checks that the email it receives from the server carries alice1.

Prove account ownership by showing the ability to SEND an email from an account

SLIDE 15

PAO use cases

Figure: the whistleblower (an employee) tells the journalist: "I can send an email from ABC’s smtp server"

SLIDE 16

Anonymous PAO needs to use MPC to compute TLS records

Figure: TLS AES-CBC with SHA256. HMAC over SQN + HDR and M gives the HMAC tag; M, the tag and padding are encrypted with AES-CBC under IV to give the ciphertext; the record is HDR, IV, ciphertext.

For a 512-byte email and 16-byte challenge:
  • Generic MPC: 32 AES and 8 SHA256 operations → 0.94M+ AND gates

SLIDE 17

Merkle–Damgård Construction

Figure: message M is split into Block1, Block2, …, BlockN plus padding; the compression function f is applied to each block in turn, starting from the IV, each output feeding the next call of f.

SLIDE 18

Two-party SHA: “Outsource” SHA computation

Figure: the user applies f to Block X and sends the output of f (the chaining value) to the CA; the CA applies f to Block X+1 to X+K, the K blocks holding M*, and sends the output of f to the user; the user continues with Block X+K+1. Only the middle segment is labelled "User + CA".
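The outsourcing of slide 18, and the "NO MPC for HMAC" point of slide 20, as an added example that is not part of the slides or of the paper's code. It implements the SHA-256 compression function itself (hashlib does not expose the chaining value) and simulates the three hand-offs: user, then CA, then user again. The function names (absorb, user_finish, outsourced_hmac_sha256) and the assumption that the hand-off points fall on 64-byte block boundaries are mine; the sample key, header and body are constructed.

```python
"""Two-party SHA-256 by handing over the Merkle-Damgard chaining value.

Added example, not code from the BlindCA paper or its authors. SHA-256 is written
out because hashlib does not expose the chaining value. Slide 18, simulated: the
user hashes the blocks before M*, hands the chaining value to the CA, the CA
absorbs the K blocks holding M* and hands the chaining value back, and the user
finishes the hash and the HMAC. Hand-off points on 64-byte boundaries is assumed.
"""
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF

def _primes(n):
    """First n primes, used to derive the SHA-256 constants."""
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _icbrt(n):
    """Floor of the cube root of a non-negative integer (Newton's method)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# FIPS 180-4 constants: fractional bits of sqrt / cbrt of the first primes.
H0 = tuple(math.isqrt(p << 64) & MASK for p in _primes(8))
K = tuple(_icbrt(p << 96) & MASK for p in _primes(64))

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256_compress(state, block):
    """Compression function f: 8-word chaining value + one 64-byte block -> new value."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))

def absorb(state, data):
    """Apply f to each 64-byte block of data (len(data) must be a multiple of 64)."""
    for i in range(0, len(data), 64):
        state = sha256_compress(state, data[i:i + 64])
    return state

def user_finish(state, consumed_len, tail):
    """User: absorb the remaining bytes plus Merkle-Damgard padding, output the digest."""
    total = consumed_len + len(tail)
    padded = tail + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    return struct.pack(">8I", *absorb(state, padded))

def sha256(msg):
    return user_finish(H0, 0, msg)

def outsourced_hmac_sha256(key, header, injected, body):
    """HMAC-SHA256(key, header || injected || body) where only the injected blocks pass
    through the CA; two 32-byte chaining values are the only messages exchanged."""
    assert len(key) <= 64 and len(header) % 64 == 0 and len(injected) % 64 == 0
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    cv = absorb(H0, ipad + header)           # user alone: key pad and header blocks
    cv = absorb(cv, injected)                # CA: gets cv and M*, never the key or header
    inner = user_finish(cv, 64 + len(header) + len(injected), body)  # user alone
    return sha256(opad + inner)              # outer hash never leaves the user

if __name__ == "__main__":
    # Constructed sample values (not from the paper).
    mac_key, header = b"constructed-tls-mac-key", b"SEQ+HDR:".ljust(64, b".")
    challenge, body = b"alice1".ljust(64, b" "), b"Subject: hello\r\n\r\nbody\r\n" * 8
    tag = outsourced_hmac_sha256(mac_key, header, challenge, body)
    ref = hmac.new(mac_key, header + challenge + body, hashlib.sha256).digest()
    print("outsourced tag matches the hmac module:", tag == ref)
```

The CA never holds the MAC key: it receives a 32-byte chaining value, runs f over its own block(s), and returns another chaining value, which is why the HMAC side of the record needs no MPC. What the chaining value leaks about the prefix is a separate question the slides defer to the paper.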

SLIDE 19

Two-party AES CBC

Figure: the user encrypts Block X alone (AES cipher X) and sends its ciphertext to the CA; Block X+1 to X+K, the K blocks holding M*, are encrypted in MPC --- Alice: key, CA: blocks (AES cipher X+1 to X+K); the last ciphertext block is sent to the user, who encrypts Block X+K+1 onward alone. Only the middle segment is labelled "User + CA".
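The segmented CBC of slide 19, as an added example that is not part of the slides or of the paper's code. AES-128 is implemented inline so it runs on a bare interpreter; the MPC step itself is only simulated by a function (simulated_2pc_cbc, my name) that is handed both parties' inputs, which the real protocol never does. The names expand_key, cbc_encrypt and two_party_cbc and the 512-byte sample email are mine.

```python
"""Two-party AES-CBC: only the K blocks holding M* need MPC.

Added example, not code from the BlindCA paper or its authors. AES-128 is written
out so the block runs on a bare Python install. The MPC of slide 19 is only
simulated: simulated_2pc_cbc receives the user's key and the CA's plaintext in
one place, whereas the real protocol evaluates those K AES calls inside MPC
with neither party learning the other's input. What the code shows is the CBC
chaining that lets every hand-off consist of a single ciphertext block.
"""

def _gmul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        s = r = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; the state is column-major (index = 4*col + row)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            s = sum(([_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                      _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
                     for a0, a1, a2, a3 in (s[i:i + 4] for i in range(0, 16, 4))), [])
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                    # AddRoundKey
    return bytes(s)

def cbc_encrypt(round_keys, chain, blocks):
    """Plain CBC over a list of 16-byte blocks, chaining from `chain` (IV or a ciphertext)."""
    out = []
    for p in blocks:
        chain = aes128_encrypt_block(round_keys, bytes(x ^ y for x, y in zip(p, chain)))
        out.append(chain)
    return out

def simulated_2pc_cbc(user_round_keys, ca_chain_in, ca_blocks):
    """Stand-in for the slide-19 MPC (Alice: key, CA: blocks). The real protocol runs
    exactly len(ca_blocks) AES calls inside MPC; here both inputs sit in one process."""
    return cbc_encrypt(user_round_keys, ca_chain_in, ca_blocks)

def two_party_cbc(round_keys, iv, user_prefix, ca_injected, user_suffix):
    """Slide 19 end to end: user-only prefix, MPC segment (K >= 1 blocks), user-only suffix."""
    prefix_ct = cbc_encrypt(round_keys, iv, user_prefix)                # user alone
    handover = prefix_ct[-1] if prefix_ct else iv                        # ciphertext of block X -> CA
    injected_ct = simulated_2pc_cbc(round_keys, handover, ca_injected)
    suffix_ct = cbc_encrypt(round_keys, injected_ct[-1], user_suffix)   # last MPC block -> user
    return prefix_ct + injected_ct + suffix_ct

if __name__ == "__main__":
    # Constructed sample values (not from the paper): a 512-byte email in 16-byte
    # blocks, with one 16-byte challenge block injected by the CA after block 2.
    rk, iv = expand_key(b"constructed-key!"), b"\x00" * 16
    email = b"Subject: hello\r\n" * 32
    blocks = [email[i:i + 16] for i in range(0, 512, 16)]
    challenge = [b"alice1".ljust(16, b" ")]
    ct = two_party_cbc(rk, iv, blocks[:2], challenge, blocks[2:])
    ref = cbc_encrypt(rk, iv, blocks[:2] + challenge + blocks[2:])
    print("segmented CBC equals one-shot CBC:", ct == ref)
```

The user's part before and after the MPC segment is ordinary local AES; the number of AES calls that must be evaluated jointly is fixed by K, the number of blocks carrying M*, not by the size of the email.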

SLIDE 20

Anonymous PAO needs to use MPC to compute TLS records

Figure: TLS AES-CBC mode. HMAC over SQN + HDR and M gives the HMAC tag; M, the tag and padding are encrypted with AES-CBC under IV to give the ciphertext; the record is HDR, IV, ciphertext.

For a 512-byte email and 16-byte challenge:
  • Generic MPC: 32 AES and 8 SHA-256 operations → 0.94M+ AND gates
  • Our protocol: 4 AES operations → 27K+ AND gates; NO MPC for HMAC

SLIDE 21

A simplified SMTP session

Figure: exchange between the SMTP client and the SMTP server.
  Step 1: Setup TLS and prepare for auth (STARTTLS, EHLO)
  Step 2: Authentication (AUTH)
  Step 3: Prepare for email (MAIL, RCPT, DATA)
  Step 4: Send email (EMAIL)

SLIDE 22

BlindCA: TLS record as commitment

Figure: the simplified SMTP session of slide 21 (SMTP client = user; Step 1: Setup TLS and prepare for auth, STARTTLS and EHLO; Step 2: Authentication, AUTH; Step 3: Prepare for email, MAIL, RCPT and DATA; Step 4: Send email, EMAIL), now with the CA taking part.

The SMTP AUTH message contains the email account (user identity).

SLIDE 23

BlindCA: Anonymous PAO

Figure: the simplified SMTP session of slide 21 (SMTP client = user; Steps 1 to 4 as before), with the CA taking part.

SLIDE 24

BlindCA: Anonymous PAO

Figure: the simplified SMTP session of slide 21 (SMTP client = user; Steps 1 to 4 as before), with the CA taking part. The CA keeps a table:

  Challenge   Commitment   …
  abc         eee…         …
  123         fff…         …
  ...         ...          …

SLIDE 25

Prover produces a ZKBoo proof

CA: Shares a certificate template with the user
  • All fields are known except for subject and public key
    (Issuer: BlindCA, Subject: ?@abc, Public key: ?, Version: …)

User: Fills in the missing info, produces the hash of the cert, and generates a ZKBoo proof to show knowledge of:
  • The email account (e1) and public key used to form the certificate
  • The opening of the TLS commitment: secret keys, email account (e2) and password
  • e1 = e2

Single Boolean circuit!

Giacomelli, Irene, Jesper Madsen, and Claudio Orlandi. "ZKBoo: Faster zero-knowledge for Boolean circuits." USENIX Security 2016.

SLIDE 26

CA verifies proofs and signs

Figure: the user sends the CA "Challenge: 123, Hash of cert: h, ZKBoo proof"; the CA looks up the challenge in its table, verifies the proof, and returns Sign(h).

  Challenge   Commitment   …
  abc         eee…         …
  123         fff…         …
  ...         ...          …

SLIDE 27

BlindCA overhead

The median time (seconds) to complete the 2P-HMAC, 2P-CBC (without offline), PAO (without offline) and normal SMTP-TLS:

                 Loc 1 (No Tor)   Loc 2 (No Tor)   Loc 1 (With Tor)
  2P-HMAC        0.01             0.03             0.31
  2P-CBC         0.20             0.35             0.36
  PAO            0.76             1.68             4.31
  SMTP Baseline  0.31             0.77             3.33

  • PAO test with Gmail, UW-Madison, and Cornell SMTP servers:
    • PAO (without offline): 1.01s, 1.64s, 1.53s
    • Without PAO: 0.44s, 0.94s, 0.79s
  • BlindCA proof (136 ZKBoo proofs):
    • Size: 85M+
    • Generation: 2.9s
    • Verification: 2.3s

SLIDE 28

Session duration is not a good detector

The distribution of the SMTP durations is long-tailed (based on 8K+ SMTP-TLS sessions).

15% > 10s!

SLIDE 29

Summary

  • We design the first “blind” CA: a CA that can validate identities and issue certificates without learning the identity
  • SCI for TLS AES-CBC and AES-GCM (see paper)
  • Participation privacy: does not disclose to any party the identities of users
  • Please see our paper for more details (security proofs, security analysis, etc.)!

Thank you!
