Certificate Transparency with Privacy Saba Eskandarian, Eran - - PowerPoint PPT Presentation

certificate transparency with privacy
SMART_READER_LITE
LIVE PREVIEW

Certificate Transparency with Privacy Saba Eskandarian, Eran - - PowerPoint PPT Presentation

Oct 06, 2023 525 likes •1.17k views

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford Certificate Authorities Public Key Certificate Authorities Public Key Certificate CA Certificate apo-CA-lypse

slide-1
SLIDE 1

Certificate Transparency with Privacy

Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford

slide-2
SLIDE 2

Certificate Authorities

Public Key

slide-3
SLIDE 3

Certificate Authorities

Public Key Certificate Certificate CA

slide-4
SLIDE 4

apo-CA-lypse

slide-5
SLIDE 5

apo-CA-lypse

slide-6
SLIDE 6

Outline

  • Certificate Transparency
  • Redaction of private subdomains
  • Privacy-preserving proof of misbehavior
slide-7
SLIDE 7

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate Certificate CA

slide-8
SLIDE 8

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate Certificate CA Log ...

slide-9
SLIDE 9

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate Certificate CA Log ...

slide-10
SLIDE 10

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate, SCT Certificate, SCT CA Log ... Certificate SCT

slide-11
SLIDE 11

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate, SCT Certificate, SCT CA Log ... Certificate SCT

slide-12
SLIDE 12

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

Public Key Certificate, SCT Certificate, SCT CA Log ... Certificate SCT

CT logging required by chrome for all sites starting October 2017!

slide-13
SLIDE 13

Transparency and Privacy?

slide-14
SLIDE 14

Outline

  • Certificate Transparency
  • Redaction of private subdomains
  • Privacy-preserving proof of misbehavior
slide-15
SLIDE 15

CA

Redaction: keeping secrets on a public log

Request Certificate secret.facebook.com Precertificate secret.facebook.com SCT secret.facebook.com Certificate, SCT secret.facebook.com Log ...

Problem: secret.facebook.com is publicly visible on the log!

slide-16
SLIDE 16

CA

Redaction: keeping secrets on a public log

Log ... Request Certificate secret.facebook.com Precertificate secret.facebook.com SCT secret.facebook.com Certificate, SCT secret.facebook.com Redacted Redacted

Problem: secret.facebook.com is publicly visible on the log!

slide-17
SLIDE 17

Usage: c ← Commit(m, r) Verify(c, m, r) Security Properties: Hiding: given commitment Commit(m, r), can’t find m Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m

Tools: Commitments

r val Commit(m, r)

slide-18
SLIDE 18

Usage: c ← Commit(m, r) Verify(c, m, r) Security Properties: Hiding: given commitment Commit(m, r), can’t find m Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m

Tools: Commitments

r

slide-19
SLIDE 19

Usage: c ← Commit(m, r) Verify(c, m, r) Security Properties: Hiding: given commitment Commit(m, r), can’t find m Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m

Tools: Commitments

r val r Verify( , val, r)

slide-20
SLIDE 20

Subdomain Redaction via Commitments

Request Certificate

secret.facebook.com secret.facebook.com

Log ... CA

slide-21
SLIDE 21

Subdomain Redaction via Commitments

Request Certificate

secret.facebook.com secret.facebook.com

Log ... Precertificate

secret.facebook.com

CA

slide-22
SLIDE 22

Subdomain Redaction via Commitments

Request Certificate

secret.facebook.com secret.facebook.com

Log ... Precertificate

secret.facebook.com

SCT

secret.facebook.com .facebook .com

CA

slide-23
SLIDE 23

Subdomain Redaction via Commitments

Request Certificate

secret.facebook.com secret.facebook.com

Log ... Precertificate

secret.facebook.com

SCT

secret.facebook.com

Certificate

secret.facebook.com

SCT: secret.facebook.com SCT Opening:

.facebook .com

CA

slide-24
SLIDE 24

Subdomain Redaction via Commitments

Page Request: secret.facebook.com

slide-25
SLIDE 25

Subdomain Redaction via Commitments

Page Request: secret.facebook.com Certificate

secret.facebook.com

SCT: secret.facebook.com SCT Opening:

slide-26
SLIDE 26

Subdomain Redaction via Commitments

Page Request: secret.facebook.com Verify( , secret, ) Certificate

secret.facebook.com

SCT: secret.facebook.com SCT Opening:

slide-27
SLIDE 27

Security

How can a monitor still check the log? Knowledge of number of entries per domain owner reveals extra certificates Why can’t a malicious site or CA reuse an existing redacted SCT? Binding property of commitment

slide-28
SLIDE 28

Outline

  • Certificate Transparency
  • Redaction of private subdomains
  • Privacy-preserving proof of misbehavior
slide-29
SLIDE 29

Privacy-Compromising Proof of Exclusion

1 2 3 4 5 6 7 8 9 10 Log Excluded SCT secret.facebook.com

slide-30
SLIDE 30

Privacy-Compromising Proof of Exclusion

1 2 3 4 5 6 7 8 9 10 Log Excluded SCT secret.facebook.com

slide-31
SLIDE 31

Goals

  • Auditor proves to vendor that an SCT is missing from log
  • Auditor does not reveal domain name, vendor only learns that log is

misbehaving

slide-32
SLIDE 32

Goals

  • Auditor proves to vendor that an SCT is missing from log
  • Auditor does not reveal domain name, vendor only learns that log is

misbehaving Then:

  • Vendor can investigate log
  • Vendor can blindly revoke missing certificate (by pushing a revocation value

to all browsers)

slide-33
SLIDE 33

Goals

  • Auditor proves to vendor that an SCT is missing from log
  • Auditor does not reveal domain name, vendor only learns that log is

misbehaving Then:

  • Vendor can investigate log
  • Vendor can blindly revoke missing certificate (by pushing a revocation value

to all browsers) Assumption: timestamps in order

slide-34
SLIDE 34

What Does Auditor Prove?

1 2 3 4 5 6 7 8 9 10 Log Excluded SCT

slide-35
SLIDE 35

What Does Auditor Prove?

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log t=25 Excluded SCT

Assumption: timestamps in order

slide-36
SLIDE 36

What Does Auditor Prove?

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log t=25 Excluded SCT

Assumption: timestamps in order

slide-37
SLIDE 37

What Does Auditor Prove?

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log t=25 3 t=21 4 t=27

slide-38
SLIDE 38

What Does Auditor Prove?

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log What about privacy?! t=25 3 t=21 4 t=27

slide-39
SLIDE 39

Tools: Additively Homomorphic Commitments

val2 val1

slide-40
SLIDE 40

Tools: Additively Homomorphic Commitments

val2 val1

+

slide-41
SLIDE 41

Tools: Additively Homomorphic Commitments

val2 val1 val1+val2

+ =

slide-42
SLIDE 42

Tools: Zero-Knowledge Proofs

A

slide-43
SLIDE 43

Tools: Zero-Knowledge Proofs

=

A B

slide-44
SLIDE 44

Tools: Zero-Knowledge Proofs

= 0 < < 5

A B A A

slide-45
SLIDE 45

Tools: Zero-Knowledge Proofs

= 0 < < 5

A B A A val

val sk

slide-46
SLIDE 46

Tools: Zero-Knowledge Proofs

= 0 < < 5

A B A A val

val sk

slide-47
SLIDE 47

Tools: Zero-Knowledge Proofs

= 0 < < 5

A B A A val

val sk

slide-48
SLIDE 48

Proof of Exclusion

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log What about privacy?! t=25 3 t=21 4 t=27

slide-49
SLIDE 49

Proof of Exclusion

1 t=4 2 t=18 3 t=21 4 t=27 5 t=30 6 t=38 7 t=41 8 t=42 9 t=50 10 t=59 Log What about privacy?! X Y Z Index(X) Time(X) Index(Z) Time(Z) Time(Y)

slide-50
SLIDE 50

Proof of Exclusion

Y X Z

slide-51
SLIDE 51

Index(X) Index(Z) Time(Z) Time(X)

Proof of Exclusion

Time(Y)

+ 1 = < <

Y X Z

slide-52
SLIDE 52

Index(X) Index(Z) Time(Z) Time(X)

Proof of Exclusion

Time(Y)

+ 1 = < <

Y X Z

slide-53
SLIDE 53

Index(X) Index(Z) Time(Z) Time(X)

Proof of Exclusion

Time(Y)

+ 1 = < <

Y X Z

slide-54
SLIDE 54

Index(X) Index(Z) Time(Z) Time(X)

Proof of Exclusion

Time(Y)

+ 1 = < <

Y X Z Are these numbers really from the log?

slide-55
SLIDE 55

5 4 3 12 11

Proof of Exclusion

+ 1 = < <

Y X Z hehehe...

slide-56
SLIDE 56

Proof of Exclusion

Needed for proof X

Index(X) Time(X)

slide-57
SLIDE 57

skH

Proof of Exclusion

New signatures from log Needed for proof X

Index(X) Time(X) H(x)+Index(X) H(x) H(x)+Time(X)

skI skT

slide-58
SLIDE 58

Proof of Exclusion

New signatures from log Needed for proof X

Index(X) Time(X) H(X)

skH

H(x)+Index(X) H(x) H(x)+Time(X)

skI skT

slide-59
SLIDE 59

Proof of Exclusion

New signatures from log Needed for proof X

Index(X) Time(X) H(X)

+ +

skH

H(x)+Index(X) H(x) H(x)+Time(X)

skI skT

slide-60
SLIDE 60

Proof of Exclusion

New signatures from log Needed for proof X

Index(X) Time(X) H(X) H(x)+Index(X) H(x)+Time(X)

+ +

skH

H(x)+Index(X) H(x) H(x)+Time(X)

skI skT

slide-61
SLIDE 61

Proof of Exclusion

New signatures from log Needed for proof X

Index(X) Time(X) H(X) H(x)+Index(X) H(x)+Time(X)

+ +

skH

H(x)+Index(X) H(x) H(x)+Time(X)

skI skT

slide-62
SLIDE 62

Performance Numbers

Online Costs Proof Size: 333 kB Time to generate: 5.0 seconds Time to verify: 2.3 seconds Offline Costs (storage) Growth of log entry: 480 bytes Growth of SCT: 160 bytes Revocation notice size: 32 bytes

slide-63
SLIDE 63

Summary

  • CT is an exciting new feature of our web infrastructure
  • Transparency raises new privacy concerns
  • Work on privacy-preserving solutions to two issues:

○ Compatibility between CT and need for private domain names ○ Reporting CT log misbehavior without revealing private information See paper for details and security proofs: https://arxiv.org/pdf/1703.02209.pdf