Certificate Transparency with Privacy Saba Eskandarian, Eran - - PowerPoint PPT Presentation



SLIDE 1

Certificate Transparency with Privacy

Saba Eskandarian (Stanford), Eran Messeri (Google), Joe Bonneau (NYU), Dan Boneh (Stanford)

SLIDE 2

Certificate Authorities

[Figure: a site with a public key obtains a certificate for that key from a CA]

SLIDES 3-4

apo-CA-lypse

SLIDES 5-10

Certificate Transparency (CT)

Idea: public, verifiable log of all certificates

[Figure, built up over the slides: the CA issues a public key certificate as before; the certificate is also submitted to a public log; the log returns a Signed Certificate Timestamp (SCT), and the site serves the certificate together with the SCT while the log publishes the certificate.]

CT logging required by Chrome for all sites starting April 2018!

SLIDE 11

Transparency and Privacy?

SLIDE 12

Our Contributions

  • Redaction of private subdomains
  • Privacy-preserving proof of misbehavior
SLIDES 13-14

Redaction: keeping secrets on a public log

[Figure: the site requests a certificate for secret.facebook.com; the CA submits a precertificate for secret.facebook.com to the log, receives an SCT, and returns the certificate and SCT to the site. On slide 14 the log entry shows "Redacted" in place of the name.]

Problem: secret.facebook.com is publicly visible on the log!

SLIDES 15-18

Subdomain Redaction via Commitments

[Figure, built up over the slides: the site requests a certificate for secret.facebook.com and supplies a commitment to the private label. The CA places the commitment, not the label, in the precertificate it sends to the log, so the log entry and the SCT cover the committed name under .facebook.com. The CA then issues the certificate for secret.facebook.com, and the site holds the certificate, the SCT and the commitment opening.]

SLIDES 19-21

Subdomain Redaction via Commitments

[Figure, built up over the slides: page request for secret.facebook.com. The server returns the certificate for secret.facebook.com, the SCT over the committed name, and the commitment opening. The browser runs Verify(commitment, "secret", opening) against the name in the SCT before accepting the certificate.]

SLIDE 22

Security

Why can't a malicious site or CA reuse an existing redacted SCT? The binding property of the commitment: the committed value opens only to the label it was created for.

How can a monitor still check the log? The domain owner knows how many certificates it requested, so the number of (redacted) entries under its domain reveals any extra certificates.
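The redaction exchange on slides 15-22, as an added example that is not the authors' code. It instantiates the commitment as SHA-256 over a fresh 32-byte nonce and the label (binding from collision resistance, hiding from the nonce), encodes it as an unpadded base32 DNS label, and stands in for the log's SCT signature with an HMAC under a toy log key so that everything runs offline. Those three choices, the function names and the sample timestamp are this example's assumptions, not the paper's exact construction. The reuse attempts at the end are the slide 22 question: the same SCT and opening presented for another label, another zone, or with a wrong opening.

```python
"""Subdomain redaction via a commitment (slides 15-22), added example."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PUBLIC_SUFFIX = "facebook.com"   # the part of the name the owner is happy to publish


def commit(label: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Site side: commit to the private label (assumed hash commitment).

    C = SHA-256(nonce || label).  Returns (commitment, opening); the opening
    is the nonce, since the label itself is in the issued certificate.
    """
    nonce = nonce if nonce is not None else os.urandom(32)
    digest = hashlib.sha256(nonce + label.encode("ascii")).digest()
    # base32, lowercase, unpadded: 52 chars, under the 63-octet DNS label limit
    commitment = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return commitment, nonce


def open_commitment(commitment: str, label: str, nonce: bytes) -> bool:
    """Verify(commitment, label, opening) from slide 21."""
    expected, _ = commit(label, nonce)
    return hmac.compare_digest(expected, commitment)


def ca_precert_name(commitment: str, suffix: str) -> str:
    """CA side: the name that goes into the precertificate and hence the log."""
    return f"{commitment}.{suffix}"


def log_issue_sct(log_key: bytes, redacted_name: str, timestamp_ms: int) -> bytes:
    """Log side: SCT over the redacted name.  A real log signs with ECDSA;
    HMAC under the log's key is a stand-in so the example runs offline."""
    msg = struct.pack(">Q", timestamp_ms) + redacted_name.encode("ascii")
    return hmac.new(log_key, msg, hashlib.sha256).digest()


def browser_verify(log_key: bytes, host: str, redacted_name: str,
                   timestamp_ms: int, sct: bytes, nonce: bytes) -> bool:
    """Browser side: accept the certificate for `host` only if
    (1) the SCT really covers `redacted_name`,
    (2) `host` is <label>.<suffix> with the same suffix as the log entry, and
    (3) the opening shows the committed label is exactly that label."""
    if not hmac.compare_digest(log_issue_sct(log_key, redacted_name, timestamp_ms), sct):
        return False                                  # forged or altered SCT
    commitment, _, suffix = redacted_name.partition(".")
    label, _, host_suffix = host.partition(".")
    if not label or host_suffix != suffix:
        return False                                  # SCT is for a different zone
    return open_commitment(commitment, label, nonce)  # binding: only "secret" opens


def demo() -> dict:
    """Run the full exchange plus the reuse attempts; returns the outcomes."""
    log_key = os.urandom(32)          # constructed: the log's toy signing key
    ts = 1_514_764_800_000            # constructed timestamp (ms)
    commitment, nonce = commit("secret")
    redacted = ca_precert_name(commitment, PUBLIC_SUFFIX)
    sct = log_issue_sct(log_key, redacted, ts)
    return {
        "log_entry": redacted,        # what a monitor sees: <commitment>.facebook.com
        "honest": browser_verify(log_key, "secret.facebook.com", redacted, ts, sct, nonce),
        # slide 22: a malicious site reuses the SCT and opening for another name
        "reused_for_other_label": browser_verify(log_key, "evil.facebook.com", redacted, ts, sct, nonce),
        "reused_for_other_zone": browser_verify(log_key, "secret.example.com", redacted, ts, sct, nonce),
        "bad_opening": browser_verify(log_key, "secret.facebook.com", redacted, ts, sct, os.urandom(32)),
    }


if __name__ == "__main__":
    print(demo())
```

The monitor check from slide 22 falls out of the log entry format: every entry for the owner's zone still ends in `.facebook.com`, so the owner can count them and compare against the certificates it actually requested, without anyone else learning the labels.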

SLIDES 23-24

Privacy-Compromising Proof of Exclusion

[Figure: log entries 1 to 10 in timestamp order; the SCT for secret.facebook.com is shown as excluded from the log. Proving the exclusion means handing over the SCT, and with it the name secret.facebook.com.]

SLIDES 25-28

Our Privacy-Preserving Approach

  • Auditor proves to vendor that an SCT is missing from the log
  • Auditor does not reveal the domain name; the vendor only learns that the log is misbehaving

Then:

  • Vendor can investigate the log
  • Vendor can blindly revoke the missing certificate (by pushing a revocation value to all browsers)

Main tool: zero knowledge

Assumption: timestamps in order
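The plain proof of exclusion from slides 23-24, relying on the slide 28 assumption that log entries are in timestamp order, as an added example that is not the authors' code. With an RFC 6962 Merkle tree over the log, an SCT with timestamp t is provably absent if two adjacent leaves i and i+1 both verify against the tree head and satisfy t_i < t < t_(i+1). The leaf format (timestamp plus domain), the dictionary proof layout and the seven-entry sample log are this example's assumptions. The proof is deliberately the privacy-compromising one: the vendor receives the missing SCT and both neighbours in the clear, which is exactly what the paper's zero-knowledge version avoids.

```python
"""Proof of exclusion for a timestamp-ordered CT log (slides 23-28), added example."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List


def _leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()          # RFC 6962 leaf prefix


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # RFC 6962 node prefix


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: List[bytes]) -> bytes:
    if len(leaves) == 1:
        return _leaf_hash(leaves[0])
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(leaves: List[bytes], m: int) -> List[bytes]:
    """Audit path for leaf m (RFC 6962 PATH), ordered leaf to root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_path(leaves[k:], m - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """RFC 9162 inclusion check; index and tree_size fix which side each hash is on."""
    if index >= tree_size:
        return False
    r = _leaf_hash(leaf)
    fn, sn = index, tree_size - 1
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = _node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


@dataclass(frozen=True)
class SCT:
    timestamp_ms: int
    domain: str

    def leaf(self) -> bytes:                       # assumed leaf format
        return struct.pack(">Q", self.timestamp_ms) + self.domain.encode("ascii")


def exclusion_proof(log: List[SCT], missing: SCT) -> dict:
    """Auditor: find the adjacent pair whose timestamps bracket the SCT."""
    leaves = [e.leaf() for e in log]
    ts = [e.timestamp_ms for e in log]
    assert ts == sorted(ts), "slide 28 assumption: entries in timestamp order"
    t = missing.timestamp_ms
    for i in range(len(log) - 1):
        if ts[i] < t < ts[i + 1]:
            return {"tree_size": len(log), "index": i,
                    "left": log[i], "left_path": inclusion_path(leaves, i),
                    "right": log[i + 1], "right_path": inclusion_path(leaves, i + 1)}
    # t at or beyond the ends needs the tree head's own timestamp; not covered here
    raise ValueError("SCT timestamp not strictly inside the log's range")


def verify_exclusion(root: bytes, missing: SCT, proof: dict) -> bool:
    """Vendor: both neighbours are in the tree, adjacent, and bracket t."""
    i, n = proof["index"], proof["tree_size"]
    left, right = proof["left"], proof["right"]
    return (verify_inclusion(left.leaf(), i, n, proof["left_path"], root)
            and verify_inclusion(right.leaf(), i + 1, n, proof["right_path"], root)
            and left.timestamp_ms < missing.timestamp_ms < right.timestamp_ms)


def demo() -> dict:
    # constructed log: seven entries (not a power of two) in timestamp order
    log = [SCT(1000 + 100 * k, f"site{k}.example") for k in range(7)]
    root = merkle_root([e.leaf() for e in log])
    missing = SCT(1250, "secret.facebook.com")     # between entries 2 and 3
    proof = exclusion_proof(log, missing)
    # an honest log that did include the SCT has a different head; the proof must fail there
    honest = sorted(log + [missing], key=lambda e: e.timestamp_ms)
    honest_root = merkle_root([e.leaf() for e in honest])
    return {"valid": verify_exclusion(root, missing, proof),
            "against_honest_log": verify_exclusion(honest_root, missing, proof),
            # everything the vendor learns from this non-ZK proof
            "revealed": [proof["left"].domain, missing.domain, proof["right"].domain]}


if __name__ == "__main__":
    print(demo())
```

The `revealed` list is the privacy problem in one line: to convince the vendor, the auditor hands over the secret name and two of its neighbours. The zero-knowledge proof on slides 25-28 shows the same bracketing relation (two adjacent leaves under the tree head, timestamps in order around t) without disclosing the SCT, which is why the paper's proof is large and slow relative to this check (slide 29).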

SLIDE 29

Performance Numbers

Online costs:
  • Proof size: 333 kB
  • Time to generate: 5.0 seconds
  • Time to verify: 2.3 seconds

Offline costs (storage):
  • Growth of log entry: 480 bytes
  • Growth of SCT: 160 bytes
  • Revocation notice size: 32 bytes

SLIDE 30

Summary

  • CT is an exciting new feature of our web infrastructure
  • Transparency raises new privacy concerns
  • Work on privacy-preserving solutions to two issues:
    ○ Compatibility between CT and the need for private domain names
    ○ Reporting CT log misbehavior without revealing private information