RevCast : Fast, Private Certificate Revocation over FM radio Aaron - - PowerPoint PPT Presentation

RevCast: Fast, Private Certificate Revocation

• ver FM radio

Aaron Schulman Stanford University Dave Levin University of Maryland Neil Spring
 University of Maryland

Authentication in the PKI

I want an encrypted connection.

Authentication in the PKI

I want an encrypted connection.

Authentication in the PKI

Certificate #12

Signed by CA:

I want an encrypted connection.

Authentication in the PKI

Certificate #12

Signed by CA:

The CA ( ) attests that is controlled by

Is bound to ?

Authentication in the PKI

Certificate #12

Signed by CA:

The CA ( ) attests that is controlled by

Is bound to ?

Authentication in the PKI

Certificate #12

Signed by CA:

Trusted 
 Root CAs

The CA ( ) attests that is controlled by

Is bound to ?

Authentication in the PKI

Certificate #12

Signed by CA:

Trusted 
 Root CAs

The CA ( ) attests that is controlled by

✔

Revocation in the PKI

Trusted 
 Root CAs

C Certificate #12

Signed by CA:

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

The CA ( ) breaks the binding of with

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

The CA ( ) breaks the binding of with

✔

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

The CA ( ) breaks the binding of with

❌

✔

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

The CA ( ) breaks the binding of with

❌

✔

Revocation in the PKI

Trusted 
 Root CAs

C

Certificate #12

Revocation

Certificate #12

Signed by CA:

The CA ( ) breaks the binding of with

❌

✔

One revocation every 1.1 seconds for all CAs on the Internet

Every device needs revocations

C

Revocation

Certificate #12

Signed by CA:

Every device needs revocations

C

Revocation

Certificate #12

Signed by CA:

Properties of revocation systems

Properties of revocation systems

10s Timeliness Clients’ revocation
 state should be
 up-to-date, ideally
 within 10s of seconds

Properties of revocation systems

10s Timeliness Clients’ revocation
 state should be
 up-to-date, ideally
 within 10s of seconds

$ $ $ $ $ $

Low-cost dissemination The distribution
 mechanism must scale
 with CAs, certificates, and clients

Properties of revocation systems

10s Timeliness Clients’ revocation
 state should be
 up-to-date, ideally
 within 10s of seconds

$ $ $ $ $ $

Low-cost dissemination The distribution
 mechanism must scale
 with CAs, certificates, and clients Privacy Users’ browsing
 habits should not
 have to be revealed

Properties of revocation systems

10s Timeliness Clients’ revocation
 state should be
 up-to-date, ideally
 within 10s of seconds

$ $ $ $ $ $

Low-cost dissemination The distribution
 mechanism must scale
 with CAs, certificates, and clients Privacy Users’ browsing
 habits should not
 have to be revealed

It is generally regarded that no system can possibly achieve all three.

Properties of revocation systems

10s Timeliness Clients’ revocation
 state should be
 up-to-date, ideally
 within 10s of seconds

$ $ $ $ $ $

Low-cost dissemination The distribution
 mechanism must scale
 with CAs, certificates, and clients Privacy Users’ browsing
 habits should not
 have to be revealed

It is generally regarded that no system can possibly achieve all three.

RevCast

✔ ✔ ✔

Certificate Revocation Lists
 (CRL) Online Certificate Status Protocol (OCSP) OCSP Stapling Short lived certs

Existing revocation systems

CA

Client Client Client Client

Org

CRL

124, 24 21, 2521

Revocation

Certificate #12

Certificate #12

Still ok

Still ok

CA

Org

CA

Certificate #12

CA

CA

Client Client Client Client

Org

CA

Org

CA

CA

CRLs

❌ ❌

✔

OCSP

✔

❌ ❌

Short lived

✔*

❌

✔

Stapling

✔

❌

✔

Existing revocation systems

Client

CA CA

Client

Client

CA

Client

CA

CRLs

❌ ❌

✔

OCSP

✔

❌ ❌

Short lived

✔*

❌

✔

Stapling

✔

❌

✔

Existing revocation systems

All of these protocols rely on unicast transmission of revocations

Client

CA CA

Client

Client

CA

Client

CA

Unicast is not well suited

for distributing revocations

Doesn’t scale to distributing to every device on the Internet Failures are benign indication of connectivity issues (soft-fail) Multicast revocation is also flawed (Sybils, MITM, DoS)

RevCast

Revocation

Certificate #12

Signed by CA:

We propose broadcasting revocations over FM RDS

Tower: http://cityspottercards.com/

RevCast

Revocation

Certificate #12

Signed by CA:

We propose broadcasting revocations over FM RDS

Tower: http://cityspottercards.com/

FM RDS coverage is ideal for disseminating revocations

• Transmitters are where people are
• Up to 10 million people per tower

200,000 150,000 100,000 50,000

Properties of revocation systems

Privacy

Radio broadcasts are inherently receiver anonymous

$ $ $ $ $ $

Low-cost dissemination

One transmission covers up to 10 million
 & Under-monotized

Properties of revocation systems

Privacy

Radio broadcasts are inherently receiver anonymous

$ $ $ $ $ $

Low-cost dissemination

One transmission covers up to 10 million
 & Under-monotized

Properties of revocation systems

Privacy

Radio broadcasts are inherently receiver anonymous

$ $ $ $ $ $

Low-cost dissemination

One transmission covers up to 10 million
 & Under-monotized

• Solved. Let’s go party like it’s 1989!

One tiny problem. RDS has an effective bitrate of 421.8 bps.

10s

Timeliness?

RevCast protocol - fitting revocations in 421.8 bps


Evaluate RevCast with 2 months of revocations

Rest of the talk

Revoking over FM RDS

CAs Radio station Receivers

Revoking over FM RDS

CAs Radio station Receivers

R R

R

1

2

3

R

R R

1

2

3

Revoking over FM RDS

CAs Radio station Receivers

R R

R

1

2

3

Losses can go undetected

CAs Radio station

R

R

R R

R

Receivers

1

2

3 1

2 R3

Losses can go undetected

CAs Radio station

R

R

R R

R

Receivers

1

2

3 1

2 R3

❌

Losses can go undetected

CAs Radio station

R

R

R R

R

Receivers

1

2

3 1

2 R3

❌

❌

Losses can go undetected

CAs Radio station

R

R

R R

R

Receivers

1

2

3 1

2 R3

❌

GoDaddy didn’t revoke

❌

Making losses detectible with “nothing now”

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Nn

Nn

3 3

Making losses detectible with “nothing now”

CAs Radio station

R

R

R R

Receivers

1

2

1

2 GoDaddy says they didn’t revoke

Nn

Nn

3 3

Making losses detectible with “nothing now”

CAs Radio station

R

R

R R

Receivers

1

2

1

2 GoDaddy says they didn’t revoke

Nn

Nn

3 3

❌

Making losses detectible with “nothing now”

CAs Radio station

R

R

R R

Receivers

1

2

1

2 GoDaddy says they didn’t revoke

Nn

Nn

3 3

❌

❌

Making losses detectible with “nothing now”

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Nn

Nn

3 3

❌

❌

Danger!!! I am not up- to-date with GoDaddy

Sleeping receivers can lose synchronization

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Nn

Nn

3 3

Z

Z

Z

Sleeping receivers can lose synchronization

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Nn

Nn

3 3 What did I miss?

Sleeping receivers stay up-to-date with “Nothing since”

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Ns

Ns

3 3

Z

Z

Z

Sleeping receivers stay up-to-date with “Nothing since”

CAs Radio station

R

R

R R

Receivers

1

2

1

2

Ns

Ns

3 3 I didn’t miss anything from GoDaddy

RevCast messages

Nn

Ns

Nothing now Nothing since

All other CAs

Must sign every 10s

R

Revocation

Revoking 
 CAs

Shortening “nothing now” and “nothing since”

{M} {M}

Shortening “nothing now” and “nothing since”

{M} {M} {M} {M}

Shortening “nothing now” and “nothing since”

{M} {M} {M} {M}

Problem: FM RDS doesn’t scale to hundreds of signatures

Shortening “nothing now” and “nothing since”

{M} {M}

Problem: FM RDS doesn’t scale to hundreds of signatures

{M}

Shortening “nothing now” and “nothing since”

{M} {M}

Problem: FM RDS doesn’t scale to hundreds of signatures

[Boldyreva 2003]

Multi-signatures: combine multiple CA signatures into one

{M}

Shortening “nothing now” and “nothing since”

{M} {M} {M} {M} {M}

Problem: FM RDS doesn’t scale to hundreds of signatures

2.89 seconds for both “nothing new” and “nothing since”

[Boldyreva 2003]

Multi-signatures: combine multiple CA signatures into one

R1

Nn

R1

2

RevCast summary

CAs Radio station Receivers

2

Nn

2

Ns

3

Ns

3

Evaluation

• 1. How quickly can RevCast send updates?

• 2. How would RevCast handle a worst case scenario?

• 3. Is RevCast practical?

Evaluation

978 CRLs extracted from Rapid7’s scan of the entire IPv4 space

102 103 104 105 1 2013 2 3 4 5 6 7 8 9 10 11 12 1 2014 2 3 4 5 # of Revocations Per Day Month: Year: Heartbleed Weekday Saturday Sunday

Evaluation

978 CRLs extracted from Rapid7’s scan of the entire IPv4 space

Security takes the weekends off

102 103 104 105 1 2013 2 3 4 5 6 7 8 9 10 11 12 1 2014 2 3 4 5 # of Revocations Per Day Month: Year: Heartbleed Weekday Saturday Sunday

Evaluation

978 CRLs extracted from Rapid7’s scan of the entire IPv4 space

Security takes the weekends off 114,021 402,747

102 103 104 105 1 2013 2 3 4 5 6 7 8 9 10 11 12 1 2014 2 3 4 5 # of Revocations Per Day Month: Year: Heartbleed Weekday Saturday Sunday

How quickly can RevCast update?

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0.01 0.1 1 10 100 CDF Fraction of interval required Interval (s) 10 20 60 120

How quickly can RevCast update?

96% of 10sec intervals 99.999% of 2min intervals

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0.01 0.1 1 10 100 CDF Fraction of interval required Interval (s) 10 20 60 120

Worst-case scenario

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0.1 1 10 100 CDF Fraction of interval required Interval (10s) Pre-heartbleed Post-heartbleed

Worst-case scenario

70% of time, up-to-date within 10 seconds

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0.1 1 10 100 CDF Fraction of interval required Interval (10s) Pre-heartbleed Post-heartbleed

Worst-case scenario

70% of time, up-to-date within 10 seconds

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0.1 1 10 100 CDF Fraction of interval required Interval (10s) Pre-heartbleed Post-heartbleed

The most extreme takes 15.5 minutes

Why does RevCast work?

In a small window, there are usually
 few revocations

0.00 0.20 0.40 0.60 0.80 1.00 1 10 100 1000 CDF Revocations Per Interval Interval (s) 20 120

Why does RevCast work?

In a small window, there are usually
 few revocations

0.00 0.20 0.40 0.60 0.80 1.00 1 10 100 1000 CDF Revocations Per Interval Interval (s) 20 120

Why does RevCast work?

Different CAs rarely
 revoke within the same window In a small window, there are usually
 few revocations

0.00 0.20 0.40 0.60 0.80 1.00 1 10 100 CDF CAs Revoking Per Interval Interval (s) 20 120

Why does RevCast work?

Different CAs rarely
 revoke within the same window In a small window, there are usually
 few revocations

• Most CAs co-sign “nothing now” messages
• When they do have something to revoke, it’s a small list

0.00 0.20 0.40 0.60 0.80 1.00 1 10 100 CDF CAs Revoking Per Interval Interval (s) 20 120

FM RDS is ideal for disseminating revocations

Receivers:

• Tiny and cheap (2.5 x 2.5 mm)
• Already built into many devices*


Robustness:

• 10 error correcting bits for every 16 bits
• VHF & FM (same used for emergency weather radio)

*receivers not antennas

Conclusions

It is possible to design a revocation system that provides timelines, privacy, and is low cost. Broadcasting revocations is a novel application of
 multi-signatures.

Practical in today’s Internet, and necessary in tomorrow’s.