certificate transparency saba eskandarian, eran messeri ...saba/slides/ctpriv.pdf · summary ct is...
TRANSCRIPT
Certificate Transparency with Privacy
Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford
Certificate Authorities
Public Key
Certificate Authorities
Public Key
CertificateCertificate
CA
apo-CA-lypse
apo-CA-lypse
Outline
● Certificate Transparency
● Redaction of private subdomains
● Privacy-preserving proof of misbehavior
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
CertificateCertificate
CA
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
CertificateCertificate
CA
Log
...
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
CertificateCertificate
CA
Log
...
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
Certificate, SCTCertificate, SCT
CA
Log
...
Certificate
SCT
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
Certificate, SCTCertificate, SCT
CA
Log
...
Certificate
SCT
Certificate Transparency (CT)
Idea: public, verifiable log of all certificates
Public Key
Certificate, SCTCertificate, SCT
CA
Log
...
Certificate
SCT
CT logging required by chrome for all sites starting October 2017!
Transparency and Privacy?
Outline
● Certificate Transparency
● Redaction of private subdomains
● Privacy-preserving proof of misbehavior
CA
Redaction: keeping secrets on a public log
Request Certificatesecret.facebook.com
Precertificatesecret.facebook.com
SCTsecret.facebook.com
Certificate, SCTsecret.facebook.com
Log
...
Problem: secret.facebook.com is publicly visible on the log!
CA
Redaction: keeping secrets on a public log
Log
...
Request Certificatesecret.facebook.com
Precertificatesecret.facebook.com
SCTsecret.facebook.com
Certificate, SCTsecret.facebook.com
Redacted
Redacted
Problem: secret.facebook.com is publicly visible on the log!
Usage:
c ← Commit(m, r)
Verify(c, m, r)
Security Properties:
Hiding: given commitment Commit(m, r), can’t find m
Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m
Tools: Commitments
r
val
Commit(m, r)
Usage:
c ← Commit(m, r)
Verify(c, m, r)
Security Properties:
Hiding: given commitment Commit(m, r), can’t find m
Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m
Tools: Commitments
r
Usage:
c ← Commit(m, r)
Verify(c, m, r)
Security Properties:
Hiding: given commitment Commit(m, r), can’t find m
Binding: given commitment Commit(m, r), can’t decommit to m’ ≠ m
Tools: Commitments
r
valr
Verify( , val, r)
Subdomain Redaction via Commitments
Request Certificate
secret.facebook.comsecret.facebook.com
Log
...
CA
Subdomain Redaction via Commitments
Request Certificate
secret.facebook.comsecret.facebook.com
Log
...
Precertificate
secret.facebook.com
CA
Subdomain Redaction via Commitments
Request Certificate
secret.facebook.comsecret.facebook.com
Log
...
Precertificate
secret.facebook.com
SCT
secret.facebook.com
.com
CA
Subdomain Redaction via Commitments
Request Certificate
secret.facebook.comsecret.facebook.com
Log
...
Precertificate
secret.facebook.com
SCT
secret.facebook.com
Certificatesecret.facebook.com
SCT: secret.facebook.comSCT Opening: .facebook
.com
CA
Subdomain Redaction via Commitments
Page Request: secret.facebook.com
Subdomain Redaction via Commitments
Page Request: secret.facebook.com
Certificatesecret.facebook.com
SCT: secret.facebook.comSCT Opening:
Subdomain Redaction via Commitments
Page Request: secret.facebook.com
Verify( , secret, )
Certificatesecret.facebook.com
SCT: secret.facebook.comSCT Opening:
SecurityHow can a monitor still check the log?
Knowledge of number of entries per domain owner reveals extra certificates
Why can’t a malicious site or CA reuse an existing redacted SCT?
Binding property of commitment
Outline
● Certificate Transparency
● Redaction of private subdomains
● Privacy-preserving proof of misbehavior
Privacy-Compromising Proof of Exclusion
1 2 3 4 5 6 7 8 9 10Log
Excluded SCT
secret.facebook.com
Privacy-Compromising Proof of Exclusion
1 2 3 4 5 6 7 8 9 10Log
Excluded SCT
secret.facebook.com
Goals● Auditor proves to vendor that an SCT is missing from log● Auditor does not reveal domain name, vendor only learns that log is
misbehaving
Goals● Auditor proves to vendor that an SCT is missing from log● Auditor does not reveal domain name, vendor only learns that log is
misbehaving
Then:
● Vendor can investigate log● Vendor can blindly revoke missing certificate (by pushing a revocation value
to all browsers)
Goals● Auditor proves to vendor that an SCT is missing from log● Auditor does not reveal domain name, vendor only learns that log is
misbehaving
Then:
● Vendor can investigate log● Vendor can blindly revoke missing certificate (by pushing a revocation value
to all browsers)
Assumption: timestamps in order
What Does Auditor Prove?
1 2 3 4 5 6 7 8 9 10Log
Excluded SCT
What Does Auditor Prove?
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
t=25Excluded SCT
Assumption: timestamps in order
What Does Auditor Prove?
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
t=25Excluded SCT
Assumption: timestamps in order
What Does Auditor Prove?
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
t=253t=21
4t=27
What Does Auditor Prove?
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
What about privacy?!
t=253t=21
4t=27
Tools: Additively Homomorphic Commitments
val2val1
Tools: Additively Homomorphic Commitments
val2val1 +
Tools: Additively Homomorphic Commitments
val2val1 val1+val2+ =
Tools: Zero-Knowledge Proofs
A
Tools: Zero-Knowledge Proofs
=A B
Tools: Zero-Knowledge Proofs
=
0 < < 5
A B
AA
Tools: Zero-Knowledge Proofs
=
0 < < 5
A B
AA
valvalsk
Tools: Zero-Knowledge Proofs
=
0 < < 5
A B
AA
valvalsk
Tools: Zero-Knowledge Proofs
=
0 < < 5
A B
AA
valvalsk
Proof of Exclusion
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
What about privacy?!
t=253t=21
4t=27
Proof of Exclusion
1t=4
2t=18
3t=21
4t=27
5t=30
6t=38
7t=41
8t=42
9t=50
10t=59
Log
What about privacy?!
X Y Z
Index(X)Time(X)
Index(Z)Time(Z)
Time(Y)
Proof of Exclusion
Y
X
Z
Index(X) Index(Z)
Time(Z)Time(X)
Proof of Exclusion
Time(Y)
+ 1 =
< <Y
X
Z
Index(X) Index(Z)
Time(Z)Time(X)
Proof of Exclusion
Time(Y)
+ 1 =
< <Y
X
Z
Index(X) Index(Z)
Time(Z)Time(X)
Proof of Exclusion
Time(Y)
+ 1 =
< <Y
X
Z
Index(X) Index(Z)
Time(Z)Time(X)
Proof of Exclusion
Time(Y)
+ 1 =
< <Y
X
Z
Are these numbers really from the log?
543
1211
Proof of Exclusion
+ 1 =
< <Y
X
Z
hehehe...
Proof of Exclusion
Needed for proof
X
Index(X) Time(X)
skH
Proof of Exclusion
New signatures from log
Needed for proof
X
Index(X) Time(X)
H(x)+Index(X) H(x) H(x)+Time(X)
skI skT
Proof of Exclusion
New signatures from log
Needed for proof
X
Index(X) Time(X)
H(X)
skH
H(x)+Index(X) H(x) H(x)+Time(X)
skI skT
Proof of Exclusion
New signatures from log
Needed for proof
X
Index(X) Time(X)
H(X)+ +
skH
H(x)+Index(X) H(x) H(x)+Time(X)
skI skT
Proof of Exclusion
New signatures from log
Needed for proof
X
Index(X) Time(X)
H(X)H(x)+Index(X) H(x)+Time(X)+ +
skH
H(x)+Index(X) H(x) H(x)+Time(X)
skI skT
Proof of Exclusion
New signatures from log
Needed for proof
X
Index(X) Time(X)
H(X)H(x)+Index(X) H(x)+Time(X)+ +
skH
H(x)+Index(X) H(x) H(x)+Time(X)
skI skT
Performance Numbers
Online Costs
Proof Size: 333 kB
Time to generate: 5.0 seconds
Time to verify: 2.3 seconds
Offline Costs (storage)
Growth of log entry: 480 bytes
Growth of SCT: 160 bytes
Revocation notice size: 32 bytes
Summary● CT is an exciting new feature of our web infrastructure
● Transparency raises new privacy concerns
● Work on privacy-preserving solutions to two issues:
○ Compatibility between CT and need for private domain names
○ Reporting CT log misbehavior without revealing private information
See paper for details and security proofs: https://arxiv.org/pdf/1703.02209.pdf