
How to Avoid the Breakdown of Public Key Infrastructures

Forward Secure Signatures for Certificate Authorities

Conference paper, in: Public Key Infrastructures, Services and Applications (EuroPKI 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7868)


Abstract

Recent attacks and publications have shown the vulnerability of hierarchical Public Key Infrastructures (PKIs) and the fatal impact of revoked Certification Authority (CA) certificates in the PKIX validity model. Alternative validity models, such as the extended shell and the chain model, improve the situation but rely on independent proofs of existence, which are usually provided using time-stamps. As time-stamps are validated using certificates, they suffer from the same problems as the PKI they are supposed to protect. Our solution to this problem is abandoning time-stamps and providing proof of existence using Forward Secure Signatures (FSS). In particular, we present different possibilities to use the chain model together with FSS, resulting in schemes that include the necessary proofs of existence into the certificates themselves.
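The abstract's core idea is that a forward secure signature carries its own proof of existence: the signing key evolves through numbered periods and earlier keys are destroyed, so a signature that verifies for period i can only have been produced while the signer still held the period-i key. A verifier using the chain model can therefore accept a certificate signed in period i even after the CA key is revoked from some later period. The following Python is an added illustration written for this page, not code from the paper or its authors: it builds a toy key-evolving signer (one Lamport one-time key per period, authenticated by a Merkle tree whose root is the long-term public key, in the style of generic hash-based constructions rather than the paper's own scheme), and a chain-model check that uses the authenticated period index in place of a time-stamp. All names (`ForwardSecureSigner`, `fss_verify`, `chain_model_valid`, the certificate dictionaries and the revocation period) are assumptions of this example.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    # i-th bit of a 32-byte digest, most significant bit first
    return (digest[i // 8] >> (7 - i % 8)) & 1


class LamportOTS:
    """Hash-based one-time signature (Lamport); one key pair per period."""
    @staticmethod
    def keygen():
        sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
        pk = [(H(a), H(b)) for a, b in sk]
        return sk, pk

    @staticmethod
    def sign(sk, msg: bytes):
        d = H(msg)
        return [sk[i][_bit(d, i)] for i in range(256)]

    @staticmethod
    def verify(pk, msg: bytes, sig) -> bool:
        d = H(msg)
        return len(sig) == 256 and all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


def pk_digest(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


class ForwardSecureSigner:
    """Toy key-evolving signer (hypothetical, not the paper's construction): one
    Lamport key per period, authenticated by a Merkle tree whose root is the
    long-term public key. The leaf position of a key IS its period number."""
    def __init__(self, periods: int):
        assert periods > 0 and periods & (periods - 1) == 0, "periods must be a power of two"
        self.T, self.period = periods, 0
        pairs = [LamportOTS.keygen() for _ in range(periods)]
        self._sks = [sk for sk, _ in pairs]   # erased one by one by update()
        self._pks = [pk for _, pk in pairs]
        self.tree = [[pk_digest(pk) for pk in self._pks]]
        while len(self.tree[-1]) > 1:
            lvl = self.tree[-1]
            self.tree.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.public_key = self.tree[-1][0]

    def update(self) -> None:
        """Advance to the next period and destroy the current key, so a later
        compromise of the signer cannot yield signatures dated to this period."""
        self._sks[self.period] = None
        self.period += 1

    def sign(self, msg: bytes) -> dict:
        if self.period >= self.T or self._sks[self.period] is None:
            raise RuntimeError("no signing key for this period")
        auth, idx = [], self.period
        for lvl in self.tree[:-1]:            # Merkle authentication path for leaf `period`
            auth.append(lvl[idx ^ 1])
            idx //= 2
        return {"period": self.period, "ots": LamportOTS.sign(self._sks[self.period], msg),
                "ots_pk": self._pks[self.period], "auth": auth}


def fss_verify(public_key: bytes, msg: bytes, sig: dict) -> bool:
    """Verify the one-time signature and that its key sits at leaf `period` of
    the tree; the period index is thus bound to the signature and cannot be
    altered without breaking verification."""
    if not LamportOTS.verify(sig["ots_pk"], msg, sig["ots"]):
        return False
    node, idx = pk_digest(sig["ots_pk"]), sig["period"]
    for sibling in sig["auth"]:
        node = H(node + sibling) if idx % 2 == 0 else H(sibling + node)
        idx //= 2
    return node == public_key


def chain_model_valid(cert: dict, issuer_pk: bytes, issuer_revoked_from) -> bool:
    """Chain-model check: the issuer's signature must verify and must carry a
    period earlier than the period from which the issuer key is revoked. The
    authenticated period index replaces the time-stamp's proof of existence."""
    sig = cert["sig"]
    if not fss_verify(issuer_pk, cert["tbs"], sig):
        return False
    return issuer_revoked_from is None or sig["period"] < issuer_revoked_from


def demo():
    """Constructed scenario: a CA issues one certificate in period 1; later its
    key is revoked from period 3 on. Returns (early_valid, late_valid)."""
    ca = ForwardSecureSigner(periods=4)
    ca.update()                                   # now in period 1
    early = {"tbs": b"CN=example.test; issued in period 1 (constructed)"}
    early["sig"] = ca.sign(early["tbs"])
    ca.update(); ca.update()                      # now in period 3
    late = {"tbs": b"CN=example.test; issued in period 3 (constructed)"}
    late["sig"] = ca.sign(late["tbs"])
    revoked_from = 3                              # published with the revocation
    return (chain_model_valid(early, ca.public_key, revoked_from),
            chain_model_valid(late, ca.public_key, revoked_from))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier never needs a time-stamping authority: the period index is authenticated by the issuer's own long-term public key via the Merkle path, and the forward-security property (the period-1 key no longer exists once the signer has moved on) is what makes "signed in period 1" a statement about the past rather than a claim the signer can make at will. A real deployment would additionally need the revocation information to state the first compromised period, which is the value `issuer_revoked_from` stands in for here.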




© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Braun, J., Hülsing, A., Wiesmaier, A., Vigil, M.A.G., Buchmann, J. (2013). How to Avoid the Breakdown of Public Key Infrastructures. In: De Capitani di Vimercati, S., Mitchell, C. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2012. Lecture Notes in Computer Science, vol 7868. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40012-4_4


  • DOI: https://doi.org/10.1007/978-3-642-40012-4_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40011-7

  • Online ISBN: 978-3-642-40012-4
