• No results found

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

Optimized Certificates – A New Proposal for

Efficient Electronic Document Signature Validation

Martín Augusto G. Vigil

Ricardo Felipe Custódio Joni da Silva Fraga

Juliano Romani

Fernando Carlos Pereira

Federal University of Santa Catarina/Brazil

EuroPKI'08

(2)

Outline

● About the speaker

● Signed documents issues ● Solutions approaches

● Optimized Certificate's approach ● Optimized PKI

● Optimized Certificate Format ● Considerations

● Future work ● Questions

(3)

About the speaker

● Martín Augusto Gagliotti Vigil

– MSc student at Federal University of Santa

Catarina - Brazil

● Computer Security Lab (aka LabSEC)

João de Barro: development of a hardware (HSM)

and software solution to support the federal Brazilian PKI (aka ICP-Brasil)

Electronic documents management

ICPEDU: development of a PKI for universities and

research centers

(4)

Signed documents issues

● What information will be included in a signed

document in order to validate it?

– As little as possible and performing external queries

to acquire missing data when validating a signature

– All necessary data to validate a signature

● What else is required?

(5)

Using external queries approach

Signer Verifiers

Directory

(6)

Embedding everything

Doc Sig TS CC RR Doc Sig TS Root CA CA2 CA5 U1 CRL1 CRL2 CRL3 Doc Sig Root CA CA2 TSA1 CRL1 CRL2 CRLs often become long

(7)

Solution Approaches

● One could use short term certificates (Rivest

1998)

– Certificates do not need to be revoked – CRLs are dismissed

● Drawback in this approach

– Overhead in renewing users certificates

● Generation of a cryptographic key pair ● Generation of a X509 certificate

(8)

Optimized Certificate (OC)

● Aiming at reducing embedded data in a signed

document

– Short term certificate: issuance and expiration date

are equal

● CRL checking for OC is dismissed

● Signed document's time-stamp is dismissed

– Micali's Novomodo validity proof into OCs

● CRL checking for OC's issuer is dismissed ● Fast revocation checking: hash evaluation

(9)

Validation Effort

● Finding out a certification path ● Validating each certificate

– High cost: revocation status checking

● Checking policies Root CA CA2 CA5 CA6 U1 CA1 CA3 CA4 CRL1 CRL2 CRL3

(10)

Optimized Certificate (OC)

Doc Sig OC Root CA Doc Sig TS Root CA CA1 CA3 U1 CRL1 CRL2 CRL3 CRL1

Traditional Signed Doc

Signed Doc with an Optimized Certificate

(11)

OC and Signed Documents

● OC carries traditional certificate's information

and some extra extensions

● Optimized certificate issued for a document

– OC linked to a document's hash code

– OC can work as a document time-stamp

● Implemented using a X509 extension

(12)

OC Certification Authority (OCCA)

Validates doc signature, certificate chain and time-stamp Signer or Verifier OCCA

(13)

OCCA and its PKI level

Root CA OCCA1 U1 CA2 CA5 CA6 CRL1 CRL2 CRL3 U oc1 Uoc2

● Aiming validation performance

(14)

OC and its Validation

● Short term certificate

– Beginning and ending of validity are equal – X509 standard is not changed

(15)

OCCA's certificate and its Validation

● OCCA certificate validation engages Micali's

Novomodo

– Novomodo's proof of OCCA validity embedded in

issued OCs deploying a X509 extension

– X509 standard is not changed

(16)

Optimized PKI Security

● OCCA requests its validity proofs to Root CA

● OCCA issues OCs until its validity proof expires ● In order to issue OCs an attacker needs

OCCA's private key and novomodo secret values owned by Root CA

(17)

OC Interpretation

● Signer can request an OC for a signed

document

– OC date and time should be understood as the

time when the signature was created

– OC date and time can be accepted as proof of

document's existence at that time

(18)

OC Interpretation

● Also a verifier can request an OC for a

third-party signed document

– OC's date and time is the moment of OC's request – OC's date and time is defined by verifier

– OC's date and time correspond to document's

signature time-stamp

● Interpretation flags are embedded in issued

(19)

OC and X509

Version

Extensions

Serial

Issuer

Subject Public Key Info

Document's hash code Micali's novomodo proof

OC's meaning flag Validity

NotBefore = NotAfter Signature Algorithm

Subject

(20)

Considerations

● Optimal document representation

● No external consult needed to validate an OC ● Low costs of certificate validation and storage ● Suitable to environments of limited in energy,

bandwidth and memory

● Improve the efficiency of mass on-line

transactions

● Overhead in traditional certificate validation by

(21)

Future Work

● Formal analysis of OCCA's protocols

● Design and implement a prototype of an OCCA

– Embedding OCCA in our HSM

(22)

Questions?

●Ricardo Felipe Custódio - [email protected] ●Martín Augusto G. Vigil - [email protected]

(23)

Further information

● OCCA's project website

– https://projetos.labsec.ufsc.br/ac-otimizadora-i

● LabSEC's related projects

References

Download now ( PDF - 23 Page - 326.78 KB )

Related documents

A Book for Ielts

a Answer: False. The paragraph talks about drivers and the opinion they have of themselves, not their opinion of other matters or people. The text then goes on to talk about

Introduction Guide pdoc Signer

Click on the OK button in the Signature Capture Window; pDoc Signer will close the window, securely embed the signature in the PDF document, and display the signature in the

Rules under Companies Act, 2013

Act, Annexure, Certifying Authority, Director Identification Number, Digital Signature, Digital Signature Certificate, e-form, electronic registry, electronic mail,

ELECTRONIC SIGNATURE LAW

"certified electronic signature" – a secure electronic signature, for which a certification authority issued an electronic certificate in respect of the signature

TERMS OF USE FOR NOTARIAL PERSONAL REPRESENTATION CERTIFICATES FOR AUTHENTICATION

appropriate for the electronic signature to be verified, as an electronic signature may be based on more than one certification chain, and is up to the verifier to ensure the use

TERMS OF USE FOR PUBLIC LAW CORPORATION PERSONAL CERTIFICATES FOR QUALIFIED DIGITAL SIGNATURE

appropriate for the electronic signature to be verified, as an electronic signature may be based on more than one certification chain, and is up to the verifier to ensure the use

Digital Signature Application

authority. k) Upon signature verification, the digital signature system must verify that the signer’s certificate has not been modified or revoked. The certificate chain should

Tuberculosis and HIV co-infection—focus on the Asia-Pacific region

Increased awareness and concerted action is required to reduce TB/HIV co- infection rates in the Asia-Pacific region and to improve the outcomes of people living with HIV.. Published