COCA: a secure distributed online certification authority

COCA is a fault-tolerant and secure online certification authority that has been built and deployed both in a local area network and in the Internet. Extremely weak assumptions characterize environments in which COCA's protocols execute correctly: no assumption is made about execution speed and message delivery delays; channels are expected to exhibit only intermittent reliability; and with 3t + 1 COCA servers up to t may be faulty or compromised. COCA is the first system to integrate a Byzantine quorum system (used to achieve availability) with proactive recovery (used to defend against mobile adversaries which attack, compromise, and control one replica for a limited period of time before moving on to another). In addition to tackling problems associated with combining fault-tolerance and security, new proactive recovery protocols had to be developed. Experimental results give a quantitative evaluation for the cost and effectiveness of the protocols.
