COCA: a secure distributed online certification authority

COCA is a fault-tolerant and secure on-line certification authority that has been built and deployed both in a local area network and in the Internet. Replication is used to achieve availability; proactive recovery with threshold cryptography is used for digitally signing certificates in a way that defends against mobile adversaries that attack, compromise, and control one replica for a limited period of time before moving on to another. Relatively weak assumptions characterize the environments in which COCA's protocols will execute correctly. No assumption is made about execution speeds or message delivery delays; channels are expected to exhibit only intermittent reliability; and with 3t+1 COCA servers, up to t may be faulty or compromised. The result is a system with inherent defenses against certain denial of service attacks because, by their very nature, weak assumptions are difficult for attackers to invalidate. In addition, traditional techniques, including request authorization, resource management based on segregating and scheduling different classes of requests, and caching the results of expensive cryptographic operations, further reduce COCA's vulnerability to denial of service attacks. Results from experiments in a local area network and the Internet allow a quantitative evaluation of the various means COCA employs to resist denial of service attacks.
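The abstract's core defensive idea, threshold signing among 3t+1 replicas with proactive refresh against a mobile adversary, is easiest to see on a small model. The block below is an added example, not COCA's code: it uses Shamir secret sharing over a prime field as a stand-in for COCA's threshold RSA signing key, and deals the proactive refresh from a single point for brevity, whereas a real proactive scheme has each server deal its own verifiable zero-sharing. The field modulus, the threshold parameters and the sample secret are constructed for illustration.

```python
"""Proactive (t+1)-of-n secret sharing, modelling the abstract's setting:
n = 3t+1 servers, any t+1 shares rebuild the secret, t shares reveal nothing,
and a periodic refresh makes shares stolen in one epoch useless in the next.

Added example (not COCA's code). Shamir sharing over a prime field stands in
for COCA's threshold RSA key; the refresh is dealt centrally here as a
simplification of per-server verifiable zero-sharings.
"""
import secrets

P = 2**127 - 1  # field modulus: a Mersenne prime (constructed choice)


def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n):
    """Split `secret` into n shares; any t+1 reconstruct it, any t are independent of it.

    Shares are points (i, f(i)) of a random degree-t polynomial with f(0) = secret.
    """
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange-interpolate f(0) from a dict {index: share}.

    Fewer than t+1 consistent points from one epoch yield only noise, which is
    what makes an adversary limited to t compromised servers harmless.
    """
    total = 0
    xs = list(shares)
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if i != j:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + shares[i] * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t):
    """Proactive refresh: add to every share one share of zero per server.

    The constant term stays equal to the secret, but the polynomial changes, so
    shares captured before the refresh cannot be combined with shares captured
    after it. This is the defence against a mobile adversary that compromises
    at most t servers per epoch but different ones over time.
    """
    n = len(shares)
    new = dict(shares)
    for _ in range(n):                 # one zero-sharing per contributing server
        zero_shares = share(0, t, n)   # degree-t polynomial with constant term 0
        for i in new:
            new[i] = (new[i] + zero_shares[i]) % P
    return new


def quorum_signs(shares_epoch, t, faulty):
    """Model a signing round in which the servers in `faulty` withhold their shares.

    With n = 3t+1 and |faulty| <= t, at least 2t+1 >= t+1 honest shares remain,
    so the combined value equals the secret: the certificate can be signed
    without the faulty replicas' cooperation.
    """
    honest = {i: s for i, s in shares_epoch.items() if i not in faulty}
    return reconstruct(dict(list(honest.items())[: t + 1]))


if __name__ == "__main__":
    t = 1
    n = 3 * t + 1
    key = secrets.randbelow(P)           # constructed sample secret
    epoch0 = share(key, t, n)
    epoch1 = refresh(epoch0, t)
    print("honest quorum signs despite faulty server 2:", quorum_signs(epoch1, t, {2}) == key)
    stolen = {1: epoch0[1], 3: epoch1[3]}   # one share per epoch, never t+1 from one epoch
    print("mobile adversary mixing epochs recovers key:", reconstruct(stolen) == key)
```

Run it as a script to see both checks: a quorum of t+1 honest servers still produces the key after a refresh even with a faulty replica withholding its share, while an adversary holding one pre-refresh and one post-refresh share (t per epoch, n = 4, t = 1) reconstructs garbage. The same functions work for larger t, for example t = 2 with n = 7, where any two faulty servers can be tolerated.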
