Abstract
Digital signatures are widely used to assure the authenticity and integrity of messages (including blockchain transactions). This assurance rests on the assumption that the private signing key is kept secret, yet in practice the key may be exposed or compromised without the exposure being detected. Many schemes have been proposed to mitigate this problem, but most are not compatible with widely used digital signature standards and do not help detect private key exposures. In this paper, we propose a Key Compromise Resilient Signature (KCRS) system, which leverages a blockchain to detect key compromises and mitigate their consequences. Our solution keeps a log of the valid certificates and digital signatures that have been issued on the blockchain, which deters the abuse of compromised private keys. Since the blockchain is an open system, KCRS also provides a privacy protection mechanism that prevents the public from learning the relationship between signatures. We present a theoretical framework for the security of the system and a provably-secure construction. We also implement a prototype of KCRS and conduct experiments to demonstrate its practicability.
Acknowledgment
This work is supported in part by AFRL Grant #FA8750-19-1-0019 and NSF CREST Grant #1736209.
© 2020 Springer Nature Singapore Pte Ltd.
Cite this paper
Xu, L. et al. (2020). KCRS: A Blockchain-Based Key Compromise Resilient Signature System. In: Zheng, Z., Dai, HN., Tang, M., Chen, X. (eds) Blockchain and Trustworthy Systems. BlockSys 2019. Communications in Computer and Information Science, vol 1156. Springer, Singapore. https://doi.org/10.1007/978-981-15-2777-7_19
DOI: https://doi.org/10.1007/978-981-15-2777-7_19
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-2776-0
Online ISBN: 978-981-15-2777-7