ARECA: a highly attack resilient certification authority

SSRS '03 Pub Date : 2003-10-31 DOI:10.1145/1036921.1036927

Jiwu Jing, Peng Liu, D. Feng, Ji Xiang, Neng Gao, Jingqiang Lin

{"title":"ARECA: a highly attack resilient certification authority","authors":"Jiwu Jing, Peng Liu, D. Feng, Ji Xiang, Neng Gao, Jingqiang Lin","doi":"10.1145/1036921.1036927","DOIUrl":null,"url":null,"abstract":"Certification Authorities (CA) are a critical component of a PKI. All the certificates issued by a CA will become invalid when the (signing) private key of the CA is compromised. Hence it is a very important issue to protect the private key of an online CA. ARECA systems, built on top of threshold cryptography, ensure the security of a CA through a series of defense-in-depth protections. ARECA systems won't be compromised when a few system components are compromised or some system administrators betray. The private key of a CA is protected by distributing different shares of the key to different (signing) components and by ensuring that any component of the CA is unable to reconstruct the private key. In addition, the multi-layer system architecture of ARECA makes it very difficult to attack from outside. Several threshold-cryptography-based methods are proposed in the literature to construct an intrusion tolerant CA, and the uniqueness of ARECA is that it engineers a novel two phase signature composition scheme and a multi-layer CA protection architecture. As a result, ARECA is (a) practical, (b) highly resilient to both insider and outsider attacks that compromise one or more components, and (c) can prevent a variety of outside attacks.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"SSRS '03","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1036921.1036927","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Certification Authorities (CA) are a critical component of a PKI. All the certificates issued by a CA will become invalid when the (signing) private key of the CA is compromised. Hence it is a very important issue to protect the private key of an online CA. ARECA systems, built on top of threshold cryptography, ensure the security of a CA through a series of defense-in-depth protections. ARECA systems won't be compromised when a few system components are compromised or some system administrators betray. The private key of a CA is protected by distributing different shares of the key to different (signing) components and by ensuring that any component of the CA is unable to reconstruct the private key. In addition, the multi-layer system architecture of ARECA makes it very difficult to attack from outside. Several threshold-cryptography-based methods are proposed in the literature to construct an intrusion tolerant CA, and the uniqueness of ARECA is that it engineers a novel two phase signature composition scheme and a multi-layer CA protection architecture. As a result, ARECA is (a) practical, (b) highly resilient to both insider and outsider attacks that compromise one or more components, and (c) can prevent a variety of outside attacks.

查看原文本刊更多论文

ARECA:具有高度抗攻击能力的证书颁发机构

证书颁发机构(CA)是PKI的关键组成部分。当CA的(签名)私钥泄露时，CA颁发的所有证书都将失效。因此，如何保护在线CA的私钥是一个非常重要的问题。建立在阈值密码学基础上的ARECA系统，通过一系列的纵深防御来保证CA的安全。当一些系统组件被破坏或一些系统管理员背叛时，ARECA系统不会受到损害。通过将密钥的不同共享分发给不同的(签名)组件，并确保CA的任何组件都无法重构私钥，CA的私钥得到了保护。此外，ARECA的多层体系结构使得从外部攻击非常困难。文献中提出了几种基于阈值密码学的方法来构建入侵容忍CA，而ARECA的独特之处在于它设计了一种新颖的两阶段签名组合方案和多层CA保护体系结构。因此，ARECA具有(a)实用性，(b)对危及一个或多个组件的内部和外部攻击具有高度弹性，以及(c)可以防止各种外部攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

SSRS '03

自引率

0.00%

发文量