1. Field of the Invention
The present invention relates to an online certificate status protocol (OCSP) for verifying a user's certificate online in a public key infrastructure (PKI), and more particularly, to a system and method for detecting exposure of an OCSP responder's session private key in a distributed OCSP based on key-insulated signatures (D-OCSP-KIS), in which multiple OCSP responders exist.
2. Description of the Related Art
Various cryptographic algorithms have been developed for security on the Internet. A cryptographic algorithm requires a confidentiality function for keeping information secret, a function for performing authentication to identify a person who sends information, a function for checking the integrity of information, and a non-repudiation function for preventing denial of the fact that an information provider provides information.
As a cryptographic algorithm having such functions, a cryptographic algorithm using a key has been widely used. The key-based cryptographic algorithm includes a symmetric encryption algorithm or a secret key algorithm, which uses a single secret key, and an asymmetric encryption algorithm or a public key algorithm, which uses a pair consisting of a public key and a private key. A message digest (MD), produced by a one-way hash function, is not itself an encryption algorithm; it is used to check the integrity of received information and, in combination with a key or a digital signature, to authenticate the sender.
The symmetric encryption algorithm is an algorithm in which the decryption key is identical to, or trivially derived from, the encryption key, so that both encryption and decryption are performed with a single secret key. A person who sends information or a message encrypts it using the secret key and then sends the ciphertext, and the person who receives the ciphertext decrypts it using the same secret key. The symmetric encryption algorithm has the advantage that encryption and decryption are fast and that many encryption techniques can be employed, and it therefore has many applications. On the other hand, it has the disadvantage that generating and managing secret keys is difficult when there are many users, and that each secret key must be transmitted securely. Symmetric encryption algorithms include Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), RC2, RC5, SEED, and so on.
The public key encryption algorithm uses an encryption key and a decryption key which are different from each other; that is, the decryption key cannot be derived from the encryption key. The public key encryption algorithm uses a key pair consisting of a public key and a private key. Since the public key is open to the public, a sender encrypts the desired information using the receiver's public key and then sends the ciphertext, and the receiver decrypts the ciphertext using his/her private key. Because ciphertext can be decrypted only with the private key corresponding to the public key used for encryption, no secret key needs to be transmitted. However, the public key encryption algorithm is slow to encrypt and decrypt and is therefore inconvenient for large volumes of information. Public key algorithms used in a PKI include Rivest-Shamir-Adleman (RSA), LUC, Diffie-Hellman (a key agreement scheme), elliptic curve algorithms, and so on.
Meanwhile, the message digest algorithm is used to secure the integrity of information as described above. The message digest algorithm converts given information or a message into a hash value of a predetermined length using a one-way hash function. The ciphertext is transmitted together with the message digest, and the receiver decrypts the ciphertext into plaintext, computes the hash value of the plaintext, and then compares the computed hash value to the received hash value. When the two hash values are identical, the information was not changed during transmission. Message digest algorithms include Snefru, CRC-32, CRC-16, MD2, MD4, MD5, SHA, Haval, and so on. Of these, CRC-16 and CRC-32 are error-detecting checksums rather than one-way hash functions and give no protection against deliberate modification, and MD2, MD4 and MD5 are no longer considered collision-resistant.
The type of cryptographic algorithm most widely used in electronic commercial transactions is a hybrid type which combines asymmetric and symmetric encryption. In the hybrid type cryptographic algorithm, the message is encrypted by the secret key algorithm using a freshly generated secret key, the secret key is encrypted by the public key algorithm using the receiver's public key, and the two ciphertexts are transmitted together. The receiver decrypts the secret key using his/her private key and then decrypts the message using the recovered secret key. For authentication, integrity and non-repudiation, the message digest signed with the sender's private key (referred to as a "digital signature") is generally transmitted as well. The receiver verifies the signature using the sender's public key and compares the recovered message digest with the message digest of the decrypted plaintext, thereby authenticating the sender and establishing content integrity and non-repudiation.
The above-described cryptographic algorithm is disclosed in Korean Publication No. 2000-72218, entitled: “METHOD FOR MANAGING AND SYNCHRONIZING SECURITY DATA IN INTERNET USING ENCRYPTION AND DIGITAL SIGNITURE” and Korean Publication No. 2004-37051, entitled: “DOCUMENT SECURITY SYSTEM AND METHOD FOR THE SAME AND RECORDING MEDIUM FOR EXECUTING THE PROGRAM CAPABLE OF READING COMPUTER”.
The PKI described above provides extensive security services such as authentication, integrity, and non-repudiation by using the public key algorithm. A main feature of the PKI is the digital certificate, in which identity information of an entity such as a user or an organization is bound to its public key and then digitally signed by a certificate authority (CA). When an entity's private key is compromised or its identity information changes, the entity requests the CA to revoke its certificate. Information indicating whether a certificate is revoked or not is referred to as certificate status information (CSI), and a certificate revocation list (CRL) is one well-known method for obtaining and managing CSI.
The CRL is simple, but the communication cost between a user and the CA's directory or repository is high, because the whole list must be downloaded. For this reason, several methods have been suggested to reduce the size and cost of communicating CSI, such as delta-CRLs, CRL Distribution Points (CRL DPs), over-issued CRLs, indirect CRLs, dynamic CRL DPs, freshest CRLs, Certificate Revocation Trees (CRTs), NOVOMODO, and Authenticated Directory.
When a client or a user wants the CSI in a timely manner, an online certificate status checking method such as OCSP is more convenient than a periodically published list such as the CRL.
Using OCSP, the client does not need to download the CRL from the directory of the CA, so the communication cost is low and the client needs no memory for storing the CRL. However, if all CSI requests are directed to a single OCSP responder, that responder becomes a target for a denial of service (DoS) attack. To reduce the risk of a DoS attack, the OCSP responder may precompute signed responses that remain valid for a short time instead of signing each response on demand. However, a precomputed response that remains valid for a period can be replayed by an attacker within that period.
In order to reduce the load on a single OCSP responder in the traditional OCSP, a distributed OCSP (D-OCSP) in which multiple OCSP responders coexist has been introduced. If the distributed OCSP responders share the same private key in the D-OCSP, the risk of exposure of that private key becomes very high. Thus, each OCSP responder is given a different private key, and a client must obtain the certificates of all OCSP responders in order to verify their responses. However, this in turn results in a high communication cost and increased memory consumption. In order to solve these problems, a single public key method, D-OCSP-KIS, was proposed by Koga and Sakurai.
In D-OCSP-KIS, each OCSP responder has a different private key, but all responders share a single certificate. Thus, the number of certificates is reduced, the communication cost is low, the computation time is short, and memory consumption is low.
However, D-OCSP-KIS has several problems. If an attacker obtains the session private key of an OCSP responder for a certain time period (e.g., one day), the private key of a different OCSP responder cannot be computed without the master private key, and since a hash value cannot be inverted, the hash value of a previous time period cannot be computed from it. However, the attacker may impersonate the OCSP responder without the legitimate responder noticing, and may send a false response to a client using the stolen hash value. As a result, both the user and the electronic commerce server are exposed to serious damage. In addition, the computation, storage and distribution of the hash chain may be a load on the CA.
That is, D-OCSP-KIS verifies the certificate status such that the CA issues an OCSP responder's certificate carrying a hash value which indicates, for each time period (e.g., one day), whether the OCSP responder's certificate is valid. However, when the session private key is secretly exposed to the attacker during a certain time period, the attacker can disguise himself or herself as the OCSP responder, obtain the hash value for that period, and send a false response to the client using the stolen hash value, thereby causing serious damage to the electronic commerce server and its users.
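The following is an added example, not code from the patent or from Koga and Sakurai's scheme, that models the per-period hash-value check described above and the attack in which a stolen period value is reused. The page does not give the exact chain construction, so the example assumes a standard reverse hash chain (the CA embeds the last element as an anchor in the responder certificate and releases one preimage per period), uses SHA-256 as the one-way function, and omits the session-key signature on the response; the seed, serial number and period count are constructed values. The names `build_chain`, `period_value`, `client_check`, `Response`, `responder_answer`, `client_accepts` and `demo` are all hypothetical.

```python
import hashlib
from dataclasses import dataclass

PERIODS = 30  # assumed certificate lifetime in daily periods (constructed)


def H(data: bytes) -> bytes:
    """One-way function used for the chain; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, periods: int) -> list[bytes]:
    """CA side: h[0] = H(seed), h[i] = H(h[i-1]).

    h[periods] is the anchor placed in the responder certificate;
    h[periods - k] is the value the CA hands out for period k (1-based).
    """
    chain = [H(seed)]
    for _ in range(periods):
        chain.append(H(chain[-1]))
    return chain


def period_value(chain: list[bytes], period: int) -> bytes:
    """Value released to the responder for `period`; later periods are deeper preimages."""
    n = len(chain) - 1
    if not 1 <= period <= n:
        raise ValueError("period outside certificate lifetime")
    return chain[n - period]


def client_check(anchor: bytes, value: bytes, period: int) -> bool:
    """Client side: hashing the released value `period` times must reach the anchor."""
    x = value
    for _ in range(period):
        x = H(x)
    return x == anchor


@dataclass
class Response:
    serial: str   # serial number of the certificate being checked
    status: str   # "good" or "revoked"
    period: int   # period the response claims to be issued in
    proof: bytes  # hash-chain value the responder presents for that period


def responder_answer(chain: list[bytes], period: int, serial: str, status: str) -> Response:
    """Legitimate responder: attaches the CA-issued value for the current period."""
    return Response(serial, status, period, period_value(chain, period))


def client_accepts(anchor: bytes, resp: Response, current_period: int) -> bool:
    """Client accepts only a response for the current period whose proof chains to the anchor."""
    return resp.period == current_period and client_check(anchor, resp.proof, resp.period)


def demo() -> dict:
    seed = b"constructed CA seed - not a real secret"
    chain = build_chain(seed, PERIODS)
    anchor = chain[-1]  # what the responder certificate carries

    # Period 5: the legitimate responder reports the certificate as revoked.
    legit = responder_answer(chain, 5, "0x1234", "revoked")
    # An attacker who captured the period-5 value forges a "good" answer for the same period.
    forged = Response("0x1234", "good", 5, legit.proof)
    # The same stolen value presented as a period-6 response.
    reused = Response("0x1234", "good", 6, legit.proof)

    return {
        "legit_accepted": client_accepts(anchor, legit, 5),
        "forged_same_period_accepted": client_accepts(anchor, forged, 5),
        "stolen_value_next_period_accepted": client_accepts(anchor, reused, 6),
        "stolen_value_is_next_period_value": legit.proof == period_value(chain, 6),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check on the client side verifies only that the presented value belongs to the current period of the chain; it says nothing about who presents it, which is exactly why a value captured together with the session private key lets the attacker answer "good" for a revoked certificate during that period. The value for the following period is a preimage under H, so it cannot be derived from the captured one, and the client rejects the reused value once the period advances.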