Public Key Cryptography Alternative Models

Transcription

1 Public Key Cryptography Alternative Models Denise H. Goya, Vilc Q. Rufino 1 Departamento de Ciência da Computação Instituto de Matemática e Estatística Universidade de São Paulo (USP), SP - Brasil {dhgoya,vilc}@ime.usp.br Abstract. This paper shows four models of Public Key Cryptography (PKC) that doesn t use or simplifies the use of Public Key Infrastructure (PKI): ID- Based, Self-Certified, Certificateless and Certificate-Based. These models are showing on operations and properties. At the end there is a comparative table that summarizes the main characteristics. 1. Introduction 1.1. Public Key Cryptography with PKI Public key cryptography (PKC) requires a tool to help authenticate public keys. The public key infrastructure (PKI) is the common scheme to authenticate it, PKI is a system to manage and control certificates. There are PKI difficulties, for example: complex process to install and maintain; cost to issue and distribute certificates; cost to recover and validate certificates; and certificate revocation Trust Levels In [Girault 1991] was proposed three trust levels to system authority: At level 1, the authority knows (or can easily compute) users secret keys and, therefore, can impersonate any user at any time without being detected. At level 2, the authority doesn t know (or cannot easily compute) users secret keys. Nevertheless, the authority can still impersonate a user by generating false guarantees (e.g. false certificates). At level 3, the frauds of the authority are detectable. It cannot compute users secret keys, and if it creates another user s keys, it is possible to prove that authority generated false guarantees Cryptographic Workflow The cryptographic operations sequence. The desirable is the entity B can encrypt a message to entity A before entity A interacts (receives or submits something) with system authority.

2 2. The ID-Based Model The ID-based Public Key Cryptography (ID-PKC) is based on user s identity, the public key is a string that identifies the user (name, , n o cel phone, electronic devices ID). In [Shamir 1984] asked for a public key encryption scheme in which the public key can be an arbitrary string. Shamir s original motivation for identity-based encryption was to simplify certificate management in systems where the public key was only the e- mail address. He showed a signature scheme that was based on large number factorization. Until 2001 the ID-based encryption schemes was unsatisfactory. In international event [Boneh and Franklin 2001] was showed an ID-based encryption scheme based on Weil pairing on elliptic curves. After this appears many researches on ID-PKC scheme using bilinear maps between groups like Weil pairing on elliptic curves. In [Boneh et al. 2007] returns ID-PKC scheme based without pairings, this is similar to [Cocks 2001] that is based on the Composite Quadratic Residues How It Works The public key is well defined, it is the user identity. The ID-PKC requires a trusted authority, and key master guardian, called Private Key Generator (PKG). With master key, PKG make all secret keys to all users. This requires delivered on secure channel. To encrypt a message for an entity A or to verify a signature from A, entity B uses the public parameters and the identity of A. key. To decrypt a message from an entity A or to sign for A, entity B uses the secret 2.2. Properties The ID-PKC don t need PKI and certificate repository, because the public key just is the user s identity. Trust level is 1, because the PKG can impersonate any user at any moment since secret keys are calculated by it, so it has key escrow, then it is impossible to guarantee non-repudiation. The master key is used to create all private key, so if occurs secret key violation all system is affected. To do public key revocation just changing the identity string. For example: Compromised ID = JohnSmith-From08JanTo08Dec; New ID = JohnSmith-From08AugTo08Dec; The cryptographic workflow in ID-based encryption, the entity B can encrypt a message to entity A before entity A receives secret key from PKG. The ID-PKC is ideal to used with closed groups like larger companies and governments [Shamir 1984]. Many interesting applications could be implemented with identitybased model; some examples we can cite are temporal services, secure message based

3 on roles, interruption and delay tolerant networks [Misaghi 2008]. In addition, ID-PKC could be used to create alternative protocols to SSL/TSL and to improve security aspects at message level in web services [Crampton et al. 2007]. 3. The Self-Certified Model The Self-Certified public key cryptography (SC-PKC) is based on three attributes to selfcertified the public key: The user s identity, private key and public key. The guarantee is the public key. If one user takes a false public key to encrypt a message, then the final user cann t decrypt it. The SC-PKC model was proposed by [Girault 1991]. But Girault s algorithm had a failure discovered and corrected by [Saeednia 2003]. Saeednia demonstrated that original algorithm was only trust level 1, and proposed new algorithm with trust level 3 but with high computational cost. There are new researches on this model with new approaches, like [Lee and Kim 2002] and [Wu and Lin 2008] How It Works To create the secret key, user and authority disguise their secrets and send to the other. used. User or system authority can make the public key, this depends which protocol is For all algorithms the authority doesn t know user s private key Properties The SC-PKC doesn t use PKI, because the public key is self-certified. So there are no certificate distribution. But SC-PKC need the directory for public key, because the public key isn t only user s identity. The trust level is 3 for the recent algorithms. The recent algorithms permit non-repudiation. The master key is used to certified secret key, but isn t way to generate the user s secret key from master key. 4. Certificateless Public Key Cryptography The concept of certificateless public key cryptography (CL-PKC) was introduced by [Al-Riyami and Paterson 2003]. The authors combined some ideas from identity-based with self-certified model and found a solution that is intermediate between ID-PKC and traditional certificated PKC. CL-PKC does not require the use of digital certificates to guarantee the authenticity of public keys. This occurs because if a non legitimate public key is used then the cryptographic operation cann t be inverted.

4 4.1. How It Works CL-PKC requires a trusted authority, called Key Generating Centre (KGC), that generates partial private keys from the user s identities and KGC s secret key. The full private key is generated only by the user, with a secret information and the partial private key. KGC does not know full private keys, so the key escrow inexists. Public keys are calculated from user s secret information and public parameters. Since public key does not depend on partial private key, an user can generate public keys before he gets the full private keys. So cipher texts can be transmitted without the existence of respective key for decipherment. Moreover, no communications between the user and KGC is necessary for the creation of a public key. In CL-PKC, a repository of public keys can be implemented, or users can distribute your IDs and keys directly to others. To encrypt a message for an entity A or to verify a signature from A, entity B uses the public key and the identity of A. Only with A s full private key it is possible decrypt a message for A or create a signature for A Properties The trust level for KGC in CL-PKC is 2. KGC knows the partial private key and, if he replaces a public key, he can forge signatures and can decrypt texts ciphered with the false public key. In this case, nobody knows if the public key was replaced by KGC or by an user who discovered the partial private key. It is possible increase the trust level if the public key is used in computation of partial private key. A dishonest KGC could generate a non legitimate public key and could compute the partial private key, in order to impersonate an user A. The fraud of KCG can be detected, but only if the false public key used by an user B to encrypt a message for A is compared with the public key that A has. Even in this case, we cannot prove if the dishonest is the KGC or the user B. Thus this modified CL-PKC reaches level between 2 and 3. Comparing with ID-based model, the master key in CL-PKC is less critical. In IDbased, all users and their private keys will be affected if the master key is compromised. In CL-PKC, only partial private keys will be compromised. With only partial private key and without the secret information from an user A nobody could forge a signature or decrypt a message for A. Because public keys can be generated before the partial (and full) private key has been created, some kinds of cryptographic workflows is more easily implemented in CL- PKC than in traditional PKC. For example, a software vendor B needs a simple solution to distribute on-line a serial number for a costumer A, without a credit card infrastructure. A creates its public key and downloads the software and the encrypted serial number with identifier ID A paidb$x. KGC could be a compatible bank; as soon as A had paid $X to B, the bank generates and transmits the partial private key for A. In traditional PKC, more time is needed: the bank must notify the payment to B, and then B can send the key to A. This property is found in ID-PKC too, but not in the self-certified model. Users can create new public keys and maintain the partial private key. It is not required that KGC creates a new partial private key for each new public key. In addition,

5 users can have many public keys at the same time. For some applications these property is interesting. Users can replace your public key if they wanted. If non-repudiation is required, the replacement cannot be made by KGC, because it knows the partial private key. Like ID-based systems, certificateless schemes is ideal for closed groups of users, such as a multinational company, since the headquarters can be the KGC. 5. Certificate-Based The certificate-based public key cryptography model was proposed by [Gentry 2003]. It uses a public key infrastructure that requires less traffic for certificates distribution and validation. In a certificate-based encryption scheme, the certificate is used only at decryption. So, to encrypt a message, neither digital certificate nor validation info are needed; essentially the public key and the identification of the target user are used to encrypt the message How It Works Like in traditional PKC, in certificate-based users creates your own pair of keys. The certification authority (CA) generates a certificate to the user A for a period i, using a signature scheme from ID-based. The certificate is used for decrypt messages to A, within period i. So the certificate works as a partial private key in CL-PKC. Periodically, CA generates new certificates to send to the users. Here, the traffic is smaller because the certificates are different from the certificates in X.509 standard. In certificate-based, only fundamental information to link the user to its public key and CA are necessary. The certificate for A is a signature value from CA, and so it is a small piece of data. Moreover, only the user A receives your certificate, unlike in tradicional PKC where all users that wants to encrypt something to A will get the A s certificate. If a private key is compromised, the owner creates a new pair of keys and solicits a new certificate to CA. But if someone uses the old public key to encrypt, confidentiality is not guaranteed. Hence it is required a mechanism to revoke public keys or a mechanism to ensure that only the newest public key will be used. To encrypt a message from B to A, B gets the identity and the public key of A. Both identity and public key are used in a certificate-based encryption scheme. To decrypt, A uses your secret key and your certificate to recover the plain text Properties If the certificates are public, certificate-based schemes reaches trust level three. Two certificates issued by CA for the same user and same period could be a proof of misbehavior of CA. However is mandatory that only the true user must can replace your public key. Thus, a registration authority may confirm the identity and forward the new certificate solicitation to CA. Otherwise someone could replace the public key, could obtain the new certificate and impersonate another user. Non-repudiation will not guaranteed in this case. In order to have trust level 3 and non-repudiation, certificate-based systems may have a repository of public keys and certificates. Before to encrypt a message and to validate a signature, the user always must query the public keys repository. In this manner,

6 certificate-based differs from traditional PKC with PKI, in traffic size (public keys is smaller than certificates like X.509) and in validation process (in certificate-based neither checks nor validation of certificates is needed). 6. Putting It All Together In public key cryptosystems all users have a pair of keys, say (P, s). Some guarantee is needed to ensure that public key P is really from the owner of the secret s. Often this guarantee, G, is something to link P to its owner, whose identity is Id. In PKC with PKI, the guarantee G is a digital certificate. The Certification Authority, with its secret key, signs the certificate, this indicates that P belongs to the user with identity Id. In Id-based systems, P = Id and G = s. In self-certified model, the public key is self-certified, since public key is calculated from Id and the secrets s and master key. Hence G = P. In certificateless systems, G = s because s contains two parts: the first depends on the secrecy from KGC and the identity Id, the second is the user s secrecy. Thus s guarantees that P belongs to Id. In certificate-based paradigm, G is the certificate. CA uses Id and the master key to create a signature for some information like validity period of certificate. This certificate will be linked to P implicitly, when it has been used as a secret key. In the table 1, all properties discussed are listed side by side. Models Properties With Identity- Self- Certifica- Certificate- PKI Based Certified teless Based Does not require PKI no yes yes yes no Without certificates distribution no yes yes yes no Requires public key repository yes no yes yes yes Trust level 3 1 3(*) 2 3(*) Key escrow no yes no no no Non-repudiation yes no yes(*) yes(**) yes(**) Master key criticalness high high medium medium medium Secure channel for key no yes yes(*) yes no distributing is required Renewing keys no no yes(*) yes no controlled by users Cryptographic workflows no yes no yes no (*) Depends on the protocol (**) If KGC cannot replace public keys Table 1. Comparing public key cryptography models.

7 7. Conclusion In this paper we described some alternatives to the traditional model of public key cryptography with public key infrastructure. Id-based systems, self-certified public key model, certificateless public key cryptosystems and certificate-based systems were studied. Properties as trust level for authority and generation of keys was treated. References Al-Riyami, S. S. and Paterson, K. G. (2003). Certificateless public key cryptography. In Advances in Cryptology - ASIACRYPT 2003, 9th International Conference on the Theory and Application of Cryptology and Information Security, volume 2894 of Lecture Notes in Computer Science, Taipei, Taiwan. Springer. Boneh, D. and Franklin, M. K. (2001). Identity-based encryption from the weil pairing. In CRYPTO 01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pages , London, UK. Springer-Verlag. Boneh, D., Gentry, C., and Hamburg, M. (2007). Space-efficient identity based encryptionwithout pairings. In FOCS 07: Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, pages , Washington, DC, USA. IEEE Computer Society. Cocks, C. (2001). An identity based encryption scheme based on quadratic residues. In Proceedings of the 8th IMA International Conference on Cryptography and Coding, pages , London, UK. Springer-Verlag. Crampton, J., Lim, H. W., and Paterson, K. G. (2007). What can identity-based cryptography offer to web services? In SWS 07: Proceedings of the 2007 ACM workshop on Secure web services, pages 26 36, New York, NY, USA. ACM. Gentry, C. (2003). Certificate-based encryption and the certificate revocation problem. Cryptology eprint Archive, Report 2003/183. Girault, M. (1991). Self-certified public keys. In EuroCrypt 91, volume 547 of Lecture Notes in Computer Science, pages , Brighton, UK. Springer. Lee, B. and Kim, K. (2002). Self-certified signatures. In INDOCRYPT 02: Proceedings of the Third International Conference on Cryptology, pages , London, UK. Springer-Verlag. Misaghi, M. (2008). Um Ambiente Criptográfico Baseado na Identidade. Doutorado, Escola Politécnica, Universidade de São Paulo. Saeednia, S. (2003). A note on girault s self-certified model. Inf. Process. Lett., 86(6): Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO 84 on Advances in cryptology, volume 196/1985 of Lecture Notes in Computer Science, pages 47 53, New York, NY, USA. Springer-Verlag New York, Inc. Wu, T.-S. and Lin, H.-Y. (2008). Ecc based convertible authenticated encryption scheme using self-certified public key systems. International Journal of Algebra, 2(3):