Key Escrow in Mutually Mistrusting Domains?

L. Chen, D. Gollmann and C. J. Mitchell
Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK
E-mail: {liqun,dieter,cjm}@dcs.rhbnc.ac.uk

Abstract. In this paper we present a key escrow system which meets possible requirements for international key escrow, where different domains may not trust each other. In this system multiple third parties, who are trusted collectively but not individually, perform the dual role of providing users with key management services and providing authorised agencies in the relevant domains with warranted access to the users' communications. We propose two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains, in which the pair of users and all the third parties jointly generate a cryptographic key for end-to-end encryption. The fact that all entities are involved in the key generation process helps make it more difficult for deviant users to subvert the escrowed key by using a hidden `shadow-key'. The first mechanism makes use of a single set of key escrow agencies moderately trusted by mutually mistrusting domains. The second mechanism uses a transferable and verifiable secret sharing scheme to transfer key shares between two groups of key escrow agencies, where one group is in each domain.

1 Introduction

1.1 Key escrow in mutually mistrusting domains

In modern secure telecommunications systems there are likely to be two contradictory requirements. On the one hand users want to communicate securely with other users, and on the other hand governments have requirements to intercept user traffic in order to combat crime and protect national security. A key escrow system is designed to meet the needs of both users and governments, where a cryptographic key for user communications is escrowed with a key escrow agency (or a set of agencies) and later delivered to government agencies when lawfully authorised. Following the US government's Clipper proposals, [1], a number of key escrow systems have recently been proposed, and for an overview of the field, the reader is referred to [4].

(This work has been jointly funded by the UK EPSRC under research grant GR/J17173 and the European Commission under ACTS project AC095 (ASPeCT).)

When users communicate internationally, there is a potential requirement to provide the law enforcement agencies of all the relevant countries, e.g. the originating and destination countries for the communication, with warranted access to the user traffic. For example, a global mobile telecommunications system might provide an end-to-end confidentiality service to two mobile users in two different countries, and law enforcement agencies in both these countries might independently wish to intercept these communications. To make matters more complicated, these two countries will typically not trust one another (such domains are referred to as mutually distrusting countries in [6]); for example, a law enforcement agency in one country might not wish to let their counterpart in any other country know that a particular user's communications are being intercepted.

We are concerned here with international key escrow, and we assume throughout that the countries involved do not trust one another; for the maximum generality we refer to domains instead of countries throughout. We also refer to interception authorities where we mean bodies such as law enforcement agencies who may be given the right to access communications within a single domain. Finally we refer to escrow agencies or Trusted Third Parties (TTPs) who will be responsible for maintaining all the information necessary to provide access to interception agencies, when presented with the appropriate legal authorisation.

We now state our requirements for key escrow in an international (i.e. a multi-domain) context.

1. No domain can individually control the generation of an escrowed key, and hence the escrowed key cannot be chosen by entities in only one domain and then transferred to the other domain.
2. The interception authorities in any domain can gain access to an escrowed key without communicating with any other domain, i.e. the key has to be capable of being escrowed in all relevant domains independently.
3. The entities in any domain can ensure the correctness and freshness of the escrowed key.

1.2 Prior approaches
Jefferies, Mitchell and Walker [8] recently proposed a novel key escrow mechanism suitable for international use, called the `JMW' mechanism for short. In that scheme every user has an associated TTP. If two users, communicating with each other securely by using end-to-end encryption, are located in different domains, then the relevant pair of TTPs (one in each domain) collaboratively perform the dual role of providing the users with key management services and providing the two interception agencies with warranted access to the users' communications. A session key for end-to-end encryption is established based on Diffie-Hellman key exchange [5]. An asymmetric key agreement pair for one user (the receiver) is separately computed by both TTPs (one in each domain) using a combination of a secret key shared between them and the receiver's name, and another asymmetric key agreement pair for the other user (the sender) is generated by himself. The receiver computes the session key by combining his private key (transferred securely from his own TTP) with the sender's public key (sent with the encrypted message). The sender computes the same session key by combining his private key with the receiver's public key (obtained from the sender's own TTP). Interception agencies in each domain can retrieve the session key from the TTP in the same domain.

Note that this mechanism meets the three requirements for key escrow listed above. However, it requires the following assumptions about trust relationships among the users, TTPs and interception agencies.

1. Each user believes that their own TTP (as well as the TTPs of any other users with which they communicate) will issue proper key agreement values and certificates, and will not reveal the escrowed key illegally.
2. Each TTP believes that the user, as a sender, will provide the correct public key (matching the secret key he uses for securing messages he sends).
3. Each TTP believes that the other TTP will contribute proper key agreement values and certificates, and will not reveal the escrowed key illegally.
4. Each interception agency believes that the TTP in its domain will provide the correct escrowed key when requested.

In [6], Frankel and Yung give a different scheme for international key escrow, which requires a key escrow agency (or agencies) to be trusted by more than one domain.

1.3 Our contribution

In this paper we suppose that, in some environments where international key escrow is required, TTPs may not be trusted individually to provide proper contributions to an escrowed key and to reveal the key legally, and users also may not be trusted to provide proper contributions to an escrowed key. For the purposes of this paper, moderately trusted third parties are trusted collectively, but not individually, by users, interception agencies and another set of TTPs.

We consider two related key escrow mechanisms with the following properties.

1. The schemes use a set of moderately trusted third parties instead of a single TTP, in an effort to prevent a single TTP from corrupting an escrowed key. Key splitting schemes have previously been used for splitting an escrowed key into n shares escrowed by n agencies in proposed key escrow systems (e.g. see [4,9,11,12]); we also make use of a k out of n threshold scheme. Such a scheme allows any subset of k of the n escrow agencies to effect the recovery of a complete key, but prohibits any group of fewer than k agencies from recovering a complete key.
2. They use a verifiable secret sharing scheme in order to prevent deviant users from subverting the secret sharing scheme by providing improper shares. Such a scheme has previously been adopted in a key escrow system to let a group of key escrow agencies verify that they have valid shares [9].
3. They use an affine expansible verifiable secret sharing scheme to let users and third parties jointly generate an escrowed key, thus preventing deviant users from obtaining a `shadow-key' (not available to the escrow agency).

4. The second scheme makes use of a transferable verifiable secret sharing scheme to transfer shares between two sets of key escrow agencies which may not trust each other.

The remainder of the paper is subdivided as follows. In section 2, we present a transferable verifiable secret sharing scheme and an affine expansible verifiable secret sharing scheme based on the Shamir secret sharing scheme, [15], and the Pedersen verifiable secret sharing scheme, [13]. We then propose two mechanisms for international key escrow in section 3. The first, which incorporates Frankel and Yung's idea, [6], makes use of a single group of key escrow agencies moderately trusted by mutually mistrusting domains. The second scheme, which is an alternative to the JMW mechanism, adopts the transferable and verifiable secret sharing scheme to transfer shares between two sets of moderately trusted key escrow agencies, one set within each of two mutually mistrusting domains. In both mechanisms, users and key escrow agencies jointly generate an escrowed key by using the affine expansible verifiable secret sharing scheme. In section 4, we consider possible trust relationships among the three types of entity involved in an international key escrow system, namely moderately trusted third parties, potentially untrustworthy users and multiple mistrusting domains. We conclude by giving two open questions.

2 Verifiable Secret Sharing

In this section we first briefly describe the Shamir secret sharing scheme [15] and the Pedersen verifiable secret sharing scheme [13]. We then discuss how to transfer a shared secret between two domains, and also how to share an affine function of a shared secret, using modifications of the Shamir and Pedersen schemes. This work will provide the basis for the key escrow schemes described subsequently.

Suppose p and q are large primes such that q divides p-1, and g is an element of order q in Z_p. It is assumed that p, q and g are publicly known. These parameters will be used throughout this paper. Unless otherwise stated all arithmetic will be computed modulo p.

2.1 The Shamir scheme

A (k,n)-threshold secret sharing scheme is a protocol in which a dealer distributes partial information (a share) about a secret to each of n participants such that

- no group of fewer than k participants can obtain any information about the secret, and
- any group of at least k participants can compute the secret.

We now describe the Shamir (k,n)-threshold secret sharing scheme, [15].

Let the secret s be an element of Z_q. In order to distribute s among P_1, ..., P_n (where n < q) the dealer chooses a polynomial of degree k-1:

\[ f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}, \]

where f ∈ Z_q[x] and a_0 = s. Each participant P_i (1 ≤ i ≤ n) receives s_i = f(x_i) as his private share, where x_i ∈ Z_q \ {0} is public information about P_i (x_i ≠ x_j for i ≠ j).

Any k participants (without loss of generality we assume that they are P_1, P_2, ..., P_k) can find f(x) by the interpolation formula,

\[ f(x) = \sum_{i=1}^{k} \Bigl( \prod_{h \neq i} \frac{x - x_h}{x_i - x_h} \Bigr) s_i . \]

Thus

\[ s = f(0) = \sum_{i=1}^{k} \Bigl( \prod_{h \neq i} \frac{x_h}{x_h - x_i} \Bigr) s_i . \]

2.2 The Pedersen scheme

Assume that a dealer has a secret s ∈ Z_q and corresponding public value h = g^s. This secret can be distributed to and verified by P_1, ..., P_n, in the following way:

1. The dealer computes shares s_i using the Shamir secret sharing scheme by first choosing a polynomial f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1} over Z_q satisfying a_0 = s and then computing s_i = f(x_i) (1 ≤ i ≤ n). Here x_i is public information about P_i as previously.
2. The dealer sends the share s_i secretly to P_i (1 ≤ i ≤ n) and broadcasts a verification sequence V = (g^{a_0}, g^{a_1}, ..., g^{a_{k-1}}) to all n participants.
3. Each P_i (1 ≤ i ≤ n) computes

\[ h_i = \prod_{j=0}^{k-1} \bigl( g^{a_j} \bigr)^{(x_i)^j}, \]

   and verifies whether h_i = g^{s_i}. If this does not hold then P_i broadcasts s_i and stops. Otherwise P_i accepts the share.
4. Any k participants, who have accepted their shares, can find s as described in the Shamir secret sharing scheme above.

2.3 Transferable verifiable secret sharing

We now consider how to transfer a shared secret between two groups of participants. We start by stating our requirements for a (k,m,n)-transferable verifiable secret sharing scheme, where k, m, and n are positive integers satisfying 1 < k ≤ min{m,n}.

A secret s shared by m participants P_1, ..., P_m needs to be transferred to, and then shared by, another n participants Q_1, ..., Q_n.

- Any group of at least k participants in Q_1, ..., Q_n, who have accepted their shares, can compute s.
- No group of fewer than k participants in Q_1, ..., Q_n can obtain any information about s.
- The participants Q_j (1 ≤ j ≤ n) must be able to verify their own private shares without communicating with other participants in the same domain.

We now present a transferable verifiable secret sharing scheme based on the Shamir and Pedersen schemes.

Algorithm 1 Assume that m participants P_i (1 ≤ i ≤ m) share a secret s ∈ Z_q using the Pedersen scheme. This secret can be transferred to and verified by another n participants Q_j (1 ≤ j ≤ n), in the following way:

1. Each P_i (1 ≤ i ≤ m) computes new shares s_{ij} (1 ≤ j ≤ n) using the Shamir secret sharing scheme by: first choosing a polynomial f_i(x) = a_{i0} + a_{i1} x + ... + a_{i(k-1)} x^{k-1} over Z_q satisfying a_{i0} = s_i, and then computing s_{ij} = f_i(x_j). Here x_j is public information about Q_j.
2. P_i (1 ≤ i ≤ m) sends s_{ij} secretly to Q_j (1 ≤ j ≤ n) and broadcasts a verification sequence V_i = (g^{a_{i0}}, ..., g^{a_{i(k-1)}}) to all n participants Q_1, ..., Q_n.
3. On receipt of s_{ij} and V_i (1 ≤ i ≤ m), Q_j (1 ≤ j ≤ n) computes

\[ h_{ij} = \prod_{l=0}^{k-1} \bigl( g^{a_{il}} \bigr)^{(x_j)^l}, \]

   and verifies whether h_{ij} = g^{s_{ij}}. If this does not hold, Q_j broadcasts s_{ij} and stops. Otherwise Q_j accepts the share.

Theorem 2 The above algorithm has the following properties.

1. Any group of at least k participants in Q_1, ..., Q_n, who have accepted their shares following Algorithm 1, can find s_i (1 ≤ i ≤ m), and hence compute s.
2. No group of fewer than k participants in Q_1, ..., Q_n can obtain any information about s_i (1 ≤ i ≤ m) and s.
3. Each Q_j (1 ≤ j ≤ n) can verify s_{ij} (1 ≤ i ≤ m) and g^s without communicating with other participants in the same domain.

Proof All three parts of the theorem hold by using precisely the same arguments as used to prove the same statements for the Pedersen scheme. □

This scheme will be used to transfer a partial escrowed key from a set of TTPs in one domain to another set of TTPs in a second domain in Mechanism 7 described in the next section. The two groups of participants do not have to trust each other. If fewer than k participants in any domain follow the scheme, the secret transfer cannot be successful, but no one can subvert the algorithm by forcing anyone else to accept a fraudulent secret.

2.4 Affine expansible verifiable secret sharing

We now consider an affine expansion of threshold secret sharing. We start by stating our requirements for `affine expansion'.

A secret s ∈ Z_q is shared by m participants P_1, ..., P_m. Its affine function w = as + b, where a, b ∈ Z_q and a ≠ 0, needs to be shared by the same participants. Here a and b are public information about P_i (1 ≤ i ≤ m).

- Any group of at least k participants can compute w.
- No group of fewer than k participants can obtain any information about w.

We now present an affine expansible verifiable secret sharing scheme based on the Shamir and Pedersen schemes.

Algorithm 3 Assume that m participants P_i (1 ≤ i ≤ m) share a secret s ∈ Z_q using the Pedersen scheme, and know public information a ∈ Z_q \ {0} and b ∈ Z_q. A new secret w = as + b ∈ Z_q can be shared and verified by the same m participants without communicating with one another. The new shares w_i are

\[ w_i = a s_i + b . \]

The corresponding public keys are

\[ g^{w_i} = g^{a s_i + b} = (g^{s_i})^a g^b, \quad \text{and} \quad g^{w} = g^{a s + b} = (g^{s})^a g^b . \]

Theorem 4 The above algorithm has the following properties.

1. It meets the requirements for affine expansible secret sharing.
2. P_i (1 ≤ i ≤ m) can verify w_i (1 ≤ i ≤ m) and g^w without communicating with other participants.

Proof This theorem again follows using precisely the same arguments as are used to establish the properties of the Pedersen scheme. □

This scheme will be used to let third parties provide a contribution to an escrowed key in Mechanism 5 and Mechanism 7 described below. Because the contribution is not known to users, it is difficult for the users to subvert the escrowed key by using a hidden `shadow-public-key', the corresponding `shadow-private-key' of which cannot be computed by using a real key pair and `shadow-public-key' [9].

3 Escrowed key agreement

3.1 Assumptions

We make the following assumptions for our model of an international key escrow system.

- Two entities A and B, located in mutually mistrusting domains, want to communicate securely with each other. For this purpose they need to verify one another's identity and establish a shared session key K_AB, although before the authentication and key distribution processing starts they do not share any secret.
- The communications between A and B have to meet potential legal requirements for warranted interception. Interception agencies in each domain are not actively involved in the authentication and key distribution procedures, but may require access to the session key K_AB.
- In the first scheme (Mechanism 5) a single set of TTPs {T_1, ..., T_m} are used as both multiple authentication servers for the users, and key escrow agencies for the interception agencies in both domains. In the second scheme (Mechanism 7) two sets of TTPs {T_1, ..., T_m} and {U_1, ..., U_n}, one group in each domain, are used as multiple authentication servers for the users and key escrow agencies for the interception agencies. In both cases they are responsible for verifying A's and B's identities, establishing a session key K_AB, and escrowing the session key. They are trusted by both the users and interception agencies collectively, but not individually.

3.2 Mechanism 1

This escrowed key agreement scheme is based on Diffie-Hellman key exchange [5] and the verifiable secret sharing schemes described in section 2. In the mechanism, A and B are users in separate domains, and m moderately trusted TTPs T_1, ..., T_m work for both users as authentication servers, and for interception agencies in both domains as key escrow agencies. We assume that A and B have authenticated channels with T_i (1 ≤ i ≤ m). As in the JMW mechanism, these m TTPs agree a commonly held secret key K(T_1, ..., T_m) and a function f. This function f shall take as input the shared secret key and the names of A and B, and generate a private integer S_TAB. The scheme is designed so that for some positive integer k (k ≤ m), any set of k TTPs can compute the session key established between A and B, but no group of k-1 or fewer TTPs can derive any useful information about this session key.

Mechanism 5 A set of TTPs T_1, ..., T_m assist two users A and B in establishing a session key K_AB, and escrow the key collectively.

1. A secretly chooses and stores its private key agreement value S_A, and computes the corresponding public value P_A (= g^{S_A}), the private shares S_Ai (1 ≤ i ≤ m) of S_A as defined in subsection 2.1, and the public verification sequence V_A as defined in subsection 2.2, and then sends S_Ai and V_A to T_i (1 ≤ i ≤ m).
2. B follows the same procedure as A (choosing S_B, creating private shares S_Bi, a verification sequence V_B, and sending S_Bi and V_B to T_i (1 ≤ i ≤ m)).
3. T_i (1 ≤ i ≤ m) verifies S_Ai, P_A, and S_Bi, P_B as described in subsection 2.2. If the verification fails, T_i broadcasts the suspect share value and stops; otherwise T_i accepts the share.
4. T_i (1 ≤ i ≤ m) does the following:
   - obtains S_TAB by using the function f with K(T_1, ..., T_m), A and B,
   - calculates P_AT (= P_A^{S_TAB}) and P_BT (= P_B^{S_TAB}), and
   - sends P_AT to B and P_BT to A.
5. A and B separately compute a session key as:

\[ K_{AB} = (P_{AT})^{S_B} = (P_{BT})^{S_A} = g^{S_A S_B S_{TAB}} . \]

Theorem 6 The above mechanism has the property that any group of at least k TTPs can compute K_AB (which is what is required for escrow purposes).

Proof Any group of at least k TTPs can compute S_A and S_B (by the properties of the Shamir scheme discussed in subsection 2.1 above). Hence they can compute K_AB = g^{S_A S_B S_TAB} and the result follows. □

The mechanism has been designed to make it difficult for A and B to prevent K_AB from being escrowed by using a hidden `shadow-key'. In addition, no third party can force A or B to accept a wrong message unless all the third parties are colluding, and no group of fewer than k third parties can obtain any information about K_AB.
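The following Python program is an added worked example, not code from the paper: it runs Mechanism 5 end to end with toy group parameters (p = 2039, q = 1019, g = 4, chosen here for readability), uses SHA-256 as the otherwise unspecified function f that derives S_TAB, and then lets any k of the m TTPs recover K_AB from their accepted shares, as Theorem 6 states. The share verification is the check of subsection 2.2, and P_A^{S_TAB} is the affine expansion of subsection 2.4 with a = S_TAB and b = 0.

```python
"""Mechanism 5 with toy parameters (added example, not from the paper)."""
import hashlib
import random

# Constructed toy parameters: q divides p - 1 and g = 4 has order q in Z_p^*.
# Real deployments use large primes; these are small only to keep the run readable.
P, Q, G = 2039, 1019, 4


def shamir_share(secret, k, n, rng):
    """Shamir (k, n) sharing of a secret in Z_q (subsection 2.1), returning the
    shares {x_i: s_i} with public x_i = i, and the verification sequence
    V = (g^a0, ..., g^a_{k-1}) that subsection 2.2 has the dealer broadcast."""
    coeffs = [secret % Q] + [rng.randrange(1, Q) for _ in range(k - 1)]
    shares = {x: sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q
              for x in range(1, n + 1)}
    return shares, [pow(G, c, P) for c in coeffs]


def verify_share(x, share, verification):
    """Participant check of subsection 2.2: g^share == prod_j (g^a_j)^(x^j) mod p."""
    expected = 1
    for j, v in enumerate(verification):
        expected = expected * pow(v, pow(x, j, Q), P) % P
    return pow(G, share, P) == expected


def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_q from k accepted shares {x_i: s_i}."""
    secret = 0
    for xi, si in points.items():
        num, den = 1, 1
        for xh in points:
            if xh != xi:
                num = num * (-xh) % Q
                den = den * (xi - xh) % Q
        secret = (secret + si * num * pow(den, -1, Q)) % Q
    return secret


def ttp_contribution(group_key, name_a, name_b):
    """The TTPs' function f producing S_TAB from K(T1..Tm) and the names A, B.
    The paper leaves f unspecified; SHA-256 reduced into Z_q^* is an assumption."""
    digest = hashlib.sha256(f"{group_key}|{name_a}|{name_b}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def mechanism5(k, m, group_key, rng, name_a="A", name_b="B"):
    """Steps 1-5 of Mechanism 5 with m TTPs and threshold k."""
    # Steps 1-2: A and B choose S_A, S_B, publish P_A, P_B, and share the
    # private values among T_1..T_m with verification sequences V_A, V_B.
    s_a, s_b = rng.randrange(1, Q), rng.randrange(1, Q)
    p_a, p_b = pow(G, s_a, P), pow(G, s_b, P)
    shares_a, v_a = shamir_share(s_a, k, m, rng)
    shares_b, v_b = shamir_share(s_b, k, m, rng)
    # Step 3: each T_i checks its shares against V_A, V_B and that the first
    # verification value equals the public key; a failure is broadcast and stops.
    for i in range(1, m + 1):
        if not (v_a[0] == p_a and v_b[0] == p_b
                and verify_share(i, shares_a[i], v_a)
                and verify_share(i, shares_b[i], v_b)):
            raise ValueError(f"T{i} rejects a share and stops")
    # Step 4: the TTPs derive S_TAB and send P_AT = P_A^S_TAB to B, P_BT to A.
    s_tab = ttp_contribution(group_key, name_a, name_b)
    p_at, p_bt = pow(p_a, s_tab, P), pow(p_b, s_tab, P)
    # Step 5: each user raises the value it received to its own private value,
    # giving K_AB = g^(S_A S_B S_TAB) on both sides.
    return {"key_at_a": pow(p_bt, s_a, P), "key_at_b": pow(p_at, s_b, P),
            "shares_a": shares_a, "shares_b": shares_b, "v_a": v_a}


def escrow_recover(ttp_ids, shares_a, shares_b, group_key, name_a="A", name_b="B"):
    """Theorem 6: any k TTPs rebuild S_A and S_B from their shares and, knowing
    S_TAB themselves, compute the escrowed session key without A or B."""
    s_a = reconstruct({i: shares_a[i] for i in ttp_ids})
    s_b = reconstruct({i: shares_b[i] for i in ttp_ids})
    return pow(G, s_a * s_b * ttp_contribution(group_key, name_a, name_b), P)


def demo(seed=7):
    """Run with m = 5 TTPs, threshold k = 3, and let T2, T4, T5 recover K_AB."""
    run = mechanism5(3, 5, "K(T1..T5)", random.Random(seed))
    run["recovered"] = escrow_recover([2, 4, 5], run["shares_a"],
                                      run["shares_b"], "K(T1..T5)")
    return run


if __name__ == "__main__":
    r = demo()
    print("A and B agree:", r["key_at_a"] == r["key_at_b"],
          "escrow recovers K_AB:", r["recovered"] == r["key_at_a"])
```

A share altered in transit fails `verify_share`, which is the broadcast-and-stop branch of step 3; a group of fewer than k TTPs simply has too few points for `reconstruct`.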

It would be desirable if S_TAB could be changed from time to time (which will mean that K_AB also changes). This could be achieved by including a date-stamp in the function f used to compute S_TAB.

The method used to compose a set of key escrow agencies, who are moderately trusted by mutually mistrusting domains, depends on the requirements for international secure telecommunications. The set could consist of TTPs licensed by domains other than the two domains being served, or by a `super-domain' including the two domains, or one or other of the two domains.

Compared with a number of other proposed key agreement schemes, such as letting the two users choose the key (see [7]), letting a set of TTPs generate the key (see [3]), and letting one user and two TTPs generate the key (see [8]), this mechanism forces all involved entities, i.e. both users and the set of TTPs, to jointly generate the key, so that it may be more difficult for users and TTPs to subvert the key.

3.3 Mechanism 2

This escrowed key agreement scheme is based on Diffie-Hellman key exchange [5] and the transferable verifiable secret sharing scheme described in section 2. In this mechanism, A and B are users in different domains. There are m TTPs T_1, ..., T_m working for A as authentication servers (in A's domain), and n TTPs U_1, ..., U_n working for B as authentication servers (in B's domain). These servers also operate as key escrow agencies for the interception agencies in their respective domains. Each set of third parties is moderately trusted by their users and interception agencies. Users and interception agencies do not communicate with TTPs outside their domain. TTP T_i (1 ≤ i ≤ m) can communicate with U_j (1 ≤ j ≤ n). Again, we assume that A has an authenticated channel with each T_i, and B has an authenticated channel with each U_j. Each group of TTPs agree a secret key K(T_1, ..., T_m) or K(U_1, ..., U_n) and a function f. This function f shall take as input the shared secret keys and the names of A and B, and generate private integers S_TAB and S_UAB respectively. The scheme is designed so that for some positive integer k (k ≤ min{m,n}), any set of k TTPs from one or other of the two domains can compute the session key established between A and B, but no group of k-1 or fewer TTPs can derive any useful information about this session key.

Mechanism 7 Two sets of TTPs {T_1, ..., T_m} and {U_1, ..., U_n} assist two users A and B (respectively) to establish a session key K_AB. Each set of third parties escrow the key collectively.

1. A secretly chooses and stores its private key agreement value S_A, and computes the following values:
   - the corresponding public value P_A (= g^{S_A}),
   - the private shares S_Ai (1 ≤ i ≤ m) as defined in subsection 2.1, and
   - the public verification sequence V_A as defined in subsection 2.2,
   and then sends S_Ai and V_A to T_i (1 ≤ i ≤ m).

2. T_i (1 ≤ i ≤ m) verifies S_Ai and P_A as described in subsection 2.2. If the verification fails then T_i broadcasts the suspect share value and stops; otherwise T_i accepts the share.
3. B secretly chooses and stores its private key agreement value S_B, and computes the following values:
   - the corresponding public value P_B (= g^{S_B}),
   - the private shares S_Bj (1 ≤ j ≤ n) as defined in subsection 2.1, and
   - the public verification sequence V_B as defined in subsection 2.2,
   and then sends S_Bj and V_B to U_j (1 ≤ j ≤ n).
4. U_j (1 ≤ j ≤ n) verifies S_Bj and P_B as described in subsection 2.2. If the verification fails then U_j broadcasts the suspect share value and stops; otherwise U_j accepts the share.
5. T_i (1 ≤ i ≤ m) does the following:
   - obtains S_TAB by using the function f with K(T_1, ..., T_m), A and B,
   - calculates P_AT (= P_A^{S_TAB}),
   - calculates S_Aij (1 ≤ j ≤ n) from S_Ai as defined in subsection 2.3,
   - computes the `private shares' S_Aij S_TAB, and their corresponding public values g^{S_Aij S_TAB} as defined in subsection 2.4, and the public verification sequence V_Ai as defined in subsection 2.2.
   Finally, T_i sends S_Aij S_TAB, V_Ai and P_AT to U_j (1 ≤ j ≤ n).
6. U_j (1 ≤ j ≤ n) verifies S_Aij S_TAB, V_Ai and P_AT as described in subsection 2.3. If the verification fails then U_j broadcasts the suspect share value and stops, otherwise U_j accepts the share.
7. U_j (1 ≤ j ≤ n) does the following:
   - obtains S_UAB by using the function f with K(U_1, ..., U_n), A and B,
   - calculates P_ATU (= P_AT^{S_UAB}) and sends it to B,
   - calculates P_BU (= P_B^{S_UAB}),
   - calculates S_Bji (1 ≤ i ≤ m) from S_Bj as defined in subsection 2.3,
   - computes the `private shares' S_Bji S_UAB, and their corresponding public values g^{S_Bji S_UAB} as defined in subsection 2.4, and the public verification sequence V_Bj as defined in subsection 2.2, and, finally,
   - sends S_Bji S_UAB, V_Bj and P_BU to T_i (1 ≤ i ≤ m).
8. T_i (1 ≤ i ≤ m) verifies S_Bji S_UAB, V_Bj and P_BU as described in subsection 2.3. If the verification fails then T_i broadcasts the suspect share value and stops, otherwise T_i accepts the share, calculates P_BTU (= P_BU^{S_TAB}) and sends it to A.
9. A and B can now separately compute the session key:

\[ K_{AB} = (P_{BTU})^{S_A} = (P_{ATU})^{S_B} = g^{S_A S_B S_{TAB} S_{UAB}} . \]

Theorem 8 The above mechanism has the property that any group of at least k TTPs (in either domain) can compute K_AB.

Proof The proof follows immediately from the results in subsection 3.2 above. □

In this mechanism, the two sets of third parties in both domains do not have to trust each other, as mentioned in subsection 2.3. For the same reasons as in the previous mechanism, it is suggested that S_TAB and S_UAB should be changed as often as required.

4 Further considerations

In a key escrow system, the differing requirements of users and interception authorities are further complicated by the introduction of the key escrow agencies (or TTPs). The key escrow agencies are responsible to the interception agencies for preventing criminal users from abusing escrowed keys. Both the users and interception agencies should be in a position to check that the key escrow agencies cannot reveal escrowed keys illegally. In international key escrow, the relationships amongst these three groups of entities become still more complicated because more than one domain is involved. The key escrow agencies in one domain have a potential requirement to check that the key escrow agencies in the other domain cannot subvert the escrowed keys.

In this section, we discuss some aspects of the trust relationships between the various entities involved.

4.1 Moderately trusted third parties

There are two major reasons why we make use of moderately trusted third parties in this paper.

If two users sharing no secret want to communicate securely with each other, they need an authentication service provided by authentication servers. Although the servers may not be trusted individually, a group of them might be collectively trusted by their users.

If interception agencies are not actively involved in session key establishment for possibly deviant users and do not store every session key themselves, key escrow agencies are required to provide a valid key when lawfully authorised. Although the key escrow agencies may not be trusted individually, a group of them might be collectively trusted by the interception agencies.

Four kinds of key splitting schemes based on secret sharing schemes (e.g. [2,15]) have been used for splitting an escrowed key into n shares escrowed by n agencies in previously proposed key escrow systems. The first approach involves `splitting' with an n out of n scheme, where all n components are needed to restore a given key [12]. The second approach uses splitting with a k out of n threshold scheme, which allows any subset of k of the n escrow agencies to effect the recovery of a complete key, but prohibits any group of fewer than k agencies from recovering a complete key [9]. The third approach involves splitting with an (n,t,u)-escrow scheme, which allows a subset of the escrow agencies to recover a key, where t escrow agencies could conspire without compromising a key, and n-u agencies could `withhold' their components without interfering with key recovery (t < u ≤ n) [11]. The last approach involves splitting with a `general monotone access structure', which allows for the specification of arbitrary subsets of escrow agencies that can work together to restore a key [4].

We have used the second approach in the mechanisms described here. Actually, any one of these four splitting schemes could have been chosen, and in practice the choice would depend on the requirements for establishing a set of moderately trusted third parties and their group key. Note also that the idea of Reiter et al. regarding secure group implementation in [14] can be used to establish such a set of moderately trusted third parties.

4.2 Untrustworthy users

We now consider the case where users are not trustworthy in a key escrow system. Kilian and Leighton gave a `shadow-public-key' attack in [9], and we now see how this attack might work in a key escrow system based on Diffie-Hellman key exchange. Each normal user generates a pair (P,S), publishes P and gives an interception authority the ability to reconstruct S, so that both the users and interception authority can compute an escrowed key by using Diffie-Hellman key agreement. In this attack, each of two attackers instead generates two key pairs (P,S) and (P',S'), where (P,S) is a proper (public-key, private-key) pair, (P',S') is a `shadow' key pair, and P' = f(P) where f is an easily computed and publicly known function. Each of them uses (P,S) in the same way as would an ordinary user, but keeps S' reserved as his shadow private key. Both attackers separately compute a `shadow-escrowed-key' by using his `shadow-private-key' and the other's `shadow-public-key'. If it is infeasible to obtain S' by knowing P, P' and S, the interception authority cannot obtain the `shadow-escrowed-key'. Furthermore the interception authority may not detect this cheating.

We presented an affine expansible verifiable secret sharing scheme in subsection 2.4, which provided the basis of users and third parties jointly generating an escrowed key in order to prevent the users from using a hidden `shadow-key'.

Note that it only makes sense to prevent criminal users from obtaining an S' which is infeasibly computed by using P, P' and S. The further problem is how in practice to prevent criminal users from abusing the key escrow system by using improper keys, for example, using an old escrowed key instead of a current one, using a modification of the escrowed key, e.g. which may be a publicly known function of the real escrowed key, and using a `shadow-public-key', where S' may feasibly be computed by knowing P, P' and S. Although these abuses are all detectable, a key escrow mechanism may never check for such abuses, giving deviant users greater leeway in their abuses.

A number of approaches could be used to prevent the above abuses, such as keeping all old escrowed keys in a valid period to check if they are used again, and monitoring all communication channels between suspected criminal users [10]. Unfortunately, these approaches may not be practical, particularly in complicated mobile telecommunications systems.

In fact, it is impossible for a key escrow system to force two users to use only the current escrowed key if the users share a secret or can use their own security system. For the purposes of this paper, we suppose that two users, who want to communicate securely with each other, have to get assistance from key escrow agencies in order to authenticate one another's identity and establish a shared session key. We assume it is detectable if the users subvert key escrow systems by using an old escrowed key or a modified escrowed key. However we have not answered the question of how to force users to use only the current escrowed session key.

4.3 Multiple mistrusting domains

So far we have discussed key escrow in mutually mistrusting domains. However, some modern secure communications may cover more than two domains. For example, in a global mobile telecommunications system, two users, respectively, are citizens of countries C and D, work for countries E and F, are registered with two mobile companies belonging to countries G and H, and are roaming in two countries I and J. Their traffic might conceivably need to be intercepted by agencies in any of countries C-J, and hence it may be necessary to try and devise an international key escrow system which provides all governments involved with warranted access to user communications. To make matters more complicated, the countries involved may not all trust each other.

Our first mechanism, as described in subsection 3.2, could be used for this purpose. However, whether or not a set of key escrow agencies could be set up which are moderately trusted by multiple mistrusting domains, depends on political considerations beyond the scope of this paper. The second mechanism, as described in subsection 3.3, could also be used for this purpose, at least in theory. The problem is that each set of key escrow agencies in each domain involved have to collaborate to provide contributions to the escrowed key. This may not be practical, particularly when the number of domains involved is quite large.

5 Conclusions

We have described a key escrow system using moderately trusted third parties in mutually mistrusting domains and analysed its use. The following open questions are of potential practical importance.

- Do there exist practical key escrow systems forcing users to use only the current escrowed session key?
- Can a practical key escrow scheme be designed for the case where more than two domains are involved, and where escrow agencies are not permitted to span more than one domain?

References

1. National Institute of Standards and Technology. FIPS Publication 185: Escrowed Encryption Standard. February 1994.

2.G.R.Blakley.Safeguardingcryptographickeys.IntheProceedingsofAFIPS1979 3.L.Chen,D.Gollmann,andC.Mitchell.Keydistributionwithoutindividual NCC,Vol.48,Arlington,Va.,pages313{317,June1979. 6.Y.FrankelandM.Yung.Escrowencryptionsystemsvisited:attacks,analysis 5.W.DieandM.E.Hellman.Newdirectionsincryptography.IEEETransactions 4.D.E.DenningandD.K.Branstad.Ataxonomyforkeyescrowencryptionsystems. oninformationtheory,22:644{654,november1976. anddesigns.ind.coppersmith,editor,lecturenotesincomputerscience963, CommunicationsoftheACM,39(3):34{40,1996. trustedauthenticationservers.inproceedings:the8thieeecomputersecurity AdvancesinCryptology CRYPTO'95,pages222{235.Springer{Verlag,1995. California,June1995. FoundationsWorkshop,pages30{36.IEEEComputerSocietyPress,LosAlamitos, 7.L.Gong.Increasingavailabilityandsecurityofanauthenticationservice.IEEE 10.A.K.Lenstra,P.Winkler,andY.Yacobi.Akeyescrowsystemwithwarrant 8.N.Jeeries,C.Mitchell,andM.Walker.Aproposedarchitecturefortrusted thirdpartyservices.ine.dawsonandj.golic,editors,lecturenotesincomputerscience1029,cryptography:policyandalgorithmsconference,pages98{104. Springer-Verlag,1996. editor,lecturenotesincomputerscience963,advancesincryptology-crypto JournalonSelectedAreasinCommunications,11:657{662,1993. 11.S.MicaliandR.Sidney.Asimplemethodforgeneratingandsharingpseudorandomfunctions,withapplicationstoclipper-likekeyescrowsystems.InD. Software,toappearOctober1996. Coppersmith,editor,LectureNotesinComputerScience963,AdvancesinCryp- 9.J.KilianandT.Leighton.Faircryptosystems,revisited.InD.Coppersmith, 12.J.Nechvatal.Apublic-keybasedkeyescrowsystem.JournalofSystemsand '95,pages208{221.Springer{Verlag,1995. 13.T.P.Pedersen.Distributedproverswithapplicationstoundeniablesignatures. bounds.ind.coppersmith,editor,lecturenotesincomputerscience963,advancesincryptology-crypto'95,pages197{207.springer{verlag,1995. 
14.M.K.Reiter,K.P.Birman,andR.vanRenesse.Asecurityarchitectureforfaulttolerantsystems.ACMTransactionsonComputerSystems,12:340{371,1994. 15.A.Shamir.Howtoshareasecret.CommunicationsoftheACM,22:612{613,1979. tology-crypto'95,pages185{196.springer{verlag,1995. InD.W.Davies,editor,LectureNotesinComputerScience547,Advancesin Cryptology:Proc.Eurocrypt'91,pages221{238.Berlin:Springer-Verlag,1991. ThisarticlewasprocessedusingtheLATEXmacropackagewithLLNCSstyle
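The checks discussed in subsection 4.2 (keeping the old escrowed keys of the valid period and looking for reuse, or for a publicly known function of the real escrowed key), as an added toy model in Python that is not part of the paper. The modulus, generator, private keys and the function f are constructed for illustration, and reconstruction of S from the escrow agencies' shares is abstracted away; the model also shows that a key the authority cannot derive from P, P' and S is merely left unexplained, which is the gap the paper addresses by joint generation of the escrowed key.

```python
# Added toy model (not the paper's code): an interception authority checking
# an observed session key against the detectable abuses of subsection 4.2.
# Group parameters, private keys and the function f are constructed.
P_MOD = 467  # toy prime modulus (constructed); real systems use large primes
G = 2        # toy generator (constructed)


def dh_public(s):
    """Public key P = g^S mod p for private key S."""
    return pow(G, s, P_MOD)


def dh_shared(s, other_public):
    """Diffie-Hellman agreement: (other party's P)^S mod p."""
    return pow(other_public, s, P_MOD)


def f_modified(key):
    """A publicly known function of the real escrowed key (constructed)."""
    return (3 * key + 1) % P_MOD


class InterceptionAuthority:
    """Keeps the escrowed keys of the valid period, the approach of [10].

    Share reconstruction is abstracted away: the authority is handed S_A
    directly instead of rebuilding it from the escrow agencies' shares.
    """

    def __init__(self):
        self.current = None
        self.history = []  # escrowed keys of earlier periods

    def new_period(self, s_a, p_b):
        """Compute this period's escrowed key from A's S and B's public P."""
        if self.current is not None:
            self.history.append(self.current)
        self.current = dh_shared(s_a, p_b)
        return self.current

    def classify(self, observed_key):
        """Label a session key seen in use.  'unexplained' means the key is
        not derivable from P, P' and S, which is exactly the case the
        authority cannot detect (e.g. a shadow-escrowed-key)."""
        if observed_key == self.current:
            return "current"
        if observed_key in self.history:
            return "reused-old-escrowed-key"
        known = [self.current] + self.history
        if observed_key in {f_modified(k) for k in known}:
            return "modified-escrowed-key"
        return "unexplained"
```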