Certificateless Public Key Cryptography

Similar documents
On the Security of a Certificateless Public-Key Encryption

Public-Key Cryptography Techniques Evaluation

Public-key Cryptography: Theory and Practice

Structure-Preserving Certificateless Encryption and Its Application

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Remove Key Escrow from The Identity-Based Encryption System

Key Escrow free Identity-based Cryptosystem

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

A Short Certificate-based Signature Scheme with Provable Security

An IBE Scheme to Exchange Authenticated Secret Keys

Cryptography and Network Security

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

On the security of a certificateless signature scheme in the standard model

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

An Enhanced Certificateless Authenticated Key Agreement Protocol

Chapter 9: Key Management

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

TRNG Based Key Generation for Certificateless Signcryption

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

CT30A8800 Secured communications

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

CSE 565 Computer Security Fall 2018

Digital Certificates Demystified

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Overview of Authentication Systems

Key Agreement Schemes

Diffie-Hellman. Part 1 Cryptography 136

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Cryptography and Network Security Chapter 14

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture Notes 14 : Public-Key Infrastructure

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Public-Key Infrastructure NETS E2008

Crypto meets Web Security: Certificates and SSL/TLS

Cryptanalysis on Two Certificateless Signature Schemes

Further Observations on Certificate-Base Encryption and its Generic Construction from Certificateless Public Key Encryption

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Signature Validity States

Session key establishment protocols

Session key establishment protocols

Digital signatures: How it s done in PDF

The Identity-Based Encryption Advantage

Server-based Certificate Validation Protocol

Lecture 2 Applied Cryptography (Part 2)

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

T Cryptography and Data Security

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Malicious KGC Attacks in Certificateless Cryptography

Identity-Based Decryption

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Signature schemes variations

ECE 646 Lecture 3. Key management

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

Public Key Infrastructures

Security Digital Certificate Manager

Authentication in Distributed Systems

IBM i Version 7.2. Security Digital Certificate Manager IBM

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Introduction to Cryptography Lecture 10

Design of Secure VoIP using ID-Based Cryptosystem

User Authentication. Modified By: Dr. Ramzi Saifan

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Public Key Establishment

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

CBE from CL-PKE: A Generic Construction and Efficient Schemes

Public Key Algorithms

LPKI - A Lightweight Public Key Infrastructure for the Mobile Environments

Public Key Cryptography Options for Trusted Host Identities in HIP

Cryptographic Concepts

Applied Cryptography and Computer Security CSE 664 Spring 2017

Overview. SSL Cryptography Overview CHAPTER 1

Key Management and Distribution

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

IBM. Security Digital Certificate Manager. IBM i 7.1

CS Computer Networks 1: Authentication

Certificateless Onion Routing

KEY DISTRIBUTION AND USER AUTHENTICATION

Advanced Topics in Cryptography

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Grenzen der Kryptographie

Cryptography and Network Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

A Novel Identity-based Group Signature Scheme from Bilinear Maps

Using Cryptography CMSC 414. October 16, 2017

Notes for Lecture 14

UNIT - IV Cryptographic Hash Function 31.1

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

How to Construct Identity-Based Signatures without the Key Escrow Problem

SM9 identity-based cryptographic algorithms Part 2: Digital signature algorithm

Distributed ID-based Signature Using Tamper-Resistant Module

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Network Security Essentials

Transcription:

Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1

Public Key Cryptography (PKC) Also known as asymmetric cryptography. Each user has two keys: public and private. Alice's public key typically used for: encryption to Alice by Bob. verification of Alice's signatures by Bob. Alice's private key typically used for: decryption by Alice. signing by Alice. No need for Alice and Bob to share a common key before they begin secure communications! Compare with symmetric key cryptography. 2

Public Key Cryptography (PKC) A significant problem in PKC is verification of the authenticity of public keys: Users must be assured that they cannot be fooled into using a false public key! Solutions for authenticity of public keys: 1. Public Key Infrastructure (PKI) 2. Identity based Cryptography 3. Self Certified Public Key Cryptography 4. Certificate based Public Key Cryptography (CB PKC) 5. Certificateless Public Key Cryptography (CL PKC) 3

1. Public Key Infrastructure (PKI) PKI is a system for supporting deployment of PKC By the term traditional PKI we mean: a combination of hardware, software and policies; needed to deploy and manage certificates; to produce trust in public keys; used in a particular application or set of applications. 4

Digital Certificates A certificate binds an entity with its public key. The certificate is issued and signed by a trusted Certificate Authority (CA). Certificate = an entity s description (name, etc.) + entity s public key + expiration date, serial number, etc. + CA s name + a signature issued by a CA Digital signature: CA signature = certificate hash, encrypted with CA s private key

PKI Components Registration Authority (RA) Authenticates individuals/entities, optionally checks for possession of private key matching public key. Passes off result to Certification Authority. Certification Authority (CA) Issues certificates: CA issues signatures binding public keys and identities. Relying parties need authentic copy of CA s public key Directory Service Directory of public keys/certificates. Revocation Service May involve distribution of Certificate Revocation List (CRL) or on-line certificate status checking (OCSP). 6

Using PKI RA Issue Cert CA Directory CRL Key Pair 7

Some PKI Problems Acute where consumers/end-user populations (humans) are involved. Legal and regulatory Interoperability and standards Costs and business models Some technical issues: How is revocation to be handled? How should the CA be designed and run? How should keys and algorithms be managed? Certificates and their management are the source of some problems. 8

2. Identity based Cryptography Public keys derived directly from system identities (e-mail address, mobile number, IP address, etc). The first idea due to Shamir (1984) but it was just an ID-based signature scheme. Construction of practical and secure ID-based encryption scheme was an open problem until 2001 when Boneh and Franklin (proposed in Crypto 01): A Pairing-based IBE scheme, practical and provably secure. 9

2. Identity based Cryptography email encrypted using public key: alice@gmail.com TA / KGC master-key 10

2. Identity based Cryptography (in Reality) TA / KGC Secure channel Authentic public parameters Alice s ID 11

2. Advantages of ID PKC Certificate-free No production, checking, management or distribution of certificates. Directory-less Bob can encrypt for Alice without looking-up Alice s public key first. Alice need not have her private key when she receives Bob s encryption. Automatic revocation Can extend identifier to include a validity period. Alice s private key becomes useless at end of each period. Alice needs to obtain private key for current period in order to decrypt new messages. No need for CRLs or OCSP. support for key recovery TA can calculate private key for any user. May be needed e.g. when user leaves the organisation. Enables applications like content scanning of e-mail at the server. 12

2. Disadvantages of ID PKC Effect of Catastrophic Compromise: What is the cost of compromise of the master secret? All past encrypted messages are exposed & all old signatures become worthless. Potentially higher than cost of compromise of CA s signing key in PKI: CA in PKI can re-issue all certificates under new signing key without compromising clients private keys. Key Escrow TA can calculate all the private keys in the system. We need to trust TA not to abuse this privilege. PKI is more flexible in this respect. Inability to Provide Non-repudiation Another consequence of key escrow. TA could forge signatures if an ID-based signature were adopted. So need to trust TA not to do that. EU electronic signature legislation requires private key to be under sole control of signer in order for signatures to be fully recognised. So It is incompatible with some legislative regimes. 13

3. Self Certified PKC Introduced by Girault (Crypto 91) to reduce storage and computation costs: No key escrow No need for hash functions in computing public keys No need for a secure channel between CA and user. Users are associated with a 3 tuple (ID, s, P): (User's identity, User chosen private key, the public key that doubles as a certificate). CA issues a certificate on ID, which is then used as the public key. (different from traditional PKI, where users have separate certificate validating their public keys. P cannot be immediately derived from ID (varies from IDbased schemes) 14

4. Certificate based Public Key Cryptography (CB PKC) Introduced by Gentry (Eurocrypt 2003). Simplifies revocation in traditional PKIs. Alice s private key consists of two components: The private part S A of a traditional key pair (S A,P A ). A time-dependent certificate S CA (t) pushed to Alice on a regular basis by the CA, so long as Alice not revoked. Bob can compute a matching public key using only the CA s public parameters, time t and Alice s public component P A. Bob is assured that Alice can only decrypt if the CA has issued certificate S CA (t) for the current time interval t. 15

4. Certificate based PKC (CB PKC) CA P A CA public parameters S CA (t) P A t S A + S CA (t) + 16

5. Certificateless Public Key Cryptography (CL PKC) Introduced by Al-Riyami and Paterson (Asiacrypt 2003). A thriving sub-area of ID-PKC. Design objective: Remove the key escrow problem of ID- PKC without introducing certificates. 17

CL-PKC Certificateless Public Key Cryptography Public Key Infrastructure Identity-based Cryptography CL-PKC: A paradigm for generating trust in public keys. Lies midway between traditional PKI and ID-PKC in terms of trust model and functionality 18

Why CL PKC? No certificates used (PKI) Low storage and communication bandwidth No need to verify certificates (certificate chains) Higher degree of privacy Public keys are always valid No need for CRLs No key escrow (ID PKC) TA cannot recover session keys TA cannot forge signatures 19

CL PKC Alice secret value Alice s identity Partial private key Key Generation Center (KGC) Bob Private Key partial private key + secret value Public Key secret value public generator master-key 20

CL-PKE Alice s secret x A determines public key P A TA TA public parameters (Alice s secret) x A S A (Alice s private key) PPK A (TA-generated partial private key) P A ID A Key Pair P A (Alice s public key) Encryption Key 21

CL-PKE Each user generates its own public key from a randomly generated secret value. KGC provides a partial private key for a user s identity. Encryption requires the user s public key and the user s identity. Decryption requires a private key based on the user s secret value and partial private key. 22

CL-PKE Features No key escrow. User generated secret component x A protects against eavesdropping TA. No explicit certification of public keys required. Adversary does not know partial private key PPK A so cannot calculate the full private key. Should assume that TA is not engaged in active adversarial behavior. A complete suite of certificateless cryptographic primitives is available: Digital Signatures Key Exchange (KE) and Authenticated Key Exchange (AKE) protocols Hierarchical schemes Signcryption 23

CL-PKC Drawbacks Is not purely identity based. Identifier and public key needed for encryption. Secure channel needed for delivery of partial private keys as in ID PKC. Revocation is a potential problem Does not attain full security of traditional PKI, since TA might cheat. But TA must mount an active attack for replacing public keys (in ID PKC, it could be done by a passive attack). 24

Al Riyami & Paterson s Certificateless AKE (2003) KGC s master private key: s KGC s master public key P KGC = sp Public parameters: (G 1,G T, e, q, P, P KGC, h, h ) Alice s secret value: x A Q A =h(id A ) Alice s partial private key (issued by KGC): D A = sq A Alice s Public key: (X A, Y A )=(x i P, x i P KGC ) K A = e(q B, Y B ) a e(s A, T B ) = e(q B, x B sp) a e(x A sq A, bp) = e(x B sq B, ap) e(q A, x A sp) b = e(s B, T A ) e(q A, Y A ) b = K B 25

Another Certificateless AKE Protocol Key Generation Center Master-key: s KGC public key: sp Partial private key D A = sq A Partial private key D B = sq B Private key S A = <D A,x A > Public key P A = x A P Alice a T A = ap T A, P A T B, P B Bob b T B = bp Private key S B = <D B,x B > Public key P B = x B P K A = ê(q B, P B + sp) a ê(x A Q A + D A,T B ) K B = ê(q A, P A + sp) b ê(x B Q B + D B,T A ) K = ê(q B, P) a(s+x B ) ê(q A,P) b(s+x A ) 26

Another Certificateless AKE Protocol (with multiple KGC) KGC 1 Master-key: s 1 KGC public key: s 1 P standardized elliptic curve parameters KGC 2 Master-key: s 2 KGC public key: s 2 P Partial private key D A = s 1 Q A Partial private key D B = s 2 Q B Private key S A = <D A,x A > Public key P A = x A P Alice a T A = ap T A, P A T B, P B Bob b T B = bp Private key S B = <D B,x B > Public key P B = x B P K A = ê(q B, P B + s 2 P) a ê(x A Q A + D A,T B ) K B = ê(q A, P A + s 1 P) b ê(x B Q B + D B,T A ) K = ê(q B, P) a(s 2 +x B ) ê(q A,P) b(s 1 +x A ) 27

A Certificateless AKE Protocol without bilinear pairings (He et. al, 2011) 28

Strongly Secure Certificateless Encryption ID pk mpk 1 mpk 2 m (Dent et al., PKC 08) CE E E C 1 C 2 C 3 NIZK proof that (C 1,C 2,C 3 ) are all + encryptions of the same message. ID and pk are the user s identity and public key. mpk 1 and mpk 2 are part of the system parameters Decryption process uses the certificateless encryption scheme One passively secure certificateless encryption scheme: CE Two instances of a passively secure public key encryption schemes: E

Questions? 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback