SE515778C2 - Method of key distribution with built-in possibility for authentication and certification in a hierarchical tree - Google Patents

Abstract

The present invention relates to a method for distribution of cryptographic keys by using public-key handling in a cryptographic method for data communication in a hierarchical communication network, which comprises nodes in the form of administrators and final operators. An identity in the form of a unique prime number which is known to all administrators and final operators is associated with each administrator in the tree. The main administrator of the tree selects one or more directly subordinated administrators. He also selects a basic secret which he keeps secret. The main administrator creates a subsecret for each directly subordinated administrator based on his own secret and the identity of each directly subordinated administrator. The subsecret is allocated to the associated subordinated administrator and he keeps it secret. In a recursive method, subordinated administrators in turn select in a corresponding manner subordinated administrators and create subsecrets for them. The final operators are allocated a pair of keys by their respective administrators, consisting of a private key, selected in a manner similar to the manner in which the identity of subordinated administrators is selected and a public key created in a manner corresponding to the manner in which a subsecret for a subordinated administrator is selected or vice versa.

Description

20 25 30 35 (fl so (31 ~ l§ i -4 (ß 2) The way that is available when it comes to securely attaching an open key to the correct identity is in principle the same as we use in daily life, we prove each other's information (letter of credit, ID document, certificate, ..) and combines these in a chain of trust (chain of trust). An accepted standard for content and appearance in certificates is X.509, see [1].

If the two parties X and Y have a mutual friend, V, who both trust and whose open verification key the two of them have been securely informed about, V can act as a common "certifier" (CA, Certification Authority). V can meet X (preferably face to face to be sure that it really is X) and hand over to X the certificate certX which in principle reads "I V assure that I ååmmdd met X who then for me showed š + plusX.509 + ". V also submits sign (certX, g), where sign (certX, g) stands for V's digital signature and + plusX.509 + stands for the additional information that according to X.509 must be in the certificate, e.g. The duration of the certificate is equivalent to that of certY. When X and Y meet, they can exchange certificates with associated signatures and both can verify that they are authentic. that they both have confidence in V, a common CA (cf. also regarding radio networks below).

It becomes more complicated if X and Y do not have the mutual friend V. The approach then becomes that different CAs issue certificates to each other, they certify each other's keys. If CA for X is called CAX, it applies to Y to be able to present to X a certificate chain where CAX proves CA1, which proves CA2, which proves,, which proves CAY which proves Y. X must for Y present a chain that goes to others the direction. If one does not assume that different CAs have a special relationship to each other (the PGP model, see [1]), it becomes difficult, at least in systems with many actors, to form the chains. One must find common "acquaintances of acquaintances" who can connect sub-chains and form a cohesive chain X-Y. In addition, the resulting chains can become long, which greatly reduces confidence in them.

It will be somewhat more manageable if CA exists in a father-son relationship, in a hierarchy according to the figure. Many systems, not least military, are hierarchical. In the figure, A2 is the common ancestor of X and Y. A2 connects the chains A2 - A22 -A223 -X and A2 - A22 - Y. lllr »10 15 20 25 30 35 UI -ø en w» a co In a hierarchical system In principle, it is sufficient that all actors have been informed in a secure manner of the ancestor's identity A and his verification key g. Then all actors can be linked to certificate chains. However, the entire system is dependent on Ar's signing key g. If this is cleared, the entire tree collapses.

The method of securely linking an identity with the right public key with the help of certificates and certificate chains has been known for a long time. Problems are also known which become apparent when certificate systems are to be implemented in practice. 1. Eye-eye.

When two parties are to prove each other's identities, issue certificates to each other, they must in principle meet "face to face". This is not easy in larger networks, especially if some actors are not human beings but radios, computer programs, etc. 2. Blacklist.

The validity of a certificate is based on the issuer's signing key not being disclosed. Sooner or later this happens (or perhaps that someone finds reason to suspect that a key has been revealed, thereby reducing trust in the certificate). Then new certificates must be created (problem 1 above) and all actors in the network must be notified that the certificate is invalid. Everyone must keep a current blacklist of certificates that must not be included in certificate chains. In large networks, it is very difficult to ensure that everyone has a current blacklist.

The message “add certZ to the blacklist” is itself a very sensitive message that must be checked extra carefully. 3. Large nets.

Problem 2 is accentuated when the two parties, X and Y, are far apart in the tree, in completely different branches. When X and Y meet for the first time, trust in each other's certificate chains is relatively low. One possible way to increase trust is for X to ask his 'closest friends' if they have certificate chains that match the one Y presents. But this is an ad hoc approach that is difficult to quantify and that can lead to a lot of messaging traffic. The basic problem is that in large networks it can be difficult to build certificate chains with a sufficient measure of trust.

A special open-key application is described in ref. [2] Bengtsson, Alf, "Authentication of mobile nodes in packet radio networks", FOA-R-97-00415-503-SE, January 1997, to which 10 15 20 25 30 35 (H v-Û (Vi ~ 4 -: CO 4 where methods for two radio nodes, X and Y, in a packet radio network to authenticate each other are discussed, the node X must be absolutely sure that Y is indeed Y and that data packets with the specified sender Y really come from Y and vice versa. l [2] proposes an open-key method after Diffie-Hellman that allows X and Y and no one else to form a common secret kxy which they then use for mutual authentication. by creating the key pair Ä, š in a common key charging center, NLC, so you have the simplest situation above with NLC as the common friend V.

In [2] is mentioned as an unresolved question how to do when X and Y do not have the same NLC, ie. they do not have a common CA. The conventional solution is to build certificate chains. However, some known problems are mentioned above, and it is doubtful whether automatic management of certificate chains is suitable for implementation in nodes of the radio type.

These problems led to the present invention which means that X and Y can form a common secret and that identities in a CA hierarchy can replace the certificate chains and lead to an implicit certification of open keys. This is done by the invention being given the form which appears from the following independent patent claim. Suitable embodiments of the invention appear from other patent claims.

The invention will be described in more detail below with reference to the accompanying drawing, in which the figure shows a hierarchical tree with administrators and final actors who can use the invention.

A hierarchical tree starts from a root, in the figure called A. The root can be considered as the main administrator of the entire system (tree). The invention is based on the root selecting, and keeping secret, a basic secret that meets specified conditions.

The main administrator A selects one or more new actors that A deems to meet the requirements for them to be able to serve as sub-administrators. Based on its basic secret, A creates new sub-secrets according to an inventive, carefully specified algorithm. Each sub-administrator is assigned, and shall then keep secret, such sub-secret. Each sub-administrator elects its sub-administrators in accordance with the same principles. Through a recursive procedure, the hierarchical tree is built up.

The invention is based on the fact that the algorithm is conditioned by various requirements that must be met, so that an administrator cannot calculate a secret that belongs to someone else, apart from those that are in the branch of the tree that emanates from the administrator himself. If an administrator is cleared, then only this branch of the tree will be cleared.

There are also conditions that must be met, so that a group of administrators in collaboration cannot calculate someone else's secret.

The mentioned secrets are created with the help of an open prime number which is / is closely linked to the administrator's place in the tree. This prime number can be considered as an address or an identity. A sub-secret is used in three ways: 1. To create new sub-secrets in the recursive procedure mentioned. 2. To sign a message. As the address is included in the signing, other actors can be sure that the message has been signed by the correct body (built-in certification). To create a key pair for an open-key system according to Diffie-Hellman, which means that a pair of actors can create a common secret. Since all secrets in the tree are based on the same basic secret, the actor pair can verify that the other party's open key is created by someone in the same tree, a way to “separate friend from enemy” (built-in authentication of group affiliation).

The DH method (after Diffie-Hellman) for two parties to create a common secret is not new. What is new, however, is to base the calculations on a basic secret, which provides a new method of authenticating group affiliation. It is also new to include identities in the calculations in a way that involves implicit certification.

Before the further description, the following names are introduced: Capital letters A, X, etc. identities (names, addresses) simply underlined lowercase _a_, gg, etc. home fi ga nYCk | af fÖf Å. X etc- double underlined lowercase letters â, š, etc. Open nY0k | af for A. X G10- common n, p etc. integers (p and q denote prime numbers) crossed out common a inverse integer, aa mod n = 1 10 15 20 25 30 CA Certification Authority. An actor who is entrusted with strengthening, certifying, identities and keys indexed id A123 child no. 3 to parent A12 The root of the tree has the identity A. The number indecis indicates the level in the tree.

The method means a new way of using the DH method to form secrets for use as crypto keys. The DH method is described in U.S. Patent 4,200,770, which is hereby referred to as ref. [3].

The DH method is based on the fact that there are one-way functions z = f (g, x), ie. even with knowledge of g and z, it is practically impossible to calculate x (on the other hand, one who knows g and x can calculate z). In addition, the DH method requires that the function f must be able to be applied in two steps with input data x and y, respectively, where you get the same result regardless of the order of x and y. f (f (g, y), x), which in this patent application is called sequence independent.

Two such functions that can be used in the DH method are the exponential function in finite integer arithmetic and multiplication on an elliptical curve. In these two cases you get z = f (g, x) = g * modulo n, where n is an integer, respectively Z = f (G, x) = G x, where G (and Z) are points on an elliptical curve E and x an integer modulo n, where n is the number of points on E. For a more detailed description, including requirements for the numbers x and n, refer to ref. [1] and ref. [4], Menezes A., Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993, which is incorporated herein by reference.

This proposed method is based on the fact that there are functions that are one-way functions with respect to both of their variables. Ie. under certain conditions it applies both that if one knows z where z = f (g, x) then does not give knowledge of g the opportunity to calculate x (as above) nor does knowledge of x give the opportunity to calculate g. Then g constitutes a basic secret which the main administrator can choose and which provides the opportunity to authenticate group membership. The two above-mentioned functions, exponentiation and multiplication on an elliptical curve, can both be used.

In the following, in connection with the figure, an accurate description is given of an embodiment of the invention which utilizes the exponential function in finite integer arithmetic. 10 15 20 25 30 35 The main administrator A selects prime numbers according to n = 2-p-q (A can in itself choose a product of several prime numbers). The product is intended to prevent the calculation of inverse, cf. sections l and IV below. g is an even number and has a factor in common with n. Otherwise, two children get an opportunity to work together to calculate their father's secret, cf. IV. n is made known to everyone while p, q and g are kept secret.

The administrators of the tree are assigned their prime number as identity (address). A1 is thus a first prime number, A2 the next prime number, A3 the worst, etc. How to make this assignment is arbitrary. You can, for example, use b '"prime numbers for level m in the tree, where b is the maximum number of children per parent. This results in "holes" in the form of unused prime numbers. If you instead want to "save" prime numbers, you can use b prime numbers per level in the tree. Prime numbers will then be "reused" in several places in the tree and the risk increases that administrators in collaboration can calculate another's secret (see below).

The main thing with the assignment of identities is that it is done so that everyone knows unambiguously which prime number belongs to a certain position in the tree. If you do not need implicit certification in any application, this requirement is waived. The largest prime number reserved for addresses is designated L.

A assigns his closest subordinates Aj each his secret h, by exponentiating his own secret modulo n with the subordinate's identity, i.e. h, = g * mod n. The subordinates cannot calculate g (cf. sections I and IV below).

This is repeated recursively. A1 assigns e.g. their subordinates A1; secrets h ”= (g ^ 'f" mod n. The subordinates cannot calculate g *.

The administrators of the tree can calculate all the secrets of their entire subordinate branch of the tree. Since the identities are prime numbers, an administrator cannot calculate a secret in another branch himself. In addition, if you do not require two or more administrators to be able to calculate a secret together, you must require that no identities can be written as the sum of two or more others. Otherwise, a secret can be formed by multiplying two others. This places 10 15 20 25 30 H1: Å (fl ww GQ 8 requirements on the prime numbers that are not investigated here. For example, it is appropriate to use the prime numbers "backwards", ie that the prime numbers in level 1 are greater than in level 2, etc. .

The final actors, X, Y, etc., are assigned a key pair by their administrator, eg Y of A23 in the figure. The secret key y must be> L so that Y will not be able to disguise himself as an administrator. The open key y is calculated by the administrator by exposing his secret with y modulo n, ie. y = (g ^ = ^ ”f 'mod n.

You can also do the opposite, leave y secret and y open. Then you get the same structure as for the administrators' secrets and identities. This reduces the freedom in choosing keys. On the other hand, the final players can also be linked to a position in the tree, which means that the need for a certificate is eliminated.

The two actors X and Y form, if necessary, a common secret kx. It is calculated by the actor taking his opponent's public key and exposing that module with the product of his own secret key and the identities of all his superior administrators. X and Y, respectively, calculate km and km, respectively, where ÅzÅnÅz-za- = (QMM) X mod n and kxyz = (9 ÅzÅuAmšyzÅnxmod n. only (see section Vl below) if the same basic secret g was used in the calculations.This is a criterion for authentication of group affiliation.Only X and Y and their immediate superior administrators can calculate kw The final actors (eg X) are awarded a certificate (cold the certificate, designed, for example, according to the standard X.509, by its respective administrator. The certificate is given as input to a commonly known hash function (eg MD5 or the unit function h (m) = m), the output becomes an integer tx.

The administrator calculates a digital signature s, by modulo n exposing his own secret with tx, ie. s, = (g AMA ”) t 'mod n _ The certificate c, and the digital signature s, are assigned to X. 10 15 20 25 30 35 9 Another actor (eg Y) can verify that a certificate is genuine and that it must have been signed by an administrator at a specific position in the tree. This eliminates the need to form chains of certificates where the administrators between X and Y prove each other's authenticity. The verification takes place as follows.

Y has received from X a certificate c and a signature s. In the certificate, among other things. stand which administrator has calculated s. This is what Y wants to verify. He can then multiply the identities together up to the position in the tree that claims to have signed the certificate, with designations according to the above he forms B = AzAzzAm. He forms the corresponding product for his own position D = A2A23. Furthermore, he forms with the help of the generally known hash function t = h (c).

Y can now, based on his own public key, form ya '= (g Bly' = (g B 'fr, all calculated modulo n. He can also form so! Mod n from the received signature.

If he now gets the same value, he can (see section VI below) conclude that the certificate is signed by the identity Am and that the content is reliable.

Some of the mathematics used in this embodiment of the invention are set forth below without comment or inference. In other respects, reference is made to [1] and special literature.

In the i-th root it is "impossible" if n is not a prime number (eg n = pq), it is as difficult as determining the factors in n. Ie even if I know n, b and i and know that b = g ' mod n, you can not calculate g if you do not know the factors in This is used in RSA encryption, which is why it has been well studied what requirements apply for the i-th root to be "impossible". ll Discrete logarithm is "impossible". With the same designations as in I above, you can not calculate even if you know n, b and g. This is also used in RSA encryption. lll If (if and only if) a and n are relatively prime (they have no common factors> 1), then an unambiguous inverse a exists so that aa mod n = 1 In the method the inversion is used - if a and n have something in common factor there is no inverse a _ 10 15 20 25 30 (H so (fl ~ 4 ~ a co m- .- 10 Under certain conditions the root in section I is "easy" to calculate without factor division n based on two expressions calculated with same modulus.

The conditions are that you know n (but not p and q) and b, i, c, j, where b = gi mod n and c = gi mod n. In addition, i and j must be relatively prime and likewise g and n relatively first.

This can be deduced using Euler's fi function tp see [1], which is n - 1 if n is a prime number. Otherwise tp is a product where the factors in are included, eg q> = (p - 1) (q - 1) if n = p q. If the inverse of g exists (ie if g and n are relatively prime) it can be written using (p, g ”mod n = 1, ie a = 9W If i and j are relatively prime (and> 0) one can use the Euclidean algorithm [1] to determine the integer coefficients r and the equation ri + sj = 1. One of the coefficients (say r) must be negative.

If g and n are relatively prime, we know that there is inverse b to b (to c also for that matter). With Euclid's algorithm one can calculate b. One can now form b "cs mod n = b (° ** 1) <'° cs mod n = gmrm fi gsi mod n = gi ° g °°°° gsi mod n = g ( '° (' ° gsj mod n = gmsj mod n = g.

Under the conditions above, g = b "cs mod n is obtained without factor division.

DH method, ref. [3].

Based on ll above, you get a method for two parties, X and Y to construct a common secret that no one else can calculate. Both parties know the integers g and n. X forms a key pair> _ <, š from š = g * mode n. X must keep Ä secret while š is openly communicated to Y (who according to section ll cannot calculate Ä). Analogous procedure for Y. Now X and Y and only the two, can calculate kw by taking the other party's open key and exposing it with its own secret key, kxy = g !! mod n. 10 15 20 VI l [3] g is assumed to be openly known. In the present invention it is utilized that g can be kept secret (see sections 1 and IV above), which provides a new method of authenticating group affiliation. l [3] states that n should be a prime number. In the present invention, n = p q is used, which also works well (a cornerstone for RSA encryption). i-te root is certainly not unambiguous. The invention is based on the fact that a quantity k has been calculated in two ways via exponentiation with the same i, one has k = gi mod n = hi mod n. But from this one can not generally conclude that g = h. This only applies if i and = 1). But unambiguity is not a condition for the method, but what is stated in I could be reformulated: "There should be a 'sufficiently small probability' that one should be able to calculate something g that satisfies b = gi mod n, even if one knows n, b and in but do not know the factors in ”.

With regard to general requirements of a cryptographic nature, it is published in e.g. [1] which modulus n are inappropriate. Likewise, one must, for example, be observant that one does not choose factors that mean that the outcome space for exponentiations becomes too small, which could make an exhaustive search realistic.

Claims (10)

10 15 20 25 30 35 12 Patent claims: 1. In a cryptographic method for data communication in a communication network, comprising administrators and final actors, detailed procedure for distribution of cryptographic keys using open-key management, characterized in that the method provides for authentication and certification by the administrators and the the final actors are part of a hierarchical structure comprising a main administrator, none, one or more hierarchical levels comprising sub-administrators, each sub-administrator attached to a subordinate administrator and with no one or more subordinate administrators, and said final actors, each final actor attached to a parent administrator, that the principal administrator selects and keeps a basic secret, the principal administrator's own secret, that the principal administrator chooses one or more directly subordinate administrators, that to each administrator, principal administrator as well as sub-administrator an identity in the form of a unique prime number known to all administrators and final actors, that the principal administrator creates, using a function of two variables, which is one-way with respect to both variables and sequence independent with respect to one variable and where the principal administrator's own secret and the identity of the respective subordinate administrators constitute the variables, a sub-secret for each directly subordinate administrator, which secret is assigned to each subordinate administrator and which he keeps secret, that subordinate administrators in turn choose, correspondingly in a recursive procedure, subordinate to administrators and create secrets to them based on the identities of the latter and the one in resp. case the subordinate of the administrator and that the final actors are assigned a key pair by their respective administrators, consisting of a secret key, chosen in a similar way as the identity is chosen for subordinate administrators and an open key created in the same way as a sub-secret is created for a subordinate administrator or vice versa. 10 15 20 25 30 35 1,515 vvs 13 Method according to claim 1, characterized in that, if necessary, two actors check each other's authenticity by combining the other party's open key with their own secret key and a product of identities. 3. A method according to claim 1 or 2, characterized in that no identities constitute the sum of other identities. Method according to one of the preceding claims, characterized in that the prime numbers which constitute the identities of the administrators are chosen so that the largest prime number is returned to the main administrator and that the prime numbers are gradually lower, level by level in the hierarchy. Method according to one of the preceding claims, characterized in that, in the case specified in claim 1, where the secret key of the final actors is selected in a manner similar to the identity of subordinate administrators, this secret key, in the form of a prime number, is selected greater than each of the administrators' identities. Method according to any one of claims 1-5, characterized in that sub-secrets are created as functions of the class multiplication on an elliptical curve. A method according to any one of claims 1-5, characterized in that sub-secrets are created as functions of the class of exponential functions. A method according to claim 7, characterized in that an administrator assigns his subordinate administrators A, each his secret h, by exposing his own secret g modulo n with the subordinate's identity, ie. h, = g ^ 'mode n, where n is selected as the product of at least two prime numbers p and q, g is an even number with a factor common to n and A, are the identities of the subordinate administrators in the form of prime numbers and where n and A , are known to all while p, q and g are kept secret. 9. A method according to claim 8, characterized in that, in the case specified in claim 1, where the secret key of the final actors is selected in a similar way as the identities of subordinate administrators, two actors check if necessary. see 772 14 each other's authenticity by exposing each other's open keys modulo n with the product of their secret key and the identities of all their superior administrators, the consistency of the results stating that both are authentic actors and that, in what is stated in claim 1 ' vice versa ”case, where the final key of the final actors is chosen in a similar way as the identities of subordinate administrators, two actors check each other's authenticity if necessary by exposing their secret key module with the product of the other party's public key and the identities of all administrators, where consistency of the results indicates that both are authentic actors. 10. A method according to claim 8, characterized in that, in the case specified in claim 1, where the secret key of the final actors is chosen in a similar way as the identities of subordinate administrators, an administrator issues a certificate meaning that a certain open key belongs to a certain current actor and that the certificate is created by a certain administrator with a certain known identity, the administrator also calculates a digital signature by modulo n exposing his own secret with the certificate or the result of any known hash function output when the input is the certificate, after which the authenticity of the certificate can be verified by an administrator or actor by exposing the module n its public key with the product of the identities up to and including the person claiming to have written the certificate and the certificate or the result of any known hash function output when the input is the certificate and compare this result with the signature exponential modulo n with prod the identity of his and his superiors' identities and his secret key, accustomed / id conformity of the results indicates that the certificate is genuine and signed by the person who claimed to have done so.