WO2000064098A1 - Method for distributing cryptographic keys in a communications network - Google Patents
- Publication number: WO2000064098A1 (PCT application PCT/SE2000/000721)
- Authority: WO (WIPO, PCT)
- Prior art keywords: administrator, administrators, subordinated, operators, identities
- Prior art date: 1999-04-16
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
              - H04L9/0841—Key agreement involving Diffie-Hellman or related key agreement protocols
        - H04L9/32—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3263—Such mechanisms involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- the present invention relates to a method for distributing cryptographic keys using public-key techniques.
- the method is used in a cryptographic method for data communication in a communication network which comprises nodes in the form of administrators and final operators.
- the method gives the possibility of authentication and certification.
- the secret key x is usually called the signing key.
- X can sign an arbitrary digital data quantity M (document, image, program, anything).
- X can send M + sign(M, x) (i.e. M plus the digital signature) to a receiver Y.
- x̂ is the verification key, which is public and thus known by Y.
- Y can verify that M really comes from X, that M is genuine, etc., but under the very important condition that there is an absolutely secure method of associating the public key x̂ with the correct identity X. If an enemy operator Z, who is capable of creating a key pair z, ẑ, can slip in the false information that ẑ is to be associated with X, Z can disguise himself and pass himself off as X.
- the method available for securely associating a public key with the correct identity is essentially the same as the one used in daily life: we confirm each other's credentials (credit check, ID document, certificate) and combine these in a chain of trust.
- the term certificate is used for such a message, which should, inter alia, associate a key with an identity.
- an acknowledged standard for the contents and appearance of certificates is X.509, see [1].
- V can function as a common certification authority (CA).
- V can meet X (preferably face to face, to be positive that it is really X) and hand over to X the certificate certX, which essentially reads: "I, V, ensure that on yymmdd I met X, who then presented to me x̂, +plusX.509+".
- V also hands over sign(certX, v), where sign(certX, v) stands for V's digital signature made with V's signing key v, and +plusX.509+ stands for the additional information that, according to X.509, is to be found in the certificate, such as its period of validity.
- when X and Y later meet, they can exchange the certificates certX and certY together with the associated signatures, and both can verify that they are authentic. Thus they have a reliable association of the counterparty's identity with his public key. This rests on the fact that they both rely on V, a common CA (cf. also radio networks below).
- if CA_X and CA_Y differ, Y must be able to present to X a chain of certificates where CA_X certifies CA_1, who certifies CA_2, ..., who certifies CA_Y, who certifies Y. X must present to Y a chain in the other direction. If different CAs are not required to stand in a special relation to each other (the PGP model, see [1]), it will, at least in systems with many operators, be difficult to form the chains: common "friends of friends" must be found who can join subchains into a continuous chain X-Y. Moreover, the resulting chains can be long, which significantly decreases the trust placed in them.
- A is a common ancestor of X and Y.
- A2 joins the chains A2-A22-A223-X and A2-A23-Y.
- the validity of a certificate rests on the issuer's signing key not having been revealed. This happens sooner or later (or someone finds reason to suspect that a key has been revealed, which decreases the trust in the certificate). Then new certificates must be created (problem 1 above), and all operators in the network must be informed that the certificate is invalid. Everybody must keep an up-to-date black list of certificates that may not be included in certificate chains. In large networks it is very difficult to ensure that everybody has an up-to-date black list. The message "add certZ to the black list" is itself a very sensitive message, which must be checked particularly carefully.
- [2] suggests a public-key method according to Diffie-Hellman in which X and Y, and no one else, can form a common secret k_xy which they then use for mutual authentication.
- the binding of a public key to the correct identity is assumed to take place by the key pairs x, x̂ being created in a common key loading centre, NLC.
- the NLC takes the role of the common friend V.
- a hierarchical tree starts from a root, called A in the Figure.
- the root can be considered the main administrator of the entire system (tree).
- the invention is based on the root selecting, and keeping secret, a basic secret which satisfies specified conditions.
- the main administrator A selects one or more new operators which A considers to satisfy the requirements placed on those who are to serve as subadministrators.
- A creates, starting from his basic secret, new subsecrets according to an inventive, carefully specified algorithm. Each subadministrator is allocated, and must then keep secret, such a subsecret. Each subadministrator selects his own subadministrators according to the same principles. By this recursive method the hierarchical tree is composed.
- the invention is based on the algorithm being subject to requirements which must be satisfied so that an administrator cannot work out any secret belonging to somebody else, apart from those in the branch of the tree that starts from the administrator himself. If an administrator is compromised, only that branch of the tree is compromised. There are further conditions that must be satisfied so that a group of administrators in co-operation cannot work out somebody else's secret.
- the subsecrets mentioned are created by means of a public prime number which is unambiguously associated with the administrator's place in the tree. This prime number can be considered an address or an identity.
- a subsecret can be used in three ways:
- the DH method (according to Diffie-Hellman) by which two parties create a mutual secret is not new. It is new, however, to base the calculations on a basic secret, which gives a new method of authenticating group membership. It is also new to let identities enter the calculations in a way that amounts to implicit certification.
- the method involves a new way of using the DH method to form secrets for use as cryptographic keys.
- the DH method is described in US Patent 4,200,770, which is herewith incorporated by reference [3].
- the two above-mentioned functions, exponentiation and multiplication on an elliptic curve, can both be used.
- the product n = p·q (rather than a prime modulus) is intended to prevent the calculation of inverses, cf. sections I and IV below.
- g is an even number and has a factor in common with n. Otherwise two children would be able, in co-operation, to calculate their father's secret, cf. IV. n is made known to everybody, whereas p, q and g are kept secret.
- the administrators in the tree are each allocated a prime number as identity.
- A thus is a first prime number, A2 the next prime number, A3 the next, etc.
- how this allocation is made is arbitrary. For example, it is possible to use b^m prime numbers for level m in the tree, where b is the maximum number of children per parent. This results in "holes" in the form of unused prime numbers. If instead one wants to "save" prime numbers, it is possible to use b prime numbers per level in the tree. Prime numbers will then be "reused" in several positions in the tree, and the risk increases that administrators in co-operation can calculate somebody else's secret (see below).
- the main feature of the allocation of identities is that it is carried out in such a manner that everybody unambiguously knows which prime number belongs to a certain position in the tree. If, in some application, implicit certification is not needed, this requirement is omitted.
- the greatest prime number reserved for addresses is designated L.
- the administrators in the tree can calculate all secrets in their entire subordinate branch of the tree.
- identities being prime numbers, an administrator cannot by himself calculate a secret in another branch. If, in addition, it is required that two or more administrators should not jointly be able to work out a secret, it must not be possible to write an identity as the sum of two or more other identities; otherwise a secret can be formed by multiplying two others. This places demands on the prime numbers which are not analysed here. For example, it is suitable to use the prime numbers "backwards", i.e. the prime numbers on level 1 are greater than those on level 2, etc.
- the final operators, X, Y etc., are assigned a key pair by their administrator, for example Y by A23 in the Figure.
- the private key y should be > L so that Y cannot disguise himself as an administrator.
- the administrator calculates the public key ŷ.
- the two operators X and Y form, when necessary, a mutual secret k_xy.
- this is calculated by each operator taking his counterparty's public key and exponentiating it modulo n with the product of his own private key and the identities of all his superior administrators.
- the two results correspond (see, however, section VI below) only if the same basic secret g has been used in the calculations. This is a criterion for authentication of group membership. Only X and Y and their closest superior administrators can calculate k_xy.
- a certificate (named c_x), designed for example according to the X.509 standard, is assigned to the final operators (e.g. X) by their respective administrators.
- in the certificate it is stated, inter alia, that the public key x̂ belongs to the operator having the identity X and that it has been created by the administrator having the identity A223.
- the certificate c_x and the digital signature s_x are assigned to X.
- another operator, e.g. Y, can verify that a certificate is genuine and that it must have been signed by an administrator in a certain position in the tree. Thus there is no need to form chains of certificates in which the administrators between X and Y confirm each other's authenticity. The verification occurs as follows.
- Y has received from X a certificate c and a signature s.
- the reverse is used: if a and n have a common factor, no inverse a^-1 exists.
- the root in section I is "easy" to calculate without factorising n, starting from two expressions calculated using the same modulus.
- i and j must be relatively prime, and g and n relatively prime.
- g is assumed to be publicly known. In the present invention the fact is used that g can be kept secret (see sections I and IV above), which results in a new method of authenticating group membership.
- n has to be a prime number (in the DH method).
- n = p·q, which also functions well (a foundation stone for
- the i-th root is not reliably unambiguous.
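The subsecret derivation, the X/Y key agreement, the group-membership criterion and the "two children recover their father's secret" check described in the items above, as an added Python example that is not part of the patent or its figure. Everything concrete here is constructed for the example: the tree A, A2, A3, A22, A23, A222, A223, the prime identities, the toy primes p = 1009 and q = 1013, the operator private keys 101, 137 and 149, the outsider tree's basic secret 6p, and the reading of "exponentiating" as s_child = s_parent^id mod n. The recovery attempt uses the extended Euclidean algorithm, which is the standard way to combine s^i and s^j with gcd(i, j) = 1.

```python
"""Hierarchical key distribution with prime identities (toy parameters, constructed for this example)."""
from math import gcd

# Toy parameters, constructed for this example; a real system uses large secret primes.
P, Q = 1009, 1013          # secret primes chosen by the root administrator A
N = P * Q                   # public modulus n = p*q
G_ROOT = 2 * P              # A's basic secret g: even and sharing a factor with n, as the text requires

# Prime identities allocated "backwards" (level 1 primes larger than level 2, etc.); root A needs none.
IDS = {"A2": 23, "A3": 29, "A22": 13, "A23": 17, "A222": 11, "A223": 7}
PARENT = {"A2": "A", "A3": "A", "A22": "A2", "A23": "A2", "A222": "A22", "A223": "A22"}
L = max(IDS.values())       # greatest prime reserved for administrator addresses


def ext_gcd(a, b):
    """Extended Euclid: return (x, y) with a*x + b*y == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return x0, y0


def path_ids(admin):
    """Identities of `admin` and of every superior administrator, nearest first (root A has none)."""
    ids = []
    while admin != "A":
        ids.append(IDS[admin])
        admin = PARENT[admin]
    return ids


def subsecret(admin, g=G_ROOT, n=N):
    """Recursive derivation: a child's subsecret is the parent's secret raised to the child's identity mod n."""
    s = g
    for i in reversed(path_ids(admin)):   # walk from the root downwards
        s = pow(s, i, n)
    return s


def assign_operator(admin, private_key, g=G_ROOT, n=N):
    """`admin` hands a final operator the pair (private key, public key = subsecret^private mod n)."""
    if private_key <= L:
        raise ValueError("private key must exceed L, otherwise the operator could pose as an administrator")
    return private_key, pow(subsecret(admin, g, n), private_key, n)


def shared_key(my_private, my_admin, peer_public, n=N):
    """k = peer_public ^ (own private key * identities of all own superior administrators) mod n."""
    exponent = my_private
    for i in path_ids(my_admin):
        exponent *= i
    return pow(peer_public, exponent, n)


def demo_key_agreement(g=G_ROOT, n=N):
    """X (under A223) and Y (under A23) each compute k_xy; both views are returned."""
    x, x_pub = assign_operator("A223", 101, g, n)
    y, y_pub = assign_operator("A23", 137, g, n)
    return shared_key(x, "A223", y_pub, n), shared_key(y, "A23", x_pub, n)


def demo_group_membership(n=N):
    """Z was keyed at position A23 of a tree built on a different basic secret; the two views disagree."""
    x, x_pub = assign_operator("A223", 101, G_ROOT, n)
    z, z_pub = assign_operator("A23", 149, 6 * P, n)   # the other tree's basic secret (constructed)
    return shared_key(x, "A223", z_pub, n), shared_key(z, "A23", x_pub, n)


def siblings_recover_parent(g, n=N):
    """A22 (id 13) and A23 (id 17) pool s^13 and s^17 to rebuild their father's s = s^(4*13 - 3*17).

    Returns the recovered secret, or None when the required modular inverse does not exist."""
    s13, s17 = subsecret("A22", g, n), subsecret("A23", g, n)
    a, b = ext_gcd(IDS["A22"], IDS["A23"])     # 4*13 + (-3)*17 == 1
    try:
        return (pow(s13, a, n) * pow(s17, b, n)) % n   # negative exponent = modular inverse (Python >= 3.8)
    except ValueError:                                  # base shares a factor with n: no inverse
        return None


if __name__ == "__main__":
    kx, ky = demo_key_agreement()
    print("k_xy agrees inside one tree:", kx == ky)
    kx, kz = demo_group_membership()
    print("key agrees with an outsider:", kx == kz)
    print("siblings recover father with g coprime to n:", siblings_recover_parent(5) == subsecret("A2", 5))
    print("siblings recover father with shared-factor g:", siblings_recover_parent(G_ROOT))
    # Observation, not from the patent text: every secret derived from G_ROOT is a multiple of P.
    print("gcd(secret, n) == p:", gcd(subsecret("A22"), N) == P)
```

With g = 5 (coprime to n, as in ordinary Diffie-Hellman over this modulus) the two siblings reconstruct A2's secret exactly; with the shared-factor g the inversion step raises and the reconstruction fails, which is the effect the text attributes to choosing g with a factor in common with n. The last line is an observation the page does not make: since g is a multiple of p, so is every derived secret, and gcd(secret, n) returns p, so a failed inversion is not by itself evidence that p and q stay hidden from administrators.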
Abstract
The invention relates to a method for distributing cryptographic keys using public-key handling in a cryptographic method for data communication in a hierarchical communications network which comprises nodes in the form of administrators and final operators. An identity, in the form of a unique prime number known to all administrators and final operators, is associated with each administrator in the tree. The main administrator of the tree selects at least one directly subordinate administrator. He also chooses a basic secret, which he keeps secret. The main administrator creates a subsecret for each directly subordinate administrator on the basis of his own secret and the identity of that directly subordinate administrator. The subsecret is assigned to the associated subordinate administrator, who keeps it secret. In a recursive manner, the subordinate administrators in turn select subordinate administrators in a corresponding way and create subsecrets for them. The final operators receive from their respective administrators a key pair: a private key, chosen in the same way as the identity of a subordinate administrator is chosen, and a public key created in the same way as the subsecret of a subordinate administrator is created, or vice versa.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE9901358A SE515778C2 (sv) | 1999-04-16 | 1999-04-16 | Method for key distribution with built-in possibility of authentication and certification in a hierarchical tree |
SE9901358-3 | 1999-04-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000064098A1 (fr) | 2000-10-26 |
Family
ID=20415233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2000/000721 WO2000064098A1 (fr) | 1999-04-16 | 2000-04-14 | Method for distributing cryptographic keys in a communications network |
Country Status (2)
Country | Link |
---|---|
SE (1) | SE515778C2 (fr) |
WO (1) | WO2000064098A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002017557A1 (fr) * | 2000-08-22 | 2002-02-28 | Smarttrust Systems Oy | Secure identity chain |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4200770A (en) * | 1977-09-06 | 1980-04-29 | Stanford University | Cryptographic apparatus and method |
US5651066A (en) * | 1994-04-28 | 1997-07-22 | Nippon Telegraph And Telephone Corporation | Cipher key distribution system effectively preventing illegitimate use and charging of enciphered information |
EP0793367A2 (fr) * | 1996-02-29 | 1997-09-03 | Oki Electric Industry Co., Ltd. | Key distribution method and system |
US5745574A (en) * | 1995-12-15 | 1998-04-28 | Entegrity Solutions Corporation | Security infrastructure for electronic transactions |
WO1998049805A1 (fr) * | 1997-04-25 | 1998-11-05 | Koninklijke Kpn N.V. | Key distribution system |
- 1999-04-16: SE application SE9901358A (patent SE515778C2) filed; not active (IP right cessation)
- 2000-04-14: PCT application PCT/SE2000/000721 (WO2000064098A1) filed; active (application filing)
Non-Patent Citations (1)
Title |
---|
SANTOSH CHOKHANI: "Toward a national public key infrastructure", IEEE COMMUNICATIONS MAGAZINE, vol. 32, no. 9, September 1994 (1994-09-01), pages 70 - 74 * |
Also Published As
Publication number | Publication date |
---|---|
SE9901358L (sv) | 2000-10-17 |
SE9901358D0 (sv) | 1999-04-16 |
SE515778C2 (sv) | 2001-10-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Karati et al. | A pairing-free and provably secure certificateless signature scheme | |
Wang et al. | Security analysis of some proxy signatures | |
Shao | Proxy signature schemes based on factoring | |
Brickell et al. | Enhanced privacy ID from bilinear pairing | |
EP2148465A1 (fr) | Method for applying implicit signature schemes | |
WO2004104797A1 (fr) | Use of certified secrets in communication | |
GB2321834A (en) | Cryptographic signature verification using two private keys. | |
JPH08328472A (ja) | Authentication exchange method, recovery-type digital signature method, appendix-type digital signature method, key exchange method, recovery-type public digital signature method, appendix-type public digital signature method and blind digital signature method | |
KR0144086B1 (ko) | Authentication exchange and digital signature method | |
JP2002534701A (ja) | Auto-recoverable, auto-certifiable cryptosystem using non-escrowed signing-only keys | |
JP2004208263A (ja) | Identity-based blind signature apparatus and method using bilinear pairing | |
WO2019110399A1 (fr) | Two-party signing device and method | |
Anada et al. | RSA public keys with inside structure: Proofs of key generation and identities for web-of-trust | |
CN112989436B (zh) | A multi-signature method based on a blockchain platform | |
Susilo et al. | Tripartite concurrent signatures | |
Hsu et al. | Self-certified threshold proxy signature schemes with message recovery, nonrepudiation, and traceability | |
Seo et al. | A mediated proxy signature scheme with fast revocation for electronic transactions | |
JPH09298537A (ja) | Digital signature scheme and information communication system using it | |
Chen | A DAA scheme using batch proof and verification | |
WO2000064098A1 (fr) | Method for distributing cryptographic keys in a communications network | |
Ismail et al. | A new signature scheme based on multiple hard number theoretic problems | |
Shao | Digital signature schemes based on factoring and discrete logarithms | |
Kaliski Jr | On hash function firewalls in signature schemes | |
Wu et al. | Self-certified multi-proxy signature schemes with message recovery | |
JPH1084341A (ja) | Message-appended digital signature method and corresponding verification method | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): JP US |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101) | |
| 122 | Ep: PCT application non-entry in European phase | |
| NENP | Non-entry into the national phase | Ref country code: JP |