WO2000064098A1 - Method for distributing cryptographic keys in a communications network - Google Patents

Method for distributing cryptographic keys in a communications network

Info

Publication number
WO2000064098A1
Authority
WO
WIPO (PCT)
Prior art keywords
administrator
administrators
subordinated
operators
identities
Prior art date
Application number
PCT/SE2000/000721
Other languages
English (en)
Inventor
Alf Bengtsson
Original Assignee
Försvarets Forskningsanstalt


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • The present invention relates to a method for distribution of cryptographic keys by using public-key handling.
  • The method is used in a cryptographic method for data communication in a communication network, which comprises nodes in the form of administrators and final operators.
  • The method gives the possibility of authentication and certification.
  • The secret key x is usually called the signing key.
  • X can sign an arbitrary digital data quantity M (document, image, program, anything).
  • X can send M + sign(M, x) (i.e. M plus the digital signature) to a receiver, Y.
  • x̄ is the verification key, which is public and thus known by Y.
  • Y can verify that M really comes from X, that M is genuine etc., but under the very important condition that there is an absolutely secure method of associating a public key x̄ with the correct identity X. If an enemy operator Z, who is capable of creating the key pair z, z̄, can slip in the false information that z̄ is to be associated with X, then Z can disguise himself and pass himself off as X.
  • The method which is available for securely associating a public key with the correct identity is essentially the same as the one used in daily life: we confirm each other's credentials (credit verification, ID document, certificate) and combine these in a chain of trust.
  • The term certificate is used for a message that should, inter alia, associate a key with an identity.
  • An acknowledged standard for the contents and appearance of certificates is X.509, see [1].
  • V can function as a common "certification authority" (CA).
  • V can meet X (preferably face to face, to be positive that it is really X) and hand over to X the certificate certX, which essentially runs "I, V, certify that on yymmdd I met X, who then presented x̄ to me, + plusX.509".
  • V also hands over sign(certX, v), where sign(certX, v) stands for V's digital signature and plusX.509 stands for the additional information that according to X.509 is to be found in the certificate, such as information about the period of validity of the certificate.
  • When X and Y meet after that, they can exchange their certificates certX and certY together with the associated signatures, and both can verify that they are authentic. Thus they will have a reliable association of the counterparty's identity with his public key. This is based on the fact that they both rely on V, a common CA (cf. also the remarks on radio networks below).
  • Y must be able to present to X a chain of certificates where CA_X certifies CA_1, who certifies CA_2, ..., who certifies CA_Y, who certifies Y. X must present to Y a chain in the other direction. If it is not required that different CAs have a special relation to each other (the PGP model, see [1]), it will, at least in systems involving many operators, be difficult to form the chains. It is necessary to find common "friends of friends" who can join subchains and form a continuous chain X-Y. Moreover, the resulting chains can be long, which significantly decreases the trust in them.
  • A is a common ancestor of X and Y.
  • A2 connects the chains A2-A22-A223-X and A2-A23-Y.
  • The validity of a certificate is based on the fact that the issuer's signing key has not been revealed. This occurs sooner or later (or perhaps someone finds reason to suspect that a key has been revealed, thus decreasing the trust in the certificate). Then new certificates must be created (problem 1 above) and all operators in the network must be informed that the certificate is invalid. Everybody must keep a valid black list of certificates that are not allowed to be included in chains of certificates. In large networks it is very difficult to ensure that everybody has a valid black list. The message "add certZ to the black list" is in itself a very sensitive message which must be checked particularly carefully.
  • [2] suggests a public-key method according to Diffie-Hellman in which X and Y, and no one else, can form a common secret k_xy which they then use for mutual authentication.
  • The binding of a public key to the correct identity is assumed to take place by the key pairs x, x̄ being created in a common key charging centre, NLC, which thus plays the role of the common friend V.
  • A hierarchical tree starts from a root, in the Figure called A.
  • The root can be considered the main administrator of the entire system (tree).
  • The invention is based on the fact that the root selects, and keeps secret, a basic secret which satisfies specified conditions.
  • The main administrator A selects one or more new operators which A considers to satisfy the requirements placed on them to serve as subadministrators.
  • A creates, starting from his basic secret, new subsecrets according to an inventive, carefully specified algorithm. Each subadministrator is allocated, and must then keep secret, such a subsecret. Each subadministrator selects his own subadministrators according to the same principles. By this recursive method, the hierarchical tree is built up.
  • The invention is based on the fact that the algorithm is subject to different requirements that must be satisfied so that an administrator cannot work out a secret that belongs to somebody else, apart from those available in the branch of the tree that starts from the administrator himself. If an administrator is disclosed, merely this branch of the tree will thus be disclosed. Moreover, there are conditions that must be satisfied so that a group of administrators in co-operation should not be able to work out somebody else's secret.
  • The subsecrets mentioned are created by means of a public prime number which is unambiguously associated with the administrator's place in the tree. This prime number can be considered an address or an identity.
  • A subsecret can be used in three ways:
  • The DH method (according to Diffie-Hellman) for two parties to create a mutual secret is not new. However, it is new to base the calculations on a basic secret, which gives a new method of authenticating group membership. It is also new to let identities be included in the calculations in a way that means implicit certification.
  • The method involves a new way of using the DH method to form secrets for use as cryptographic keys.
  • The DH method is described in US Patent 4,200,770, which is herewith incorporated by reference [3].
  • The two above-mentioned functions, exponentiation and multiplication on an elliptic curve, can both be used.
  • The product is intended to prevent calculation of inverses, cf. sections I and IV below.
  • g is an even number and has a factor shared with n. Otherwise, two children would have the possibility of calculating, in co-operation, their father's secret, cf. IV. n is made known to everybody, whereas p, q and g are kept secret.
  • The administrators in the tree are each allocated a prime number as identity.
  • A thus is a first prime number, A2 the next prime number, A3 the next, etc.
  • The making of this allocation is arbitrary. For example, it is possible to use b^m prime numbers for level m in the tree, where b is the maximum number of children per parent. This results in "holes" in the form of unused prime numbers. If instead one wants to "save" prime numbers, it is possible to use b prime numbers per level in the tree. Prime numbers will then be "reused" in several positions in the tree, and the risk increases that administrators in co-operation can calculate somebody else's secret (see below).
  • The main feature of the allocation of identities is that it is carried out in such a manner that everybody unambiguously knows which prime number belongs to a certain position in the tree. If, in some application, implicit certification is not needed, this requirement is omitted.
  • The greatest prime number reserved for addresses is designated L.
  • The administrators in the tree can calculate all secrets in their entire subordinated branch of the tree.
  • Since the identities are prime numbers, an administrator cannot by himself calculate a secret in some other branch. If, besides, it is required that two or more administrators should not jointly be able to work out a secret, it is a requirement that it should not be possible to write an identity as the sum of two or more other identities. Otherwise a secret can be formed by multiplication of two others. This places demands on the prime numbers that will not be analysed here. For example, it is suitable to use the prime numbers "backwards", i.e. so that the prime numbers on level 1 are greater than those on level 2, etc.
  • The final operators, X, Y etc., are assigned a pair of keys by their administrator, for example Y by A23 in the Figure.
  • The private key y should be > L for Y not to be able to disguise himself as an administrator.
  • The administrator calculates the public key ȳ.
  • The two operators X and Y form, when necessary, a mutual secret k_xy.
  • This is calculated by the operator taking his counterparty's public key and exponentiating it modulo n with the product of his own private key and the identities of all his superior administrators.
  • Correspondence is valid (see, however, section VI below) only if the same basic secret g has been used in the calculations. This is a criterion for authentication of group membership. Only X and Y and their closest superordinated administrators can calculate k_xy.
  • A certificate (to be named c_X), designed, for example, according to the standard X.509, is assigned to the final operators (e.g. X) by their respective administrators.
  • In the certificate it is stated, inter alia, that the public key x̄ belongs to the operator having the identity X and that it has been created by the administrator having the identity A223.
  • The certificate c_X and the digital signature s_X are assigned to X.
  • Another operator, e.g. Y, can verify that a certificate is genuine and that it must have been signed by an administrator in a certain position in the tree. Thus there will be no need for forming chains of certificates where the administrators between X and Y confirm each other's authenticity. The verification occurs as follows.
  • Y has received from X a certificate c and a signature s.
  • The reverse is used: if a and n have a common factor, no inverse of a exists.
  • The root in section I is "easy" to calculate, without factorising n, starting from two expressions calculated by using the same modulus.
  • i and j must be relatively prime, as well as g and n.
  • g is assumed to be publicly known. In the present invention, the fact is used that g can be kept secret (see sections I and IV above), which results in a new method of authenticating group membership.
  • n has to be a prime number.
  • n = p·q, which also functions well (a foundation stone for
  • The ith root is not reliably unambiguous.
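As an added illustration (not code from the patent or its inventor), here is a toy Python model of the key tree described above: a secret basic secret g, a public modulus n = p·q, prime identities per tree position, subsecrets formed by exponentiation along the path from the root, final-operator key pairs, and the computation of k_xy by both sides. The tiny primes, the tree layout and the rule that the root's own identity is left out of the exponents are constructed assumptions of this model.

```python
from math import gcd, prod

# Constructed toy parameters (tiny values, for readability only). n = p*q is
# public; p, q and the root's basic secret g stay with the root. g is even and
# shares a factor with n, as the description requires.
P, Q = 101, 103
N = P * Q
G = 2 * P
assert G % 2 == 0 and gcd(G, N) == P

# One distinct public prime per administrator position, assigned "backwards"
# (level 1 primes larger than level 2 primes). The root's own identity is not
# used in the exponents here; that is an assumption of this toy model.
IDS = {"A2": 31, "A3": 29, "A22": 23, "A23": 19, "A223": 17}
PARENT = {"A2": None, "A3": None, "A22": "A2", "A23": "A2", "A223": "A22"}
L = max(IDS.values())  # greatest prime reserved for identities


def path_ids(admin):
    """Identities of admin and of every superior administrator up to the root."""
    ids = []
    while admin is not None:
        ids.append(IDS[admin])
        admin = PARENT[admin]
    return ids


def subsecret(admin, basic_secret=G):
    """Subsecret of an administrator as created by the root: g raised to the
    product of the identities on the path from the root, modulo n."""
    return pow(basic_secret, prod(path_ids(admin)), N)


def subsecret_from_ancestor(ancestor, descendant):
    """An administrator derives a subordinate's secret from its own subsecret
    and the public identities below it; g itself is not needed for this."""
    ids_below = path_ids(descendant)[: -len(path_ids(ancestor))]
    return pow(subsecret(ancestor), prod(ids_below), N)


def make_keypair(admin, private_key, basic_secret=G):
    """Administrator assigns a final operator a key pair: a private key > L and
    the public key = administrator's subsecret ^ private key mod n."""
    if private_key <= L:
        raise ValueError("private key must exceed L so the operator cannot pose as an administrator")
    return private_key, pow(subsecret(admin, basic_secret), private_key, N)


def shared_secret(own_private, own_admin, peer_public):
    """k_xy: the peer's public key raised to (own private key times the identities
    of all own superior administrators), modulo n. Both sides reach g to the same
    product, so no certificate chain between X and Y is needed."""
    return pow(peer_public, own_private * prod(path_ids(own_admin)), N)


if __name__ == "__main__":
    x, x_pub = make_keypair("A223", 1009)  # X is assigned keys by A223
    y, y_pub = make_keypair("A23", 2003)   # Y is assigned keys by A23
    print(shared_secret(x, "A223", y_pub) == shared_secret(y, "A23", x_pub))  # True
```

Key pairs built from a different basic secret produce a mismatching k_xy, which is the group-membership check the description refers to, while an ancestor can still recompute every subsecret in its own branch from its own subsecret and the public identities.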

Abstract

The invention concerns a method for distributing cryptographic keys using public-key handling in a cryptographic method for data communication in a hierarchical communications network, which comprises nodes in the form of administrators and final operators. An identity, in the form of a unique prime number known to all administrators and final operators, is associated with each administrator in the tree. The main administrator of the tree selects at least one directly subordinate administrator. He also selects a basic secret, which he keeps secret. The main administrator creates a subsecret for each directly subordinate administrator on the basis of his own secret and the identity of each directly subordinate administrator. The subsecret is assigned to the associated subordinate administrator, who keeps it secret. By a recursive method, the subordinate administrators in turn select subordinate administrators in a corresponding manner and create subsecrets for them. The final operators receive from their respective administrators a key pair, namely a private key, chosen in the same way that the identity of a subordinate administrator is chosen, and a public key, created in the same way that the subsecret of a subordinate administrator is created, or vice versa.
PCT/SE2000/000721 1999-04-16 2000-04-14 Method for distributing cryptographic keys in a communications network WO2000064098A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9901358A SE515778C2 (sv) 1999-04-16 1999-04-16 Method for key distribution with built-in possibility of authentication and certification in a hierarchical tree
SE9901358-3 1999-04-16

Publications (1)

Publication Number Publication Date
WO2000064098A1 true WO2000064098A1 (fr) 2000-10-26

Family

ID=20415233

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2000/000721 WO2000064098A1 (fr) 1999-04-16 2000-04-14 Method for distributing cryptographic keys in a communications network

Country Status (2)

Country Link
SE (1) SE515778C2 (fr)
WO (1) WO2000064098A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002017557A1 (fr) * 2000-08-22 2002-02-28 Smarttrust Systems Oy Secure identity chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4200770A (en) * 1977-09-06 1980-04-29 Stanford University Cryptographic apparatus and method
US5651066A (en) * 1994-04-28 1997-07-22 Nippon Telegraph And Telephone Corporation Cipher key distribution system effectively preventing illegitimate use and charging of enciphered information
EP0793367A2 (fr) * 1996-02-29 1997-09-03 Oki Electric Industry Co., Ltd. Key distribution method and system
US5745574A (en) * 1995-12-15 1998-04-28 Entegrity Solutions Corporation Security infrastructure for electronic transactions
WO1998049805A1 (fr) * 1997-04-25 1998-11-05 Koninklijke Kpn N.V. Key distribution system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SANTOSH CHOKHANI: "Toward a national public key infrastructure", IEEE COMMUNICATIONS MAGAZINE, vol. 32, no. 9, September 1994 (1994-09-01), pages 70 - 74 *


Also Published As

Publication number Publication date
SE9901358L (sv) 2000-10-17
SE9901358D0 (sv) 1999-04-16
SE515778C2 (sv) 2001-10-08


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP