EP1882330A1 - Method for creating and transmitting a key pair between a certification authority and a recipient - Google Patents
Method for creating and transmitting a key pair between a certification authority and a recipient
- Publication number
- EP1882330A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- key
- key pair
- cred
- receiver
- certification authority
- Prior art date
- Legal status
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- the invention relates to a method of creating and transmitting a key pair from a certification authority to a recipient, wherein authentication of the key pair occurs without any interaction between the certification authority and the recipient.
- the invention further relates to a cryptographic system having a receiver and a certification authority.
- NIZKP: non-interactive zero-knowledge proofs
- NIZKPs are used to prove knowledge of certain data, such as identity data, that is available to both the sender and the recipient, the identity data being compared over an unsecured data channel.
- identity data: data that is available to both the sender and the recipient
- Digital signatures are based on an asymmetric cryptosystem and are therefore very computationally intensive.
- digital signatures which are used in the context of a so-called "Public Key Infrastructure" (PKI)
- PKI: Public Key Infrastructure
- digital certificates must be sent together with a signature so that the authenticity of the sender can be verified
- the size of these digital certificates plus the signature requires a minimum amount of memory, which means that the performance is low, especially for small messages, i.e. messages with a low storage volume, and this has an impact on the scalability of the network.
- the modulus N is the product of two prime numbers p and q, where N the public and private key part of the
- the key pair generated by the Feige-Fiat-Shamir method consists of k corresponding public (Vj) and private (Sj) key entries that satisfy the following equation:
- the object of the present invention is therefore to provide a suitable method and a cryptographic system, with which the above-mentioned goal can be achieved.
- a datum is transmitted from the recipient to the certification authority.
- the key pair is formed from a first key part and a second key part and transmitted to the recipient.
- the datum is a key part of another key pair of the recipient, and the transmission of the key pair from the certification authority to the recipient is encrypted, the encryption being performed by the certification authority on the basis of the datum.
- the key pair, also referred to as a credential, is used by the recipient to sign messages that it exchanges with other recipients.
- the other key pair stored in the recipient was created by another certification authority, based on a unique identification of the recipient, using the Feige-Fiat-Shamir method. This makes it possible, on the one hand, to provide the recipient with assigned anonymized credentials.
- because the key pair generated by the certification authority is encrypted, the invention makes it possible to transmit it to the receiver over an unsecured transmission channel, which considerably simplifies the distribution of credentials in practice.
- it is provided that only a part of the key pair is encrypted with the datum.
- the datum is the public key of the other key pair. This gives the recipient the possibility to decrypt the encrypted first key part with the private key of the other key pair.
- a particularly high level of security with regard to cryptanalysis of the key pair generated by the certification authority results when the key pair is formed using a Feige-Fiat-Shamir (FFS) irreversible one-way function.
- FFS: Feige-Fiat-Shamir
- the first and the second key part of the key pair generated by the certification authority have an identical number k of key entries (Sj, Vj).
- a Blum integer is used as the modulus N, in which p and q are congruent to 3 (mod 4); each quadratic residue modulo N then has exactly four square roots, one of which is the so-called main square root.
- the key entries Sj of the first key part are main square roots modulo N (QW mod N, square roots modulo N). This means that each key entry Sj is itself a quadratic residue modulo N (QR mod N). Only those certification authorities in possession of p and q can encrypt the key entries of the first key part of the key pair to be transmitted, and at the same time enable the recipient of the key pair to authenticate the key data without additional signatures or certificates.
- the prerequisite is therefore that a valid key pair, the other key pair, already exists, whose public key (the datum) is known to the certification authority.
- the datum, i.e. the public key, could for example be stored on a chip card that is issued to the receiver.
- the certification authority can encrypt the new private key part and send the key pair to the receiver over a non-secure transmission channel. Due to the nature of the encryption, only the rightful recipient is able to decrypt the key pair, i.e. the new private key part, by using the private key of the other key pair.
- the key entries Vj of the second key part are generated with a hash function (Hx) using a key datum and a number of parameter values Wj corresponding to the number k of key entries, so that after application of the one-way function the key entries S
- Hx hash function
- Wj parameter values corresponding to the number k of key entries
- anyone who knows the modulus N can generate their own key pair by first generating the key entries Sj of the first key part and calculating from them the key entries Vj of the second key part. In this way, key entries Vj that are quadratic residues modulo N (QR mod N) result automatically. To prevent this, a public key certificate would be necessary. To avoid this expense, the key datum is used, which guarantees that the key pair has been generated only by a trusted third party, the certification authority.
- the key datum may consist of several parts, including, for example, information about the type of key, the unique number and the identity of the issuing institution.
- whether the key entries Vj of the second key part are quadratic residues modulo N (QR mod N) or not is determined by the parameter values Wj. This ensures that no unauthorized third party can generate valid key pairs.
- the second key part is thus made up of the key datum and the parameters W_0, W_1, ..., W_k.
- the second key part is thus substantially smaller than when the actual key entries Vj and an additional certificate are used.
- if this second key part is sent along with signed messages, the respective recipient can check whether the signature is valid.
- the advantage is that it is not possible for third parties to generate valid, related key data and parameter values Wj, which ensures both the authenticity of the keys and that of the messages carrying the generated key pair.
- the hash function H(x) is known to the receiver, and the key datum and the parameter values Wj are transmitted to the receiver as the second key part of the key pair.
- the receiver decrypts the first key part of the key pair received from the certification authority with the private key of the other key pair.
- a further embodiment provides that the receiver calculates the key entries Sj of the first key part from the key pair received from the certification authority and checks whether the key pair originates from an authorized certification authority. Furthermore, it is provided that the receiver checks whether the key pair transmitted by the certification authority is valid.
- the receiver determines the key entries Vj of the second key part from the key pair received from the certification authority, determines the key entries Sj of the first key part of the key pair from the key entries Vj of the second key part, and checks whether the key pair is valid.
- the other key pair is generated by the Feige-Fiat-Shamir method.
- the inventive cryptographic system has the same advantages as described above in connection with the method according to the invention.
- the cryptographic system comprises a receiver and a certification authority, wherein the certification authority is adapted to receive a message containing a datum from the recipient, the datum representing a public key of another key pair of the recipient, to form a key pair using an irreversible one-way function, to encrypt at least one key part of the key pair with the datum, and to send the key pair to the recipient.
- the recipient of the cryptographic system is set up to receive the key pair sent by the certification authority and to decrypt the encrypted key part of the key pair with a private key of the other key pair stored in the receiver.
- Fig. 1 is a schematic representation of a cryptographic system according to the invention.
- FIG. 2 shows the schematic structure of a key pair generated by a certification authority.
- a key pair Cred comprises a first key part privKey and a second key part pubKey (Fig. 2), wherein the first key part forms a private key and the second key part forms a public key of the key pair Cred.
- PKI public key infrastructure
- Certificate validation requires online access to a PKI and requires a relatively high amount of computation and therefore also a great deal of time.
- the invention uses a non-interactive application of a zero knowledge proof
- the basic structure according to which every zero-knowledge proof runs is interactive.
- the best-known zero-knowledge proof of identity derives from U. Feige, A. Fiat, and U. Shamir, and is referred to as the Feige-Fiat-Shamir (FFS) method.
- FFS Feige-Fiat-Shamir
- security is based on the problem of computing square roots modulo N and therefore requires fewer computationally intensive steps than, for example, the RSA method.
- the modulus N forms the discrete value set for the generation of the asymmetric key pair.
- the length of the modulus N is in a similar range to RSA.
- key lengths SL greater than 768 bits are recognized as secure; values above this lower limit are used.
- each of the key parts privKey and pubKey comprises k corresponding public (Vj) and private (Sj) key entries, each of which is used for a signature calculation.
- the simulated interactions are parallelized, with the selection from the k key entries being determined by the hash value.
- the key pairs Cred are transmitted in encrypted form. This makes it impossible for third parties to intercept the key entries, in particular the private key entries, of the key pairs Cred.
- the private key entries Sj must be QR mod N. Because the modulus N is a Blum integer, every QR mod N not only has exactly four square roots (QW mod N), but exactly one of these QW mod N is again a QR mod N, the main square root. Therefore the private key entries Sj are assigned the value of the QW mod N that is itself a QR mod N.
- the certification authority CA: for the encryption of the key pair Cred, a datum P of the recipient E is used. At this time the receiver E is already in possession of a valid other key pair; the certification authority CA receives the public key of this key pair as the datum P, with which the receiver E registers with the certification authority CA. Encryption is applied solely to the private key entries of the key pair Cred when the certification authority CA sends it to the recipient E. Since the recipient E has previously authenticated himself to the certification authority CA with the public key P of the other key pair, whose private key is known only to him, the CA knows which datum it has to use to encrypt the key data. For security and privacy reasons, the certification authority CA does not link the public key P of the other key pair with the message it generates, so that third parties cannot associate the other key pair with the credential.
- the key generation: in order that recipients accept only key pairs Cred that come from a suitably authorized certification authority CA, the key generation must create an insurmountable and irreversible connection to the issuing certification authority CA and thereby avoid the overhead of certificates. For this reason, in accordance with the FFS method, the invention falls back on key identities from which the public key derives via a system-wide one-way function, hereafter a hash function H(x), which supplies hash values with a bit length of HL bits.
- the goal of the key generation by the certification authority CA is a unique assignment of a key datum keyID by means of a
- the length of the public key entries is exactly HL bits due to the hash function H(x). The bit length of the individual parameters Wj is derived from empirical experiments and is preferably 16 bits.
- the certification authority CA calculates the square roots modulo N (QW mod N) of the individual key entries Vj. Due to the special property of the modulus N (Blum integer; p and q congruent to 3 (mod 4)), each QR mod N has exactly four QW mod N.
- the complete private key consists of k entries:
- the generation of the key pair Cred is now completed and the recipient E receives the private key part (privKey) and the public key part (pubKey).
- the individual key entries Vj are generated by the receiver E itself by means of the hash function H(x). Only after the context
- the certification authority CA thus generates the key datum keyID for the key pair Cred to be generated and determines the parameters Wj for the public key entries.
- the certification authority CA calculates the QW mod N of the public key entries Vj and assigns the main square root to the private key entries Sj of the key pair Cred. Only when the main square root is used can the encryption of the private key parts Sj be ensured.
- V_cred = [(V_cred)_0, (V_cred)_1, ..., (V_cred)_(k-1)] (9)
- m_cred = {pubKey_cred, e, s_0*, s_1*, ..., s_(k-1)*} (17)
- the receiver E stores the key pair Cred in the internal secure memory.
- the necessary public key entries Vj of the credential are calculated by the receiver E from the public key part pubKey_cred using equation (2).
- the receiver E additionally checks that the respective corresponding key entries belong together and thus detects transmission errors or deliberate manipulation of the key entries.
- step (19) checks whether the key entries of Cred originate from an authorized certification authority CA, for only the CA can calculate the square roots (QW mod N) that form the private key entries (s_cred)_i of the key pair Cred, using its knowledge of the prime factorization of the modulus N.
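The key-generation and verification steps described above (hash-derived public entries Vj, main square roots Sj modulo a Blum integer, and the receiver-side check that only a party knowing p and q could have produced Sj) are worked through below. This is an added example, not code from the patent or from its applicant; the tiny primes, the choice of SHA-256 reduced modulo N as the system-wide hash H(x), the inclusion of the index j in the hash input and the 16-bit search over Wj are all assumptions made here for illustration.

```python
import hashlib
import math

# Constructed toy Blum integer for illustration only: both primes are
# congruent to 3 (mod 4). Real moduli are hundreds of bits long.
P, Q = 11, 19
N = P * Q  # 209


def is_blum_modulus(p: int, q: int) -> bool:
    """N = p*q is a Blum integer when p = q = 3 (mod 4)."""
    return p % 4 == 3 and q % 4 == 3


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a|p) by Euler's criterion: 1 (QR), -1 (non-residue), 0."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_qr_mod_n(v: int, p: int, q: int) -> bool:
    """v is a QR mod N iff it is a QR mod p and mod q (needs the factorisation)."""
    return legendre(v, p) == 1 and legendre(v, q) == 1


def _crt(rp: int, rq: int, p: int, q: int) -> int:
    """Combine x = rp (mod p), x = rq (mod q) into x mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def all_sqrts(v: int, p: int, q: int) -> set:
    """The four square roots (QW mod N) of a QR v modulo a Blum integer."""
    rp, rq = pow(v, (p + 1) // 4, p), pow(v, (q + 1) // 4, q)
    return {_crt(a, b, p, q) for a in (rp, p - rp) for b in (rq, q - rq)}


def principal_sqrt(v: int, p: int, q: int) -> int:
    """The main square root: the one of the four roots that is itself a QR mod N.
    For p = 3 (mod 4), v^((p+1)/4) mod p is the root that is a QR mod p."""
    return _crt(pow(v, (p + 1) // 4, p), pow(v, (q + 1) // 4, q), p, q)


def H(key_id: bytes, j: int, w: int, n: int) -> int:
    """Assumed system-wide hash H(x): SHA-256 over keyID || j || W_j, reduced mod N.
    Including the index j is an assumption made here to keep the k entries distinct."""
    data = key_id + j.to_bytes(2, "big") + w.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_generate_credential(key_id: bytes, k: int, p: int, q: int):
    """CA side: for every j search a 16-bit W_j such that V_j = H(keyID, W_j) is a
    QR mod N, then set S_j to its main square root.
    Returns (pubKey = (keyID, [W_j]), privKey = [S_j])."""
    n = p * q
    ws, ss = [], []
    for j in range(k):
        for w in range(1 << 16):
            v = H(key_id, j, w, n)
            if v > 1 and math.gcd(v, n) == 1 and is_qr_mod_n(v, p, q):
                ws.append(w)
                ss.append(principal_sqrt(v, p, q))
                break
        else:
            raise RuntimeError("no suitable W_j found in the 16-bit range")
    return (key_id, ws), ss


def receiver_verify(pub_key, priv_key, n: int) -> bool:
    """Receiver side, without p and q: recompute V_j = H(keyID, W_j) and check
    S_j^2 = V_j (mod N) for every entry. A pair that passes can only have been
    produced by a party able to take square roots of hash outputs mod N, i.e.
    one that knows the factorisation of N, so no certificate is needed."""
    key_id, ws = pub_key
    if len(ws) != len(priv_key):
        return False
    return all(pow(s, 2, n) == H(key_id, j, w, n)
               for j, (w, s) in enumerate(zip(ws, priv_key)))


if __name__ == "__main__":
    pub, priv = ca_generate_credential(b"keyID-demo", 4, P, Q)
    print("pubKey:", pub, "privKey:", priv)
    print("valid credential:", receiver_verify(pub, priv, N))
    print("zeroed private part accepted:", receiver_verify(pub, [0] * 4, N))
```

The receiver never needs p or q: it only recomputes each Vj from the compact second key part (keyID and the Wj) and squares the received Sj. Binding Vj to a hash output is what stops someone who knows only N from choosing Sj first and deriving a matching Vj, which is the forgery the text describes for plain FFS key pairs.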
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2005/005504 WO2006122575A1 (de) | 2005-05-20 | 2005-05-20 | Method for creating and transmitting a key pair between a certification authority and a recipient |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1882330A1 true EP1882330A1 (de) | 2008-01-30 |
Family
ID=35520674
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05746288A Ceased EP1882330A1 (de) | 2005-05-20 | 2005-05-20 | Method for creating and transmitting a key pair between a certification authority and a recipient |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP1882330A1 (de) |
WO (1) | WO2006122575A1 (de) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1995004417A1 (en) * | 1993-08-02 | 1995-02-09 | Stefanus Alfonsus Brands | Restricted blind signatures |
EP0926637A2 (de) * | 1997-12-26 | 1999-06-30 | Nippon Telegraph and Telephone Corporation | Method for implementing electronic money, device using a user signature, and storage element storing a program for the method |
US20020103999A1 (en) * | 2000-11-03 | 2002-08-01 | International Business Machines Corporation | Non-transferable anonymous credential system with optional anonymity revocation |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5606617A (en) * | 1994-10-14 | 1997-02-25 | Brands; Stefanus A. | Secret-key certificates |
US20020129261A1 (en) * | 2001-03-08 | 2002-09-12 | Cromer Daryl Carvis | Apparatus and method for encrypting and decrypting data recorded on portable cryptographic tokens |
2005
- 2005-05-20 WO PCT/EP2005/005504 patent/WO2006122575A1/de not_active Application Discontinuation
- 2005-05-20 EP EP05746288A patent/EP1882330A1/de not_active Ceased
Non-Patent Citations (3)
Title |
---|
DÖTZER, FLORIAN: "Security Concepts for Robust and Highly Mobile Ad-hoc Networks", Internet citation, 19 September 2007, 212 pp., XP007909582 * |
DÖTZER, FLORIAN; DANEZIS, GEORGE et al. (eds.): "Privacy Issues in Vehicular Ad Hoc Networks", Privacy Enhancing Technologies, Lecture Notes in Computer Science (LNCS), Springer, Berlin, DE, 1 January 2006, pp. 197-209, ISBN 978-3-540-34745-3, XP019034474 * |
See also references of WO2006122575A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2006122575A1 (de) | 2006-11-23 |
Similar Documents
Publication | Title |
---|---|
DE69725659T2 (de) | Method and device for storing a secret key used in an RSA cryptosystem |
DE60006147T2 (de) | Key agreement protocol with separate keys |
EP0472714B1 (de) | Method for authenticating a user using a data station |
DE69918818T2 (de) | Method for generating a public key in a secure digital communication system, and implicit certificate |
DE102016224537B4 (de) | Master blockchain |
EP1793525B1 (de) | Method for changing a group key in a group of network elements in a network |
EP1125395B1 (de) | Method and arrangement for authenticating a first entity and a second entity |
EP0820670A1 (de) | Method for the computer-aided exchange of cryptographic keys between a user computer unit U and a network computer unit N |
DE102011011652A1 (de) | Method for using an ECDSA with Winternitz one-time signature |
DE102010002241A1 (de) | Device and method for efficient one-sided authentication |
WO1996037064A1 (de) | Method for the computer-aided exchange of cryptographic keys between a first computer unit and a second computer unit |
EP1368929B1 (de) | Method for authentication |
DE10136608B4 (de) | Method and system for real-time recording with a security module |
EP1080557A2 (de) | Method and arrangement for the computer-aided exchange of cryptographic keys between a first computer unit and a second computer unit |
DE112012000971B4 (de) | Data encryption |
DE102020003739A1 (de) | Method for distributing and negotiating key material |
AT504634B1 (de) | Method for transferring encrypted messages |
EP2730050B1 (de) | Method for creating and verifying an electronic pseudonymous signature |
WO2021249761A1 (de) | Preparing a control device for secure communication |
EP4099611B1 (de) | Generation of quantum-secure keys in a network |
WO2006122575A1 (de) | Method for creating and transmitting a key pair between a certification authority and a recipient |
EP1286494B1 (de) | Method for generating an asymmetric cryptographic group key pair |
DE19518546C1 (de) | Method for the computer-aided exchange of cryptographic keys between a user computer unit U and a network computer unit N |
DE19518544C1 (de) | Method for the computer-aided exchange of cryptographic keys between a user computer unit and a network computer unit |
WO2013189909A1 (de) | Method for at least one-sided authenticated, secure communication between two communication partners |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20071018 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): DE FR GB |
| RIN1 | Information on inventor provided before grant (corrected) | Inventor name: PRAMATEFTAKIS, MICHAEL; Inventor name: WIMMER, RICHARD; Inventor name: DOETZER, FLORIAN |
| 17Q | First examination report despatched | Effective date: 20080429 |
| RBV | Designated contracting states (corrected) | Designated state(s): DE FR GB |
| DAX | Request for extension of the European patent (deleted) | |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
| 18R | Application refused | Effective date: 20090714 |