![]() |
|
|||
![]() |
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
![]() |
|
![]() |
[an error occurred while processing this directive]
8.4.3 Key Agreement Using Self-certifying KeysIn this section, we describe a method of key agreement, due to Girault, that does not require certificates. The value of a public key and the identity of its owner implicitly authenticate each other. The Girault Scheme combines features of RSA and discrete logarithms. Suppose n = pq, where p = 2p1 + 1, q = 2q1 + 1, and p, q, p1, and q1 are all large primes. The multiplicative group In the Girault Scheme, the factorization of n is known only to the TA. The values n and α are public, but p, q, p1, and q1 are all secret. The TA chooses a public RSA encryption exponent, which we will denote by e. The corresponding decryption exponent, d, is secret (recall that d = e1 mod ø (n)). Each user U has an ID string ID(U), as in previous schemes. A user U obtains a self-certifying public key, pU, from the TA as indicated in Figure 8.8. Observe that U needs the help of the TA to produce pU. Note also that can be computed from pU and ID(U) using publicly available information. The Girault Key Agreement Protocol is presented in Figure 8.9. The information transmitted during the protocol is depicted as follows:
At the end of the protocol, U and V each have computed the key Here is an example of key exchange using the Girault Scheme. Example 8.4 Suppose p = 839 and q = 863. Then n = 724057 and ø(n) = 722356. The element α = 5 has order 2p1q1 = ø(n)/2. Suppose the TA chooses d = 125777 as the RSA decryption exponent; then e = 84453. Suppose U has ID(U) = 500021 and aU = 111899. Then bU = 488889 and pU = 650704. Suppose also that V has ID(V) = 500022 and aV = 123456. Then bV = 111692 and pV = 683556. Now, U and V want to exchange a key. Suppose U chooses rU = 56381, which means that sU = 171007. Further, suppose V chooses rV = 356935, which means that sV = 320688. Then both U and V will compute the same key K = 42869. Lets consider how the self-certifying keys guard against one specific type of attack. Since the values bU, pU, and ID(U) are not signed by the TA, there is no way for anyone else to verify their authenticity directly. Suppose this information is forged by W (i.e., it is not produced in cooperation with the TA), who wants to masquerade as U. If W starts with ID(U) and a fake value
The situation is similar if W acts as an intruder-in-the-middle. W will be able to prevent U and V from computing a common key, but W is unable to duplicate the computations of either U or V. Thus the scheme provides implicit key authentication, as did the MTI protocol. An attentive reader might wonder why U is required to supply the value aU to the TA. Indeed, the TA can compute pU directly from bU, without knowing aU. Actually, the important thing here is that the TA should be convinced that U knows the value of aU before the TA computes pU for U. We illustrate this point by showing how the scheme can be attacked if the TA indiscriminately issues public keys pU to users without first checking that they possess the value aU corresponding to their bU. Suppose W chooses a fake value Here is how he can determine the corresponding public key W will compute and then given to W. Using the fact that it is immediate that Now, at some later time, suppose U and V execute the protocol, and W substitutes information as follows: Now V will compute the key whereas U will compute the key W can compute K′ as Thus W and V share a key, but V thinks he is sharing a key with U. So W will be able to decrypt messages sent by V to U. 8.5 Notes and ReferencesBlom presented his key predistribution scheme in [BL85]. Generalizations can be found in Blundo et al. [BDSHKVY93] and Beimel and Chor [BC94]. Diffie and Hellman presented their key exchange algorithm in [DH76]. The idea of key exchange was discovered independently by Merkle [ME78]. The material on authenticated key exchange is taken from Diffie, van Oorschot, and Wiener [DVW92]. Version V of Kerberos is described in [KN93]. For a recent descriptive article on Kerberos, see Schiller [SC94]. The protocols of Matsumoto, Takashima, and Imai can be found in [MTI86]. Self-certifying key distribution was introduced by Girault [GIR91]. The scheme he presented was actually a key predistribution scheme; the modification to a key agreement scheme is based on [RV94].
Copyright © CRC Press LLC
![]() |
![]() |
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
![]() |
![]() |