A comparison between traditional PKI and IBI
Guided By: Dr. D.C.Jinwala Presented By: Riddhi Mankad P10CO952 Secure Communication- Need for Encryption In today’s world, ensuring secure communication has become the basic need for an organization.
There are various options for encrypting user’s data:
SKC
PKC
IBC
Traditional Cryptographic techniques
Symmetric Key Cryptography (SKC) Public key Cryptography (PKC) SKC
Random seed=Shared secret key
Limitations- Key Sharing becomes burdensome as number of users increases. For n user, total number of key exchange will be n(n-1)/2
Reproduced from [3] PKC
Ke= Public key Kd= Private key
Reproduced from [3] Newly developed Cryptographic technique
Identity Based Cryptography IBC
Ke- public key Kd- private key
Reproduced from [3] PKI Basics
PKI is an environment to deploy PKC based algorithms.
It deals with Key management issues and trust relationship.
There are different types of PKI based infrastructure Certificate Based PKI PGP (Web of Trust) Kerberos Certificate Less PKI [5]
Types of PKI
Certificate Based PKI It is a set of hardware, software, people, policies to create, distribute, store and revoke certificates. Certificate binds user’s public key with user.
Certificate Less PKI In CL-PKI, implicit certificate is used as follows: the key generation center issues a partial private key to the user having a unique identity in the system. The user himself generates the other half using his public id and some secret information.
IBI Basics
IBI provides framework for deploying IBC based algorithms.
Private key Generator (PKG) replaces CA.
Public key is some publicly known information like email –id.
No certificates are issued.
Motivation: Why PKI Vs IBI?
PKI IBI Advantages Advantages Certificate provides No certificates authentication Flexible key management Ensures non-repudiation Suitable for encryption Deployed for Digital signature Drawbacks
Private key is known to Drawbacks PKG- key escrow problem Key management become [4]. burdensome as the number of user grows Storage and revocation or certificates
Components of Certificate based PKI
Certificate Authority (CA) Subordinate CAs Registration Authority (RA) Certificate Storage Server Policies
Working of PKI Root CA Step 3: Defines Policies for Step 1: CA signs the storage and Subordinates certificate revocation RA Certificate Subordinate CA Storage Step 4: Stores the certificate Step 5: Issue in the certificate Ca to Step2: User A repository User A and User B requests for Step 5: Issue certificate. certificate Cb to User B
User A User B Step 6: User A sends Ca Step 7: B to B Checks the validity of Ca Working of IBI Root PKG
Step 3: PKG Certificate issues private Storage key to B
Step2: User B requests for No need to corresponding look up for private key. B’s certificate
User A User B Step 1: User Encrypt data with B’s email id PKI Vs IBI: Comparison Criteria
Key Management Trust Models Authentication Encryption Signature Revocation Comparison Table Criteria PKI IBI Public key Bound with certificate Email id (CA) SSN Private key Generated at the same Generated only when time with public key needed (PKG) Trust Models [7] Single PKG Hierarchical Identity based Infrastructure [8] Authentication Certificate proves the Dynamic Authentication genuineness of the user Encryption Encryption in PKI Encryption in IBI
Signature Signature in PKI Signature in IBI
Revocation Revocation Trust Models in PKI
Hierarchical Single CA Mesh Model Model
Hybrid Model Bridge CA model
Comparison Table Root PKG ID0
PKG PKG Id: ID0 || ID1 PKG Id: ID0 || ID3 ID1 ID2 ID3
User User User User User ID4 ID5 ID6 ID7 ID8
ID0 || ID1 || ID4 ID0 || ID1 || ID5 ……………………… ID0 || ID3 || ID8 Hierarchical Identity based Infrastructure
Comparison Table CA Stores the certificates
Ca Step 1: A and B request Cb Certificate for their respective Storage certificates and CA issues Ca Cb Ca and Cb respectively
Step 3: A ensure the Step 2: A request validity of Cb for Cb from B to obtain B‘s Public key Sender Receiver A B Step 4: A encrypt the message with B’s Step 5: B can Public key decrypt using Encryption in PKI his private key
Comparison Table Encryption in IBI Root PKG
Step 3: PKG Certificate issues private Storage key to B
Step2: User B requests for No need to corresponding look up for private key. B’s certificate
User A User B Step 4: User B Step 1: User can decrypt Encrypt data using his private with B’s key email id Comparison Table Stores the CA certificate
Certificate Storage Ca Cb
Ca Step 1: A and B request Cb for their respective Step 4: B certificates and CA issues ensure the Ca and Cb respectively validity of Ca and obtains A’s Public key
Step 3: B request for Ca from A Sender Receiver A B Step 2: A sign the message with his Step 5: B’s private key verifies A’s Signature in PKI signature
Comparison Table Signature in IBI Root PKG
Step 2: PKG Certificate issues private Storage key to B
Step1: User B requests for Step 4 :No corresponding need to look private key. up for B’s certificate
User A User B Step 5: A can Step 3: User verify B’s B Signs with signature using its private B’s email id key Comparison Table Revocation
PKI IBI
CRL- Certificate Renew keys Periodically Revocation List Using a mediator – the CRS- Certificate part of private key is Revocation Status issued by the mediator CRT- Certificate In [13] Using binary tree Revocation Tree data structure was Windowed Certificate proposed based on Fuzzy Revocation IBE [14]. Recent Work
Unified PKI supporting both PKC based and ID based PKC
In [15], a conjunction of both PKI and IBI is proposed.
PKGCA replaces CA and PKG
As an example consider an email id [email protected].
Certificate is issued to SVNIT not to end user.
In order to verify the organization i.e. SVNIT, PKI is deployed and to issue private key to the user within an organization, i.e. to mtech952, IBI is implemented.
Contd..
Autonomous Decentralized PKI (ADS)
It ensure reliability and scalability
There in no CA controlling the interaction
There are 3 components: Number of subsystems ( entities in PKI) Data Field ( Data to be shared) Communication content code ( unique ID)
Uniqueness Verifying PKI (UV-PKI) based on ADS was proposed in [16] as shown in the figure. UV-PKI Model Conclusion
PKI cannot replace IBI or vice versa They both are complementary to each other.
PKI can be used globally to prove the authentication of an organization. IBI can be deployed locally to encrypt the messages within an organization.
PKI is suitable for applications like e-commerce, on line banking. IBI can be deployed in applications that are for personal use like email service and social networking sites. Summary References Contd…