Authenticated Public Key Distribution Scheme Without Trusted Third Party

Authenticated Public Key Distribution Scheme Without Trusted Third Party

Authenticated Public Key Distribution Scheme Without Trusted Third Party Jae Hyung Koo, Bum Han Kim, and Dong Hoon Lee Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {ideao, anewholic}@cist.korea.ac.kr [email protected] Abstract. Public key authentication is necessary to prevent a valid public key of a user from being compromised by a malicious user. Namely, if it is not provided, an adversary can read all encrypted messages be- tween a sender and a receiver by substituting the public key of the re- ceiver with her public key. In general, a certificate issued from and dig- itally signed by a publicly trusted certificate authority (CA) guarantees public key authentication under the assumption that all users can get the public key of the CA to verify the validity of certificates, i.e.,the signatures of the CA. The assumption is practical and widely used in the real world. However, if the CA is down by a system faults or destroyed by a terror or a war, the assumption can not be preserved. In this paper, we propose a simple and practical scheme for public key authentication without any trusted third party. The scheme basically uses a message authentication code (MAC) taking a short random value as a key to au- thenticate the exchanged public keys. Our scheme also can be adopted in the environments such as ad-hoc or ubiquitous in which it is hard to settle a publicly trusted authority. Keywords: Key Management and Authentication, Public-key Cryp- tography, Public Key Infrastructure (PKI). 1 Introduction Public key authentication is a method to confirm whether the received public key really belongs to the communication partner or not. If it is not provided, all public key algorithms become vulnerable to a key substitution attack. For example, an adversary who tries to eavesdrop the communication from Alice to Bob can easily obtain all messages by substituting the Bob’s public key with her public key. Public key infrastructure (PKI) [19] is very popular technique to authenticate all the public keys of registered users. In PKI, there exists a publicly trusted third party, called certificate authority (CA) which guarantees This work was supported (in part) by the Ministry of Information&Communications, Korea, under the Information Technology Research Center (ITRC) Support Pro- gram. T. Enokido et al. (Eds.): EUC Workshops 2005, LNCS 3823, pp. 926–935, 2005. c IFIP International Federation for Information Processing 2005 Authenticated Public Key Distribution Scheme 927 the validity of users’ public keys. As a method, it issues a digital certificate for each user which contains user’s information (e.g., name, e-mail address and so on), user’s public key and CA’s signature guaranteeing the correctness of them. So, each user can easily check that the public key included in the certificate is the actual public key of whom he/she wants to communicate with by verifying the CA’s signature. In fact, a method for the authentication of the CA’s public key (i.e., verification key for the signatures) should be provided. Otherwise, an adversary may impersonate the CA and issue certificates of users as though she is the CA. Therefore, every users must verify the public key of the CA whenever they try to start a communication with each other and it is obviously costly. Moreover, if users keep certificates issued from different CAs (there are lots of CAs in the world to serve huge numbers of people), there should be a mechanism to verify the certificates from different CAs. In general, CAs exchange the certificates of their public keys to prove the validity of their public keys and issue new certificates for other CAs to enable their registered users to verify the certificates made by the CAs. As we explained, the role of CAs in PKI is very important. That means, if they are shut down or destroyed by disaster such as an earthquake, a terror or a war, public key authentication is no longer guaranteed. To overcome the problems es- pecially caused by the disabled CAs, several mechanisms such as password based schemes(PBS)[4,5,14,20,21,24,25]andIDbasedschemes(IBS)[3,13,16]have been studied. However, they also assume the existence of trusted authorities such as a server in PBS and a private key generator (PKG) in IBS. PBS basically considers a client-server environment. So, users register their passwords into a server and the server keeps the passwords in a secure database. The users and the server use the passwords to authenticate each other. If the server is not a trusted entity, all of the users’ passwords registered in it can be re- vealed. There are variants of PBS [10, 9] in which users with different passwords establish a session key by the help of a server. Namely, users authenticate them- selves to a server by proving the knowledge of their passwords. The server gives a method to the users so that they can exchange messages to build a session key with authentication. In this case, if the server is down, then they can not share a key. Several schemes considered an authenticated key exchange in the ad-hoc environments [1, 17, 23] where there is no trusted authority. However, they have several security breaches because of the weak password. For example, the scheme in [1] uses a password as a key for a symmetric encryption algorithm so it might be exposed while users are communicating with each other (the password may be revealed before they start a communication by eavesdropping when they share a password). With the exposed password, an adversary can impersonate a user. In IBS, a PKG plays a role of a trusted key distribution center. So, it gener- ates users’ private keys for their public keys which they select. The public keys can be their e-mail addresses or other public but short information. Basically, whenever Alice wants to send a secret information to Bob, she can use public key encryption with taking his e-mail address as his public key. Since, Alice uses Bob’s e-mail address as his public key, public key authentication can be easily 928 J.H. Koo, B.H. Kim, and D.H. Lee guaranteed (it is not so hard to confirm the correctness of the Bob’s e-mail ad- dress). However, the PKG always knows all the secret keys of users. Moreover, if the PKG is down, then it is impossible for uses to obtain new private keys when they update their public information. As we mentioned, currently researched public key authentication mechanisms have a potential security breaches for the disabled trusted third party. Therefore, we should consider the authenticated public key exchange without any assistance of the trusted third party. Our contributions are two folds: - We first consider a one-time password keyed message authentication code (OPK-MAC) to provide the public key authentication without any help of a publicly trusted authority. Since the one-time password is only used to build a temporary MAC key, we do not need to consider the off-line password guessing attack which frequently occurs in password based key exchange schemes [4, 20]. - Our idea is a generic scheme so it can be adopted in any public key based key exchange scheme. In addition, by using our scheme, we can remove the costly certificate (i.e., digital signature) based public key authentication. The structure of this paper is as follows : in Section 2 we take a look at several related works and in Section 3 we explain the notions concerned with our scheme. Section 4 describes our scheme and we conclude in Section 5. Because of the lack of pages, we omit the security proof and applications which our scheme can be adopted. However, they will be provide in the final (full) paper. 2 Related Works Public key cryptography is widely used in the real world. However, it relies on infrastructure, called public key infrastructure (PKI) with online and publicly trusted certificate authority (CA) [19]. For example, in secure socket layer (SSL) [27] which is well-known security technique on web (i.e., internet), the correct- ness of the public keys of users are guaranteed by certificates issued from CA(s). Therefore, the entire security of PKI depends on the security of CA. If CA is destroyed, then it is impossible to preserve the security of PKI, e.g.,there is no way to authenticate public keys. There exist methods which can be used when PKI is not available. We review several schemes on password authenticated key exchange (PAKE) and ID based cryptography. So far, lots of papers have been presented where a shared password among users is used to authenticate each other [4, 20, 5, 9, 10, 14, 15, 8, 24, 1]. We can cat- egorize the schemes into three cases according to the communication topologies; communications from i) a user to a server,ii)ausertoauserviaaserverand iii) a user to a user. Almost all of PAKE schemes have focused on the first case [4, 20, 5, 14, 15, 8, 24]. Each user registers his/her password on a server. When- ever the user and the server communicates, they can build a shared key with Authenticated Public Key Distribution Scheme 929 authenticating each other with the password. So, the user needs not to check any complex public information such as a public key. In the second case, users share passwords with a server can communicate by the help of the server [9, 10]. The entire architecture of this case is similar to the well-known Kerberos [22].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us