WO2000064098A1 - Method for distribution of cryptographic keys in a communication network - Google Patents

Info

Publication number
WO2000064098A1
Authority
WO (WIPO (PCT))
Prior art keywords
administrator, administrators, subordinated, operators, identities
Application number
PCT/SE2000/000721
Other languages
French (fr)
Inventor
Alf Bengtsson
Original Assignee
Försvarets Forskningsanstalt
Application filed by Försvarets Forskningsanstalt
Publication of WO2000064098A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841 Key agreement involving Diffie-Hellman or related key agreement protocols
    • H04L 9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Verification of identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • Another operator, e.g. Y, can verify that a certificate is genuine and that it must have been signed by an administrator in a certain position in the tree. Thus there will be no need for forming chains of certificates where the administrators between X and Y confirm each other's authenticity. The verification occurs as follows.
  • Y has received from X a certificate c_x and a signature s_x.
  • the reverse is used: if a and n have a common factor, no inverse of a modulo n exists.
  • the root in section I is "easy" to calculate without factorising n, starting from two expressions calculated by using the same modulus.
  • i and j must be relatively prime, and g and n must be relatively prime.
  • g is assumed to be publicly known. In the present invention, the fact is used that g can be kept secret (see sections I and IV above), which results in a new method of authenticating group membership.
  • n has to be a prime number.
  • n = p·q, which also functions well (a foundation stone for
  • the ith root is not reliably unambiguous.

Abstract

The present invention relates to a method for distribution of cryptographic keys by using public-key handling in a cryptographic method for data communication in a hierarchical communication network, which comprises nodes in the form of administrators and final operators. An identity in the form of a unique prime number which is known to all administrators and final operators is associated with each administrator in the tree. The main administrator of the tree selects one or more directly subordinated administrators. He also selects a basic secret which he keeps secret. The main administrator creates a subsecret for each directly subordinated administrator based on his own secret and the identity of each directly subordinated administrator. The subsecret is allocated to the associated subordinated administrator and he keeps it secret. In a recursive method, subordinated administrators in turn select in a corresponding manner subordinated administrators and create subsecrets for them. The final operators are allocated a pair of keys by their respective administrators, consisting of a private key, selected in a manner similar to the manner in which the identity of subordinated administrators is selected and a public key created in a manner corresponding to the manner in which a subsecret for a subordinated administrator is selected or vice versa.

Description

Method for Distribution of Cryptographic Keys in a Communication Network
The present invention relates to a method for distribution of cryptographic keys by using public-key handling. The method is used in a cryptographic method for data communication in a communication network, which comprises nodes in the form of administrators and final operators. The method gives the possibility of authentication and certification.
In many cases, use is made of public-key systems, cryptographic systems where a pair of keys (x, x̄) belongs to each operator (for example X), one key x̄ being made public to all operators whereas x should be known by X only. These keys are dependent on each other in such a manner that it is "impossible", or rather very difficult in some defined sense, to calculate x from knowledge of x̄. Provided that X conducts himself properly (i.e. manages to keep x secret), only X knows x. Possibly X is not capable of creating the pair (x, x̄) himself; it is then created by some superior operator, which in that case also knows x. It must thus also be ensured that x is transferred to X in a secure, non-interceptable manner.
Ref. [1], Schneier, Bruce, "Applied Cryptography: Protocols, Algorithms and Source Code in C", second edition, John Wiley & Sons, New York, 1996, which is herewith incorporated by reference, describes a number of applications of different public-key systems, such as encryption.
An important application is digital signatures; in [1] different methods are described. The secret key x is usually called the signing key. By means of this, X can sign an arbitrary digital data quantity M (document, image, program, anything). X can send M + sign(M, x) (i.e. M plus the digital signature) to a receiver, Y. By means of x̄, the verification key, which is public and thus known by Y, Y can verify that M really comes from X, that M is genuine etc., but under the very important condition that there is an absolutely secure method of associating a public key x̄ with the correct identity X. If an enemy operator Z, who is capable of creating the pair of keys (z, z̄), can slip in the false information that z̄ is to be associated with X, this means that Z can disguise himself and pass himself off as X.
The method which is available for securely associating a public key with the correct identity is essentially the same as the one used in daily life: we confirm each other's credentials (credit verification, ID document, certificate) and combine these in a chain of trust. In the digital world, the term certificate is used for a message that should, inter alia, associate a key with an identity. An acknowledged standard for the contents and appearance of certificates is X.509, see [1].
If the two parties X and Y have a common friend, V, on whom both rely and whose public verification key v̄ has come to their knowledge in a secure manner, V can function as a common "certification authority" (CA). V can meet X (preferably face to face, to be positive that it is really X) and hand over to X the certificate certX, which essentially runs "I, V, ensure that on yymmdd I met X, who then presented to me x̄, +plusX.509+". V also hands over sign(certX, v), where sign(certX, v) stands for V's digital signature with his signing key v, and +plusX.509+ stands for the additional information that according to X.509 is to be found in the certificate, such as information about the period of validity of the certificate. The same applies to certY. When X and Y later meet, they can exchange certificates and the associated signatures, and both can verify that they are authentic. Thus they will have a reliable association of the counterparty's identity with his public key. This is based on the fact that they both rely on V, a common CA (cf. also regarding radio networks below).
It will be more complicated if Y and X do not have the common friend V. It is then assumed that different CAs issue certificates for each other, i.e. they certify each other's keys. If the CA of X is called CA_X, Y must be able to present to X a chain of certificates where CA_X certifies CA_1, who certifies CA_2, who certifies, ..., who certifies CA_Y, who certifies Y. X must present to Y a chain in the other direction. If it is not required that different CAs have a special relation to each other (the PGP model, see [1]), it will, at least in systems involving many operators, be difficult to form the chains. It is necessary to find common "friends of friends" who can join subchains and form a continuous chain X-Y. Moreover, the resulting chains can be long, which significantly decreases the credit in them.
The situation will be somewhat easier if the CAs stand in a father-son relationship in a hierarchy according to the Figure. Many systems, especially military ones, are hierarchical. In the Figure, A is a common ancestor of X and Y. A_2 connects the chains A_2-A_22-A_223-X and A_2-A_23-Y.
In a hierarchical system it is fundamentally sufficient that all operators have been informed in a secure way of the ancestor's identity A and his verification key ā. Then all operators can be connected by chains of certificates. However, the entire system is dependent on A's signing key a. If this is revealed, the entire tree collapses.
The method of securely connecting, by means of certificates and chains of certificates, an identity with the correct public key has been known for a long time. Problems arising when systems of certificates are to be implemented in actual practice are also known.
1. Face to Face
When two parties are to certify each other's identities, i.e. issue certificates for each other, they must in principle meet "face to face". This is not easy in a large network, especially if certain operators are not human beings but radio sets, computer programs etc.
2. Black List
The validity of a certificate is based on the fact that the issuer's signing key has not been revealed. This occurs sooner or later (or perhaps someone finds reason to suspect that a key has been revealed, thus decreasing credit in the certificate). Then new certificates must be created (problem 1 above) and all operators in the network must be informed that the certificate is invalid. Everybody must keep a valid black list with certificates that are not allowed to be included in chains of certificates. In large networks it is very difficult to ensure that everybody has a valid black list. The message "add certZ to the black list" is in itself a very sensitive message which must be checked particularly carefully.
3. Large Networks
Problem 2 is emphasised when the two parties, X and Y, are far away from each other in the tree, in completely different branches. When X and Y meet for the first time, the credit in each other's chains of certificates is relatively low. A conceivable method of increasing the credit is that X asks his "closest friends" if they have chains of certificates that correspond with the one presented by Y. However, this is an ad hoc assumption which is difficult to quantify and which can cause an exchange of many messages. The basic problem is that in large networks it may be difficult to build chains of certificates with a sufficient degree of credit.
A specific public-key application is described in ref. [2], Bengtsson, Alf, "Autenticering av mobila noder i paketradionät" (in English: "Authentication of mobile nodes in packet radio networks"), FOA-R-97-00415-503-SE, January 1997, which is herewith incorporated by reference. This reference discusses methods for two radio nodes, X and Y, in a packet radio network to authenticate each other. The node X must be absolutely sure that Y is really Y and that data packets with the stated sender Y really come from Y, and vice versa. [2] suggests a public-key method according to Diffie-Hellman in which X and Y, and no one else, can form a common secret k_xy which they then use for mutual authentication. The binding of public key to correct identity is assumed to take place by the pairs of keys (x, x̄) being created in a common key loading centre, NLC. The simplest situation above is obtained with NLC as the common friend V.
[2] mentions as an unsolved issue what to do when X and Y do not have the same NLC, i.e. they do not have a common CA. The conventional solution is to build chains of certificates. However, a number of known problems are mentioned above, and it may be questioned whether it is suitable to implement automatic handling of chains of certificates in nodes of the radio-set type.
These problems have resulted in the present invention which means that X and Y can form a common secret and that identities in a CA hierarchy can replace the chains of certificates and cause an implicit certification of public keys. This occurs by the invention having the design which is evident from the independent claim. Suitable embodiments of the invention are defined in the remaining claims.
The invention will now be described in more detail with reference to the accompanying drawing, in which the Figure shows a hierarchical tree with administrators and final operators which can use the invention.
A hierarchical tree starts from a root, in the Figure called A. The root can be considered the main administrator of the entire system (tree). The invention is based on the fact that the root selects, and keeps secret, a basic secret which satisfies specified conditions.
The main administrator A selects one or more new operators which are considered by A to satisfy the requirements that are placed to allow them to serve as sub- administrators. A creates, starting from his basic secret, new subsecrets according to an inventive, carefully specified algorithm. Each subadministrator is allocated, and must then keep secret, such a subsecret. Each subadministrator selects his subadministrators according to the same principles. In a recursive method, the hierarchical tree is composed.
The invention is based on the fact that the algorithm is conditioned by different requirements that must be satisfied so that an administrator cannot work out a secret that belongs to somebody else, apart from those available in that branch of the tree that starts from the administrator himself. If an administrator is disclosed, merely this branch of the tree will thus be disclosed. Moreover there are conditions that must be satisfied so that a group of administrators in co-operation should not be able to work out somebody else's secret.
The subsecrets mentioned are created by means of a public prime number which unambiguously is associated with the administrator's place in the tree. This prime number can be considered an address or an identity. A subsecret can be used in three ways:
1. For creating new subsecrets in said recursive method.
2. For signing a message. By the address being included in the signing, other operators can be sure that the message has been signed by the correct instance (built-in certification).
3. For creating a pair of keys for a public-key system according to Diffie-Hellman, which means that a pair of operators can create a mutual secret. Since all secrets in the tree are based on the same basic secret, the pairs of operators can verify that the counterparty's public key is created by someone in the same tree, a method of "distinguishing a friend from an enemy" (built-in authentication of group membership).
The DH method (according to Diffie-Hellman) for two parties of creating a mutual secret is not new. However, it is new to base the calculations on a basic secret, which gives a new method of authenticating group membership. It is also new to let identities be included in the calculations in a way that means implicit certification.
For the continued description, the following notation will be introduced:
[Figure: table of notation used in the continued description; not reproduced on this page]
The method involves a new way of using the DH method to form secrets for use as cryptographic keys. The DH method is described in US Patent 4,200,770, which is herewith incorporated by reference [3].
The DH method is based on there being one-way functions z = f(g, x), i.e. even knowing g and z it is practically impossible to calculate x (however, the one knowing g and x can calculate z). Moreover, the DH method requires that the function f be applicable in two steps with input data x and y, respectively, where the same result is obtained independently of the order of x and y. Thus, z = f(f(g, x), y) = f(f(g, y), x) which in this patent application is called sequence independence.
Two such functions that can be used in the DH method are the exponential function in finite integer arithmetic and multiplication on an elliptic curve. In these two cases, z = f(g, x) = g^x mod n, where n is an integer, and Z = f(G, x) = x·G, respectively, where G (and Z) are points on an elliptic curve E and x is an integer modulo n, where n is the number of points on E. For a more detailed description, inter alia of the requirements placed on the numbers x and n, reference is made to [1] and [4], Menezes, A., Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993, which is hereby incorporated by reference.
The method suggested here is based on the fact that there are functions which are one-way functions in respect of both their variables. This means that under certain conditions, if one knows z where z = f(g, x), knowledge of g does not give the possibility of calculating x (as stated above), nor does knowledge of x give the possibility of calculating g. Then g constitutes a basic secret which the main administrator can select and which gives the possibility of authenticating group membership. The two above-mentioned functions, exponentiating and multiplication on an elliptic curve, can both be used.
Here follows, in connection with the Figure, an accurate description of an embodiment of the invention which uses the exponential function in finite integer arithmetic.
The main administrator A selects prime numbers p and q and forms n = 2·p·q (A can per se select a product of several prime numbers). The product is intended to prevent calculation of inverses, cf. sections I and IV below.
g is an even number and thus has the factor 2 in common with n. Otherwise, two children would have the possibility of calculating, in co-operation, their father's secret, cf. IV. n is made known to everybody, whereas p, q and g are kept secret.
The administrators in the tree are each allocated a prime number as identity (address). A thus is a first prime number, A_2 the next prime number, A_3 the next etc. The way this allocation is made is arbitrary. For example, it is possible to use b^m prime numbers for level m in the tree, where b is the maximum number of children per parent. This results in "holes" in the form of unused prime numbers. If instead one wants to "save" prime numbers, it is possible to use b prime numbers per level in the tree. Prime numbers will then be "reused" in several positions in the tree, and the risk increases that administrators in co-operation can calculate somebody else's secret (see below).
The main feature of the allocation of identities is that it is carried out in such a manner that everybody unambiguously knows which prime number belongs to a certain position in the tree. If, in some application, implicit certification is not needed, this requirement is omitted. The greatest prime number reserved for addresses is designated L. A assigns to each of his closest subordinates A_i a secret h_i by exponentiating his own secret modulo n with the subordinate's identity, i.e. h_i = g^(A_i) mod n. The subordinate cannot work out g (cf. sections I and IV below).
This is repeated recursively. A_i assigns, for example, to his subordinates A_ij the secrets h_ij = (g^(A_i))^(A_ij) mod n = g^(A_i·A_ij) mod n. The subordinates cannot work out g^(A_i).
The administrators in the tree can calculate all secrets in their entire subordinated branch of the tree. By the identities being prime numbers, an administrator cannot by himself calculate a secret in some other branch. If, besides, it is required that two or more administrators should not jointly be able to work out a secret, it is a requirement that it should not be possible to write an identity as the sum of two or more other identities. Otherwise a secret can be formed by multiplication of two others. This places demands on the prime numbers that will not be analysed here. For example, it is suitable to use the prime numbers "backwards", i.e. that the prime numbers on level 1 are greater than on level 2 etc.
The final operators, $X$, $Y$ etc., are assigned a pair of keys by their administrator, for example $Y$ by $A_{23}$ in the Figure. The private key $y$ should be $> L$ so that $Y$ cannot disguise himself as an administrator. The administrator calculates the public key $\bar{y}$ by exponentiating his secret with $y$ modulo $n$, i.e. $\bar{y} = (g^{A_2 A_{23}})^{y} \bmod n$.
It is also possible to proceed inversely, letting $\bar{y}$ be private and $y$ public. Then the same structure is obtained as for the administrators' secrets and identities. This reduces the freedom in the choice of keys. On the other hand, it is then possible to tie also the final operators to a position in the tree, which means that the need for certificates disappears.
The two operators $X$ and $Y$ form, when necessary, a mutual secret $k_{xy}$. Each operator calculates it by taking the counterparty's public key and exponentiating it modulo $n$ with the product of his own private key and the identities of all his superior administrators. $X$ (under $A_{223}$) and $Y$ (under $A_{23}$) thus calculate $k_{xy1}$ and $k_{xy2}$ respectively, where

$k_{xy1} = \bar{y}^{\,x A_2 A_{22} A_{223}} \bmod n = g^{A_2 A_{23} y \cdot x A_2 A_{22} A_{223}} \bmod n$

and

$k_{xy2} = \bar{x}^{\,y A_2 A_{23}} \bmod n = g^{A_2 A_{22} A_{223} x \cdot y A_2 A_{23}} \bmod n.$

The correspondence $k_{xy1} = k_{xy2}$ holds (see, however, section VI below) only if the same basic secret $g$ has been used in the calculations. This is a criterion for authentication of group membership. Only $X$ and $Y$ and their closest superior administrators can calculate $k_{xy}$.
A certificate (to be called $c_x$), designed, for example, according to the X.509 standard, is assigned to each final operator (e.g. $X$) by his administrator. The certificate states, inter alia, that the public key $\bar{x}$ belongs to the operator with identity $X$ and that it has been created by the administrator with identity $A_{223}$. The certificate is given as input to a generally known hash function (e.g. MD5, or the identity function $h(m) = m$); the output is an integer $t_x$. The administrator calculates a digital signature $s_x$ by exponentiating his own secret with $t_x$ modulo $n$, i.e. $s_x = (g^{A_2 A_{22} A_{223}})^{t_x} \bmod n$. The certificate $c_x$ and the digital signature $s_x$ are handed to $X$.
Another operator (e.g. $Y$) can verify that a certificate is genuine and that it must have been signed by an administrator in a certain position in the tree. Thus there is no need to form chains of certificates in which the administrators between $X$ and $Y$ confirm each other's authenticity. The verification proceeds as follows.
$Y$ has received from $X$ a certificate $c$ and a signature $s$. The certificate should state, inter alia, which administrator has calculated $s$; this is what $Y$ wants to verify. He multiplies the identities along the path to the position in the tree that claims to have signed the certificate; with the designations above he forms $B = A_2 A_{22} A_{223}$. He forms the corresponding product for his own position, $D = A_2 A_{23}$. Moreover, he forms $t = h(c)$ by means of the generally known hash function.
Starting from his own public key, $Y$ can now form $\bar{y}^{\,Bt} = (g^{Dy})^{Bt} = g^{DyBt}$, everything calculated modulo $n$. He can also, from the received signature, form $s^{Dy} \bmod n = (g^{Bt})^{Dy} \bmod n = g^{BtDy} \bmod n$. If he obtains the same value, he can conclude (see section VI below) that the certificate has been signed by the identity $A_{223}$ and that its content is reliable.

A few features of the mathematics used in this embodiment of the invention are stated below without comments or derivations. Otherwise, reference is made to [1] and the specialist literature.
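The whole embodiment above, from subsecret assignment down to certificate verification, as an added worked example in Python. This is illustration written for this page, not code from the patent or from Försvarets Forskningsanstalt. The factors $p$, $q$, the basic secret $g$, the prime identities for the positions $A_2$, $A_{22}$, $A_{23}$, $A_{223}$ of the Figure and the operator private keys are constructed toy values, the function names are this example's own, and SHA-256 stands in for the hash function $h$ (the text names MD5 or the identity function).

```python
import hashlib

# Constructed toy parameters (assumption: small so the arithmetic is readable;
# a deployment would use an RSA-sized modulus).
P, Q = 1000003, 1000033     # secret factors, known only to the main administrator A
N = P * Q                   # public modulus n
G = 123456789               # basic secret g, kept by A

# Public prime identities for the tree positions named in the Figure (constructed values).
IDENT = {"A2": 1009, "A22": 1013, "A23": 1019, "A223": 1021}
L = max(IDENT.values())     # greatest prime reserved for administrator identities


def subsecret(parent_secret, child_identity):
    """h_child = parent_secret^child_identity mod n: the recursive step down the tree."""
    return pow(parent_secret, child_identity, N)


def path_product(path):
    """Product of the identities along a path, e.g. B = A2 * A22 * A223."""
    product = 1
    for name in path:
        product *= IDENT[name]
    return product


def operator_public_key(admin_secret, private_key):
    """Public key = admin_secret^private_key mod n; the private key must exceed L."""
    if private_key <= L:
        raise ValueError("operator private key must be > L, or the operator could pose as an administrator")
    return pow(admin_secret, private_key, N)


def shared_secret(own_private, own_path, peer_public):
    """k_xy = peer_public^(own_private * product of own superiors' identities) mod n."""
    return pow(peer_public, own_private * path_product(own_path), N)


def cert_digest(cert):
    """t = h(c). SHA-256 is substituted for the MD5 / identity function named in the text."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big")


def sign_certificate(admin_secret, cert):
    """s = admin_secret^t mod n, computed by the issuing administrator."""
    return pow(admin_secret, cert_digest(cert), N)


def verify_certificate(cert, sig, signer_path, own_private, own_path, own_public):
    """Verifier's check: own_public^(B*t) == sig^(D*y) mod n, with B the product of the
    claimed signer's identities, D the product of the verifier's own, y the verifier's private key."""
    B = path_product(signer_path)
    D = path_product(own_path)
    t = cert_digest(cert)
    return pow(own_public, B * t, N) == pow(sig, D * own_private, N)


def run_example():
    """Walk the tree of the Figure: A -> A2 -> {A22 -> A223, A23}; X under A223, Y under A23."""
    h2 = subsecret(G, IDENT["A2"])
    h22 = subsecret(h2, IDENT["A22"])
    h23 = subsecret(h2, IDENT["A23"])
    h223 = subsecret(h22, IDENT["A223"])

    x_priv, y_priv = 1031, 1033                 # constructed primes > L
    x_path, y_path = ["A2", "A22", "A223"], ["A2", "A23"]
    x_pub = operator_public_key(h223, x_priv)   # issued by A223
    y_pub = operator_public_key(h23, y_priv)    # issued by A23

    # Mutual secret: each side uses the other's public key, its own private key and its own path.
    k_xy1 = shared_secret(x_priv, x_path, y_pub)
    k_xy2 = shared_secret(y_priv, y_path, x_pub)

    # A223 certifies X's public key; Y verifies it without any chain of certificates.
    cert_x = b"constructed certificate: public key %d belongs to X, created by A223" % x_pub
    s_x = sign_certificate(h223, cert_x)
    genuine = verify_certificate(cert_x, s_x, x_path, y_priv, y_path, y_pub)
    tampered = verify_certificate(cert_x + b" (altered)", s_x, x_path, y_priv, y_path, y_pub)
    return {"secrets_agree": k_xy1 == k_xy2, "genuine_verifies": genuine, "tampered_verifies": tampered}


if __name__ == "__main__":
    print(run_example())
```

The two equalities the text relies on, $k_{xy1} = k_{xy2}$ and $\bar{y}^{Bt} = s^{Dy}$, hold as exponent identities for any modulus, which is why the toy sizes suffice to show them; what the toy sizes do not show is the hardness assumed in sections I, II and IV, which needs an RSA-sized $n$.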
I The $i$th root is "impossible" if $n$ is not a prime number (e.g. $n = pq$); it is believed to be as difficult as determining the factors of $n$. That is, even if I know $n$, $b$ and $i$ and know that $b = g^{i} \bmod n$, it is not possible to calculate $g$ if the factors of $n$ are not known. This is used in RSA encryption, which means that the requirements for the $i$th root to be "impossible" have been sufficiently studied.
II The discrete logarithm is "impossible". With the same designations as in I above, it is not possible to calculate $i$ even if $n$, $b$ and $g$ are known. This too is relied upon in RSA encryption.
III Iff (if and only if) $a$ and $n$ are relatively prime (they have no common factor $> 1$), a unique inverse $\bar{a}$ exists such that $a\bar{a} \bmod n = 1$.

In the method, the converse is used: if $a$ and $n$ have a common factor, no inverse $\bar{a}$ exists.
IV Under certain conditions, the root in section I is "easy" to calculate without factorising $n$, starting from two expressions calculated with the same modulus. The conditions are that $n$ (but not $p$ and $q$) as well as $b$, $i$, $c$, $j$ are known, where $b = g^{i} \bmod n$ and $c = g^{j} \bmod n$. Moreover, $i$ and $j$ must be relatively prime, as must $g$ and $n$.
This can be derived by means of Euler's $\varphi$ function, see [1], which equals $n - 1$ if $n$ is a prime number. Otherwise $\varphi$ is a product in which the factors of $n$ enter, for example $\varphi = (p-1)(q-1)$ if $n = pq$. Iff the inverse of $g$ exists (i.e. if $g$ and $n$ are relatively prime), it can be written by means of $\varphi$: $g^{\varphi} \bmod n = 1$, i.e. $\bar{g} = g^{\varphi - 1} \bmod n$.
If $i$ and $j$ are relatively prime (and $> 0$), the integer coefficients $r$ and $s$ in the equation $ri + sj = 1$ can be determined by means of the Euclidean algorithm [1]. One of the coefficients (say $r$) must be negative. If $g$ and $n$ are relatively prime, an inverse $\bar{b}$ of $b$ is known to exist (and likewise for $c$); it can be calculated with the Euclidean algorithm. It is now possible to form

$\bar{b}^{\,-r} c^{s} \bmod n = b^{(\varphi-1)(-r)} c^{s} \bmod n = g^{i(\varphi-1)(-r)} g^{sj} \bmod n = g^{(-i)(-r)} g^{sj} \bmod n = g^{ri + sj} \bmod n = g.$

Under the conditions above, $g = \bar{b}^{\,-r} c^{s} \bmod n$ is thus obtained without factorising.
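The root extraction of section IV, and the section III condition that blocks it, as an added Python example (illustration for this page, not the patent's code). The modulus factors, the values of $g$ and the exponents $i$, $j$ are constructed; the extended Euclidean routine and the function names are this example's own.

```python
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: returns (d, r, s) with r*a + s*b = d = gcd(a, b)."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def mod_power_signed(base, e, n):
    """base^e mod n for any integer e. A negative e needs the inverse of base, which exists
    only when gcd(base, n) = 1 (section III); return None when it does not."""
    if e < 0:
        if gcd(base, n) != 1:
            return None
        base, e = pow(base, -1, n), -e
    return pow(base, e, n)


def common_modulus_root(n, b, i, c, j):
    """Section IV: from b = g^i mod n and c = g^j mod n with gcd(i, j) = 1, recover
    g = b^r * c^s mod n where r*i + s*j = 1, without knowing the factors of n.
    Returns None if the required inverse does not exist, i.e. when gcd(g, n) > 1."""
    d, r, s = ext_gcd(i, j)
    if d != 1:
        raise ValueError("exponents i and j must be relatively prime")
    pb = mod_power_signed(b, r, n)
    pc = mod_power_signed(c, s, n)
    if pb is None or pc is None:
        return None
    return pb * pc % n


def demo(p=1000003, q=1000033, i=17, j=29):
    """Run the recovery once against an invertible g and once against a g that shares
    a factor with n, which is the choice claim 8 prescribes (constructed toy values)."""
    n = p * q
    g_unit = 123456789        # constructed; relatively prime to n
    recovered = common_modulus_root(n, pow(g_unit, i, n), i, pow(g_unit, j, n), j)

    g_shared = 2 * p          # constructed even g with a factor in common with n
    blocked = common_modulus_root(n, pow(g_shared, i, n), i, pow(g_shared, j, n), j)
    return recovered == g_unit, blocked is None


if __name__ == "__main__":
    print(demo())
```

For the first call the Euclidean step yields $12 \cdot 17 - 7 \cdot 29 = 1$, so the negative coefficient lands on $c$ and the inverse of $c$ is needed; it exists only in the first case, which is exactly the distinction section III draws.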
V The DH method, ref. [3].
Based on II above, a method is obtained for two parties $X$ and $Y$ to construct a mutual secret that no one else can calculate. Both parties know the integers $g$ and $n$. $X$ forms a pair of keys $x$, $\bar{x}$ with $\bar{x} = g^{x} \bmod n$. $X$ must keep $x$ secret, whereas $\bar{x}$ is communicated publicly to $Y$ (who according to section II cannot calculate $x$). $Y$ proceeds analogously. Now $X$ and $Y$, and only those two, can calculate $k_{xy}$ by taking the counterparty's public key and exponentiating it with their own private key: $k_{xy} = \bar{y}^{x} \bmod n = \bar{x}^{y} \bmod n = g^{xy} \bmod n$.
In [3] $g$ is assumed to be publicly known. The present invention uses the fact that $g$ can be kept secret (see sections I and IV above), which results in a new method of authenticating group membership.
In [3] it is stated that $n$ has to be a prime number. In the present invention, use is made of $n = pq$, which also functions well (a foundation stone of RSA encryption).
VI The $i$th root is not reliably unambiguous. The invention is based on a quantity $k$ having been calculated in two ways via exponentiation with the same $i$: $k = g^{i} \bmod n = h^{i} \bmod n$. From this it cannot in general be concluded that $g = h$. That holds only if $i$ and $\varphi$ (see IV) are relatively prime (e.g. $2^{4} \bmod 5 = 3^{4} \bmod 5 = 1$). Unambiguity is, however, not a condition for the method; what is stated in section I can instead be rephrased: even if $n$, $b$ and $i$ are known but the factors of $n$ are unknown, there should be "a sufficiently small probability" that a $g$ satisfying $b = g^{i} \bmod n$ can be calculated. As regards general cryptographic requirements, [1], inter alia, states which moduli $n$ are unsuitable. Moreover, care must be taken, for instance, not to choose factors that make the sample space of the exponentiations too small, which could make an exhaustive search realistic.
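The non-uniqueness of the $i$th root, as an added Python example that counts roots exhaustively for a constructed toy modulus $n = 5 \cdot 7$ (illustration for this page, not the patent's code; the function names are this example's own). It reproduces the text's $2^{4} \equiv 3^{4} \equiv 1 \pmod 5$ and shows that $g^{i}$ has a single $i$th root among the units exactly when $\gcd(i, \varphi) = 1$; for other $i$ every $i$th root of 1 multiplies in, giving $\gcd(i, p-1)\cdot\gcd(i, q-1)$ roots.

```python
from math import gcd


def count_ith_roots(n, i, b):
    """Number of units x (gcd(x, n) = 1) with x^i = b mod n, found by exhaustive search.
    Only sensible for tiny n; it exists to make the uniqueness condition visible."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1 and pow(x, i, n) == b)


def root_uniqueness_table(p=5, q=7, g=3, max_i=12):
    """For n = p*q and each exponent i, return (i, gcd(i, phi), number of i-th roots of g^i).
    The root count is 1 exactly when gcd(i, phi) = 1 with phi = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    rows = []
    for i in range(1, max_i + 1):
        rows.append((i, gcd(i, phi), count_ith_roots(n, i, pow(g, i, n))))
    return rows


def is_unique_root(p, q, i):
    """The check a verifier would want to make: can g be recovered uniquely from g^i mod pq?"""
    return gcd(i, (p - 1) * (q - 1)) == 1


if __name__ == "__main__":
    for i, d, roots in root_uniqueness_table():
        print(f"i={i:2d}  gcd(i, phi)={d:2d}  roots of g^i: {roots}")
    print("2^4 = 3^4 = 1 (mod 5): roots of 1 for i=4, n=5:", count_ith_roots(5, 4, 1))
```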

Claims

1. A method, included in a cryptographic method for data communication in a communication network comprising administrators and final operators, and intended for distribution of cryptographic keys by using public-key handling, characterised in that the method gives the possibility of authentication and certification by the administrators and the final operators being included in a hierarchical structure comprising a main administrator, no, one or more hierarchical levels comprising subadministrators, each subadministrator being associated with a superior administrator and having no, one or more subordinated administrators, and said final operators, each final operator being associated with a superior administrator, the main administrator selecting and keeping a basic secret, the main administrator's own secret, the main administrator selecting one or more directly subordinated administrators, an identity in the form of a unique prime number which is known to all administrators and final operators being associated with each administrator, main administrator as well as subadministrator, the main administrator creating, by means of a function of two variables which is one-way in respect of the two variables and sequence-independent in respect of one variable, the main administrator's own secret and the identity of each directly subordinated administrator being the variables, a subsecret for each directly subordinated administrator, which subsecret is allocated to the respective subordinated administrator and which he keeps secret, subordinated administrators in turn selecting, in a corresponding manner in a recursive method, subordinated administrators and creating subsecrets for them starting from the latters' identities and the subsecret of the administrator which is superior in the respective case, and the final operators being allocated a pair of keys by their respective administrators, consisting of a private key, selected in a manner similar to the manner in which the identity is selected for subordinated administrators, and a public key created in a manner corresponding to the manner in which a subsecret is created for a subordinated administrator, or vice versa.
2. A method as claimed in claim 1, characterised in that, when necessary, two operators check each other's authenticity by combining the counterparty's public key with their own private key as well as a product of identities.
3. A method as claimed in claim 1 or 2, characterised in that no identity constitutes the sum of other identities.
4. A method as claimed in any one of the preceding claims, characterised in that the prime numbers which constitute the identities of the administrators are selected in such manner that the greatest prime number is to be found with the main administrator, and that the prime numbers gradually become lower and lower, level by level in the hierarchy.
5. A method as claimed in any one of the preceding claims, characterised in that, in the case defined in claim 1 where the private key of the final operators is selected in a manner similar to the manner in which the identity of subordinated administrators is selected, this private key, in the form of a prime number, is selected to be greater than the identities of each of the administrators.
6. A method as claimed in any one of claims 1-5, characterised in that subsecrets are created as functions of the class of multiplication on an elliptic curve.
7. A method as claimed in any one of claims 1-5, characterised in that subsecrets are created as functions of the class of exponential functions.
8. A method as claimed in claim 7, characterised in that an administrator allocates to each of his subordinated administrators $A_i$ a secret $h_i$ by exponentiating his own secret $g$ modulo $n$ with the identity of the subordinate, i.e. $h_i = g^{A_i} \bmod n$, where $n$ is selected as the product of at least two prime numbers $p$ and $q$, $g$ is an even number with a factor in common with $n$, and the $A_i$ are the identities of the subordinated administrators in the form of prime numbers, and where $n$ and the $A_i$ are known to all whereas $p$, $q$ and $g$ are kept secret.
9. A method as claimed in claim 8, characterised in that, in the case defined in claim 1 where the private key of the final operators is selected in a manner similar to the manner in which the identities of subordinated administrators are selected, two operators, when necessary, check each other's authenticity by exponentiating each other's public keys modulo $n$ with the product of their private key and the identities of all their superior administrators, correspondence of the results indicating that both are authentic operators, and that, in the "vice versa" case defined in claim 1 where the public key of the final operators is selected in a manner similar to the manner in which the identities of subordinated administrators are selected, two operators, when necessary, check each other's authenticity by exponentiating their private key modulo $n$ with the product of the counterparty's public key and the identities of all the counterparty's superior administrators, correspondence of the results indicating that both are authentic operators.
10. A method as claimed in claim 8, characterised in that, in the case defined in claim 1 where the private key of the final operators is selected in a manner similar to the manner in which the identities of subordinated administrators are selected, an administrator issues a certificate indicating that a certain public key belongs to a certain operator and that the certificate has been created by a certain administrator having a certain known identity, the administrator also calculating a digital signature by exponentiating modulo $n$ his own secret with the certificate, or with the output of some known hash function whose input is the certificate, whereupon the authenticity of the certificate can be verified by an administrator or operator by exponentiating modulo $n$ his public key with the product of the identities up to and including the one claiming to have written the certificate and the certificate (or the output of some known hash function whose input is the certificate), and comparing this result with the signature exponentiated modulo $n$ with the product of his and his superiors' identities and his private key, correspondence of the results indicating that the certificate is authentic and signed by the one who has claimed to have done so.
PCT/SE2000/000721 1999-04-16 2000-04-14 Method for distribution of cryptographic keys in a communication network WO2000064098A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9901358-3 1999-04-16
SE9901358A SE515778C2 (en) 1999-04-16 1999-04-16 Method of key distribution with built-in possibility for authentication and certification in a hierarchical tree

Publications (1)

Publication Number Publication Date
WO2000064098A1 true WO2000064098A1 (en) 2000-10-26

Family

ID=20415233

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2000/000721 WO2000064098A1 (en) 1999-04-16 2000-04-14 Method for distribution of cryptographic keys in a communication network

Country Status (2)

Country Link
SE (1) SE515778C2 (en)
WO (1) WO2000064098A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002017557A1 (en) * 2000-08-22 2002-02-28 Smarttrust Systems Oy Secured identity chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4200770A (en) * 1977-09-06 1980-04-29 Stanford University Cryptographic apparatus and method
US5651066A (en) * 1994-04-28 1997-07-22 Nippon Telegraph And Telephone Corporation Cipher key distribution system effectively preventing illegitimate use and charging of enciphered information
EP0793367A2 (en) * 1996-02-29 1997-09-03 Oki Electric Industry Co., Ltd. Key distribution system and method
US5745574A (en) * 1995-12-15 1998-04-28 Entegrity Solutions Corporation Security infrastructure for electronic transactions
WO1998049805A1 (en) * 1997-04-25 1998-11-05 Koninklijke Kpn N.V. Key distribution system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SANTOSH CHOKHANI: "Toward a national public key infrastructure", IEEE COMMUNICATIONS MAGAZINE, vol. 32, no. 9, September 1994 (1994-09-01), pages 70 - 74 *

Also Published As

Publication number Publication date
SE9901358L (en) 2000-10-17
SE9901358D0 (en) 1999-04-16
SE515778C2 (en) 2001-10-08

Similar Documents

Publication Publication Date Title
Karati et al. A pairing-free and provably secure certificateless signature scheme
Wang et al. Security analysis of some proxy signatures
Shao Proxy signature schemes based on factoring
Brickell et al. Enhanced privacy ID from bilinear pairing
EP2148465A1 (en) A method for the application of implicit signature schemes
EP1625470A1 (en) Use of certified secrets in communication
GB2321834A (en) Cryptographic signature verification using two private keys.
JPH08328472A (en) Authentication exchange method, restoration-type electronic signature method, addition-type electronic signature method,key exchange method, restoration-type public electronic signature method, addition-type public electronic signature method and blind electronic signature method
KR0144086B1 (en) Electronic signature mathod
JP2002534701A (en) Auto-recoverable, auto-encryptable cryptosystem using escrowed signature-only keys
JP2004208263A (en) Apparatus and method of blind signature based on individual identification information employing bilinear pairing
WO2019110399A1 (en) Two-party signature device and method
Anada et al. RSA public keys with inside structure: Proofs of key generation and identities for web-of-trust
CN112989436B (en) Multi-signature method based on block chain platform
Susilo et al. Tripartite concurrent signatures
Hsu et al. Self-certified threshold proxy signature schemes with message recovery, nonrepudiation, and traceability
Seo et al. A mediated proxy signature scheme with fast revocation for electronic transactions
JPH09298537A (en) Digital signature system and information communication system using it
WO2000064098A1 (en) Method for distribution of cryptographic keys in a communication network
Ismail et al. A new signature scheme based on multiple hard number theoretic problems
Shao Digital signature schemes based on factoring and discrete logarithms
Kaliski Jr On hash function firewalls in signature schemes
Wu et al. Self-certified multi-proxy signature schemes with message recovery
JPH1084341A (en) Message added system digital signature method and verification method therefor
KR100194638B1 (en) Additional Digital Signature Method Using Personally Identifiable Information

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP