ProtectingPublic Keys SignatureKeys...comesthis weakness. The other known public-key cryptosystems can be ... Shamir's signature-only knapsack scheme,9 McEliece's error-correcting

Public-key cryptography offers certain 3advantages, providing the keys can beadequately protected. For every securitythreat there must be an appropriatecountermeasure.

Protecting Public Keysand Signature KeysDorothy E. Denning, Purdue University

With conventional one-key cryptography, the senderand receiver of a message share a secret encryption/decryption key that allows both parties to encipher (en-crypt) and decipher (decrypt) secret messages transmittedbetween them. By separating the encryption and decryp-tion keys, public-key (two-key) cryptography has two at-tractive properties that conventional cryptography lacks:the ability to transmit messages in secrecy without any

prior exchange of a secret key, and the ability to imple-ment digital signatures that are legally binding. Public-key encryption alone, however, does not guarantee eithermessage secrecy or signatures. Unless the keys are ade-quately protected, a penetrator may be able to read en-

crypted messages or forge signatures.This article discusses the problem of protecting keys in

a nationwide network using public-key cryptography forsecrecy and digital signatures. Particular attention isgiven to detecting and recovering from key compromises,especially when a high level of security is required.

Public-key cryptosystems

The concept of public-key cryptography was intro-duced by Diffie and Hellman in 1976.1 The basic idea isthat each user A has a public key EA, which is registeredin a public directory, and a private key DA, which isknown only to the user. EA is the key to a public en-

ciphering transformation, which is also written as EA.DA is the key to a private deciphering transformationDA, which is related to EA but cannot be computational-ly determined from EA. We assume the public-keysystem is unbreakable; in particular, a cryptanalyst can-

not determine a secret key from intercepted ciphertexteven when the corresponding plaintext is known to or

chosen by the cryptanalyst.

Consider an application environment in which eachuser has an intelligent terminal or personal workstationwhere his private key is stored and all cryptographicoperations are performed. This terminal is connected toa nationwide network through a shared host, as shown inFigure 1. The public-key directory is managed by a net-work key server. Users communicate with each other or

Figure 1. Network with key server.

0018-9162/83/02O0-0027SO1.00 1983 IEEE

j

February 1983 27

Authorized licensed use limited to: Naval Postgraduate School. Downloaded on May 8, 2009 at 14:15 from IEEE Xplore. Restrictions apply.

with the server through electronic mail. When a user Aneeds the public key for another user B, A sends amessage to the server requesting EB. A can then keep arecord of EB for future use.We assume the key server is trustworthy and returns

correct and current public keys. We do not, however,make any assumptions about the security of the networkor the hosts on the network. The system may be vulner-able to wiretapping along the communication channels,or possible subversion of operating system or networksoftware on some host (e.g., through "Trojan horse" at-tacks). Although little can be done to prevent wiretap-ping, much can be done to strengthen the security of thehosts.2 Many of the threats to be described will not affectproperly secured systems.The public-key system is used for sending secret

messages, signing plaintext (cleartext) messages, andsending signed secret messages.

Secret messages. To send a secret message M to a userB, user A obtains B's public key EB, encrypts theplaintext message M as C: = EB(M), and transmits theciphertext Cto B. (IfMexceeds the block size for EB, it isbroken into blocks and each block is encrypted separate-ly.) B's private transformation DB is the inverse ofEB, sothat B can decipher Cand obtainMby computing DB (C)= M(see Figure 2). If the cryptosystem is secure, secrecyis possible under the following two conditions:

(1) No other user knows DB.(2) There is enough uncertainty aboutM (i.e., Mhas

enough entropy). The encryption key EB is public, so ifonly a few likely candidates Ml, . . . M,, exist for M,thenMcan be found by enciphering these candidates un-

Figure 2. Using a public-key system for message secrecy.

Figure 3. Using a single-key system for message secrecy and a public-key system for key exchange.

til an ME is found that enciphers to the same C; that is,EB(M,)=C, wherefore M=Mi. (Simmons and Hold-ridge show how this might be done with voice encryp-cryption.3) One-key systems are not vulnerable to suchexhaustive searches forMbecause the encryption key issecret.

With encryption alone, B cannot be sure the receivedmessage is the one sent from A, because an activewiretapper could obtain EB and alter A's message. Hemight even impersonate A. To give B this assurance, themessage must be signed by A.

Signed messages. To send a signed message M to B,user A applies the private transformation DA to M. Ig-noring the issue of secrecy for the moment, A computesand transmits to B the digital signature X: = DA(M). A'spublic transformation EA is the inverse of DA, so that B(or a judge) can validate A's signature on an allegedmessage M by checking whether EA(X)= M. X serves asA's signature onM only if:

(1) No other user knows DA and hence cannot com-pute DA(M) for a messageM of the user's choice.

(2) Legitimate messages have enough redundant in-formation to be easily distinguished from forgeries by thereceiver and by the judge. This condition is necessary be-cause EA is public; thus, any user could claim an ar-bitrary Xto be the signature for a message M computedby M:= EA(X), since this implies X = DA(M). But amessage Mcomputed in this manner will be meaninglessand appear random. If legitimate messages are requiredto be meaningful English-language text or to have someother redundant information such as a time stamp, for-geries are easily detected.

(3) Given the signature X, the odds of finding anothermeaningful message M' with signature X, using avail-able computing resources, are negligible.

Note that secrecy is not achieved with a digital signaturealone, because any user can obtain EA and compute M.We will consider the problem of transmitting a signedmessage in secrecy shortly and at that time look at an im-proved method for signing messages.

Secrecy requires that an enciphering transformationEA operate on plaintext and that the correspondingdeciphering transformation DA invert EA. Signatures,on the other hand, require that a deciphering or digitalsignature transformation DA operate on plaintext andthat the enciphering transformation EA invert DA. Theonly known public-key cryptosystem meeting both ofthese requirements is the Rivest-Shamir-Adleman, orRSA, scheme,4 which is based on the difficulty of factor-ing. For user A, the public enciphering transformationEA is given by

EA(M) = MVA mod nA,

and the private deciphering transformation DA by

DA(C) = C!A mod nA,

where the modulus nA is the product of two large secretprimes PA and qA, and exponents eA and dA are mu-

COMPUTER28


tual multiplicative inverses modulo the product(PA - 1)(qA - 1). (This product is the Euler totient func-tion of nA.) The secret exponent dA cannot be obtainedfrom the public exponent eA without knowing the factorsPA and qA of nA. Recently, Davida5 has shown that theRSA scheme has a potential weakness that might allow acryptanalyst to obtain the plaintext corresponding to in-tercepted ciphertext or to obtain signatures on hiddenmessages. The protocol to be described shortly over-comes this weakness.The other known public-key cryptosystems can be

used for either secrecy or signatures, but not both. Theseinclude the Merkle-Hellman6 and Graham-Shamir7'8trapdoor knapsack schemes, Shamir's signature-onlyknapsack scheme,9 McEliece's error-correcting codescheme,10 and Janardan's matrix cover scheme.11 Re-cently, Shamir has published a polynomial time algo-rithm for breaking the Merkle-Hellman scheme, 12 raisingserious doubts about any knapsack-based or relatedscheme, including the matrix cover scheme. Moreover,since these systems are incapable of providing bothsecrecy and signatures,13 we will assume that the public-key system is the RSA system.We could use separate cryptosystems for secrecy and

signatures, in which case each user would have a pair oftransformations, one for receiving secret messages andone for sending signed messages. The procedures de-scribed in this article are easily modified to accommodatethis.We can also use a one-key system such as the Data En-

cryption Standard14 for message secrecy and reserve thepublic-key system for signatures and key exchange. Touse a one-key system for message secrecy, the sender Apicks a keyK to a pair of invertible transformations, EKfor enciphering and DK for deciphering. The key K isthen transmitted to the receiver B in secrecy by encrypt-ing it under B's public key; that is, A computes andtransmits EB(K) to B. A then enciphers Musing EK,and B deciphers the received ciphertext using DK (seeFigure 3). Similarly, B can encipher a reply using EK,which A can decipher using DK. The advantage of thisapproach over the public-key cryptosystem for messagesecrecy is primarily speed. The encryption/decryptionrate of the RSA scheme, for example, is several orders ofmagnitude slower than that of the DES. Note, however,that a one-key system cannot by itself provide signatures,because the receiver of a message, knowing the encryp-tion key, could forge the message. But it does providemessage authenticity in that the receiver can be sure themessage sent fromA has not been altered. In this sense, itprovides a greater level of protection than using a public-key system for message secrecy only.

Signed secret messages. There are two approaches tosending a signed secret messageM fromA to B. The firstcomposes the secrecy and signature transformations,while the second keeps the transformations separate.

Composed secrecy and signature functions. With thisapproach, A first encrypts M using B's public key andthen signs the result, getting Y := DA(EB(M)). Brecovers M by first applying A's public key EA to Y and

then applying DB to the result. This approach can also beemployed when a one-key system is used for messagesecrecy. Here, A encrypts Munder a keyK shared with Band then signs the result, getting Y := DA(EK(M)).(Note that if a dispute arises, B must reveal K to a judgeto prove that applying EA and then DK to Y yields thealleged message M.)With either type of cryptosystem, this approach is sim-

ple though somewhat inconvenient; B must remove thesignature transformation to access M. If the signaturemust be retained by B over an extended period to settlepossible disputes, B can speed up processing by also stor-ing the unsigned message EB(M) (or just Mif encryptionis not needed for secure storage). This approximatelydoubles the storage requirements for the message,however.

Separate secrecy and signature functions. This ap-proach keeps the secrecy and signature transformationsseparate and uses another strategy that conceals themessage M in the signature but has minimal storage re-quirements, namely one block of output from DA.Davies and Price15 show how this can be done by com-puting a "digest" or "checksum" of M, which we de-note by M. A picks a random initialization seed I andfirst computes the digest M :=h(M,I), where h is apublicly available hashing function, described shortly. Athen signs the digest M together with I as X:=DA (M,I), and transmits the signature X to B. (If the pair(M,I) is shorter than the block size used by DA, it isreplicated as many times as necessary to fill the block; theextra bits are discarded by B after computing EA (X). )In addition, A computes and transmits to B the encryp-ted message C:=EB (M) (or EK(M) if a one-key systemis used for secrecy). After recovering M, B (or a judge)validates A's signatureXby computing EA (X) = (M,l)and checking that thisM is the same as that obtained bycomputing h (M,I) using the alleged message M.

Figure 4 illustrates the procedure for sending a signedsecret message using the public-key system for messagesecrecy. If a single-key system is used for secrecy, thenthe secrecy channel would be that shown in Figure 3. Ifsecrecy is not needed or is undesirable, the secrecy chan-nel can be omitted entirely andMcan be transmitted inthe clear.

Figure 4. Sending a signed secret message from A to B.

February 1983

l

29


The hashing function. The hashing function h mustsatisfy two properties. First, to ensure the secrecy of M,h must be a one-way function of M. Otherwise, the con-tents ofM could be determined by an eavesdropper, whocould obtairn EA, compute EA (X) = (M,I), and finallycompute h- i (M,I) =M. Second, to prevent forgeries, itmust not be possible to find another message with thesame digest M for the same seed I.

Finding such a function h that satisfies both propertiesis tricky because of the need to make h public. Davies andPrice show that many techniques that are secure when his secret are vulnerable to attack when h is public. Theysuggest a possible hashing function h that uses the DES(or some other block encryption algorithm) as follows:First, a random 64-bit seed I is picked; next,M is blocked into 56-bit blocks M1, . . . Mt; finally,h (M, I) is computed using each message block as a keyto the DES:

M= h (M, I) = EMt o . . . ° EM1 o EMt o o. . ° EM1 (I)

where EM, denotes the DES keyed to message block Mi,and "o" denotes functional composition. (The messageis used twice to prevent a "meet-in-the-middle" forgery;this can also be achieved with a one-pass scheme.16)

This method of signing a message M has four ad-vantages over the standard technique of computingDA (EB(M) ) (or just DA (M) if secrecy is not needed).

(1) It separates the signature transformation from thesecrecy transformation, allowing secrecy to be imple-mented with a one-key system or to be skipped. 15 At thesame time, it conceals messages so that signatures can bepublicly disclosed without revealing their correspondingmessages. This will be important later in the discussion ofwhy signatures should be recorded in a public log.

(2) It reduces the need for adding redundancy tomessages to prevent forgeries, because it is difficult tofind even a random message that hashes to any givendigest M starting with the same seed I.

(3) It reduces the storage requirements for signaturesto a single block; thus, retaining signatures in a public logneed not require much space.

(4) It seems to overcome the potential weaknessDavida discovered in the RSA system,16 because thehashing function is one-way and destroys the multiplica-tive structure of messages.

Security threats and countermeasures

The preceding schemes for secrecy and signatures can-not guarantee security if public keys can be faked orprivate keys compromised. This is true regardless ofwhether the keys are used for secrecy or signatures.

Fake public keys. Suppose that a user B requests A'spublic key from the key server but a penetrator Z in-tercepts and modifies the server's response to contain Ezinstead of EA. This might be done by active wiretappingor by penetrating B's host. If EA is requested to transmita secret message M to A, then B will inadvertently form

the ciphertext Ez(M) and transmit this to A; Z then in-tercepts the ciphertext and deciphers the message. If Areceives an indecipherable message, A will detect thatsomething is wrong and notify B; even so, Z may havealready acquired valuable information from B. To pro-tect against this threat, A and B could agree on a hand-shake procedure'7 whereby the key is tested beforevaluable information is transmitted. This can introducelong delays into the protocol, however, ifA is not loggedin when B sends the request for a handshake.Now, if EA is requested to validate A's signature on a

message M received from A, then B will unwittingly ac-cept Z's signature instead. Even though the signaturewould not be legally binding, B may feel satisfied that itbelongs to A and accept the message.

In both the secrecy and signature cases, Z has acquiredsome of A's capabilities. In the former case, thesecapabilities allow Z to receive secret messages intendedfor A; in the latter case, they allow Z to create documentsthat appear to have been signed by A. If the system is suf-ficiently insecure that Z can prevent messages fromreaching A and create messages appearing to have orig-inated with A, then Z may be able to masquerade as A.This scenario is not as farfetched as it might seem. If B'shost is insecure, it may be simple to modify the headersof messages to reroute them or to change their source.There are two techniques for protecting against fake

public keys: mass distribution and certificates. Massdistribution simply recognizes that because the keys arepublic, the complete directory can be regularly distrib-uted (e.g., weekly or monthly) as hard copy through apublic newsletter or a widely distributed newspaper suchas the New York Times. Updates to the public-key direc-tory could be distributed on a cumulative basis.

Public-key certificates. This technique, suggested byKohnfelder,18 is for the key server to distribute publickeys inside signed certificates. The public-key certificatefor user A contains a time stamp T, A 's unique identifier(which for simplicity can be written as A), and A's publickey EA, all signed with the server's private key DS:

P:= DS(TA,LEA).

The receiver of certificate P applies the server's publickey Es to P, obtaining T,A, and EA. Note that the serverdoes not hash the message (T,A,EA) before signing. Thisraises some question about whether a penetrator mightbe able to forge the server's signature using the methoddiscovered by Davida. This seems very unlikely, how-ever, if the only messages signed by the server are time-stamped certificates that it has constructed.The time stamp Tis used for validating the currency of

the certificate. Without the time stamp, a user might ac-cept the replay of an old certificate containing the publickey EA for a private key DA that has been compro-mised. 19 If the user then enciphers secret messages underEA, the compromiser could read those messages. (Kohn-felder's proposal did not include time stamps.) Note thatoff-line publication of public keys in a newspaper auto-matically time stamps all keys.

COM PUTER30


Whereas mass distribution of public keys allows off-line validation of keys, public-key certificates allow on-line validation. Both techniques can be used for addedsecurity. Even if certificates alone are used for user keys,the server's public key Es should be publicly broadcast toall users and retained at the users' workstations. Other-wise, if an intruder Z can trick a user into accepting Ezas the server's key, then Z can send fake public-key cer-tificates to the user.

Compromise of users' private keys. Suppose that apenetrator Z has acquired A's private key DA. Themethod by which DA may have been acquired-bybreaking into A's terminal, by sloppy handling proced-ures for keys, or by cryptanalysis, for instance-does notconcern us here. Even if this is unlikely, any practicalsystem must be capable of recovering from such com-promises.Now, if the corresponding public key EA is used by

others to send secret messages to A, then through passivewiretapping Z can intercept and decipher these messageswithout detection. IfDA is used byA to sign messages, Zcan forge A's signature on other messages. Once again Zhas acquired some of A's capabilities; in the first casethey allow Z to receive secret messages intended for A,and in the second case they allow Z to create documentsallegedly signed by A.Note the parallel between this problem and the prob-

lem of fake public keys. If Z can fake EA or compromiseDA, then Z may be able to read secret messages intendedforA or create documents allegedly signed byA. There isan additional problem with private keys that does notarise with public keys: IfA can deliberately compromiseDA, then A has a case for disavowing previously signedmessages.20To protect against compromises (including deliberate

disclosures) of private keys, compromises must be re-ported to the key server and new public keys registered.If this is done, public-key certificates and mass distribu-tion of public keys protect messages encrypted for secre-cy; any user obtaining a public key EA is assured that thecorresponding key DA is still valid, and therefore a secretmessage M encrypted under EA will not be disclosed.They do not, however, protect signatures.To protect signatures we need a mechanism whereby a

signature can be validated even after the signature keyhas been compromised. This requires binding the signa-ture to the public key that was valid at the time themessage was signed. This can be done with a signaturecertificate, which is like a public-key certificate with asignature inside.

Signature certificates. Let X = DA (,I) be thesignature computed by user A for message M, where M= h (M,I) is the digest of M as described earlier andshown in Figure 4. The signature certificate for Xis givenby

G:= DS(T,A,EA,X) .

The receiver of the certificate G obtains T, A, EA, andXby computing ES(G) and checks that the time stamp iscurrent.

The time stamp in the signature certificate is essentialto determine whether a message was signed before thesignature key was compromised. This time stamp mustbe affixed by the key server. IfA affixed the time stamp,A could intentionally affix an incorrect time. Moreover,if A's key is compromised, someone else could forge amessage and affix a time when the key was valid. Instead,the key server affixes the time stamp to the signedmessage and signs the result,21 thereby playing the role ofa "notary public."22The key server is not given access to A's private keyDA

or any of the secret messages signed by A, and as notedearlier, the hashing function is one-way so that Mcannotbe determined from the digest M. Thus, the server can-not disclose secret information or forge A's signature ona message but simply appends T, A, and EA to whateverinformation is sent byA. The receiver of the certificate isresponsible for validating A's signature. Note also thatthe signature certificate must be retained to resolve anydisputes that may arise later.

Sending a signed secret message with certificates.Figure 5 gives a high-level protocol using public-key andsignature certificates whereby user A can send a signedsecret message to user B. The protocol is illustrated inFigure 6.

Compromise of server's private key. There is a poten-tially serious security problem with certificates if theserver's signature key DS is ever compromised. The com-promiser, say Z, can then forge public-key certificates.The problem becomes extremely serious if Z knows apast (or present) signature keyDA belonging to some userA, because Z can then forge signature certificates as well.In particular, Z can take any message M, use DA to com-pute the signature X, and then use Ds to create a valid

Figure 5. Protocol for sending a signed secret message M from A to B.

February 1983 31


signature certificate with time T when DA was valid. Inshort, if Z has compromised both Ds and DA for someuser A, then Z can create messages that are legally bind-ing to A. Moreover, Z can continue to do this even afterthe server's key has been changed.Even if the probability of compromise is small, the

consequences are so severe that if digital signatures are tobe used at all, some mechanism for detecting andrecovering from compromises should be installed.

An on-line certificate log

One method for protecting against forgeries and com-promises of all keys, including the server's, is for the keyserver to keep a log or audit trail of the following events:

(1) Registration of public key, noted by entry ofpublic-key certificate in the log.

(2) Registration of signature, noted by entry ofsignature certificate in the log. (Signatures are notlegally binding unless they are logged.)

(3) Notification of key compromise.

The log is stored sequentially on a write-once devicesuch as an optical disk so that records in the log cannot bealtered and new records cannot be inserted in the middle.Extra copies of the log can be kept in physically separatelocations to protect against destruction or loss. All infor-mation placed in the log is time-stamped by the server,and entries are in ascending order by time.

Only the server should be capable of writing into thelog. This will be achieved if the server is physicallyisolated so that no process on the network can access thelog without going through the server. It might also beachieved if the server and log are logically isolated in aseparate virtual machine on a secure host.None of the information in the log is secret, and any-

one should be allowed to read it. The log is not en-crypted. This prevents loss of the log in case the server'skey is destroyed, allows a third party to audit the serveror settle a dispute, and provides a recovery mechanism incase the server is subverted.

Recording events in the log. Every event in the log canbe recorded both with and without the server's signature,with the unsigned portion to be used for retrieval ofpublic keys and signatures.

Figure 6. Sending a signed secret message with certificates.

COMPUTER32


Public-kev registration. At any given time, each userhas at most one valid public key, used for both secrecvand signatures; the procedure is easily modified to allowfor separate key pairs. To change keys, the user simpiNregisters a newv public key. (If the reason for the keychange is compromise of the previous key, this event isrecorded first.) The same procedure is followed with thekey server. The correct public key of a user A is thusgiEen by the most recent public-key certificate P =D( T,A,E1 ) in the log (as long as this record is not fol-lowed bv a "compromise" message for E-). The log isinitialized with a record containing the server's publickev.When A registers E4, a copy of the public-key cer-

tificate P containing E., is returned to A. A can check thevaliditv of P using the ser- er's public key. If another userB wishes E-, then B can obtain P directlx from A. Alter-natively, B can request a current certificate from theserver, in which case the server sends B a certificate forE'. with the current time. This certificate is not logged.

Signature registration. Signature certificates are auto-matically appended to the log when they are requested.In particular, when the server computes a signature cer-tificate G . = DS ( T,A,E4,X) for a signature X of A (asin step 2 of the protocol in Figure 5), the server appendsG to the log.

ANotification ofkey compromise. If A 's private key D.,is compromised. A signs the message M= "compro-mise" in the usual way (i.e., by' hashing Mand then ap-

Table 1.Sample log.

EVENTREGISTER KEY FOR S

REGISTER KEY FOR A

REGISTER KEY FOR B

REGISTER SIGNA-TURE FOR A

REGISTER COMPRO-MISE FOR A

REGISTER KEY FOR A

CERTIFICATE LOGGED(82:10:20:19:37:26. S. ES)

DS(8210f21 14-25(05 A, EA)

DS(82 10:21:15:36:52 B. EB)

DS(82: 1115:17:02:41. A. EA. X1)

DS(82 11:16:10:19:20. A. EA. XCOMP)

DS(1822 11:16: 10:20:47. A. E4 )

plying D). With XCOMP denoting the signature, Mand XCOMP are transmitted to the server, which ap-pends the record Ds( T,A,E.4,XCOMP) to the log. Thepurpose of this record is to limit A's liability on messagessigned with D., just before its compromise was detectedand a new public key established. If a dispute arises overa signature X with certificate Ds( T1,A,E1,,X), and thelog contains a subsequent "compromise" record for EAwith time stamp T. falling within some specified time in-terval dT from T1, then A wins the case.

If the server's key is compromised, this event is alsorecorded in the log. Although this may not present falseinformation from being appended to the log between thetime of compromise and the time of detection (if thecompromiser can obtain access to the log, which may notbe possible), it limits the time stamps that can be placedin those entries to that time period. In particular, it willnot be possible to forge a signature certificate for apreviously compromised key D,-, with a time stamp Twhen DA was salid.

Table I shows a sample log recording keys for S, A,and B; sipnatures for A; and compromise of A's key. Forclarity, time stamps are written in the form year:month:day:hour:minute:second. Note that compromise of A'skey was reported the dav after the signature X wasregistered. If dTexceeds one day, then A has a case fordisavowing X.

Authentication. Registration of public keys andsignatures raises an important security question: Howcan the server be sure of anv user's identity? If the users'hosts are secure and securelN linked to the server, thenthe server can relv on information provided by the hosts(as long as users are reliably authenticated by the hosts).But if the hosts are insecure, the serser cannot rely on anyinformation they transmit. Although information trans-mitted from a user's terminal can be encrvpted with theserver's key, authenticating the identity of the user atthat terminal is difficult, especiallv if keys (or passwords)have been compromised. How-ever, masqueraders can bedetected if public keys and signatures placed in the logare publiclN broadcast.

Key compromises. The log does not eliminate theproblems that arise from key compromises, but it doesconfine them substantially. More important, it allows fortheir detection. The following discussion of cases inwhich a penetrator compromises a user's key, theserver's key, or both is summarized in Table 2.

Table 2.What a penetrator can do with successful compromise of private keys.

PRIVATE KEYS COMPROMISED

NONE A KEY SERVER S KEYSEND FAKE READ As MAIL N/APUBLIC KEYS FORGE A SIGNATURE

FORGE PUBLIC-KEY CERTIFICATE

FORGE A'S SIGNATURE& SIGNATURE CERTIFICATE

February 1983

COUNTER-MEASURENOTH ING

CERTIF ICATESWITHOUT LOG

CERTI F CABES2VITH LOG

READ A S MAIL

BOTH KEYSN/A

READ A'S MAIL

33


User's key only. Suppose that Z has compromised A'scurrent private key DA but A has not yet detected thecompromise. Then Z can forge A's signature on anymessage M. For such a signature to be legally binding,however, Z must get a signature certificate from the keyserver. As long as Z can successfully masquerade as A tothe server, the signature certificate will be recorded in thelog. If the server notifies users when records are loggedon their behalf (as mail programs notify users of incom-ing mail), or if the server publicly broadcasts new entriesin the log, then A can detect the misuse ofDA, report thecompromise, and register a new key. Of course, Z couldalso report the compromise ofDA and attempt to install anew key for A that would be unknown to A, but this isdetectable as well.

Server's key. Suppose that Z has compromised theserver's private key Ds but the server has not yet detectedthe compromise. Then Z can create fake public-key cer-tificates. But unless Z can write into the log, the publickeys in these certificates will not be properly registered.In the unlikely event that Z is able to write into the log,the server can detect the fake certificates by comparingthe last record in the log with the last one it has written.The server can then enter a "compromise" record intothe log, install and broadcast a new public key, andnotify the users identified in the certificates.

Server's and user's keys. If Z has also compromisedthe private key DA of a user A, then Z can forge A'ssignature on arbitrary messages and subsequently forgethe server's signature on a signature certificate. Again,however, for such a certificate to be valid, it must bewritten into the log, which makes the compromise detec-table. Note also that once A changes DA and EA, Z can-not forge DA on a message even by time-stamping the

message with a time Twhen both DA and Ds were valid,because Z would have to insert the certificate into the login its proper time sequence, which is physically impossible.We might imagine a worst-case scenario in which a

penetrator subverts the key server. Even then the possibledamage is confined because the penetrator will not beable to create legally binding certificates with past timestamps.

Conclusions

It would be unwise to use a public-key cryptosystemfor secrecy and legally binding signatures without install-ing mechanisms for detecting and recovering from keycompromises. An on-line log provides such a mechan-ism. Although the log does not prevent forgeries ofmessages or certificates, it does permit their detectionand confine the damage. Security can be further en-hanced by off-line publication of public keys andsignatures.

Keeping the log of signature certificates has other ad-vantages as well. If a user loses a signature certificate, itcan be recovered from the log. The log also provides aconvenient mechanism for handling contracts signed bymore than one user. If a contract Mrequires n signaturesfrom users Al, . . ., A,, the contract becomes legallybinding only after all n users have registered signatureson Min the log. To prevent some user from withholdinga signature for an indefinite period after the others havesigned, we can require that all signature certificates in thelog have time stamps falling within a predetermined in-terval. (Contracts can also be signed without recourse toa key server.23,24)The key server is a potential bottleneck in the network

if there are many requests for public keys or the creationof new certificates. This problem can be partially miti-gated by regularly downloading all or part of the public-key directory to the users' workstations (or host systems,if secure).25 The problem can also be alleviated bydistributing the server over the network so that all re-quests are not addressed to the same site. Each servercomponent might keep a complete list of all public keysbut not necessarily a complete log of all certificates. En-cryption can be used to securely connect the componentsof the server. Distributing the server has the additionalbenefit of providing redundancy in case of failure.

Keeping a log or audit trail should be an importantpart of any security program. Many systems already keepa log to detect unauthorized activity on the system, andits existence alone can be a powerful deterrent to awould-be penetrator. High-capacity write-once devicessuch as optical disks are ideally suited for securitylogs because the information they contain cannot bealtered. O

Acknowledgments

I am grateful to Peter Denning for helpful discussionsand comments, and to the referees for helpful sugges-tions. This research was supported in part by NSF grantMCS80-1 5484.

COMPUTER34


References

1. W. Diffie and M. Hellman, "New Directions in Crypto-graphy," IEEE Trans. Information Theory, Vol. IT-22,No. 6, Nov. 1976, pp. 644-654.

2. D. E. Denning, Cryptography and Data Security, Addi-son-Wesley, Reading, Mass., 1982.

3. G. J. Simmons and D. A. Holdridge, "Forward Search asa Cryptanalytic Tool Against a Public Key Privacy Chan-nel, " Proc. 1982 IEEE Symp. Security and Privacy, Apr.1982.

4. R. L. Rivest, A. Shamir, and L. Adleman, "A Method forObtaining Digital Signatures and Public-Key Crypto-systems," Comm. ACM, Vol. 21, No. 2, Feb. 1978, pp.120-126.

5. G. E. Davida, "Chosen Signature Cryptanalysis of theRSA (MIT) Public Key Cryptosystem," TR-CS-82-2,Department of Electrical Engineering and ComputerScience, University of Wisconsin, Milwaukee, Oct. 1982.

6. R. C. Merkle and M. E. Hellman, "Hiding Informationand Signatures in Trapdoor Knapsacks," IEEE Trans. In-formation Theory, Vol. IT-24, No. 5, Sept. 1978, pp.525-530.

7. A. Shamir and R. E. Zippel, "On the Security of theMerkle-Hellman Cryptographic Scheme," IEEE Trans.Information Theory, Vol. IT-26, No. 3, May 1980, pp.339-340.

8. A. Lempel, "Cryptology in Transition," ComputingSurveys, Vol. 11, No. 4, Dec. 1979, pp. 285-303.

9. A. Shamir, "A Fast Signature Scheme," MIT/LCS/TM-107, Massachusetts Institute of Technology Labora-tory for Computer Science, Cambridge, Mass., July 1978.

10. R. McEliece, "A Public-Key Cryptosystem Based onAlgebraic Coding Theory," DSN progress report 42-44,Jet Propulsion Laboratory, California Institute ofTechnology, Pasadena, Jan.-Feb. 1978.

11. R. Janardan, "A Public-Key Cryptosystem Based on theMatrix Cover Problem," Advances in Cryptography,Proc. Crypto 82.

12. A. Shamir, "A Polynomial Time Algorithm for Breakingthe Basic Merkle-Hellman Cryptosystem," Proc. 23rdAnn. Symp. Foundations of Computer Science, Nov.1982, pp. 145-152.

13. A. Shamir, "On the Cryptocomplexity of Knapsack Sys-tems," Proc. l1th Ann. ACM Symp. Theory of Com-puting, May 1979, pp. 118-129.

14. "Data Encryption Standard," FIPS Pub. 46, NationalBureau of Standards, Washington, D.C., Jan. 1977.

15. D. W. Davies and W. L. Price, "The Application ofDigital Signatures Based on Public Key Cryptosystems,"NPL report DNACS 39/80, National Physical Labora-tory, Teddington, Middlesex, England, Dec. 1980.

16. D. E. Denning, "Signature Protocols for RSA and OtherPublic-Key Cryptosystems," Computer Sciences Depart-ment, Purdue University, Nov. 1982.

17. R. M. Needham and M. Schroeder, "Using Encryptionfor Authentication in Large Networks of Computers,"Comm. ACM, Vol. 21, No. 12, Dec. 1978, pp. 993-999.

18. L. M. Kohnfelder, "A Method for Certification,"Massachusetts Institute of Technology Laboratory forComputer Science, Cambridge, Mass., May 1978.

19. D. E. Denning and G. M. Sacco, "Timestamps in KeyDistribution Protocols," Comm. ACM, Vol. 24, No. 8,Aug. 1981, pp. 533-536.

20. J. Saltzer, "On Digital Signatures," Operating SystemsReview, Vol. 12, No. 2, Apr. 1978, pp. 12-14.

21. R. C. Merkle, "Protocols for Public Key Cryptosystems,"Proc. 1980 IEEE Symp. Security and Privacy, Apr. 1980,pp. 122-133.

Sponsored by IEEE Computer Societyl'and IEEE Circuits and Systems SocietyTechnical Committees on * Large Scale Systems * Computer-AidedNetwork Design * VLSI * Computer Architecture * Computer ElementsComputer Packaging * Mini and Micro Computers * Design Automation

CONFERENCEThel temteinal Cont on Co,puter Dssign VLSI in Comput-ts will coyer the VLSI spects.fintemection btw n fbricatons and systems digne,. in ha,dwe,e, sot-w, and rdeiability in con,potemr Sucha*pectsa. they relate to VLSI, are con,puter arnhitrcture and systenm design. niconprooesons, logic and,ne,nory chip deaign. packaging design and testing, design antontation.

InformationSubmht toilN e,nion ot paper tort eas. S0wond abst,nt. including titl., address. office end horne telephonenumbohesa soon es possible hot not later then Aprl 3t1983, to Dr Haomid W. Caner. 24 Long Stret Lane. Wnght-Fsttrson AFB, Ohio 45433, Teepho 513-255-3576/513-2534l42. Notifioation of acceptance date May 6.1983aperp doe date JMly 3.19S3

TE INSIITUTE Lr ELECTRICAL AND ELECTRONiCS ENGINEES. INC.

22. G. J. Popek and C. S. Kline, "Encryption and SecureComputer Networks," Computing Surveys, Vol. 11, No.4, Dec. 1979, pp. 331-356.

23. M. Blum, "How to Exchange (Secret) Keys," UCB/ERLM81/90, Department of Electrical Engineering and Com-puter Science, University of California, Berkeley, Mar.1982.

24. M. 0. Rabin, "Transaction Protocols by Beacons,"Department of Mathematics, The Hebrew University ofJerusalem, 1981.

25. B. P. Schanning, S. A. Powers, and J. Kowalchuk,"Memo: Privacy and Authentication for the AutomatedOffice," Proc. Fifth Conf. Local Computer Networks,Oct. 1980, pp. 21-30.

Dorothy E. Denning is an associate pro-fessor of computer sciences at PurdueUniversity. Her primary research area is

_ cryptography and data security. She hasbeen an assistant research mathematicianat the University of Michigan Radio As-tronomy Observatory and a systems pro-grammer and instructor at the Universityof Rochester. Denning is chairman of theACM Special Interest Group on Operating

Systems. She is on the editorial board of ACM Transactions onComputer Systems and the advisory board of Computer Securi-ty Journal. She has served as an IEEE distinguished visitor andis the author of Cryptography and Data Security, Addison-Wesley, 1982.Denning received the BA and MA degrees in mathematics

from the University of Michigan and the PhD in computerscience from Purdue University.

February 1983 35

c.&0\0'


Documents

ProtectingPublic Keys SignatureKeys...comesthis weakness. The other known public-key cryptosystems can be ... Shamir's signature-only knapsack scheme,9 McEliece's error-correcting