used to construct cryptosystems where your public key is your name [287]. Recall that in RSA and Diffie-Hellmann, the user chose his private key and then computed a corresponding public key. In a so-called identity-based cryptosystem, you choose your identity then go to a central authority that issues you with a private key corresponding to that identity. There is a global public key, with which anyone can encrypt a message to your identity; you can decrypt this using your private key. Earlier, Adi Shamir had discovered identity-based signature schemes that allow you to sign messages using a private key so that anyone can verify the signature against your name [1707]. In both cases, your private key is computed by the central authority using a system-wide private key known only to itself. Identity-based primitives have been used in a few specialist systems: in Zcash for the payment privacy mechanisms, and in a UK government key-management protocol called Mikey-Sakke. Computing people's private keys from their email addresses or other identifiers may seem a neat hack, but it can be expensive when government departments are reorganised or renamed [116]. Most organisations and applications use ordinary public-key systems with certification of public keys, which I'll discuss next.
5.7.4 Certification authorities
Now that we can do public-key encryption and digital signature, we need some mechanism to bind users to keys. The approach proposed by Diffie and Hellman when they invented digital signatures was to have a directory of the public keys of a system's authorised users, like a phone book. A more common solution, due to Loren Kohnfelder, is for a certification authority (CA) to sign the users’ public encryption keys or their signature verification keys giving certificates that contain a user's name, one or more of their public keys, and attributes such as authorisations. The CA might be run by the local system administrator; but it is most commonly a third party service such as Verisign whose business is to sign public keys after doing some due diligence about whether they are controlled by the principals named in them.
A certificate might be described symbolically as
(5.1)
where
Certification is hard, for a whole lot of reasons. Naming is hard, for starters; we discuss this in Chapter 7 on Distributed Systems. But often names aren't really what the protocol has to establish, as in the real world it's often about authorisation rather than authentication. Government systems are often about establishing not just a user's name or role but their security clearance level. In banking systems, it's about your balance, your available credit and your authority to spend it. In commercial systems, it's often about linking remote users to role-based access control. In user-facing systems, there is a tendency to dump on the customer as many of the compliance costs as possible [524]. There are many other things that can go wrong with certification at the level of systems engineering. At the level of politics, there are hundreds of certification authorities in a typical browser, they are all more or less equally trusted, and many nation states can coerce at least one of them10. The revocation of bad certificates is usually flaky, if it works at all. There will be much more on these topics later. With these warnings, it's time to look at the most commonly used public key protocol, TLS.
5.7.5 TLS
I remarked above that a server could publish a public key http requests and responses can be protected against both eavesdropping and manipulation. It's the protocol that's activated when you see the padlock on your browser toolbar.
Here is a simplified description of the basic version of the protocol in TLS v1:
1 the client sends the server a client hello message that contains its name , a transaction serial number , and a random nonce ;
2 the server replies with a server hello message that contains its name , a transaction serial number , a random nonce , and a certificate containing its public key . The client now checks the certificate , and if need be checks the key that signed it in another certificate, and so on back to a root certificate issued by a company such as Verisign and stored in the browser;
3 the client sends a key exchange message containing a pre-master-secret key, , encrypted under the server public key . It also sends a finished message with a message authentication code (MAC) computed on all the messages to date. The key for this MAC is the master-secret, . This key is computed by hashing the pre-master-secret key with the nonces sent by the client and server: . From this point onward, all the traffic is encrypted; we'll write this as in the client-server direction and from the server to the client. These keys are generated in turn by hashing the nonces with .
4 The server also sends a finished message with a MAC computed on all the messages to date. It then finally starts sending the data.
|
|
|
|
|
|
|
|
|
|
|
|
