Digital Signatures and the Public Key Infrastructure

S.M. van den Broek

Department of Econometrics, Faculty of Economics
Erasmus University Rotterdam

Rotterdam, 11th April 1999

Thesis supervisor: dr. ir. J. van den Berg

This thesis was typeset by the author with the LaTeX 2e documentation system.

Acknowledgments

I am very grateful for the advice and support of my advisor, Jan van den Berg, for his sharpness of mind and his dedication to detail. Furthermore I would like to thank Deloitte & Touche Enterprise Risk Services, especially Xander Stox, for giving me the opportunity to explore one of the most interesting issues that are currently changing the conduct of business. I would also like to thank Wilco van Ginkel and Remco Kroes for reviewing my thesis and providing me with good feedback, and Sanne Bakker for her understanding and support during the writing of this thesis.

Stefan van den Broek
Rotterdam, 11th April 1999

Contents

List of figures ..... vi

1 Introduction ..... 1
1.1 Information transfer ..... 1
1.2 Features of information transfer across a network ..... 2
1.2.1 Controlling network security ..... 2
1.2.2 Increased usage of networks for doing business ..... 3
1.3 Definition of the problem ..... 4
1.4 Intent of thesis ..... 4
1.5 Methodology ..... 5
1.6 Contents ..... 5

2 Network security ..... 7
2.1 Quality aspects of secure information transfer ..... 7
2.2 The OSI Reference Model ..... 8
2.3 Security threats of networks ..... 10
2.3.1 How could a network be secured ..... 11
2.4 The working of encryption ..... 11
2.5 Encryption model ..... 11
2.6 Symmetric encryption ..... 13
2.6.1 Drawbacks of symmetric encryption ..... 13
2.7 Public key cryptography ..... 14
2.7.1 (Trap-door-)one-way functions ..... 15
2.8 Digital signature ..... 16
2.9 Public key encryption ..... 17
2.9.1 Authentication and safe usage ..... 17
2.9.2 Non-repudiation of delivery ..... 17
2.9.3 Non-repudiation of receipt ..... 18
2.9.4 Content integrity ..... 18
2.9.5 Confidentiality ..... 18
2.9.6 Drawback of Public Key cryptography ..... 18
2.9.7 Digital envelop ..... 18
2.10 Summary ..... 19

3 Public Key Infrastructure ..... 20
3.1 Management of public keys ..... 21
3.1.1 Contents certificate ..... 22
3.2 Pretty Good Privacy ..... 22
3.2.1 Certification with PGP ..... 22
3.2.2 Trustworthiness of public-key certificate ..... 23
3.3 Trust infrastructure ..... 24
3.3.1 Trusted Third Party ..... 24
3.3.2 Actors within a TTP-model ..... 25
3.3.3 Services of a trust infrastructure ..... 25
3.3.3.1 Issuing certificates ..... 25
3.3.3.2 Distributing certificates ..... 26
3.3.3.3 Validating certificates ..... 26
3.3.3.4 Revoking a certificate ..... 26
3.4 Types of TTP ..... 28
3.5 Public Key Infrastructure (PKI) Models ..... 29
3.5.1 Open PKI Model ..... 29
3.5.2 Closed PKI Model ..... 29
3.6 Certification practice statement ..... 30
3.6.1 Policy Authority ..... 30
3.7 Summary ..... 32

4 Legislation ..... 34
4.1 Legislation for digital signatures ..... 35
4.2 Dutch national TTP project ..... 36
4.2.1 TTP services ..... 37
4.2.2 Requirements of TTP ..... 38
4.2.2.1 Legal status of digital signatures ..... 38
4.2.2.2 Reliability of the TTP organization ..... 38
4.2.2.3 Reliability of the TTP service ..... 40
4.3 German legislation ..... 40
4.3.1 Criticism of German Law ..... 41
4.4 Utah digital signature act ..... 42
4.4.1 Legal status of digital signature ..... 43
4.4.2 Overview of regulation ..... 44
4.5 Crypto regulation ..... 44
4.5.1 A brief survey of crypto regulation ..... 45
4.5.1.1 Export Control ..... 46
4.5.1.2 Key-escrow ..... 46
4.5.1.3 The Clipper initiative ..... 47
4.6 Summary ..... 48

5 Specific aspects ..... 50
5.1 Aspects of keys ..... 50
5.1.1 Key generation ..... 51
5.1.1.1 Deciphering a key ..... 51
5.1.1.2 Finding random sources ..... 52
5.1.2 Key storage ..... 53
5.2 Aspects of certificates ..... 54
5.2.1 History X-509 ..... 54
5.2.2 Usage of the X-509 ..... 55
5.2.3 Information in a X-509 certificate ..... 56
5.2.4 Attribute Certificates ..... 57
5.3 Public key encryption ..... 57
5.3.1 Algorithm based on integer factoring ..... 57
5.3.2 Algorithm based on discrete logarithm problem ..... 59
5.3.3 Algorithm based on elliptic curves ..... 59
5.4 One-way functions ..... 61
5.5 Compliance to quality aspects ..... 63
5.6 Summary ..... 64

6 Current implementations ..... 65
6.1 Internet browsers ..... 65
6.1.1 Certificate authorities on the web ..... 66
6.1.1.1 Certificate creation with browser ..... 67
6.1.2 Shortcomings in the method ..... 68
6.2 A specialized implementation ..... 68
6.3 Compliance with quality aspects ..... 69
6.3.1 Compliance with technical aspects ..... 70
6.3.2 Compliance with organizational aspects ..... 70
6.3.3 Compliance of current implementations to legislation ..... 70
6.4 Summary ..... 71

7 Conclusion ..... 72
7.1 Technical aspects ..... 72
7.2 Organizational aspects ..... 73
7.3 Legislation ..... 74
7.4 Conclusion ..... 74
7.5 Future ..... 75
7.6 Afterthought ..... 75
7.7 Future research ..... 76

A History encryption ..... I
A.1 Substitution Ciphers ..... I
A.1.1 Breaking a substitution cipher ..... II
A.2 Transposition Ciphers ..... II
A.2.1 Breaking a transposition ciphers ..... III
A.3 One-Time Pads ..... III
A.4 Two Fundamental Cryptographic Principles ..... IV

B The RSA-system ..... V
B.1 Key generation ..... V
B.2 Public key encryption and decryption ..... V
B.3 Example of RSA encryption ..... VI
B.3.0.1 Key generation ..... VI
B.3.0.2 Encrypting and decrypting a message ..... VI

Bibliography ..... VII

Index ..... XI

List of Figures

1.1 Communication media ..... 1
1.2 Information transfer from A to B ..... 3
1.3 Different types of aspects for a public key infrastructure ..... 4
2.1 Quality aspects of information transfer [RvdB98] ..... 8
2.2 The hybrid TCP/IP – OSI reference model ..... 9
2.3 Intruder intercepting message ..... 10
2.4 The encryption model [Tan96] ..... 12
2.5 Digital signature attached to plaintext ..... 17
2.6 Digital envelope ..... 19
3.1 Certificate server connected to network ..... 21
3.2 Generating trust with a Trusted Third Party ..... 24
3.3 Trust infrastructure [AF98] ..... 27
3.4 Different types of TTP’s ..... 29
3.5 Hierarchical Trust Model [Poh97] ..... 31
3.6 Options for a trust infrastructure ..... 33
4.1 Balance between secure transfer and crypto regulation ..... 45
5.1 Geometric description of the addition of two distinct elliptic curve points: P + Q = R ..... 60
5.2 Copying the digital signature for another message ..... 61
6.1 CA certificate incorporated in Netscape Communicator ..... 66
6.2 Certificate from CA and certificate from entity signed by CA ..... 67
6.3 Dox going sender to NetDox ..... 69
A.1 Caesar cipher ..... I
A.2 Transposition encryption ..... II
A.3 Basic elements of product ciphers ..... IV

Chapter 1 Introduction

1.1 Information transfer

Historically, communication has been between people talking directly with one another in person. As people became able to exchange ideas or information in writing, communication became possible over a greater distance. Letters could be written and sent by post. As technology evolved it became possible to exchange information verbally with the help of a direct cable connection or a telephone. These steps can be visualized with the help of figure 1.1.

Figure 1.1: Communication media

More and more communication became possible with methods that have fewer and fewer features to identify with whom one is actually communicating. Until recently it was possible to recognize the sender of the information by handwriting and the signature at the bottom of a letter, or by speech recognition. New technologies have made it possible to exchange information with the help of computers. This information can be sent across a network¹. The problem now arises that the information received over a network does not have any features that make it unique. Another problem concerns the sender not knowing the receiver and vice versa. Some kind of method is necessary to establish trust in one another.

1.2 Features of information transfer across a network

Basically the issue consists of transferring information from A to B as shown in figure 1.2.

What do we expect from this information transfer?

1. A network should be available in order to make any communication possible. At the same time the usage of a system should be restricted to those users that are authorized;

2. If B receives information then he² should be able to determine who sent it. At the same time the sender should be able to determine who receives the information. Authentication of the sender and the receiver is essential in order to judge the value of information exchanged;

3. If A sends a message to B then B should not be able to later deny having received this information. A should also not be able to deny having sent the information. If A or B could somehow dispute ever having taken part in the communication then this cannot lead to a trustworthy communication medium. Thus non-repudiation of delivery and receipt is essential;

4. It should not be possible to change the contents of the information, or in case this happens, any change should be made visible. Thus everyone receiving a message should be assured it is genuine. Another word for this is content integrity;

5. If private information is transferred then both A and B should be assured it cannot be read by anyone but A and B. This is called confidentiality.

In this thesis security will imply adhering to these features.

1.2.1 Controlling network security

“As long as networks are operated within the organization boundaries, the organization has the responsibility as well as the opportunity to operate the networks in conformance with the qualitative and quantitative demands and requirements that apply to the organization” [RvdB98].

¹ With the term network is meant an interconnected collection of autonomous computers. Two computers are said to be interconnected if they are able to exchange information [Tan96].

² Whenever the word he is said this could also imply a she.

Figure 1.2: Information transfer from A to B

In the past, organizations operating within a small private community used private networks to transport their information. These communities trusted each other and solved their problems internally, based on the long relationships built over the years.

There is a shift in focus, however, from private networks to more open network communication. Scaling-up, outsourcing, internationalization et cetera demand a collective infrastructure [dBC98]. The Internet appears at the horizon as a cheap medium that can make easy and fast communication possible across the ‘world’.

Connecting to the Internet has the problem that the quality of the processes, information systems and networks cannot be directly assessed from within the organization. This gives rise to the question whether information retrieved from the Internet is authentic and has integrity.

1.2.2 Increased usage of networks for doing business

In 1992 the number of hosts connected to the Internet reached one million. By now, this number has increased dramatically. With so many users it is impossible to know everyone in person. The Internet, however, is being used to transfer a tremendous amount of information. The content of the information transferred across the Internet can be very different. While some information may be publicly distributed without any trouble, other information can contain classified information.

“Before using the Internet and integrating it into the business processes, the risks involved will have to be adequately assessed and controlled. There is a broad spectrum of quality aspects that has to be guaranteed will the Internet be useful for business specific processes” [RvdB98].

Besides the quality aspects of information transfer, another aspect is also of great importance. This concerns the legal validity or legal usage of information exchanged across a network. While, for example, a paper based letter has legal value, none can be said of an e-mail message. After all, a digital document can be duplicated, changed or deleted without anyone finding out, and because the Internet consists of a huge amount of different networks, securing each network from tampering is an impossible task.

One of the aspects lacking in an e-mail message is authentication. “We use authentication throughout our everyday life, for instance when we sign our name to some document. As we move to a world where our decisions and agreements are communicated electronically, we need to replicate these procedures” [RSA96].

1.3 Definition of the problem

This thesis will deal with the issues as portrayed above. The central theme of this thesis concerns the question:

What measures have to be taken to ensure an open digital network³ can be used to transfer information that complies with the features of information transfer, as stated in section 1.2, and can be used as evidence in case of a legal dispute.

In this thesis a distinction will be made between three areas of research. These concern the technical, organizational and judicial aspects. Because of the overall approach to these questions, the scope of this thesis has to be narrowed. Thus this thesis will only deal with those issues that are necessary to understand the working of the public key infrastructure. This will include the technical concept that makes such an infrastructure possible, the infrastructure itself, and the legislation that sets a framework under which conditions the information sent can be used as evidence.

Figure 1.3: Different types of aspects for a public key infrastructure

1.4 Intent of thesis

This thesis has the intent of:

1. providing requirements for secure information transfer across the Internet that has such properties that the information sent has legally binding properties, and;

2. testing current implementations against these requirements.

This thesis is aimed at readers with a background in computer science or with affinity for computer science and issues involving the Internet and security. Most issues in this thesis are, however, readable for a broad public.

³ With the term “open digital network” is implied an “interconnected collection of autonomous computers” [Tan96]. This thesis will further speak of the “Internet” instead of an open digital network, but what applies for the Internet also applies for an open network.

This thesis will not give a complete description of all the facets of the public key infrastructure. Only those issues that are important for a good notion of the working and the security of the public key infrastructure will be dealt with in this thesis. Many issues, such as the use of this medium within an organization, will not be mentioned or not fully explained. The reader may however expect to know what constitutes a good digital signature that has legally binding properties and what the public key infrastructure constitutes.

1.5 Methodology

As part of my internship at Deloitte & Touche, I conducted research into different standards and legislation concerning the public key infrastructure.

Standards under construction by the PKIX working group of the Internet Engineering Task Force (IETF) [AF98] and the IEEE P1363 working group [IEE98] have been used to develop insight into the current and ongoing development of the public key encryption infrastructure⁴.

Extensive use has been made of the German law, [FMoET97] and [Sig97], because this is a very rigid law that extensively discusses the technical requirements in several attachments, [Age97] and [Sch98]. Different legislation has further been used, [Uta96] and [N.V98], and the help of several books has improved my insight into these different legislations, [Dut98], [Koo97] and [Koo98].

To develop insight into the working of several techniques, extensive use has been made of RSA Laboratories, which provide much information [RSA96].

Different articles have been used to provide extra information on those issues that were not clear to me.

The different requirements are then tested against quality aspects that have been formulated.

1.6 Contents

The content of the chapters is as follows.

Chapter 2 will first explain what risk aspects are involved during an information transfer, with the help of a risk model. The chapter will then explain how cryptography can ensure network security. The focus of this chapter will be on public key encryption and the working of digital signatures.

Chapter 3 explains the organizational aspects concerning management of cryptographic keys. This will give an overview of all the actors involved and the functionality that is required for such an infrastructure. This will constitute the organizational aspects that have to be implemented.

Chapter 4 explains different legislation concerning the usage of digital signatures. This will constitute the judicial requirements that are necessary to obtain a digital signature that has legally binding properties. The usage of digital signatures is still in its infancy. Legislators will still have to reach consensus on the issues involved. Even more difficult is reaching international consensus. An overview will be given of different trends in legislation and different legislation that has been implemented.

Chapter 5 will focus on specific aspects that have been mentioned, but not fully explained, in the first chapters. Many of the issues in the chapter have a limited life cycle, but they give an overview of current security threats and future threats that loom at the horizon. These will be explained in more detail.

Chapter 6 will give a case study of three current implementations. This chapter will explain how the different aspects have been implemented by these applications.

Chapter 7, the conclusion, is a logical extension of the previous chapters. This chapter will give a conclusion on the current status of digital signatures, the implementations, the security aspects, and give recommendations.

⁴ The subscription to the mailing list of these groups has given me extra insight into current questions and new developments.

Chapter 2 Network security using cryptography

2.1 Quality aspects of secure information transfer

“For the first few decades of their existence, computer networks were primarily used by university researchers for sending e-mail, and by corporate employees for sharing printers. Under these conditions, security did not get a lot of attention. But now, as millions of ordinary citizens are using networks for banking, shopping, and filling their tax returns, network security is looming on the horizon as a potentially massive problem” [Tan96].

In the introduction, section 1.2 of chapter 1, several features of information transfer were introduced. These features constitute the quality aspects of information sent across a digital network. These features form the core of this thesis, because if they can be assured then there is a basis for secure information transfer.

A business process depending on information received from an information system must be able to rely on this information with a great amount of assurance. If this information is received with the help of a network then a few aspects have to be assured.

These aspects form the quality aspects of secure information transfer and must be adhered to if it is to be possible to securely transport information across the Internet.

The definitions of these aspects are:

• Authentication of sender and receiver: the origin and the receiver of data should be irrefutably determined;

• Non-repudiation of delivery and receipt: the sender or receiver of data should not be able to deny having sent or received a message;

• Content integrity: the content of the data sent may not be susceptible to change, or at least any change should be identifiable;

• Confidentiality: the content of data sent should be illegible to third parties;

• Availability: the service should be available to authorized users;

• Safe usage: the service should only be available to those users that are authorized to use it.

These items can be seen in figure 2.1. In this figure a company process depends on an information system. This information system is connected to another information system with the help of the Internet.

Figure 2.1: Quality aspects of information transfer [RvdB98].

The item availability will fall outside the scope of this thesis. Making the Internet available to a user can prove to be rather complex. This thesis will however assume a user has access to the Internet.

If these aspects can be guaranteed with a great amount of confidence then an open system network such as the Internet could be used to securely conduct business.

To get a better insight into the possible security measures at the different levels between the application system and the network, the levels between an application and the network as shown in figure 2.1 will be explained.

2.2 The OSI Reference Model

The hybrid TCP/IP – OSI reference model, as shown in figure 2.2, is a refined model based on a proposal developed by the International Standards Organization (ISO) as a first step toward international standardization of the protocols used in the various network layers [DZ83]. The model is called the ISO OSI (Open System Interconnection) Reference Model because it deals with connection of open systems – that is, systems that are open for communication with other systems, because they use the same framework.

The OSI model has seven layers. The principles that were applied to arrive at the seven layers are as follows:

1. A layer should be created where a different level of abstraction is needed;

2. Each layer should perform a well-defined function;

3. The function of each layer should be chosen with an eye toward defining internationally standardized protocols;

4. The layer boundaries should be chosen to minimize the information flow across the interfaces;

5. The number of layers should be large enough that distinct functions need not be thrown together in the same layer out of necessity, and small enough that the architecture does not become unwieldy.

Figure 2.2: The hybrid TCP/IP – OSI reference model

At each layer of the OSI model, a security feature can be implemented.

Security in the physical layer can be achieved by enclosing transmission lines in sealed tubes containing argon gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm. Some military systems use this technique [Tan96].

In the data link layer, packets on a point-to-point line can be encoded as they leave one machine and decoded as they enter another. All the details can be handled in the data link layer, with higher layers oblivious to what is going on. This solution breaks down when packets have to traverse multiple routers, however, because packets have to be decrypted at each router, leaving them vulnerable to attacks from within the router. Also, not all sessions have to be protected, e.g. sessions involving on-line purchases by credit card should be protected, while retrieving public information of a Web site does not. Nevertheless, link encryption, as this method is called, can be added to any network easily and is often useful. In the network layer, firewalls can be installed to keep packets in or out.

Page 18: Digital Signatures and the Public Key Infrastructure faculteit...The Internet appears at the horizon as a cheap media that can make easy and fast communication possible across the

Chapter2. Network security 2.3.Securitythreatsof networks

Although thesesolutionshelp with secrecy issuesandmany peopleareworkinghardto improve them,noneof themsolve theauthenticationor non-repudiationprob-lem in asufficiently generalway. To tacklethisproblems,thesolutionsmustbein theapplicationlayer.

Thischapterwill first explainthesecuritythreatsof anetwork andthentheworkingof encryptionincluding symmetricandpublic key encryptionand the working of adigital signature.

2.3 Security thr eatsof networks

At the startof this chapter, in section2.1, a formal definition wasgiven for qualityaspectsof secureinformationtransfer. Theproblemconcernsthesituationasdepictedin figure 2.3. PersonA and B communicatewith one anotherthrougha network.Becausethe network is so large it is virtually impossibleto insurenobodycan“tapinto” thenetwork.

Why cantheabove notbeassuredin anopennetwork communication?� someonestandingin betweena communicationline can copy the signal thatpasses,thustheconfidentialityis notmet;� someonecansenda messagesaying: “I amA andthis messageis for B”, thustheauthenticationis notmet;� someonecantake a message,alter the contentsandsendit along,thusthe in-tegrity is notmet;� becauseof theabove bothA andB canclaimnothaving sentamessageandthenon-repudiationis notmet.

Why is the above possible? Because information sent across a network is sent digitally. This means it is not possible to unambiguously recognize an altered message as being altered¹. Due to the large scale of networks it is furthermore virtually impossible to secure all network lines against tampering.

Figure 2.3: Intruder intercepting message

¹ This chapter will show that a message can be manipulated in such a way that the message can be unambiguously recognized and any change of the message is noticed.


2.3.1 How could a network be secured

Assuring the network against the problems stated in section 2.3 requires several measures to ensure these aspects are guaranteed. This section will take an intuitive approach to a solution. This solution will be given a more solid basis in the following sections.

This thesiswill assumeuserscommunicatewith helpof theInternet.This impliestheselinescannotbesecuredphysically. Securityshouldthustake placein adifferentmanner. Becauseoneshouldassumeit is possibleto copy a messagesentacrossanetwork, the messageitself shouldbe madeillegible for unauthorizedpeople. Thiswould requirethemessageto beencodedin somesortof languageonly understoodbythesenderandthereceiver.

Because the identity of a sender of a message can be "faked", the message sent should somehow be digitally signed. Due to the ease of copying a message, it can be assumed there should be a relation between the message and the signature, making it impossible to copy a signature and attach it to another message.

The following sections will explain how these requirements can be assured.

2.4 The working of encryption

Encryption is the transformation of data into some unreadable form. The purpose of encryption is to ensure privacy by keeping the information hidden from anyone for whom it is not intended, even those who can see the encrypted data. Decryption is the reverse of encryption; it is the transformation of encrypted data back into some intelligible form. Encryption and decryption require the use of some secret information, usually referred to as a key. Depending on the encryption mechanism used, the same key might be used for both encryption and decryption, while for other mechanisms, the keys used for encryption and decryption might be different [RSA96].

2.5 Encryption model

To get a better understanding of encryption and the actors involved, first the encryption model will be introduced, with the help of figure 2.4 [Tan96].

The messages to be encrypted, known as the plaintext, are transformed by a function that is parameterized by a key. The output of the encryption process, known as the ciphertext, is then transmitted. We assume that the intruder hears and accurately copies down the complete ciphertext. Because the intruder does not know what the decryption key is, he cannot decrypt the ciphertext easily.

Sometimes the intruder can not only listen to the communication channel, a so called passive intruder, but he can also record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver, a so called active intruder. The art of breaking ciphers is called cryptanalysis.

The art of devising ciphers, cryptography, and breaking them, cryptanalysis, is collectively known as cryptology.


A fundamental rule of cryptography is that one must assume that the cryptanalyst knows how the encryption method works. The amount of effort necessary to invent, test and install a new method every time the old method is compromised or thought to be compromised has always made it impractical to keep this secret, and thinking it is secret when it is not does more harm than good.

This is where the key enters. The key consists of a (relatively) short string that selects one of many potential encryptions. In contrast to the general method, which may only be changed every few years, the key can be changed as often as required. Thus our basic model is a stable and publicly known general method parameterized by a secret and easily changed key.

Figure 2.4: The encryption model [Tan96]

The real secrecy is in the key, and its length is a major design issue. Consider a simple combination lock. The general principle is that you enter digits in sequence. Everyone knows this, but the key is secret. A key length of two digits means that there are 100 possibilities. A key length of three digits means 1,000 possibilities, and a key length of six digits means a million. The longer the key, the higher the work factor the cryptanalyst has to deal with. The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.

From the cryptanalyst's point of view, the problem has three principal variations.

- ciphertext only, here the cryptanalyst only has the ciphertext and no plaintext;
- known plaintext, here the cryptanalyst has both the plaintext and the ciphertext;
- chosen plaintext, here the cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing.

Basically two distinct encryption methods exist:

- Symmetric encryption and
- Asymmetric encryption.


2.6 Symmetric encryption

Symmetric encryption uses an encryption method which uses the same key to encrypt information as well as to decrypt information.

Historically all cryptosystems were based on a system where the decryption key has a simple mathematical relationship with the encryption key.

If we use $E_K(P) = C$ to denote that the encryption of the plaintext $P$ using key $K$ gives the ciphertext $C$ and similarly, $D_K(C) = P$ represents the decryption of $C$ to get the plaintext again, then it follows that:

$D_K(E_K(P)) = P$ \quad (2.1)

With symmetric encryption the key, $K_d$, to decrypt the ciphertext, $C$, is the inverse of the encryption key $K_e$:

$D_{K_d}(E_{K_e}(P)) = P$ \quad where \quad $K_d = K_e^{-1}$ \quad (2.2)

For a detailed discussion on symmetric encryption the reader is advised to read appendix A.

A widely known encryption algorithm that uses a product cipher² is DES. DES is the Data Encryption Standard, an encryption block cipher³ defined and endorsed by the U.S. government in 1977 as an official standard. DES has been extensively studied since its publication and is the most well-known and widely used cryptosystem in the world [RSA96].

The requirements for symmetric encryption are:

- it should be impossible to calculate $P$ from $E_K(P)$;
- it should be impossible to deduce $K_e$ by any means;
- it should be possible to distribute $K_e$ safely between the sender and the receiver of the message involved.

2.6.1 Drawbacks of symmetric encryption

Because all keys in a secret-key cryptosystem must remain secret, secret-key cryptography often has difficulty providing secure key management, especially in open systems with a large number of users [RSA96].

A further drawback of symmetric encryption is the one-on-one relationship between the sender and receiver. If a sender communicates with two people it will need two shared keys. If a sender communicates with three people it will need three shared keys. The total amount of keys in the infrastructure will however be, with $n$ the number of users:

$1 + 2 + \cdots + (n-1) = \sum_{i=1}^{n-1} i = \frac{1}{2}\,n(n-1)$ \quad (2.3)

² See Appendix A figure A.3 for a product cipher.
³ "A block cipher transforms a fixed-length block of plaintext data into a block of ciphertext data of the same length. This transformation takes place under the action of a user-provided secret key. Decryption is performed by applying the reverse transformation to the ciphertext block using the same secret key. The fixed length is called the block size, and for many block ciphers, the block size is 64 bits" [RSA96].

All these keys have to be stored and transported in a safe and secure way.

2.7 Public key cryptography

The key distribution problem has historically always been the weakest link in most cryptosystems. No matter how strong a cryptosystem was, if an intruder could steal the key, the system was worthless.

In 1976, two researchers at Stanford University, Whitfield Diffie and Martin Hellman, proposed a radically new kind of cryptosystem, one in which the encryption and decryption keys were different, and the decryption key could not be derived from the encryption key and vice versa [DH76].

In their concept, each person gets a pair of keys. These keys will be given the following names:

- private key, this key will be kept secret and will only be known to the owner;
- public key, this key will be kept in a public file.

These procedures have the following four properties:

1. Deciphering the enciphered form of a plaintext P yields P. Formally,

$D(E(P)) = P$ \quad (2.4)

2. Both $E$ and $D$ are easy to compute.

3. By publicly revealing $E$ the user does not reveal an easy way to compute $D$. This means that in practice only he can decrypt messages encrypted with $E$, or compute $D$ efficiently.

4. If a plaintext P is first deciphered and then enciphered, P is the result. Formally,

$E(D(P)) = P$ \quad (2.5)

The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. No longer is it necessary to trust some communications channel to be secure against eavesdropping or betrayal.


2.7.1 One-way and trap-door one-way functions

Important factors for the working of public key cryptosystems are one-way functions and trap-door one-way functions.

"A one-way function is a mathematical function that is significantly easier to perform in one direction, the forward direction, than in the opposite direction, the inverse direction. It might be possible, for example, to compute the function in seconds but to compute its inverse could take months or years."

"A trap-door one-way function is a one-way function where the inverse direction is easy, given a certain piece of information, the trapdoor, but difficult otherwise" [RSA96].

The one-way function is a mathematical function that calculates from arbitrarily large data a unique fingerprint, the outcome of which is called the message digest. More specifically:

Given a one-way function, $H$, that produces with plaintext $P_1$ a fingerprint $F$, it is virtually impossible to find a plaintext $P_2$ that produces the same fingerprint $F$, or,

$H(P_1) = F \;\Rightarrow\; \nexists\, P_2 \neq P_1 : H(P_2) = F$ \quad (2.6)

The requirements for a one-way function are:

- the plaintext, $P$, should be able to have an arbitrary length;
- the output, the message digest, should have a fixed length;
- $H(P)$ should be easy to compute for an arbitrary $P$;
- $H(P)$ should be one-way, i.e. it should be virtually impossible to compute $P$ from $H(P)$;
- $H(P)$ is collision-free, i.e. knowing $P_1$ it should be virtually impossible to find a message $P_2$ such that $H(P_1) = H(P_2)$.

As an example of a trap-door one-way function one can think of exponentiation. Exponentiation can be computed easily by repeated multiplication. The inverse of exponentiation, calculating the square root, is far more difficult to compute. One of the most well known and used public key systems is the RSA system.

For a more detailed discussion on asymmetric encryption the reader is advised to read section 5.3 of chapter 5 or appendix B.

As stated in the introduction, encryption is more than encrypting and decrypting. Another fundamental part of our lives is authentication. The next section will discuss how a digital signature can achieve this.


2.8 Digital signature with the use of the PKI-system

Devising a digital signature requires a combination of information concerning the message itself and that of the signer. Because digital information can be cut, copied and pasted, there should be a link between the message and the digital signature itself. Otherwise, the recipient could modify the message before showing the message-signature pair to a judge. Even worse, he could attach the signature to any message whatsoever, since it is impossible to detect electronic 'cutting' and 'pasting'.

The following desirable properties can therefore be deduced for a digital signature:

- The signature is message dependent;
- Only the originator of an electronic message can compute the correct digital signature;
- Anyone who receives a message and a digital signature can verify the signature and consequently be certain of the origin and integrity of the message.

This is where the one-way function enters. The one-way function can make a unique fingerprint of a message. This unique fingerprint is then encrypted with the trap-door one-way function. This is called the digital signature. The signature is message dependent because of the unique digital fingerprint, and it is uniquely bound to the issuer because of the encryption with the unique private key.

For our scenarios we suppose that A and B (also known as Alice and Bob) are two users of a public-key cryptosystem. If we denote $E_X$ as the encryption key of $X$, then we will distinguish the encryption and decryption procedures of A and B with: $E_A, D_A, E_B, D_B$.

If Alice wants to send a signed message to Bob, then the digital signature, as shown in fig 2.5, is computed as follows:

- Of the plaintext a unique fingerprint is calculated with the help of a one-way function, $H(P)$.
- The result of the calculation is then "signed" with her private key $D_A$. Thus the digital signature now consists of: $D_A(H(P))$.
- Alice then sends the plaintext, $P$, along with her signature, $D_A(H(P))$, to Bob.

Bob will do the following after receiving the message:

- Of the plaintext he will calculate the unique fingerprint with the help of the same one-way function, $H(P)$.
- He will then decrypt the unique fingerprint with the help of the public key of Alice, $E_A$, which is available in the public file: $E_A(D_A(H(P)))$.
- Bob will then compare the value of his calculation with the value calculated by Alice. If the two match then the message has been signed by Alice and the message is unaltered.


Figure 2.5: Digital signature attached to plaintext

Alice cannot later deny having sent message $P$, because only she could have signed the message. Furthermore, she, or anyone else, cannot modify plaintext $P$ because a message $P'$ would produce a different signature.

Bob on the other hand cannot use the signature for any other message because it is unique.

2.9 Public key encryption can provide secure solutions

To prove that public key encryption can provide a solution for secure information transfer the following subsections will show how the quality aspects, as stated in section 2.1, can be complied with. This will only include those issues that involve the transfer of information across an open network. Issues involving the safe usage will not be dealt with at this point.

2.9.1 Authentication and safe usage

If it can be assured that the private key of a person only stays with one person and this person is the only one having access to this key, then the following occurs: because that person is the only person in the possession of the private key, only he could have made such a message. Because the private key is uniquely linked with the corresponding public key, the message is unique if they link by decrypting it with the accompanying public key. The message must then also have been written by this person. Thus the authentication is met.

2.9.2 Non-repudiation of delivery

Because the document has properties that make it authentic, the non-repudiation of delivery is met. If someone can produce a document which is authentic then the non-repudiation of delivery is proved.


2.9.3 Non-repudiation of receipt

Non-repudiation of receipt is a difficult aspect. When has a message been received? It can only be proven if a confirmation is sent which states that the message has been received. Thus a confirmation should be sent that has been encrypted with the private key of the receiving party, or in other words a signed confirmation should be sent.

2.9.4 Content integrity

Because the message is encrypted it cannot be read by other people, and the contents cannot be changed because otherwise the content will become meaningless. Thus if the message is readable then the contents are also intact.

2.9.5 Confidentiality

If Alice wants to send a confidential message to Bob then she will do the following:

- Retrieve the public key of Bob from the public file, $E_B$.
- Encrypt the plaintext, $P$: $E_B(P)$.
- Send the encrypted message to Bob.

When Bob receives the message he will decipher the message by computing $D_B(E_B(P))$. By property 3 of the public-key cryptosystem⁴ only he can decipher the message because he is the only person in the possession of the private key. He can also encipher a private response with $E_A$, which is also available in the public file.

The beauty of the system is that no prior contact is necessary to establish private communication⁵.

2.9.6 Drawback of public key cryptography

An "RSA operation," whether for encrypting or decrypting, signing or verifying, is essentially a modular exponentiation, which can be performed by a series of modular multiplications. These multiplications require a considerable amount of time compared to symmetric encryption techniques such as DES. By comparison, DES is much faster than RSA. In software, DES is generally at least 100 times as fast as RSA. In hardware, DES is between 1,000 and 10,000 times as fast [RSA96].

Nevertheless, public-key cryptography can be combined with secret-key cryptography to get the best of both worlds.

2.9.7 Digital envelope

To increase the speed of encryption, the best solution is to combine public and secret key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems.

This can be achieved in the following way:

1. A symmetric key is generated;

2. The symmetric key is then used to encrypt the bulk of a file or message;

3. The symmetric key is then encrypted with the help of the public key system;

4. A digital signature is then made of both the ciphertext and the symmetric key;

5. The ciphertext, the encrypted symmetric key and the digital signature are then put together in what is known as a digital envelope.

⁴ By publicly revealing $E$ the user does not reveal an easy way to compute $D$, see section 2.7.
⁵ A few questions still remain unanswered. For instance one of the problems remaining that will be tackled, in chapter 3, concerns the validity and authenticity of the public key.

This can be seen in figure 2.6.

Figure 2.6: Digital envelope

The advantage is speed. Symmetric key encryption is much faster than public key encryption. Because both systems are equally "strong" in terms of security the combined system is both secure and fast.
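The properties (2.4) and (2.5) of section 2.7, the sign-and-verify procedure of section 2.8 and the five envelope steps above, worked through in one added example (not the thesis's own code). Textbook RSA on fixed Mersenne primes, SHA-224 as the one-way function H and a SHA-256 keystream standing in for DES are all assumptions made here for illustration only.

```python
import hashlib
import secrets

# Toy RSA key pairs built from fixed Mersenne primes (2^127-1 and 2^107-1 for
# Alice, 2^521-1 and 2^61-1 for Bob). This is an assumption for illustration:
# real keys use freshly generated primes of 1024 bits or more.
def make_keypair(p, q, e=65537):
    """Return (E, D): public and private key, each as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # e is coprime with phi(n) for these primes
    return (e, n), (d, n)

def rsa(key, x):
    """One 'RSA operation' (section 2.9.6): a single modular exponentiation."""
    exponent, n = key
    return pow(x, exponent, n)

ALICE_PUBLIC, ALICE_PRIVATE = make_keypair((1 << 127) - 1, (1 << 107) - 1)
BOB_PUBLIC, BOB_PRIVATE = make_keypair((1 << 521) - 1, (1 << 61) - 1)

def fingerprint(message):
    """One-way function H: fixed-length digest of arbitrary-length input.
    SHA-224 is chosen so that H(P) is always smaller than both toy moduli."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")

def sign(private_key, message):
    """Digital signature D_A(H(P)) of section 2.8."""
    return rsa(private_key, fingerprint(message))

def verify(public_key, message, signature):
    """Bob's check: E_A(D_A(H(P))) must equal the H(P) he computes himself."""
    return rsa(public_key, signature) == fingerprint(message)

def symmetric_xor(session_key, data):
    """Stand-in for a symmetric cipher such as DES: XOR with a SHA-256 keystream
    in counter mode. As in section 2.6, one key both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def _signed_part(ciphertext, wrapped_key):
    # Step 4 signs the ciphertext together with the encrypted symmetric key.
    return ciphertext + wrapped_key.to_bytes(128, "big")

def seal(sender_private, recipient_public, plaintext):
    """Build a digital envelope following steps 1 to 5 of section 2.9.7."""
    session_key = secrets.token_bytes(16)                                    # 1
    ciphertext = symmetric_xor(session_key, plaintext)                       # 2
    wrapped_key = rsa(recipient_public, int.from_bytes(session_key, "big"))  # 3
    signature = sign(sender_private, _signed_part(ciphertext, wrapped_key))  # 4
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key,            # 5
            "signature": signature}

def open_envelope(recipient_private, sender_public, envelope):
    """Check the signature before anything else; None means the envelope was altered."""
    ciphertext, wrapped_key = envelope["ciphertext"], envelope["wrapped_key"]
    if not verify(sender_public, _signed_part(ciphertext, wrapped_key), envelope["signature"]):
        return None
    session_key = rsa(recipient_private, wrapped_key).to_bytes(16, "big")
    return symmetric_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"Transfer 100 guilders to account 12-34-56"  # constructed sample
    m = 123456789
    # Properties (2.4) and (2.5): D(E(P)) = P and E(D(P)) = P.
    print(rsa(ALICE_PRIVATE, rsa(ALICE_PUBLIC, m)) == m,
          rsa(ALICE_PUBLIC, rsa(ALICE_PRIVATE, m)) == m)
    sig = sign(ALICE_PRIVATE, msg)
    print("signature verifies:", verify(ALICE_PUBLIC, msg, sig))
    print("altered text verifies:", verify(ALICE_PUBLIC, msg + b"0", sig))
    env = seal(ALICE_PRIVATE, BOB_PUBLIC, msg)
    print("Bob reads:", open_envelope(BOB_PRIVATE, ALICE_PUBLIC, env))
```

Because the signature covers the ciphertext and the wrapped key, any change to either part is caught before Bob decrypts anything.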

2.10 Summary

In this chapter it was first stated what security should involve. This was built up of the requirements that should be met. Secondly a short introduction into symmetric key encryption was given and an introduction into public key encryption. Third it was shown how a digital signature is made. Finally it was shown that the requirements as stated at the start of the chapter were fulfilled apart from the safe usage.

Technically there thus exists a way to secure information sent across the Internet. Issues that will however have to be resolved include safe usage of keys.


Chapter 3 Public Key Infrastructure

As shown in the previous chapter, the requirements for secure information transfer can be achieved with the help of public key encryption.

These requirements, that have already been stated in the previous chapter, are stated below:

1. Authentication of sender and receiver

2. Non-repudiation of delivery and receipt

3. Content integrity

4. Confidentiality

The basis for the secure information transfer consists of the private/public key-pair. The private key is only known by the owner and the public key is made available to other users who need to have this key.

At this point users are exchanging their public keys somehow. They then securely exchange a message by encrypting the messages with help of the public key they somehow obtained. This leaves a few questions unanswered. To guarantee a proper working of the public private key system, several requirements have to be assured. Requirements that have to be assured are:

- A person/entity should be able to securely retrieve the public key of another person/entity and be assured that the public key he obtained is the public key of that person;
- A person/entity should be able to securely assess the validity of the public key of another person/entity.

This chapter will explain how these requirements can be met and what procedures are required.


3.1 Management of public keys

To avoid tampering with public keys the public keys are placed in a file that is digitally signed by what is known as a trusted party¹. The name and public key of a person/entity together with the digital signature of the trusted party is called a Certificate.

"A certificate is a digital document attesting to the binding of a public key to an individual or other entity" [RSA96].

Once signed by a trusted person, a certificate is secured against tampering and can be distributed by disk, network or even written on a piece of paper. A common procedure is to have a certificate server connected to a network. This can be seen in figure 3.1. The certificates are stored on a server connected to a network from which they can be obtained.

Figure 3.1: Certificate server connected to network

If users now wish to communicate privately then they can do so by first exchanging their certificates. Because the certificates are digitally signed by a trusted party that both users trust, they can be freely distributed without being tampered with unnoticed. Any change will be made visible with the help of the digital signature that has been attached.

Verifying the certificate can be done by anyone who is in the possession of the certificate of the trusted party. With the certificate of the trusted party, a person can check the certificate and thus check the digital signature for correctness.

¹ A trusted party is a person or object that has certain properties that make it 'trusted'. This issue will become more clear in the following sections.


3.1.1 Contents of a certificate

Because the certificate is so important for authentication, defining meaningful contents of a certificate is essential. As a minimal requirement of the contents of the certificate, one can think of the items listed in table 3.1.

Name of the field   Contents and functions
Name                Distinguished name of the authenticated subject or entity
Key                 Subject or entity's public key information: algorithm, parameter, key
Signature           Overall signature by the certification authority. The signature of the certification authority binds the public key to the entity's name

Table 3.1: Minimum contents of a certificate

An essential, but difficult task is to assign meaningful content to the name, or to give a distinguished name. In practice it proves hard to give meaningful content. A name should give a unique binding to an entity².

A well known system that uses the public key encryption technique and certificates is Pretty Good Privacy or PGP.

3.2 Pretty Good Privacy

PGP is a milestone in the history of cryptography, because for the first time it made cryptography accessible to the wide mass of the privacy hungry on-line public.

PGP was created primarily for encrypting e-mail messages using public or conventional key cryptography. The latter is used mainly to encrypt local files. With public key cryptography, PGP first generates a random symmetric session key and encrypts the plaintext with this key. The session key along with the ciphertext are then encrypted using the recipient's public key and then forwarded to the recipient³.

Other features include generating message digests, generating digital signatures, management of personal "key rings⁴" and distributable public key certificates. It is also designed to work off-line to facilitate e-mail and file encryption, rather than on-line transactions [AR96].

3.2.1 Certification with PGP

PGP uses the "web of trust" approach to generate secure certificates. In this approach, there are no central authorities which everybody trusts, but instead, individuals sign each other's key and progressively form a web of individual public keys interconnected by links formed by these signatures.

² This will be further clarified in chapter 5.
³ This is also called a digital envelope as explained in the previous chapter.
⁴ A key ring is a list of certificates of other persons. Before communicating with other people the certificates of those other people have to be obtained and stored for later use. This is called a "key ring".


In this method if Alice trusts Bob and Bob trusts Carol then Alice will trust Carol because she trusts Bob. More formally, if we use the notation $A \to B$ to denote that Alice trusts Bob, then the following occurs:

$A \to B \;\wedge\; B \to C \;\Rightarrow\; A \to (B \to C) \;\Rightarrow\; A \to C$ \quad (3.1)

3.2.2 Trustworthiness of public-key certificates

The certificates within the PGP infrastructure are further refined by adding extra information concerning the trustworthiness of the certificate and the trustworthiness of the certificate to introduce another certificate.

There are roughly three categories of confidence in a certificate defined in PGP. These are as follows [AR96]:

1. undefined, we cannot say whether this public key is valid or not;

2. marginal, this public key may be valid but we cannot be too sure;

3. complete, we can be wholly confident that this public key is valid.

The confidence in certificates is further extended by adding information concerning the trust in a certificate to introduce another certificate. More formally, if Alice trusts Bob this does not automatically mean Alice will trust Carol because Bob does, or:

$A \to B \;\wedge\; B \to C \;\nRightarrow\; A \to C$ \quad (3.2)

These trust levels have been divided into four levels:

1. full, this public-key is fully trusted to introduce another public-key;

2. marginal, this public-key can be trusted to introduce another public-key, but it is uncertain whether it is fully competent to do that;

3. untrustworthy, this public-key should not be trusted to introduce another, therefore any occurrence of this key as a signature on another public-key should be ignored;

4. don't know, there are no expressions of trust made about this public-key.

Introducing concepts such as trustworthiness and trust as to whether a certificate can introduce another certificate cannot overcome the problems associated with finding out whether a certificate is authentic and the contents are correct. This lack of fixed or formal certification paths means that the uncertain authenticity of any PGP key certificate becomes a rather significant matter [AR96].

Thus the use of PGP is limited to a small community of users that 'know' each other. For business practices this does provide a good solution. Furthermore it does not provide for a solid basis in case of a legal dispute.
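An added example (not PGP's own code) of how a key ring could derive the validity of each key from the signatures on it and the owner's introducer trust levels of section 3.2.2, reproducing (3.1) and (3.2); the combining rule used here (one fully trusted introducer or two marginally trusted ones make a key complete) and the sample key ring are assumptions.

```python
# Validity of a key ("confidence", section 3.2.2) and trust in its owner as an
# introducer, as in a PGP-style web of trust. The rule that one fully trusted
# or two marginally trusted introducers make a key complete is an assumed default.
UNDEFINED, MARGINAL_VALID, COMPLETE = "undefined", "marginal", "complete"
FULL, MARGINAL, UNTRUSTWORTHY, DONT_KNOW = "full", "marginal", "untrustworthy", "don't know"

def key_validity(owner, signatures, trust):
    """signatures: key -> set of keys that signed it; trust: key -> introducer
    trust level assigned by the owner of the key ring. Returns key -> validity."""
    keys = set(signatures) | {owner}
    for signers in signatures.values():
        keys |= signers
    validity = {k: UNDEFINED for k in keys}
    validity[owner] = COMPLETE             # the owner's own key is always valid
    trust = {**trust, owner: FULL}         # and fully trusted as an introducer
    changed = True
    while changed:                         # propagate until a fixed point is reached
        changed = False
        for key, signers in signatures.items():
            if key == owner:
                continue
            # Only signatures by keys that are themselves valid count, and
            # untrustworthy or "don't know" introducers are ignored (section 3.2.2).
            full = sum(1 for s in signers
                       if validity[s] == COMPLETE and trust.get(s) == FULL)
            marginal = sum(1 for s in signers
                           if validity[s] == COMPLETE and trust.get(s) == MARGINAL)
            if full >= 1 or marginal >= 2:
                new = COMPLETE
            elif marginal == 1:
                new = MARGINAL_VALID
            else:
                new = UNDEFINED
            if new != validity[key]:
                validity[key] = new
                changed = True
    return validity

# Constructed key ring of Alice: which keys carry whose signature.
SIGNATURES = {
    "bob": {"alice"},          # Alice signed Bob's key herself
    "carol": {"bob"},          # Bob introduces Carol
    "erin": {"alice"},
    "dave": {"bob", "erin"},   # Dave is introduced by Bob and by Erin
    "mallory": {"alice"},
    "frank": {"mallory"},      # Frank is introduced only by Mallory
}

if __name__ == "__main__":
    # (3.1): Alice trusts Bob fully, so Bob's signature makes Carol's key valid.
    print(key_validity("alice", SIGNATURES,
                       {"bob": FULL, "erin": MARGINAL, "mallory": UNTRUSTWORTHY}))
    # (3.2): without introducer trust in Bob, Carol's key stays undefined.
    print(key_validity("alice", SIGNATURES, {"bob": DONT_KNOW}))
```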


3.3 Trust infrastructure

Trust can be defined as:

"the confidence in a person or thing because of the qualities one perceives or seems to perceive in him or it" [Lex].

Currently PGP communication partners are able to exchange keys that allow for trusted communication within a small community. But they are not in the position to authenticate unknown partners, especially in an open infrastructure with communication partners previously unknown.

In an open and large-scale network, it is impractical and unrealistic to expect each user to have previously established personal or physical relationships with all the expected communication partners [Poh97].

To establish a trusted communication path in a modern communication infrastructure, a sender of an object, a message or a data file, must be able to identify and authenticate the receiver, the business or communication partner, reliably without having to meet him personally in order to trust him.

3.3.1 Trusted Third Party

The generally accepted way today to authenticate a new communication partner or a new receiving entity is to authenticate him by a third authority or party. This concept allows that two individuals implicitly trust each other although they have not previously established a personal relationship. This is shown in figure 3.2. In this scenario, the guarantee for the correct identity is provided by a third party that assures to each of the communication partners that the other partner is authentic, or more formally:

$A \to T \;\wedge\; T \to B \;\Rightarrow\; A \to B$ \quad (3.3)

where $T$ denotes the third party.

Such a party that has to be trusted by all the other entities participating in the information exchange is called a Trusted Third Party (TTP). Because a TTP issues certificates it is often referred to as a Certification Authority or CA.

Figure 3.2: Generating trust with a Trusted Third Party


3.3.2 Actors within a TTP-model

For a clear understanding of the TTP model, all the actors involved will first be explained [AF98]:

- End-Entity. This term is used to refer to the entity named in the subject field of a certificate. It is important to note that the end entities here will include not only human users of applications, but also applications themselves (e.g., for IP security);
- CA or Certification Authority. We use the term CA to refer to the entity named in the issuer field of a certificate. The certification authority (CA) may or may not actually be a real "third party" from the end entity's point of view. Quite often, the CA will actually belong to the same organization as the end entities it supports;
- RA or Registration Authority. In addition to end-entities and CAs, many environments call for the existence of a Registration Authority (RA) separate from the Certification Authority. The functions that the Registration Authority may carry out will vary from case to case but may include personal authentication, token distribution, revocation reporting, name assignment, key generation, archival of key pairs, et cetera.

3.3.3 Services of a trust infrastructure

As stated before, one of the services of a Trusted Third Party will be to attest to the identity of a user. This attestation will be given in the form of issuing a certificate that has been signed with the private key of the CA.

Other services that must be carried out by the TTP include storing, distributing, updating and revoking certificates and, one of the more important services, attesting to the validity of a certificate. These issues will be explained in the next sections.

3.3.3.1 Issuing certificates

A certificate authority issues certificates for an entity. By issuing a certificate, the CA attests to the certificate as being trustworthy. Depending on the practices carried out by the CA to ensure the contents of the certificate, certain assumptions can be made about these contents.

To improve the trustworthiness of a certificate extra information can be added. In table 3.1.1 the minimum contents of a certificate were given.

According to German law the contents of a certificate should include [FMoET97]:

- the name of the owner of the signature key, to which additional information must be appended in the event of possible confusion;
- the public signature key assigned;
- the names of the algorithms with which the public key of the owner of the signature key and the public key of the certification authority can be used;
- the serial number of the certificate;
- the beginning and end of the validity period of the certificate;
- the name of the Certification Authority; and
- an indication as to whether use of the signature key is restricted in type or scope to specific applications.

The first item already poses some questions: "the name of the owner to which additional information must be appended in the event of possible confusion". A name can hardly be unique, so extra information will almost certainly have to be given. This information could take the form of a social security number, a credit card number, or maybe even a photograph in JPEG format, et cetera. It could also concern the owner's employment: company name, function or even creditworthiness. Whatever is placed in a certificate is disclosed to every party the certificate is presented to, so identifying data such as a social security or credit card number should only be included where that disclosure is acceptable.

3.3.3.2 Distributing certificates

Because a certificate has been signed by the TTP, any tampering with it can be detected by anyone holding the CA's public key. The distribution channel therefore does not have to protect the certificate's integrity or confidentiality: a certificate can be sent by ordinary e-mail or stored in a publicly available file.

3.3.3.3 Validating certificates

An important issue concerning certificates is the validity of each certificate. Trusting a certificate while the owner may have lost the private key or the contents have become obsolete should be prevented. A common procedure is the issuance of a Certificate Revocation List or CRL.

A CRL is a list issued by a CA that contains all certificates issued by that CA that have been revoked, identified by their serial numbers. An entity wishing to check the status of a certificate has to retrieve the CRL and check whether the certificate is on this list or not.

One of the problems concerning the CRL is the time gap between a certificate being revoked and the next CRL being issued. A relying party that has cached a CRL keeps accepting the certificate until it fetches a newer CRL in which the revocation appears, so there can be a considerable time between a certificate being revoked and a person being able to verify this. In cases of the transfer of highly sensitive information this can be considered not secure enough. Another problem concerns the sheer size of the CRL. The list can grow significantly as the number of revoked certificates increases.

This has given rise to another method of checking the status of a certificate, the Online Certificate Status Protocol or OCSP. OCSP gives real-time information concerning the status of a certificate. The following statuses can be given: notRevoked, revoked, onHold and expired. (In the protocol as later standardized in RFC 2560 the response statuses are good, revoked and unknown; a certificate on hold is reported as revoked with reason code certificateHold, and expiry is checked by the relying party against the certificate's own validity period.)
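The two status-checking procedures described above (a periodically published CRL and an on-line responder), as an added example that is not part of the thesis. The class and function names (StatusResponder, status_from_crl, revocation_gap_scenario), the example CA name and the timeline are constructed for this illustration; the block runs on the Python standard library only and deliberately skips signature verification of the CRL and of the responder's answers, which a real relying party must perform before trusting either.

```python
"""Certificate status checking: a periodically published CRL versus an
on-line status responder.  Added example, not code from the thesis.
Certificates, the CRL and the responder's database are constructed
in-memory records; a real implementation parses X.509 CRLs and OCSP
responses and verifies the CA's signature on them first."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Signed list of revoked serial numbers, issued at this_update.
    A relying party may keep using a cached copy until next_update, so a
    revocation that happens in between is invisible until the CA republishes."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)    # serial -> (time, reason)


class StatusResponder:
    """Stand-in for an OCSP-like responder: answers from the CA's current
    revocation database instead of from a periodically published list."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.db = {}                                  # serial -> (time, reason)

    def revoke(self, serial, when, reason="keyCompromise"):
        self.db[serial] = (when, reason)

    def status(self, cert, now):
        # Status names follow the set listed in the thesis (notRevoked,
        # revoked, onHold, expired); RFC 2560 uses good/revoked/unknown.
        if cert.issuer != self.issuer:
            return "unknown"                          # not issued by this CA
        if not (cert.not_before <= now <= cert.not_after):
            return "expired"
        entry = self.db.get(cert.serial)
        if entry is None:
            return "notRevoked"
        _when, reason = entry
        return "onHold" if reason == "certificateHold" else "revoked"


def status_from_crl(cert, crl, now):
    """Status as a relying party sees it using only a cached CRL."""
    if cert.issuer != crl.issuer:
        raise ValueError("CRL was not issued by the certificate's issuer")
    if now > crl.next_update:
        return "staleCRL"            # refuse to decide on an out-of-date list
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    return "revoked" if cert.serial in crl.revoked else "notRevoked"


def revocation_gap_scenario():
    """Constructed timeline: CRL issued at t0, key compromise two hours later,
    status checked one day later, CA republishes the CRL a week after t0."""
    t0 = datetime(1999, 4, 11, 9, 0)
    ca = "CN=Example CA"
    cert = Certificate(1001, ca, t0 - timedelta(days=30), t0 + timedelta(days=335))
    crl_t0 = CRL(ca, t0, t0 + timedelta(days=7))
    responder = StatusResponder(ca)

    t_revoke = t0 + timedelta(hours=2)
    responder.revoke(cert.serial, t_revoke)           # reported as compromised
    t_check = t0 + timedelta(days=1)

    t_republish = t0 + timedelta(days=7)
    crl_t7 = CRL(ca, t_republish, t_republish + timedelta(days=7),
                 {cert.serial: (t_revoke, "keyCompromise")})

    on_hold = StatusResponder(ca)
    on_hold.revoke(cert.serial, t_revoke, reason="certificateHold")

    return {
        "crl_one_day_after_revocation": status_from_crl(cert, crl_t0, t_check),
        "responder_one_day_after_revocation": responder.status(cert, t_check),
        "crl_after_republish": status_from_crl(cert, crl_t7, t_republish),
        "cached_crl_past_next_update":
            status_from_crl(cert, crl_t0, t_republish + timedelta(days=1)),
        "responder_hold": on_hold.status(cert, t_check),
        "responder_after_expiry": responder.status(cert, t0 + timedelta(days=400)),
    }
```

The scenario makes the time-gap argument concrete: one day after the key is reported compromised the cached CRL still answers notRevoked while the responder already answers revoked, and only after the CA republishes does the CRL agree. Refusing to decide on a CRL past its next_update (staleCRL) is the safe choice; silently treating it as "not on the list" reopens the gap indefinitely.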

3.3.3.4 Revoking a certificate

A user whose private key has been compromised should revoke his certificate to stop any misuse. Procedures have to be set up specifying under which conditions a certificate can be revoked, who has the authority to do so, what further measures have to be taken and what legal consequences this can have.

Thus the time gap between the revocation request and the actual moment of revocation is very important: the longer the gap, the more damage can be done. The CRL, and the time between CRL updates, thus becomes very important.

These functions as explained above can be seen in figure 3.3. This figure has been divided into PKI users and PKI management entities, thus making a distinction between management and end users. The items have been numbered and have the following functions [AF98]:

Figure 3.3: Trust infrastructure [AF98]

1. Out-of-band publication. The CA will have to make its certificate public. With this certificate end-entities can securely send a message to a CA, for instance a request for a certificate⁵;

2. Out-of-band loading. The end-entity will have to securely obtain the certificate of the CA. This will allow him to send a secure message to the CA to request a certificate;

⁵ Out-of-band publication refers to the fact that there is not one special way to publish a CA certificate. Publication can thus occur by newspaper, diskette or network, or the certificate can be incorporated into a web browser, as is very often the case with Netscape and Internet Explorer.


3. This step has multiple actions, these include:

(a) Initial registration/certification. This is the process whereby an end entity first makes itself known to a CA or RA, prior to the CA issuing a certificate or certificates for that end entity. The end result of this process (when it is successful) is that a CA issues a certificate for an end entity's public key, and returns that certificate to the end entity and/or posts that certificate in a public repository. This process may, and typically will, involve multiple "steps", possibly including an initialization of the end entity's equipment. For example, the end entity's equipment must be securely initialized with the public key of a CA, to be used in validating certificate paths. Furthermore, an end entity typically needs to be initialized with its own key pair(s);

(b) Key pair update. Every key pair needs to be updated regularly (i.e., replaced with a new key pair), and a new certificate needs to be issued;

(c) Certificate update. As certificates expire they may be "refreshed" if nothing relevant in the environment has changed;

(d) CA key pair update. As with end entities, CA key pairs need to be updated regularly; however, different mechanisms are required;

4. Publication of the certificates. Having gone to the trouble of producing a certificate, some means for publishing it is needed. This could include a certificate server that is attached to a network;

5. Certain functions of the CA can be conducted by the RA. These include those stated in item 3;

6. Publication of the certificates. This is the same as stated previously;

7. CRL publication. If a certificate somehow becomes compromised this will have to be made known. This is done with the CRL publication, which is updated periodically;

8. Cross-certification and cross-certification update. If a user wishes to communicate with another person that has a certificate issued by another CA (call it CA₂), then a cross-certificate can be made that will allow an end-entity to verify the certificates issued by CA₂.

All the services and operations stated above are part of key management.

3.4 Types of TTP

A distinction can be made between three types of TTPs, as shown in figure 3.4:

1. Off-line TTP. An off-line TTP does not interact with the user entities during the process of the given security service. Instead the interaction to provide, or register, security-related information is carried out off-line as a separate interaction. The results of such an interaction may be cached and reused to avoid having to communicate with the server each time communication is initiated;


Figure 3.4: Different types of TTPs

2. On-line TTP. An on-line TTP is requested by one or both entities in real time to provide, or register, security-related information. Such a TTP is not in the communications path between the two entities;

3. In-line TTP. An in-line TTP is positioned in the communication path between the entities. Such an arrangement allows the TTP to offer a wide range of security services directly to users. Since the TTP interrupts the communication path, different security domains can exist on either side of it.

3.5 Public Key Infrastructure (PKI) Models

There are two principal PKI models, the "Open PKI Model" and the "Closed PKI Model" [McC97].

3.5.1 Open PKI Model

The Open PKI Model is a public model in which a CA provides "generic" all-purpose digital certificates to the subscriber. The relationship with the individual requesting the digital certificate is typically minimal and the subscriber vouches for her own identity. The issued digital certificate does not provide the recipient with much information about the certificate holder.

3.5.2 Closed PKI Model

Under the Closed PKI model, digital certificates are issued for a specific purpose by an organization or business that has an established relationship with the subscriber (such as an employer issuing digital certificates to its employees). The business or organization determines the verification level⁶ necessary for issuing the digital certificate, depending on its intended use. The specific use for which the digital certificate is issued could be things such as electronic payments or secure network access.

⁶ For example VeriSign, currently one of the major issuers of digital certificates, supports three distinct certificate classes. Each class provides for a designated level of trust. The differences concern the amount of verification before the certificate is issued. For example, Class 1 certificates confirm that a user's name (or alias) and e-mail address form an unambiguous subject name within the VeriSign repository, whereas Class 3 certificates provide important assurances of the identity of individual subscribers by requiring their personal (physical) appearance before a Class 3 LRA or its delegate (such as a notary) [Ver97].

3.6 Certification practice statement

Different security requirements call for different security measures. The transfer of one million dollars is probably a more sensitive information transfer than a simple happy birthday message to a friend.

The most common procedure to check for "trustworthiness" is to check the policy statement of the TTP. This is usually referred to as the Certification Practice Statement or CPS.

"A Certification Practice Statement is a statement of the practices which a certification authority employs in issuing certificates" [Ass96].

Reading a CPS gives information concerning the operations of a CA, most often the practices conducted by the CA. It can be seen as a contract between an end-entity and a CA.

Trusted Third Parties can be established independently for different applications, business sectors or geographical regions. However there is a need for cooperation if an information exchange between these different areas is required, as, for example, for electronic commerce. The technical basis for this cooperation is called a trust infrastructure [Poh97].

This trust infrastructure can only be established if the same practices are implemented at both TTPs. If differences exist in the interpretation of names or functions then the trustworthiness is in jeopardy. Thus the CPSs of two TTPs willing to cooperate should be equal. Equal policies can make a partnership possible. A method to achieve this is with the help of a Policy Authority.

3.6.1 Policy Authority

To grant trust to the users of a trust infrastructure, it is necessary to establish trustworthy TTPs. Otherwise the users may not be sure that they know either the user they communicate with or the TTP that issued the certificate for the corresponding user [Poh97]. A method to achieve this is to establish a policy certification authority. A policy authority could certify a TTP and issue a certificate that authorizes the TTP.

The following types of authorities can be distinguished [Poh97]:

- Policy Approval Authority (PAA). An authority which establishes the overall infrastructure security policy and creates guidelines that all subordinate entities must follow. The PAA also acts as a root certification authority, issuing certificates for the next tier of certification authorities (PCAs).
- Policy Certification Authority (PCA). An authority which establishes policy for a single organization or single community of interest. A PCA also acts as a certification authority for the next tier of certification authorities (CAs).
- Certification Authorities (CA). An authority trusted by one or more users to create, assign and issue public verification key certificates to end entities and other certification authorities, by binding the public key and an entity (possibly an individual) by name. Optionally the certification authority may create the user's keys. Certification authorities issue certificate revocation lists periodically, and post certificates and certificate revocation lists to a repository.
- Registration Authority (RA). An entity that acts as an intermediary between the CA and a prospective certificate subject; the CA trusts the RA to verify the subject's identity and that the subject possesses the private key corresponding to the public key to be bound to that identity in a certificate.

These actors can be seen in figure 3.5. In this figure there is a Policy Approval Authority that issues the general guidelines. Those complying with the overall guidelines form a Policy Certification Authority that establishes policy for single organizations or communities that have the same interest, such as hospitals, banks, et cetera. Different CAs that comply with these policies can then be formed. The actual registration can then be performed by an internal registration authority within a company.

Figure 3.5: Hierarchical Trust Model [Poh97]

Once the policy is approved, alliances can be formed. This can be done in several ways, as shown in figure 3.6. These may include [Poh97]:

- Single Centralized Authority. A centralized architecture consists of only one centralized authority. Such a centralized authority is relatively inflexible and does not scale well in an environment where different sectors, different application areas and different countries might be involved. It also seems difficult for political reasons to promote such a centralized authority if different member states are involved.
- Hierarchical Certificate Model. Authorities are arranged hierarchically under a "root" certification authority that issues certificates to subordinate certification authorities. These certification authorities may in turn issue certificates to subordinate certification authorities, or to users. Every user knows the public key of the root certification authority, and any user's certificate may be verified by verifying the certification path that leads back to the root certification authority.
- Network Certificate Model. Independent certification authorities cross-certify each other, resulting in a general network of trust relationships between certification authorities. A user knows the public key of a certification authority near himself, generally the local certification authority that issued his certificate, and verifies certificates by verifying a certification path that leads back to that trusted certification authority.
- Hybrid Certificate Model. The hierarchical and network trust infrastructure architectures are not mutually exclusive. The following is a hybrid certification path architecture: there will be a hierarchical path of certificates leading from the root certification authority to its subordinate certification authorities, and from each of these certification authorities to their subordinates, and so on, until every end user is issued a certificate with a certification path from the root certification authority. Each certification authority will have a single parent. In parallel to the certificates hierarchically linking certification authorities to the root will be cross-certificate pair attributes also linking those certification authorities. These parallel cross-certificate pairs are required. This will allow client applications that perform certification path verification from the verifier's parent certification authority, using the cross-certificate pair directory attribute, to operate from any certification authority. Certification authorities may cross-certify each other along paths that do not parallel the hierarchy.
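The hierarchical and network models above, and the cross-certification step of section 3.3, as an added example that is not from the thesis: a small constructed PKI with a root, two subordinate CAs, one user under each and a cross-certificate from CA-A to CA-B, with a path finder that validates the chain back to whichever CA a relying party anchors on. All names (Root, CA-A, CA-B, alice, bob, mallory), the functions find_path and trust_model_scenario and the key pairs are assumptions for this illustration; the signature scheme is textbook RSA over a SHA-256 digest with small moduli and no padding, used only so that the path logic checks real signatures, and must not be taken as a secure signing routine.

```python
"""Certification path validation under the hierarchical model (every user
trusts the root) and the network model (a user trusts the local CA that
issued his own certificate and relies on cross-certificates).  Added
example, not code from the thesis.  Signatures are textbook RSA over a
SHA-256 digest with small constructed keys so the block runs on the
standard library only; a toy for the path logic, not a secure scheme."""
import hashlib
from dataclasses import dataclass


def toy_keypair(p, q, e=17):
    """Textbook RSA key pair from two primes (constructed, insecure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))             # (public, private)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def tbs_bytes(subject, issuer, pub):
    """The 'to be signed' fields of a certificate, serialized."""
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple                                      # subject's public key
    sig: int                                        # issuer's signature

    def tbs(self):
        return tbs_bytes(self.subject, self.issuer, self.pub)


def issue(issuer, issuer_priv, subject, subject_pub):
    return Cert(subject, issuer, subject_pub,
                sign(issuer_priv, tbs_bytes(subject, issuer, subject_pub)))


def find_path(target, anchors, certs):
    """Return a verified chain as 'issuer->subject' links from a trust anchor
    down to `target`, or None.  `anchors` maps a trusted CA name to its
    public key: the root in the hierarchical model, the user's own CA in the
    network model.  A cross-certificate is just a cert whose subject is
    another CA, so the same walk serves both models."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)

    def walk(cert, seen):
        if cert.issuer in anchors:                  # reached a trust anchor
            ok = verify(anchors[cert.issuer], cert.tbs(), cert.sig)
            return [cert] if ok else None
        for parent in by_subject.get(cert.issuer, []):
            if parent.subject in seen:              # avoid cross-cert cycles
                continue
            if not verify(parent.pub, cert.tbs(), cert.sig):
                continue                            # wrong or forged signature
            path = walk(parent, seen | {parent.subject})
            if path:
                return path + [cert]
        return None

    for cert in by_subject.get(target, []):
        path = walk(cert, {target})
        if path:
            return [f"{c.issuer}->{c.subject}" for c in path]
    return None


def trust_model_scenario():
    """Constructed PKI: root with two subordinate CAs, one user under each,
    plus a forged certificate that claims CA-A as issuer."""
    root_pub, root_priv = toy_keypair(65521, 65537)
    a_pub, a_priv = toy_keypair(104729, 999983)
    b_pub, b_priv = toy_keypair(1000003, 1299709)
    alice_pub, _ = toy_keypair(15485863, 2147483647)
    bob_pub, _ = toy_keypair(100000007, 1000000007)
    mal_pub, mal_priv = toy_keypair(10000019, 1000000009)

    certs = [
        issue("Root", root_priv, "CA-A", a_pub),
        issue("Root", root_priv, "CA-B", b_pub),
        issue("CA-A", a_priv, "alice", alice_pub),
        issue("CA-B", b_priv, "bob", bob_pub),
        Cert("mallory", "CA-A", mal_pub,             # forged: signed by Mallory
             sign(mal_priv, tbs_bytes("mallory", "CA-A", mal_pub))),
    ]
    cross = issue("CA-A", a_priv, "CA-B", b_pub)    # CA-A cross-certifies CA-B
    hierarchical = {"Root": root_pub}
    network = {"CA-A": a_pub}                       # alice trusts only her CA
    return {
        "alice_via_root": find_path("alice", hierarchical, certs),
        "bob_via_root": find_path("bob", hierarchical, certs),
        "bob_seen_from_ca_a": find_path("bob", network, certs),
        "bob_seen_from_ca_a_with_cross_cert":
            find_path("bob", network, certs + [cross]),
        "forged_mallory": find_path("mallory", hierarchical, certs),
    }
```

With the root as anchor both users validate through their subordinate CA. With only CA-A as anchor, bob's certificate cannot be validated until CA-A publishes a cross-certificate for CA-B, after which the path runs CA-A → CA-B → bob rather than through the root. The forged certificate fails because the signature does not verify under the public key in CA-A's certificate, which is the check a chain walker must make at every link rather than trusting the issuer name.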

3.7 Summary

The previous chapter showed how a technical solution could be implemented that made it possible to securely send information across the Internet.

The organizational aspects necessary to distribute information to end-entities were explained in this chapter. It was shown how a public key can safely be distributed with a certificate. Furthermore the management of certificates with the help of a certification authority was explained. To manage certificates certain functions are necessary, which constitute the functions of a CA. The operations of a CA are then written down in a Certification Practice Statement, which can be seen as a contract between an end-entity and a CA. By matching the operations of different CAs, these can start to cooperate. How this can be done was explained at the end of this chapter.

Figure 3.6: Options for a trust infrastructure

At this point it has been shown how technical and organizational measures, within the boundaries of this thesis, can ensure secure information transfer. Still remaining is the question whether the information sent in the way described in the previous chapter possesses legal validity.

Chapter 4 Legislation for the public key infrastructure

"The formal requirements for legal transactions, including the need for signatures, vary in different legal systems, and also vary with the passage of time. There is also variance in the legal consequences of failure to cast the transaction in a required form. The statute of frauds of the common law tradition, for example, does not render a transaction invalid for lack of a writing signed by the party to be charged, but rather makes it unenforceable in court, a distinction which has caused the practical application of the statute to be greatly limited in case law" [Ass96].

The above statement describes the problem of electronic commerce. Electronic commerce can be conducted across the Internet, but if a dispute arises the evidence may be unenforceable in court, because legal requirements for information sent across the Internet are nearly non-existent.

The (inter)national business world and international organizations have identified several legal obstructions that obscure electronic commerce [Act98]:

- Indistinctness concerning jurisdiction: the international field of electronic commerce leads to the question of what law has to be applied, for instance, in case of a legal dispute;
- Uncertainty concerning the liability of the intermediary: it has to be made clear what the status of the intermediary is in case of an unauthorized action in electronic commerce;
- Indistinctness concerning the digital signature: an infrastructure to issue digital signatures has not been developed as of yet due to uncertainty concerning its judicial status, including its legal validity;
- Uncertainty concerning the storage and proof of evidence: the necessity of a uniform storage obligation, due to the increased intensity of electronic information transfer, has increased and become more important. A question concerns the requirements that apply to the proof of an electronic data transfer;
- Provisions in existing laws can hinder the use of electronic data transfer.

4.1 Legislation for digital signatures

A great many countries have enacted or are considering enacting digital signature legislation in an effort to facilitate electronic commerce. Current legislation can be broken down into three models, which will be called the Limited Legislative Model, the Comprehensive Legislative Model and the Minimalist Legislative Model [McC97]:

1. Limited Legislative Model. The term "Limited Legislative Model" will refer to digital and electronic signature legislation that is very narrow in scope, covering only such things as government communications, electronic filing of securities-related documents, certificates of death and voter registration.

2. Comprehensive Legislation. The term "Comprehensive Legislation" will be used to refer to an all-encompassing regulatory approach that pertains to all communications, and provides for much, although not necessarily all, of the following: regulates certification authorities, prescribes duties of CAs and subscribers, sets forth warranty, liability and limitation of liability provisions, is technology-specific (i.e., covers only digital signatures), sets forth the legal effects of digital signatures and electronic messages and presumptions in adjudicating disputes, establishes a state agency as a CA and establishes repositories and prescribes their liability.

3. Minimalist Legislative Model. The term "Minimalist Legislative Model" will be used to refer to legislation that pertains to all communications, is technology-neutral and basically does little more than give legal effect to electronic signatures and electronic records.

"Although the express purpose of the Limited Legislative Model may not necessarily be to encourage electronic commerce, nonetheless, it will likely achieve this objective because it provides for specific situations in which people can become accustomed to filing documents and communicating with governments electronically" [McC97].

"Proponents of the Comprehensive Legislative Model contend that a public key infrastructure, such as that set forth in this model, is the most effective means for facilitating electronic commerce, and that, due to liability concerns, commercial CAs will not enter the market until legislation defining the rights and liabilities of electronic commerce participants is put in place.

However, critics of the Comprehensive Legislative Model contend that this model will not facilitate electronic commerce for the following reasons" [McC97]:

1. The electronic marketplace is still in its infancy and it is therefore premature to enact comprehensive legislation;

2. Legislation should take place in order to take care of identifiable problems, after the industry has matured;


3. The marketplace, not legislation, should dictate the direction of the electronic commerce industry;

4. By enacting a Comprehensive Legislative Model, the market could be skewed, facilitating a business model for which there is no demand or place in the marketplace;

5. The liability concerns expressed by proponents of the Comprehensive Legislative Model are the product of flawed business models (i.e., the Open PKI Model)¹, not flawed law, and are not keeping commercial CAs out of the marketplace, as evidenced by the number of CAs entering the marketplace in the absence of legislation;

6. Legislation should not be technology-specific, as other forms of electronic authentication may be just as, or more, suitable for authenticating documents as public key cryptography; and

7. Legislation should not override all writing requirements, as an electronic record may not be sufficient in all circumstances.

4.2 Dutch national TTP project

"The Dutch national TTP project is based on the principles of market forces and deregulation. Among other things this implies that the development of a TTP infrastructure is regarded as primarily a market responsibility" [N.V98].

In the light of section 4.1 this places the TTP project under the Minimalist Legislative approach.

The National TTP project has three aims:

1. The formulation of requirements for the provision and use of TTP services;

2. Compiling a survey of instruments with which these requirements can be safeguarded;

3. Encouraging the development of a Dutch TTP infrastructure.

"When it comes to the storage of data and exchange of messages, confidence and security are consequently becoming ever more important. An important means of safeguarding these aspects is the use of Trusted Third Parties (TTPs), which together form a TTP infrastructure" [N.V98].

¹ "Critics contend that the Open PKI Model is not a winning business model because it involves considerable liability risks and the costs associated with its implementation cannot be internalized. Moreover, say critics, Comprehensive Legislative Models attempt to solve the liability problem by shifting many of the liability risks to consumers by (i) not putting any caps on the liability of a subscriber, thereby exposing the subscriber to unlimited liability, (ii) putting a cap on the liability of CAs, which could unfairly result in unrecompensed damages of third parties, and (iii) imposing evidentiary presumptions that are burdensome on the subscriber. In fact, it has been pointed out, a subscriber faces greater liability in certain situations, such as in the event of a forgery, than it would face in analogous situations, such as credit card transactions, where its liability would be limited" [McC97].


Since TTPs have become the focus of international attention, the Dutch government decided in early 1997 to initiate a national TTP project. The Dutch national TTP project relates solely to public TTP services, defined as:

"Services that are in principle available to any individual, business or institution and/or are offered via a public infrastructure" [N.V98].

The Dutch national TTP project is based on two underlying principles, namely those of market forces and deregulation. In this respect the development of a TTP infrastructure is regarded as primarily the responsibility of the market.

4.2.1 TTP services

The definition of a trusted third party in the Dutch definition is:

"Trusted Third Parties (TTPs) are organizations that provide services in order to enhance the reliability of electronic data exchange" [N.V98].

Reliability comprises the following quality aspects, from the point of view of the TTP project:

- the authenticity of data;
- the integrity, or the accuracy and completeness, of data;
- the reliability of data².

In the view of the Dutch TTP project there is a fundamental difference between TTP services aimed at protecting the authenticity and/or integrity of data, messages and transactions and TTP services aimed at protecting the confidentiality of data, messages and transactions:

1. TTP services to protect authenticity and integrity. These include the provision of digital certificates (where the TTP fulfils the role of Certification Authority (CA)); the placement and verification of digital signatures; irrefutable confirmation of transmission and receipt of electronic messages (non-repudiation); the management of cryptographic keys to protect authenticity and integrity, with the exception of the storage of private keys; and the time-stamping of electronic reports.

2. TTP services to protect confidentiality. These include the encryption of electronic communications and the management of cryptographic keys for confidentiality.

² Reliability in this sense rests strongly on the services provided by the TTP. The services provided by these TTPs are in many cases based on the use of cryptographic techniques. Among other things they relate to the provision of electronic certificates; the placement and verification of digital signatures; the encryption of electronic communications; the generation, distribution, storage and/or destruction of cryptographic keys (i.e. key management); non-repudiation; and the saving and time-stamping of electronic messages and data, in encrypted form or otherwise.


4.2.2 Requirements with respect to TTP services to protect authenticity and integrity

TTP services to protect authenticity and integrity include:

1. The provision of digital certificates;

2. The placement and verification of digital signatures;

3. Irrefutable confirmation of transmission and receipt of electronic messages (non-repudiation);

4. The management of cryptographic keys to protect authenticity and integrity, with the exception of the storage of private keys; and

5. The time-stamping of electronic messages.

Within TTP services to protect authenticity and integrity a distinction is often drawn between the Registration Authority (RA), with responsibility for the legitimation of affiliated users, and the Certification Authority (CA), which provides electronic certificates on behalf of those users.

The requirements applying to this category of TTPs are the subject of a certain degree of consensus among the parties concerned. Among other things the requirements relate to the legal status of digital signatures, the reliability of the TTP service provided and of the TTP itself, the protection of privacy, and international interoperability [N.V98].

These issues will be discussed in the following subsections.

4.2.2.1 Legal statusof digital signatures

The legal status of digital signatures is currently the subject of research by the Dutch national TTP project. At the international level, policies are being worked out by the United Nations Commission on International Trade Law or UNCITRAL [oEC98]. At the European level, a communication has been issued announcing that the EU is seeking to introduce a European directive with respect to the mutual recognition of digital signatures.

At the European level a distinction is made between the TTP organization and the TTP service.

4.2.2.2 Reliability of the TTP organization

The following reliability criteria apply to the TTP [N.V98]:

- lawfulness: TTPs must act in accordance with national and international law in every sense of the word;
- financial position: the financial position of the TTP organization must provide sufficient guarantees with respect to the continuity of the TTP service;
- business continuity: the continuity of TTP services must be guaranteed as far as possible, e.g. in the event of a takeover, merger, strike or bankruptcy;
- security: the confidentiality, integrity and availability of data and information systems within the TTP organization must as far as possible be protected by means of an adequate system of measures against loss arising from catastrophes, breakdowns and intentional and unintentional human actions. The Code of Practice for Information Security Management (British Standard 7799) would appear to provide a good basis for the security of TTP organizations, although supplementary measures may be required in the light of the stringent reliability requirements that a TTP must satisfy. The Information Technology Security Evaluation Criteria (ITSEC) and the Common Criteria based on the ITSEC may provide a good basis for the evaluation of the IT products used;
- personnel: the owners, shareholders, directors, management and personnel of the TTP organization must command trust;
- authentication: with respect to the taking of decisions and the performance of activities by its management and staff, the TTP organization must at all times be able unambiguously to establish the identity of the individuals in question. Determining the identity of the individuals in question should also be possible in retrospect;
- authorization: specific authorizations need to be assigned clearly and unambiguously to specific positions and officers within the TTP organization;
- separation of duties: there must be a sufficient audit separation between managerial, custodial, executive and control functions within the TTP organization, e.g. in relation to key management;
- supervision: in order to guarantee the reliability of a TTP organization regular checks will need to be made by an independent body to establish whether the organization is complying with a previously drawn up package of criteria and requirements and whether that package is sufficient to achieve the desired degree of reliability. Various models for achieving such a form of supervision are conceivable. It may also be emphasized once again that the relevant legal requirements with respect to supervision and control also apply to TTP organizations supplying services to protect specific public functions;
- carefulness: the TTP must solely supply data to third parties where there is a demonstrable legal basis for doing so. It is highly important that the users of a TTP service can rely on the fact that any provision of data will take place under strict conditions only, and then only if there is a demonstrable statutory basis, in which respect the TTP organization will need to convince itself of the legitimacy of any request for cooperation. Private keys used solely to protect authenticity and integrity must in no circumstances be provided to third parties;
- management of operating assets: the development and management of information technology and other operating assets within the TTP should be arranged in accordance with generally accepted quality standards;

39

Page 48: Digital Signatures and the Public Key Infrastructure faculteit...The Internet appears at the horizon as a cheap media that can make easy and fast communication possible across the

Chapter4. Legislation 4.3.Germanlegislation

� independence- the TTP mustnot be tied to oneor moreexisting partiesandmustnothave aninterestin any informationto beprotected;� transparency- theTTPmustprovide insightinto its workingmethodsto permitappraisalof theTTP organizationandits services.

4.2.2.3 Reliability of the TTP service

The following reliability criteria apply to a TTP service [N.V98]:
• reliable technology - the technology must be sufficiently reliable to ensure the confidentiality, integrity and availability of automated data processing;
• documentation - the design, implementation, management and use of the TTP service must be adequately documented;
• key management - key management must be reliable.

A large number of national and international parties are involved in the development and use of TTP infrastructures. In this respect a basic distinction may be drawn between market players and government authorities. A special situation applies however to parties with a statutory authorization to obtain electronic data; this applies to both market players and government authorities.

The most important role is set aside for the market players, or the suppliers and users of TTP services. TTP services are provided by a very wide range of commercial and non-commercial organizations, which may or may not operate within a specific market segment. The users of TTP services include businesses, institutions and private individuals.

Given the public issues at stake, a role for the government is set aside in the form of policy, incentives, legislation and regulations and/or supervision. The general notion in this regard is that the government, making use of the available instruments, at least has a task to protect the public and individual citizens, e.g. by ensuring the reliability of TTP services, promoting national and international interoperability, protecting the privacy of the users of a TTP service and safeguarding lawful access to electronic data. In addition, the government can encourage the development of a safe and reliable TTP infrastructure. Finally the government can operate as a market player - as a customer but also as a provider of TTP services.

4.3 German legislation

As one of the first countries, Germany developed comprehensive legislation for the use of digital signatures [FMoET97] [Sig97]. In the terms of section 4.1, this would classify the German law as a Comprehensive Legislative approach. The purpose of the Act is as follows:

“The purpose of this Act is to establish general conditions under which digital signatures are deemed secure and forgeries of digital signatures or manipulation of signed data can be reliably ascertained” [FMoET97].

The German law thus does not explicitly state that digital signatures which can be verified with a certificate that has been issued by a CA are legally rightful [Dut98].

In the German Law, “the operation of a certification authority shall require a license from the competent authority” [FMoET97].

“A license shall be denied when facts warrant the assumption that the applicant does not possess the reliability necessary to operate a certification authority, when the applicant does not furnish proof of the specialized knowledge required to operate a certification authority.

The required specialized knowledge shall be deemed available when the persons engaged in the operation of the certification authority have the necessary knowledge, experience and skills. The other requirements pertaining to the operation of the certification authority shall be deemed met when the competent authority has been notified in a timely manner by means of a security concept of the measures ensuring compliance with the security requirements in this Act” [FMoET97].

For digital signatures a safeguard catalogue has been drafted by the German Information Security Agency, or BSI [Age97]. The catalogue describes how the individual technical components and the organizational environment are to be configured and structured in order to achieve an overall system in which digital signatures can be created which possess the necessary degree of security to prevent forgery and manipulation.

The security concept consists of a ‘complete’ overview of all measures taken, to ensure that ‘every’ possible problem has been securely dealt with. These include [Age97]:

• General security requirements and security policy.
• Functional security requirements for the CA.
• Security requirements and recommendations for the registration authority.
• Security requirements and recommendations for revocation management.
• Security requirements and recommendations for security concept and documentation.
• Security requirements and recommendations for the organizational structure.
• Security requirements and recommendations for the personnel.
• Security requirements and recommendations for the infrastructure.
• Security requirements and recommendations on IT.

These security requirements all apply at the TTP and should ensure that certificates are correct and valid. Thus these requirements relate back to the authenticity aspect, as stated in section 2.1 of chapter 2.

4.3.1 Criticism of German Law

The German law takes a hierarchical approach to a TTP as can be seen in chapter 3, figure 3.5.a. In the German model, “the authority shall issue the certificates for the signature keys used for affixing signatures to certificates. The authority shall keep the certificates which it has issued available for verification and retrieval at all times and for everyone over publicly available telecommunication links” [FMoET97]. If the private key of the “root-CA” is ever compromised, then all certificates signed with this key are compromised.

The German law is also very rigid. Every CA needs a separate license and a certificate of the central “root-CA”. It is not possible for an infrastructure to get one license and then “design” its own hierarchy.

The German Law also only recognizes CAs that do “everything”. This limits the organizational possibility to divide certain functionality among different organizations [Dut98].

4.4 Utah digital signatureact

The Utah digital signature act has been made to facilitate commerce by means of reliable electronic messages, to minimize the incidence of forged digital signatures and fraud in electronic commerce, to implement legally the general import of relevant standards and to establish uniform rules regarding the authentication and reliability of electronic messages.

The Utah act does not force a CA to get a license, but certificates issued by a non-licensed CA do not have any legal value. The Utah Digital Signature Act does not have a mandatory licensing obligation but an indirect or implicit one.

The Utah act uses a “Root” Certification Authority called the division. The division is a certification authority, and may issue, suspend, and revoke certificates. The division further maintains a publicly accessible database containing a certification authority disclosure record for each licensed certification authority and publishes the contents of the database in at least one recognized repository. The division further makes rules including:
• governing licensed certification authorities, their practice, and the termination of a certification authority's practice;
• determining an amount appropriate for a suitable guarantee, in light of:
  – the burden a suitable guarantee places upon licensed certification authorities; and
  – the assurance of financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;
• for reviewing software for use in creating digital signatures and publishing reports concerning software;
• specifying reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;
• specifying reasonable requirements for record keeping by licensed certification authorities;
• specifying reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of such information, and other practices and policies relating to certification authority disclosure records; and
• specifying the form of certification practice statements.

To obtain or retain a license a certification authority shall:
• be the subscriber of a certificate published in a recognized repository;
• employ as operative personnel only persons who have not been convicted of a felony or a crime involving fraud, false statement, or deception;
• employ as operative personnel only persons who have demonstrated knowledge and proficiency;
• file with the division a suitable guarantee, unless the certification authority is the governor, a department or division of state government, the attorney general, state auditor, state treasurer, the judicial council, a city, a county, or the Legislature or its staff offices, provided that:
  1. each of the above-named governmental entities may act through designated officials authorized by ordinance, rule, or statute to perform certification authority functions; and
  2. one of the above-named governmental entities is the subscriber of all certificates issued by the certification authority;
• have the right to use a trustworthy system, including a secure means for controlling usage of its private key;
• present proof to the division of having working capital reasonably sufficient, according to rules of the division, to enable the applicant to conduct business as a certification authority;
• maintain an office in Utah or have established a registered agent for service of process in Utah; and
• comply with all other licensing requirements established by division rule.

4.4.1 Legal status of digital signature

Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature if:
• that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
• that digital signature was affixed by the signer with the intention of signing the message; and
• the recipient has no knowledge or notice that the signer either:
  – breached a duty as a subscriber; or
  – does not rightfully hold the private key used to affix the digital signature.

A message is as valid, enforceable, and effective as if it had been written on paper, if it:
• bears in its entirety a digital signature; and
• that digital signature is verified by the public key listed in a certificate which:
  – was issued by a licensed certification authority; and
  – was valid at the time the digital signature was created.

There is some criticism concerning the Utah act. This concerns the criteria that a CA has to meet in order to get a license. Only a few CAs can satisfy all requirements and thus can receive a license. Only licensed CAs adhere to the digital signature act and thus submit legal signatures [Dut98].

4.4.2 Overview of regulation

In table 4.1 an overview follows of the nature and purpose of several drafts and laws [Dut98].

|                    | The Netherlands                  | Germany                                               | Utah                               |
| purpose regulation | negative, licensing is voluntary | positive, licensing is mandatory                      | negative, licensing is voluntary   |
| nature regulation  | facilitate electronic commerce   | technical framework for the use of digital signatures | legalisation of digital signatures |

Table 4.1: Overview of the nature and purpose of several drafts and laws

4.5 Crypto regulation

“Governments have long restricted export of cryptography for fear that their intelligence activities are hampered by the crypto use of foreign states and scoundrels. Since the rise of crypto use over the past decades, governments increasingly worry about criminals using cryptography to thwart law enforcement. Thus, many countries are considering laws focusing on maintaining law-enforcement and national-security capabilities through regulation of cryptography” [Koo98].

“Criminals and terrorists may take advantage of the concealing merits of cryptography to remain out of reach from wiretapping officials. It is because of this nefarious use of cryptography that governments have long restricted its export, and are now also considering to regulate its use domestically” [Koo97].

The other side of the story is the fact that cryptographic mechanisms are an enormously important tool for information security, and thus governments are stimulating their use.

Figure 4.1: Balance between secure transfer and crypto regulation

4.5.1 A brief survey of crypto regulation

The export regulations of cryptography in Europe are harmonized by both an EU decision, from December 1994 on dual-use goods, and the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Both regulate the export of dual-use goods; cryptography is such a dual-use good, as it has both military and civil applications. The general drift of these regulations is that you need a license to export crypto hardware and software, with the exception of mass-market and public-domain software. Export within the EU should be easier, although some manufacturers complain that here also, bureaucratic procedures have to be followed. Most countries in the EU and a host of other, mainly developed, countries have recently implemented the Wassenaar Arrangement [Koo97].

In Europe, only France and Russia have considerable restrictions, but lately, some other countries have also stated intentions to regulate crypto. The laws in France and Russia are a near complete prohibition on crypto use, sale and manufacture.

Other attempts to control cryptography have taken place in various countries. Belgium adopted a law in late 1994 which was noticed only in 1996 to contain a provision that might be interpreted as a prohibition of using cryptography in telecommunications. If you use ‘equipment which renders tapping ineffective’, your telecommunications equipment might be seized, according to the provision. Some have seen this as a requirement to use escrowed encryption [3]. One member of parliament has proposed dropping the provision and instead requiring people to decrypt if this is necessary for the investigation [Koo98].

[3] Key escrow is a capability that allows authorized persons or agencies, under certain prescribed conditions, to read the keys used with the help of information supplied by one or more trusted parties storing escrowed parts of the used keys [Poh97].


4.5.1.1 Export Control

COCOM, the Coordinating Committee for Multilateral Export Controls, was an international organization for the mutual control of the export of strategic products and technical data from member countries to prescribed destinations. It maintained, among others, the International Industrial List and the International Munitions List.

The main goal of the COCOM regulations was to prevent cryptography from being exported to “dangerous” countries - usually, the countries thought to maintain friendly ties with terrorist organizations, such as Libya, Iraq, Iran, and North Korea. Exporting to other countries is usually allowed, although states often require a license to be granted.

In 1995, 28 countries decided to establish a follow-up to COCOM, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The negotiations on the treaty were finished in July 1996, and the agreement was signed by 31 countries [4].

The Wassenaar Arrangement controls the export of weapons and of dual-use goods, that is, goods that can be used both for a military and for a civil purpose; cryptography is such a dual-use good. The provisions are largely the same as the COCOM regulations. The General Software Note excepts mass-market and public-domain crypto software from the controls; five countries, including the US and the UK, deviate from the GSN and control the export of mass-market and public-domain crypto software [Koo98].

Apart from the restriction of cryptography, another part of legislation is aimed at accessing the contents of cryptographically enciphered messages. This can be achieved if one has access to the cryptographic key material.

4.5.1.2 Key-escrow

As part of a possible solution, for governments and their needs to have access to information to enforce the law and to protect the national security, a great many countries are focusing on the use of key-escrow. In the view of several governments they had three options [Kam94]:
• To do nothing, resulting in the possible proliferation of products with encryption capabilities that would seriously weaken, if not wholly negate, the authority to wiretap and damage intelligence collection for national security and foreign policy reasons;
• To support an approach based on weak encryption, likely resulting in poor security and cryptographic confidentiality for important personal and business information; and
• To support an approach based on strong but escrowed encryption. If widely adopted and properly implemented, escrowed encryption could provide legitimate users with high degrees of assurance that their sensitive information would remain secure but nevertheless enable law enforcement and national security authorities to obtain access to escrow-encrypted data in specific instances when authorized under law. Moreover, the Administration hoped that by meeting legitimate demands for better information security, escrowed encryption would dampen the market for unescrowed encryption products that would deny access to law enforcement and national security authorities even when they sought access for legitimate and lawfully authorized purposes.

[4] These include: Argentina, Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, the Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom, the United States, Bulgaria and Ukraine.

As part of the solution the US government introduced the Clipper Initiative. The Clipper initiative was conceived as a way of providing legal access by law enforcement authorities to encrypted telephony.

4.5.1.3 The Clipper initiative

The Clipper chip is an integrated circuit chip that is built into devices used for voice communications. These chips are part of an overall system and provide voice confidentiality for the user and exceptional access to law enforcement authorities. To provide these functions, the Clipper chip was designed with a number of essential characteristics [DL96]:
• Confidentiality would be provided by a classified algorithm known as Skipjack. Using an 80-bit key, the Skipjack algorithm would offer considerably more protection against brute-force attacks than the 56-bit DES algorithm. The Skipjack algorithm was reviewed by several independent experts, all with the necessary security clearances. In the course of an investigation limited by time and resources, they reported that they did not find short-cuts that would significantly reduce the time to perform a cryptanalytic attack below what would be required by brute force.
• The chip would be protected against reverse engineering and other attempts to access its technical details.
• The chip would be factory-programmed with a chip-unique secret key, the “unit key” or “device key,” at the time of fabrication. Possession of this key would enable one to decrypt all communications sent to and from the telephone unit in which the chip was integrated.
• A law enforcement access field (LEAF) would be a required part of every transmission and would be generated by the chip. The LEAF would contain two items:
  – the current session key, encrypted with a combination of the device-unique unit key, and
  – the chip serial number.
  The entire LEAF would itself be encrypted by a different but secret “family key” also permanently embedded in the chip. The family key would be the same in all Clipper chips produced by a given manufacturer.

To manage the use of the LEAF, the U.S. government would undertake a number of actions:
• The unit key, known at the time of manufacture and unchangeable for the life of the chip, would be divided into two components, each of which would be deposited with and held under high security by two trusted government escrow agents located within the Departments of Commerce and Treasury.
• These escrow agents would serve as repositories for all such materials, releasing the relevant information to law enforcement authorities upon presentation of the unit identification and lawfully obtained court orders.

When law enforcement officials encountered a Clipper-encrypted conversation on a wiretap, they would use the LEAF to obtain the serial number of the Clipper chip performing the encryption and the encrypted session key. Upon presentation of the serial number and court authorization for the wiretap to the escrow agents, law enforcement officials could then obtain the proper unit-key components, combine them, recover the session key, and eventually decrypt the encrypted voice communications.
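The LEAF construction and the two-agent recovery path described above can be followed end to end in a small model. The code below is an added example, not part of the thesis and not the EES specification: SHA-256 in counter mode stands in for the classified Skipjack cipher, the unit key is split into two components by XOR secret sharing (the actual EES splitting method is not given on the page), and the 80-bit key length, the 32-bit serial field and the agent names are constructed for illustration. It makes visible what the summary later calls the inherent weakness of recovery systems: whoever holds the family key and both unit-key components can recover every session key the chip ever produced.

```python
"""Model of Clipper LEAF generation and escrowed unit-key recovery (added example)."""
import hashlib
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for Skipjack: XOR data with SHA-256(key || counter)
    blocks. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def split_unit_key(unit_key: bytes):
    """Divide the unit key into two components; neither alone reveals the key (XOR sharing)."""
    component1 = os.urandom(len(unit_key))
    component2 = bytes(a ^ b for a, b in zip(unit_key, component1))
    return component1, component2


def combine_components(component1: bytes, component2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(component1, component2))


@dataclass
class ClipperChip:
    serial: int         # chip serial number, modelled as 32 bits (constructed width)
    unit_key: bytes     # chip-unique key set at fabrication
    family_key: bytes   # shared by all chips of one manufacturer

    def build_leaf(self, session_key: bytes) -> bytes:
        # LEAF = E_family( E_unit(session key) || serial )
        inner = keystream_xor(self.unit_key, session_key) + self.serial.to_bytes(4, "big")
        return keystream_xor(self.family_key, inner)

    def encrypt_voice(self, session_key: bytes, plaintext: bytes):
        """Every transmission carries the LEAF next to the session-key-encrypted traffic."""
        return self.build_leaf(session_key), keystream_xor(session_key, plaintext)


class EscrowAgent:
    """One of the two escrow repositories; releases a component only against a court order."""

    def __init__(self, name: str):
        self.name = name
        self._store = {}

    def deposit(self, serial: int, component: bytes) -> None:
        self._store[serial] = component

    def release(self, serial: int, court_order_valid: bool) -> bytes:
        if not court_order_valid:
            raise PermissionError(f"{self.name}: no lawful court order for serial {serial}")
        return self._store[serial]


def law_enforcement_recover(family_key, leaf, ciphertext, agents, court_order_valid, key_len=10):
    """Family key opens the LEAF -> serial and encrypted session key; both agents release their
    component; the recombined unit key yields the session key; the traffic is decrypted."""
    inner = keystream_xor(family_key, leaf)
    enc_session_key, serial = inner[:key_len], int.from_bytes(inner[key_len:], "big")
    unit_key = combine_components(*[a.release(serial, court_order_valid) for a in agents])
    session_key = keystream_xor(unit_key, enc_session_key)
    return serial, keystream_xor(session_key, ciphertext)


def recovery_denied_without_order() -> bool:
    """Audit check: an agent releases nothing without a valid court order."""
    agent = EscrowAgent("Commerce")
    agent.deposit(1, b"\x00" * 10)
    try:
        agent.release(1, court_order_valid=False)
    except PermissionError:
        return True
    return False


def demo():
    family_key, unit_key, session_key = os.urandom(10), os.urandom(10), os.urandom(10)  # 80-bit
    chip = ClipperChip(serial=0x00ABCDEF, unit_key=unit_key, family_key=family_key)
    commerce, treasury = EscrowAgent("Commerce"), EscrowAgent("Treasury")
    c1, c2 = split_unit_key(unit_key)
    commerce.deposit(chip.serial, c1)
    treasury.deposit(chip.serial, c2)
    leaf, ct = chip.encrypt_voice(session_key, b"constructed voice frame")
    serial, recovered = law_enforcement_recover(family_key, leaf, ct, [commerce, treasury], True)
    return serial, recovered, (c1 != unit_key and c2 != unit_key)


if __name__ == "__main__":
    print(demo())
```

Two design points the model makes concrete: the family key is a master secret shared across a whole product line, so its exposure opens every LEAF of every chip, and the two components are only useful together, so compromise of one agent alone does not reveal a unit key.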

As a Federal Information Processing Standards Publication (FIPS), the Escrowed Encryption Standard (EES) is intended for use by the federal government and has no legal standing outside the federal government. Private consumers are free to decide whether or not to use EES-compliant devices to safeguard communications and are free to use other approaches to communications security should they so desire [DL96].

Another approach that adheres to the law is to make a distinction between confidentiality and authentication of data. Thus a message could be signed with a strong key but sent unencrypted. The message could then be read by anyone but not altered, because an alteration would be noticed due to the digital signature attached. This approach would however not meet the requirements of the many users that need confidentiality.

4.6 Summary

At the start of this chapter it was shown how crypto regulation is making an effort to provide people with a robust, reliable cryptosystem. Legislation is put in place to assure that commerce conducted with the help of the Internet has a secure basis. Standards are generated and implemented to assure that the public is provided with secure and tested cryptography. The end-product should be a product that is secure and “trusted” by all users.

Countries take different approaches to how legislation should be implemented. There is however broad consensus as to how a TTP should implement its organization. These include, as stated in section 4.2.2.2, such aspects as lawfulness, financial position of the TTP, business continuity, security, personnel, authentication, authorization, separation of duties, supervision, carefulness, management of operating assets, independence and transparency.

At the other end, governments are raising concerns whether law enforcement is being obstructed by the unbridled growth and usage of cryptography. Measures are taken to ensure encrypted messages can be read by law enforcement. These range from the complete ban of encryption [5], a ban on “strong encryption” [6] and most of all the use of key-escrow agents [7].

Providing a secure and robust cryptosystem and giving governments access to this information are two different aspects that do not mix. There are several reasons for this [Koo98]:
• Crooks and criminals have never been law-abiding and will simply use other means of cryptography;
• A second obstacle to key recovery is liability. Agencies that provide law enforcement with access to keys, either through key deposits or through sent-along session keys, will be a target for attacks, and loss of keys may have huge financial consequences. Therefore, it is to be expected that key recovery agencies will want to exonerate themselves from liability, at least to a large extent. Will users accept this?
• The third issue in key recovery is constitutional rights. At stake is the right to privacy, including the right to confidential communication, a right established by human rights covenants and many constitutions. If states implement key recovery, they must see to it that this constitutional right is not hampered. Although potentially key recovery is compatible with the right to privacy, when you start implementing key recovery, you will have to address the extra risk such a system poses to privacy - after all, key recovery systems are inherently weaker than non-recovery systems.
• Although most governments recognize that crypto policies cannot be implemented on a purely national basis, the international discussions indicate that it is difficult indeed to establish cooperation between states. For instance, key recovery depends on access to keys, and for this to work on any scale, international access to keys must be safeguarded somehow [8].
• Key recovery schemes have been proposed only since 1993, and consequently have not been researched to the extent that traditional systems such as RSA or DES have. It is a primary cryptographic principle that the strength of a system cannot be proven theoretically, but has to be proven in practice, by long years of attacks by cryptanalysts. Key recovery systems have yet to be subjected to thorough examination by the cryptographic community.

One can conclude that legislation is not uniform across different nations. Some countries take an active approach, which often is very rigid, and others lean back and wait for what will come. There is however a broad consensus that some form of international legislation has to be created that will give information sent across the Internet a legal status. This may however take some time.

[5] The laws in France and Russia are a near complete prohibition on crypto use, sale and manufacture [Koo98].
[6] The US export control allows a maximum of 40-bit symmetric crypto to be exportable.
[7] The UK has been leaning towards depositing of keys with TTPs, as has the US [Koo98].
[8] Suppose that the US, UK, France and Russia will implement key recovery systems: how will they handle communications with the rest of the world?


Chapter 5 Specific aspects of the PKI model

In the previous chapters an outline has been given of the PKI model and the actors involved. It has been explained, in chapter 2, how information can be protected with the help of encryption. A model has been given of how to protect information with the help of public key encryption. Chapter 3 has given a model of how information can be sent across networks in a safe manner and comply with the requirements that have been formulated. Chapter 4 has given an insight into the requirements that have been stated by legislators.

Certain aspects of digital signatures have been given but no further explanation was given as to how these should provide adequate security. This concerns the following:
• aspects of keys and more specifically how good keys can be generated, how they should be stored and deleted;
• aspects of certificates. This will include a general history and current status of the “official” standard, X.509;
• aspects of public key encryption methods and different standards such as RSA, DSS etc.;
• aspects of trap-door and/or hash-functions, what standards are used and what can be said of these standards.

These issues will be explained more thoroughly in this chapter. Aspects of this chapter will perhaps become obsolete within a year, but currently these are very topical and give a better understanding of the issues involved.

5.1 Aspects of keys

Encryption today is done with the use of a well known algorithm and a secret or private key. If the key is known by an intruder then this can have consequences. This would enable the attacker both to read all messages encrypted with the public key and to forge signatures. Information concerning the key could be gained at several points:
• at the key generation, if someone could have information how a key is generated;
• when a message is sent, if someone could decipher the information with an attack on the message itself. This has been explained in chapter 2 [1].
• the storage of the key, if the key could be stolen from a person then also a problem arises.

5.1.1 Key generation

“Security systems today are built on increasingly strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. The sophisticated attacker of these security systems may find it easier to reproduce the environment that produced the secret quantities, searching the resulting small set of possibilities, than to locate the quantities in the whole of the number space” [DE94].

When a random number generator is used in the key generation process, all values must be generated randomly or pseudo-randomly [2] in such a manner that all possible combinations of bits and all possible values are equally likely to be generated [FIP94].

5.1.1.1 Decipheringa key

In mostcases,an adversarycantry to determinethe “secret” key by trial anderror.This is possibleaslong asthekey is enoughsmallerthanthemessagethatthecorrectkey canbeuniquelyidentified.Theprobabilityof anadversarysucceedingatthismustbemadeacceptablylow, dependingontheparticularapplication.Thesizeof thespacetheadversarymustsearchis relatedto theamountof key “information” presentin theinformationtheoreticsense[Sha63]. This dependson thenumberof differentsecretvaluespossibleandtheprobabilityof eachvalueasfollows:

��� � ����� �(�8� �/�/�w��� �)��� �A�!� �   ¡ ¢ � � £(5.1)

where¤ variesfrom 1 to thenumberof possiblesecretvaluesand¥§¦ is theproba-bility of thevaluenumbered¤ . Since¥§¦ is lessthanone,thelog will benegativesoeachtermin thesumwill benon-negative.

If there are $2^n$ different values of equal probability, then $n$ bits of information are present and an adversary would, on the average, have to try half of the values, or $2^{n-1}$, before guessing the secret quantity. If the probabilities of different values are unequal, then there is less information present and fewer guesses will, on average, be required by an adversary. In particular, any values that the adversary can know are impossible, or are of low probability, can be initially ignored by an adversary, who will search through the more probable values first [DE94].

^1 Because the algorithm is believed to be secure this will not be dealt with here.
^2 Statisticians have since long made use of random numbers to test theories. These random number generators are actually pseudo-random number generators, producing numbers in a deterministic way which only appear to be random in a statistical sense.

For example, consider a cryptographic system that uses 56-bit keys. If these 56-bit keys are derived by using a fixed pseudo-random number generator that is seeded with an 8-bit seed, then an adversary needs to search through only 256 keys, by running the pseudo-random number generator with every possible seed, not the $2^{56}$ keys that may at first appear to be the case. Only 8 bits of "information" are in these 56-bit keys.
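The following Python example is added here to make the 8-bit-seed argument concrete; it is not code from the thesis or from any of its sources. It models the "fixed pseudo-random number generator" as a hash of the seed (an assumption made for the example), runs it over every seed to enumerate the keys an adversary would actually have to try, and evaluates equation 5.1 over that key distribution to show that only 8 bits of information are present in the 56-bit keys.

```python
import hashlib
import math
from collections import Counter


def derive_key_from_seed(seed: int, seed_bits: int, key_bits: int = 56) -> int:
    """Toy deterministic generator: a key_bits-bit key derived from a seed.

    Constructed for this example. The output is fixed entirely by the seed,
    which is exactly the situation in the text: a fixed PRNG seeded with a
    small seed, so the key carries no more information than the seed does.
    """
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    digest = hashlib.sha256(b"toy-prng:" + seed_bytes).digest()
    return int.from_bytes(digest, "big") & ((1 << key_bits) - 1)


def key_entropy_bits(keys) -> float:
    """Equation 5.1: sum over the distinct key values of -p_i * log2(p_i),
    with p_i estimated as the relative frequency of value i in `keys`."""
    counts = Counter(keys)
    total = len(keys)
    return sum(-(c / total) * math.log2(c / total) for c in counts.values())


def reachable_keys(seed_bits: int, key_bits: int = 56):
    """Every key the generator can produce: run it once per possible seed."""
    return [derive_key_from_seed(s, seed_bits, key_bits) for s in range(1 << seed_bits)]


def search_space_size(seed_bits: int, key_bits: int = 56) -> int:
    """Number of candidate keys an adversary who knows the generator must try."""
    return len(set(reachable_keys(seed_bits, key_bits)))


def expected_guesses(seed_bits: int, key_bits: int = 56) -> float:
    """Average trials before the key is found: half of the reachable space,
    not half of 2**key_bits."""
    return search_space_size(seed_bits, key_bits) / 2
```

With an 8-bit seed the reachable key set has at most 256 members and the entropy computed by equation 5.1 is at most 8 bits, whatever the nominal 56-bit key length says; a skewed seed distribution (some seeds more likely than others) lowers the entropy further, which is the unequal-probability case the text describes.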

5.1.1.2 Finding random sources

What is a truly random number? The definition can get a bit philosophical. Knuth speaks of:

"a sequence of independent random numbers with a specified distribution, each number being obtained by chance and not influenced by the other numbers in the sequence" [Knu81].

Rolling a die would give such results. But computers are logical and deterministic by nature, and fulfilling Knuth's requirements is not something they were designed to do [Mat96]. This is why it is believed a computer, without some random source, cannot produce truly random numbers.

For the present, the lack of generally available facilities for generating such unpredictable numbers is an open wound in the design of cryptographic software. For the software developer who wants to build a key or password generation procedure that runs on a wide range of hardware, the only safe strategy so far has been to force the local installation to supply a suitable routine to generate random numbers. To say the least, this is an awkward, error-prone and unpalatable solution [DE94].

For the generation of cryptographic keys, methods are required that give no information as to what the key might look like. Most traditional sources of random numbers use deterministic sources of "pseudo-random" numbers. These typically start with a "seed" quantity and use numeric or logical operations to produce a sequence of values. These state values are then sent through a hash function. The strength of this approach relies on the hash function being a one-way function: from the random output bytes it is difficult to determine the state value, and hence the other output bytes remain secure.

If the attackers cannot guess or predict the seeds, they will be unable to predict the output. There are two aspects to a random seed: quantity and quality. They are related. The quality of a random seed refers to the entropy^3 of its bits.

There are several ways to provide "random" seeds. Some methods to obtain random seeds produce "less" randomness than one would perhaps think. Ways to obtain seeds are shown in table 5.1.

^3 In a system that produces the same output each time, each bit is fixed, so there is no uncertainty, or zero entropy per bit. If every possible sequence of outputs is equally likely, i.e. truly random, then there is maximum uncertainty, or one bit of entropy per output bit [Mat96].


Table 5.1: Seed sources [Mat96]

System unique                                  | Variable and unguessable | External random
-----------------------------------------------|--------------------------|--------------------------------------------------
Configuration files                            | Contents of screen       | Cursor position with time
Drive configuration                            | Date and time            | Keystroke timing
Environment strings                            | High resolution clock    | Microphone input (with samples microphone connected)
Log file blocks                                | Last key pressed         | Mouse click timing
Memory statistics                              |                          | Mouse movement
Network statistics                             |                          | Video input
Process statistics                             |                          |
Program counter for other processes or threads |                          |

Less entropy <-----------------------------------------------------> More entropy

The problem with the random numbers generated in the methods above is that they are not "truly" random. This is why German law does not accept keys to be generated in the way mentioned above [Sch98].

Generating truly strong random numbers is actually quite easy. All that's needed is a physical source of unpredictable numbers. A thermal noise or radioactive decay source and a fast, free-running oscillator would do the trick directly [Gif98]. This is a trivial amount of hardware, and could easily be included as a standard part of a computer system's architecture. All that's needed is the common perception among computer vendors that this small additional hardware and the software to access it is necessary and useful [DE94].

Many computers come with hardware that can, with care, be used to generate truly random quantities. Increasingly computers are being built with inputs that digitize some real world analog source, such as sound from a microphone or video input from a camera. Under appropriate circumstances, such input can provide reasonably high quality random bits.

5.1.2 Key storage

After a key has been generated, another weak link in the PKI model concerns the storage of the private key. If the key can be compromised with or without the user knowing this, then an attacker can assume the identity of the owner. Depending on the time lag between a compromised key and the user revoking his key, this can have serious consequences.

To ensure an attacker cannot obtain or use the private key of an entity without his knowledge, several measures have to be taken:

- Copying of a private key should not be possible without the owning entity finding out; this would protect the private key from being copied without the owning entity's knowledge.

- Use of a private key should not be possible without some private knowledge; this would prevent a stolen key from being used by an attacker.

To protect a private key from being copied, it has to be assured that the private key cannot be read. Reading a key means being able to copy it. Some sort of measure should be taken to prevent a key from being read. A possible measure could be to store the private key in some sort of black box or token: a box that would take as input a plaintext and produce a ciphertext as output. German law and other standards require the private keys to be stored in cryptographic modules in such a way that they can be used inside the token but never be retrieved from the token [Sig97] [SEI98].

Should the private key somehow be compromised, then a measure has to be taken to ensure it can then not be used without some special knowledge. This could be achieved with the help of a personal identification number or PIN. By storing the private key of the entity in encrypted format, with a PIN code as the key, it can be secured against unauthorized usage. The strength of this method however depends on the length of the key^4, not on the amount of tries.

If the private key is embedded in a token then the amount of tries to crack the private key can be limited. This should be limited to three [SEI98].
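To show the difference between the two storage options just described, here is an added Python model (not code from the thesis or from [SEI98]) of a private key sealed under a PIN. The sealing construction is an assumption made for the example: a keystream derived from the PIN by PBKDF2-HMAC-SHA256, XORed over the key, plus an HMAC tag so that a wrong PIN is detected. With no try limit the object behaves like an encrypted key file, whose only protection is the number of possible PINs; with a limit of three it behaves like the token the text describes and locks after three wrong PINs.

```python
import hashlib
import hmac
import os
from typing import Optional


class PinProtectedKeyStore:
    """Toy model of a private key kept in encrypted form under a PIN.

    Constructed for this example. max_tries=None models an encrypted key file
    that anyone holding a copy can attack by trying PINs; max_tries=3 models
    the token of [SEI98], which refuses all further attempts after three
    wrong PINs.
    """

    def __init__(self, private_key: bytes, pin: str,
                 max_tries: Optional[int] = None, iterations: int = 1000):
        self.salt = os.urandom(16)
        self.iterations = iterations        # kept low to keep the example fast
        self.max_tries = max_tries
        self.failed_tries = 0
        self.locked = False
        stream, mac_key = self._derive(pin, len(private_key))
        self.sealed = bytes(k ^ s for k, s in zip(private_key, stream))
        self.tag = hmac.new(mac_key, self.sealed, hashlib.sha256).digest()

    def _derive(self, pin: str, length: int):
        """Keystream of `length` bytes plus a 32-byte MAC key, both from the PIN."""
        material = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt,
                                       self.iterations, length + 32)
        return material[:length], material[length:]

    def unseal(self, pin: str) -> Optional[bytes]:
        """Return the private key for the right PIN, None otherwise."""
        if self.locked:
            return None
        stream, mac_key = self._derive(pin, len(self.sealed))
        expected = hmac.new(mac_key, self.sealed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failed_tries += 1
            if self.max_tries is not None and self.failed_tries >= self.max_tries:
                self.locked = True      # token policy: no further attempts at all
            return None
        self.failed_tries = 0
        return bytes(c ^ s for c, s in zip(self.sealed, stream))


def tries_until_unsealed(store: PinProtectedKeyStore, candidates) -> Optional[int]:
    """How many PIN attempts an exhaustive search needs, or None if the store
    locks first: the PIN's length bounds the strength of an encrypted file,
    while the try limit bounds it for a token."""
    for attempt, pin in enumerate(candidates, start=1):
        if store.unseal(pin) is not None:
            return attempt
        if store.locked:
            return None
    return None
```

The point of the model is the last function: for the file, the number of attempts is bounded only by the size of the PIN space, which is why the text says the strength depends on the length of the key and not on the number of tries; for the token, the same search stops after three attempts no matter how short the PIN is.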

5.2 Aspects of certificates

Because of the international aspects of commerce, certificates have to be standardized. A standard that has received worldwide acknowledgment and is used worldwide concerns the Authentication Framework of the ITU-T, or ITU-T Recommendation X.509 [X.597].

5.2.1 History of X.509

"Imagine having a telephone in your house, but not having a telephone directory, or recourse to the 'directory enquiries' service. The phone now becomes a lot less useful than it was. How can you telephone your Auntie Margery in Australia to wish her happy birthday? You may not remember which digits you need to dial for international access, nor can you remember all the several hundred different country codes. And what if she has recently moved house, but you don't yet have her new address? Or what if you want to ring up several stores in town to see which one of them has the latest 'green' garden fertiliser in stock, and which one has the most competitive price?" [Cha96]

"The examples might be flippant, but they make the point. While it may be possible to keep your own address book of friends, colleagues and relatives that you call most frequently, it certainly is not possible to keep an address book of everyone whom you have ever called, or whom you are likely to want to call in the future. And who is going to update your personal directory when people change addresses, or get a new job, or install a new line for a fax machine?" [Cha96].

^4 Cracking a key can be done in several ways, as can be seen in Appendix A.

While the telephone companies have trouble keeping up with managing all the telephone and fax numbers, keeping track of Internet addresses poses an even greater problem. This led to the development of a directory that would keep track of all these changes.

In 1984, CCITT^5 drafted its X.400 recommendation, whose major concern was to provide a white pages service that would return either the telephone numbers or X.400 O/R addresses^6 of people. On the other side there were the ISO^7 and the ECMA^8, who were concerned mainly with providing the name server service for Open Systems Interconnection, OSI, applications. The two tracks merged in 1986, with the formation of the Joint ISO/CCITT working group on Directories.

The X.500 standard assumes distributed administration of the database, and specific functions are built in for this.

Because the X.500 directory contains information that should not be available to everyone, access security was added. This became the X.509 recommendation or Authentication Framework.

5.2.2 Usage of X.509

Distinguished names are the standard form of naming in an ITU-T X.500 directory and in X.509 certificates. Distinguished names were intended to identify entities in the X.500 directory tree. A relative distinguished name is the path from one node to a subordinate node. The entire distinguished name traverses a path from the root of the tree to an end node that represents a particular entity. A goal of the directory was to provide an infrastructure to uniquely name every communications entity everywhere, hence the "distinguished" in "distinguished name". As a result of the directory's goals, names in X.509 certificates are perhaps more complex than one might like, e.g., compared to an e-mail address. Nevertheless, for business applications, distinguished names are worth the complexity, as they are closely coupled with legal name registration procedures, something that simple names such as e-mail addresses do not offer [RSA96].

Nevertheless X.500 has not received broad acceptance in the Internet community. As it stands the most used system for naming on the Internet is based on the Simple Mail Transfer Protocol (SMTP).

^5 Comite Consultatif International Telephonique
^6 The X.400 address describes a format with which it is possible to access specific information or a specific person. An X.400 address can contain a number of different items such as: name, common name, locality name, state name, organization name, organizational unit, title, match, email address, country name, domain name, given name, initials, numeric user id, organizational unit name, organizational units, postal code, surname, terminal id, address. An X.400 address looks like: /C=US/SP=MASSACHUSETTS/L=CAMBRIDGE/PA=360 MEMORIAL DR./CN=KEN SMITH/
^7 International Standards Organisation
^8 European Computer Manufacturers Association


5.2.3 Information in an X.509 certificate

The initial version of X.509 was published in 1988, version 2 was published in 1993, and version 3 was proposed in 1994 and considered for approval in 1995. Thus the current standard which is often referred to is X.509v3.

The differences between versions 1, 2 and 3 include identifiers and extensions that were added to the standard. These were added to give more meaning to the role and/or name of the signer. When signing a contract the role of the signer, e.g. Financial Director of the Delta Company, is more relevant than its name. Also, at the moment, no naming scheme is specified for digital signatures. That leads to the following key question: which technique should be used to point unambiguously to a person, or entity, that can be easily recognized and traced [SE98].

The X.509 certificate has the contents given in table 5.2 [X.597]. These contents should make it possible to uniquely identify the object.

Table 5.2: Contents of the X.509v3 certificate

Name of the field: Contents and functions

Version: The version number of the certificate, e.g. 1, 2 or 3.

Serial number: Unique identifier for each certificate generated by the issuer; an integer.

Signature: Algorithm identifier and algorithm used to sign the certificate.

Issuer: Name of the issuer. Certificates may employ a variety of name forms, including Internet electronic mail names, Internet domain names, X.400 originator/recipient addresses, and EDI party names.

Validity: NotBefore and NotAfter.

Subject: Name of the subject.

Subject public key info: Algorithm identifier and algorithm used to sign the certificate.

Issuer unique identifier: Contains additional information about the issuer. The exact form of the unique identifier contents is unspecified and is left to the certification authority; it might be, for example, an object identifier, a certificate, a date, or some other form of certification on the validity of the distinguished name. Must be version 2 or higher (optional).

Subject unique identifier: Contains additional information about the subject. The exact form of the unique identifier contents is unspecified and is left to the certification authority; it might be, for example, an object identifier, a certificate, a date, or some other form of certification on the validity of the distinguished name. Must be version 2 or higher (optional).

Extensions: Optional. An extension field consists of an extension identifier and a criticality flag. When an implementation processing a certificate does not recognize an extension, if the criticality flag is FALSE, it may ignore that extension. If the criticality flag is TRUE, unrecognized extensions shall cause the structure to be considered invalid, i.e. in a certificate, an unrecognized critical extension would cause validation of a signature using that certificate to fail.

Issuer's signature.
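The criticality rule in the Extensions row of table 5.2 is the one field a validator must get right, so here is an added Python example (not code from the thesis or from the X.509 standard) that encodes and decodes the DER form of the Extensions structure and applies that rule. The set of "recognized" extension identifiers, the constructed sample extensions, and the placeholder identifier 1.2.3.4.5.6 used for an unrecognized extension are assumptions made for the example; basicConstraints (2.5.29.19) and keyUsage (2.5.29.15) are real X.509 extension identifiers.

```python
# DER tags for the pieces of an X.509 Extensions structure
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30

# Extension identifiers this hypothetical validator understands (basicConstraints
# and keyUsage); anything else counts as "unrecognized" in the sense of table 5.2.
KNOWN_EXTENSIONS = {"2.5.29.19", "2.5.29.15"}


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _encode_length(len(value)) + value


def encode_oid_body(dotted: str) -> bytes:
    """OID contents: first two arcs packed into one byte, the rest in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; DER omits `critical` when it equals the default."""
    parts = tlv(TAG_OID, encode_oid_body(oid))
    if critical:
        parts += tlv(TAG_BOOLEAN, b"\xff")
    parts += tlv(TAG_OCTET_STRING, value)
    return tlv(TAG_SEQUENCE, parts)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der: bytes):
    """Decode Extensions ::= SEQUENCE OF Extension into (oid, critical, value) tuples."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid_body, p = read_tlv(ext, 0)
        if t != TAG_OID:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == TAG_BOOLEAN:            # present only when TRUE in valid DER
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        if t != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_body), critical, body))
    return result


def certificate_acceptable(extensions_der: bytes, recognized=KNOWN_EXTENSIONS):
    """The rule of table 5.2: an unrecognized extension is ignored when
    non-critical and makes the certificate invalid when critical."""
    fatal = [oid for oid, critical, _ in parse_extensions(extensions_der)
             if critical and oid not in recognized]
    return (not fatal, fatal)


def sample_extensions(unknown_is_critical: bool) -> bytes:
    """Constructed sample: a critical basicConstraints (empty SEQUENCE value)
    plus an extension with placeholder OID 1.2.3.4.5.6 the validator does not know."""
    return tlv(TAG_SEQUENCE,
               encode_extension("2.5.29.19", True, b"\x30\x00")
               + encode_extension("1.2.3.4.5.6", unknown_is_critical, b"\x04\x00"))
```

The parser has to cope with the `critical` BOOLEAN being absent (its DEFAULT FALSE value is never encoded in DER), which is the detail a naive fixed-offset decoder gets wrong; a validator that silently skipped unknown critical extensions would accept certificates the issuer meant to be rejected.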


5.2.4 Attribute certificates

User identities are bound to their public key certificates for authentication and identification purposes. Each public key certificate conveys the information necessary to perform certain cryptographic functions. Certified attributes associated with a subject, such as clearances, may be conveyed in a separate structure, defined as an attribute certificate.

An attribute certificate is a separate structure from a subject's X.509 public key certificate. A subject may have multiple attribute certificates associated with each of its public key certificates.

For example, an attribute certificate could have a validity of one day stating that a person has the power to sign a one million dollar contract.

5.3 Public key encryption

Since the invention of public-key cryptography in 1976 by Whitfield Diffie and Martin Hellman [DH76], numerous public-key cryptographic systems have been proposed. All of these systems base their security on the difficulty of solving a mathematical problem [Cer97].

Over the years, many of the proposed public-key cryptographic systems have been broken and many others have been demonstrated to be impractical. Today, only three types of systems are considered both secure and efficient. Examples of such systems and the mathematical problems on which their security is based are [Cer97]:

1. Integer factorization problem (IFP): RSA and Rabin-Williams.

2. Discrete logarithm problem (DLP): the U.S. government's Digital Signature Algorithm (DSA), the Diffie-Hellman key agreement scheme, the ElGamal encryption and signature schemes, the Schnorr signature scheme, and the Nyberg-Rueppel signature scheme.

3. Elliptic curve discrete logarithm problem (ECDLP): the elliptic curve analog of the DSA (ECDSA), and the elliptic curve analogs of the Diffie-Hellman key agreement scheme, the ElGamal encryption and signature schemes, the Schnorr signature scheme, and the Nyberg-Rueppel signature scheme.

It must be emphasized that none of these problems has been proven to be intractable, i.e., difficult to solve in an efficient manner. Rather, they are believed to be intractable because years of intensive study by leading mathematicians and computer scientists have failed to yield efficient algorithms for solving them [Cer97].

A brief introduction to these methods will be given, as well as the possible future of these systems.

5.3.1 Algorithm based on integer factoring

Factoring is the act of splitting an integer into a set of smaller integers, factors, which, when multiplied together, form the original integer. For example, the factors of 15 are 3 and 5; the factoring problem is to find 3 and 5 when given 15. Prime factorization requires splitting an integer into factors that are prime numbers; every integer has a unique prime factorization. Multiplying two prime integers together is easy, but as far as we know, factoring the product is much more difficult [RSA96].

Table 5.3: Historical data on the integer factorization problem [Cer97]

Year | Number of bits | MIPS years
-----|----------------|-----------
1984 | 236            | 0.1
1988 | 352            | 140
1993 | 399            | 825
1994 | 429            | 5000
1995 | 395            | 250
1996 | 432            | 750

The estimate is given in MIPS-years, where a MIPS-year is an approximate amount of computation that a machine capable of performing one million arithmetic instructions per second would perform in one year.

There is some variation among published estimates of running time due to the particular definition of a MIPS-year and to the difficulty of estimating actual processor utilization. (How many arithmetic instructions a modern processor performs in a second when running an actual piece of code depends heavily not only on the clock rate, but also on the processor architecture, the amount and speeds of caches and RAM, and the particular piece of code.)

Factoring is the underlying, presumably hard problem upon which several public-key cryptosystems are based. Factoring a modulus would allow an attacker to figure out the private key; thus, anyone who can factor the modulus can decrypt messages and forge signatures. The security of a factoring-based algorithm depends on the factoring problem being difficult and the presence of no other types of attack. Unfortunately, it has not been proven that factoring must be difficult, and there remains a possibility that a quick and easy factoring method might be discovered, although factoring researchers consider this possibility remote. Factoring large numbers takes more time than factoring smaller numbers. This is why the size of the modulus determines how secure an actual factoring-based algorithm is; the larger the modulus, the longer it would take an attacker to factor, and thus the more resistant to attack the factoring-based algorithm is [RSA96].

Development in factoring numbers has led to increases in the number of bits necessary to establish security. Developments with the quadratic sieve and the number field sieve method have shown superior factoring qualities. Table 5.3 contains some historical data on the progress of integer factorization.

These results indicate that a 512-bit modulus $n$ provides only marginal security when used in the RSA cryptosystem. For long-term security, 1024-bit or larger moduli should be used [Cer97].
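To make the statement "anyone who can factor the modulus can decrypt messages and forge signatures" concrete, the following Python example is added (it is not code from the thesis or from [RSA96]). It builds a textbook RSA key pair from two small primes, signs and verifies a digest, and then recovers the private exponent from nothing but the public key once the modulus has been factored by trial division. The primes 61 and 53 and exponent 17 are toy values chosen for the example; trial division is feasible only because the modulus is tiny, which is exactly the gap that table 5.3 tracks for real key sizes.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA from two primes: n = p*q and d = e^-1 mod (p-1)(q-1).
    Returns (public_key, private_key) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))


def sign(private_key, digest: int) -> int:
    """Textbook signature: the digest raised to d modulo n (no padding)."""
    n, d = private_key
    return pow(digest, d, n)


def verify(public_key, digest: int, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest % n


def trial_division_factor(n: int):
    """Smallest prime factor of n by trial division: fine for a toy modulus,
    hopeless for the key sizes in table 5.3, where sieving methods are needed."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate
    return None


def private_key_from_factors(public_key, p: int):
    """Knowing one factor p (hence q = n/p) gives phi and therefore d:
    this is why factoring the modulus breaks the system."""
    n, e = public_key
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def recover_private_key(public_key):
    """The attack in one step: factor n, then derive d from the factors."""
    n, _ = public_key
    p = trial_division_factor(n)
    return None if p is None else private_key_from_factors(public_key, p)
```

Everything after `rsa_keygen` uses only the public key, so the recovered private exponent is identical to the one the key owner generated; the only thing standing between the public key and the private key is the cost of the factoring step.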


5.3.2 Algorithm based on the discrete logarithm problem

The discrete logarithm problem applies to groups. A group is an abstract mathematical object consisting of a set $G$ together with an operation $\circ$ defined on pairs of elements of $G$. The order of a group is the number of elements in $G$.

If $p$ is a prime number, then the non-zero elements of $\mathbb{Z}_p = \{0, 1, 2, \ldots, p-1\}$ form a group $\mathbb{Z}_p^*$ of order $p-1$ under the operation of multiplication modulo $p$. The order of a group element $a \in G$ is the least positive integer $t$ such that $a^t = 1$. For example, in the group $\mathbb{Z}_{11}^*$, the element $a = 3$ has order 5, since

$$3^1 \equiv 3 \pmod{11},\quad 3^2 \equiv 9 \pmod{11},\quad 3^3 \equiv 5 \pmod{11},\quad 3^4 \equiv 4 \pmod{11},\quad \text{and}\quad 3^5 \equiv 1 \pmod{11}.$$

The discrete logarithm problem, as first employed by Diffie and Hellman in their key agreement protocol, was defined explicitly as the problem of finding logarithms in the group $\mathbb{Z}_p^*$: given $\alpha \in \mathbb{Z}_p^*$ of order $n$, and given $\beta \in \mathbb{Z}_p^*$, find an integer $x$, where $0 \le x \le n-1$, such that $\alpha^x \equiv \beta \pmod p$, provided that such an integer exists. The integer $x$ is called the discrete logarithm of $\beta$ to the base $\alpha$.

For example, consider $p = 17$. Then $\alpha = 10$ is an element of order $n = 16$ in $\mathbb{Z}_{17}^*$. If $\beta = 11$, then the discrete logarithm of $\beta$ to the base $\alpha$ is 13 because $10^{13} \equiv 11 \pmod{17}$ [Men].

The best known algorithm for the discrete logarithm problem has precisely the same asymptotic running time as the corresponding algorithm for integer factorization. This can loosely be interpreted as saying that finding logarithms in the case of a $k$-bit prime modulus $p$ is roughly as difficult as factoring a $k$-bit composite number $n$. It is likely safe to say that taking logarithms modulo a 512-bit prime $p$ will remain intractable for the next three or four years. In comparison, a 512-bit RSA modulus will likely be factored within a year or so [Cer97].

These discrete concepts can be extended to arbitrary groups. Let $G$ be a group of order $n$, and let $\alpha$ be an element of $G$. The discrete logarithm problem for $G$ is the following: given elements $\alpha$ and $\beta \in G$, find an integer $x$, $0 \le x \le n-1$, such that $\alpha^x = \beta$, provided that such an integer exists.
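The two worked examples above ($3$ of order 5 in $\mathbb{Z}_{11}^*$, and $\log_{10} 11 = 13$ in $\mathbb{Z}_{17}^*$) can be checked with the following added Python code, which is not part of the thesis or of [Men]. It computes the order of an element, solves the discrete logarithm problem by exhaustive search (cost about $n$ group operations), and then by Shanks' baby-step giant-step method, the generic square-root-of-$n$ algorithm that section 5.3.3 refers to when it says the best general attacks run in about a constant times $\sqrt{n}$; the latter uses only multiplication and inversion in the group, so the same structure carries over to any group $G$ of the general definition.

```python
import math


def element_order(alpha: int, p: int) -> int:
    """Least positive t with alpha^t = 1 in Z_p^* (p prime, alpha not 0 mod p)."""
    t, acc = 1, alpha % p
    while acc != 1:
        acc = acc * alpha % p
        t += 1
    return t


def dlog_bruteforce(alpha: int, beta: int, p: int):
    """Try x = 0, 1, 2, ... until alpha^x = beta (mod p): about n steps for
    an element of order n. Returns None when beta is not a power of alpha."""
    n = element_order(alpha, p)
    acc = 1
    for x in range(n):
        if acc == beta % p:
            return x
        acc = acc * alpha % p
    return None


def dlog_bsgs(alpha: int, beta: int, p: int):
    """Shanks' baby-step giant-step: about 2*sqrt(n) group operations and
    sqrt(n) stored values. Write x = i*m + j with m = ceil(sqrt(n)); then
    beta * alpha^(-i*m) = alpha^j, so a table of the baby steps alpha^j is
    probed once per giant step."""
    n = element_order(alpha, p)
    m = math.isqrt(n) + 1
    baby = {}
    acc = 1
    for j in range(m):                 # baby steps: alpha^j for 0 <= j < m
        baby.setdefault(acc, j)
        acc = acc * alpha % p
    giant_factor = pow(alpha, -m, p)   # alpha^(-m), the group inverse of alpha^m
    gamma = beta % p
    for i in range(m):                 # giant steps: beta * alpha^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * giant_factor % p
    return None
```

Both solvers agree on every instance, but the search spaces differ: for the generic attack on a group of order $n$ the work is proportional to $\sqrt{n}$ rather than $n$, which is why the security estimates for elliptic curve groups in section 5.3.3 are stated in terms of $\sqrt{n}$.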

5.3.3 Algorithm based on elliptic curves

A variety of groups have been proposed for cryptographic use. There are two primary reasons for this [Men]:

1. The operation in some groups may be easier to implement in software or in hardware than the operation in other groups.

2. The discrete logarithm problem in the group may be harder than the discrete logarithm problem in $\mathbb{Z}_p^*$. Consequently, one could use a group $G$ that is smaller than $\mathbb{Z}_p^*$, while maintaining the same level of security.


The above is the case with elliptic curve groups. The result is smaller key sizes, bandwidth savings, and faster implementations. These features are especially attractive for security applications where computational power and integrated circuit space is limited, such as smart cards, PC cards, and wireless devices [Men].

Elliptic curves are mathematical constructions from number theory and algebraic geometry, which in recent years have found numerous applications in cryptography. An elliptic curve can be defined over any field, e.g., real, rational, complex. However, elliptic curves used in cryptography are mainly defined over finite fields. An elliptic curve $E$ over $\mathbb{F}_p$ is defined by an equation of the form

$$y^2 = x^3 + ax + b \qquad (5.2)$$

where $a, b \in \mathbb{F}_p$, and $4a^3 + 27b^2 \not\equiv 0 \pmod p$, together with a single element denoted $\mathcal{O}$ called the "point at infinity," which can be visualized as the point at the top and bottom of every vertical line. The set $E(\mathbb{F}_p)$ consists of all points $(x, y)$, $x \in \mathbb{F}_p$, $y \in \mathbb{F}_p$, which satisfy the defining equation 5.2, together with $\mathcal{O}$.

Addition of two points on an elliptic curve is defined according to a set of simple rules, e.g., point $P$ plus point $Q$ is equal to point $R$ in figure 5.1. The addition operation in an elliptic curve is the counterpart to modular multiplication in common public-key cryptosystems, and multiple addition is the counterpart to modular exponentiation [RSA96].

Figure 5.1: Geometric description of the addition of two distinct elliptic curve points: P + Q = R

Until recently, the best attacks on elliptic curve logarithm problems were the general methods applicable to any group. These methods have a running time of about a constant times the square root of $n$ on average, which is much slower than specialized attacks on certain types of groups. The lack of specialized attacks means that shorter key sizes for elliptic curve cryptosystems give the same security as larger keys in cryptosystems that are based on the discrete logarithm problem. It is possible that algorithm development in this area will change the security of elliptic curve discrete logarithm cryptosystems to be equivalent to that of general discrete logarithm cryptosystems. This is an open research problem [RSA96].
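The "set of simple rules" for adding points, and the non-singularity condition on equation 5.2, are easiest to see in code, so the following Python example is added (it is not code from the thesis, from [Men] or from [RSA96]). It works over a toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, chosen for the example because every value can be checked by hand; it implements the chord-and-tangent addition of figure 5.1 with the slope formulas in $\mathbb{F}_p$ arithmetic, the double-and-add scalar multiplication that is the counterpart of modular exponentiation, and the computation of the order $n$ of a point, the quantity whose square root governs the generic attacks described above.

```python
# Toy curve constructed for this example: y^2 = x^3 + 2x + 2 over F_17.
# It is far too small for any real use; it only keeps the arithmetic checkable.
P_MOD, A, B = 17, 2, 2
INF = None   # the point at infinity O


def is_nonsingular(p=P_MOD, a=A, b=B) -> bool:
    """The condition 4a^3 + 27b^2 != 0 (mod p) from the definition of E."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def on_curve(pt, p=P_MOD, a=A, b=B) -> bool:
    """Membership in E(F_p): the point satisfies equation 5.2, or is O."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def point_add(P, Q, p=P_MOD, a=A):
    """Chord-and-tangent rule P + Q = R of figure 5.1, in F_p arithmetic."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                        # P + (-P) = O: vertical line
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k: int, P, p=P_MOD, a=A):
    """k*P by double-and-add: repeated addition, the counterpart of modular
    exponentiation in Z_p^*."""
    R, addend = INF, P
    while k:
        if k & 1:
            R = point_add(R, addend, p, a)
        addend = point_add(addend, addend, p, a)
        k >>= 1
    return R


def point_order(P, p=P_MOD, a=A) -> int:
    """Least n > 0 with n*P = O: the group order whose square root bounds
    the generic discrete logarithm attacks."""
    n, R = 1, P
    while R is not INF:
        R = point_add(R, P, p, a)
        n += 1
    return n


def curve_points(p=P_MOD, a=A, b=B):
    """All of E(F_p) by enumeration, including O; only feasible for tiny p."""
    pts = [INF]
    for x in range(p):
        for y in range(p):
            if on_curve((x, y), p, a, b):
                pts.append((x, y))
    return pts
```

On this curve the point $P = (5, 1)$ generates the whole group, which has 19 points including $\mathcal{O}$, so a discrete logarithm to the base $P$ can be found by a generic method in about $\sqrt{19}$ steps; a cryptographic curve has a group order of 160 bits or more precisely so that this square root is out of reach.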


5.4 One-way functions

The definition of a one-way function was given in section 2.7.1 of chapter 2. A lot depends on the one-way function. If a method can be obtained to develop a plaintext $M'$ that has the same message digest as the original plaintext $M$, then the digital signature can be appended to plaintext $M'$. This can be seen in figure 5.2. Because the plaintext $M'$ has the same message digest as that of plaintext $M$, the digital signature would be the same for message $M'$ as it would be for $M$.

Figure 5.2: Copying the digital signature for another message

Hash functions are designed with a variety of properties in mind and three are commonly singled out in the literature [Rob96]:

1. Given the hash value output by some hash function, it should be infeasible to find an input or pre-image that will produce the given output.

2. When given an input and output pair for some hash function, it should remain infeasible to find a second distinct pre-image that would generate the same output. This is commonly referred to as finding a second pre-image, and a hash function for which it is difficult to find either a pre-image or a second pre-image is sometimes called a one-way hash function.

3. It should be infeasible to find two inputs to the hash function that will produce the same output. This is commonly referred to as finding a collision for the hash function.

The term collision-resistant hash function is sometimes used to describe a hash function that possesses all three of the properties described above, and it is what most people have in mind when talking about hash functions in general.


Since there are an arbitrary number of possible input strings but only a fixed number of outputs, collisions must exist for a hash function; the objective is to ensure that it is computationally infeasible to find such examples [Rob96].
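The three properties just listed differ not in whether they can be broken by search but in how much search each needs, and that difference is what makes a 128-bit digest too short (footnote 10). The following added Python example (not code from the thesis or from [Rob96]) makes the difference measurable on a deliberately weakened hash: SHA-256 truncated to a small number of bits, an assumption made so that the searches finish in seconds. It searches for a pre-image, a second pre-image (the $M'$ of figure 5.2) and a collision, and computes the birthday bound that sets the expected cost of the collision search.

```python
import hashlib
import math


def toy_hash(msg: bytes, bits: int = 20) -> int:
    """Deliberately weak hash for experiments: the top `bits` bits of SHA-256.
    Constructed for this example; the truncation is what makes searching feasible."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_preimage(target: int, bits: int = 20, limit: int = 1 << 24):
    """Property 1: search inputs until one hashes to `target`.
    Expected work is about 2**bits evaluations. Returns (input, evaluations)."""
    for i in range(limit):
        m = b"preimage-%d" % i
        if toy_hash(m, bits) == target:
            return m, i + 1
    return None, limit


def find_second_preimage(msg: bytes, bits: int = 20, limit: int = 1 << 24):
    """Property 2: a different input with the same digest as `msg`, i.e. the
    M' that would carry M's signature in figure 5.2. Expected work ~ 2**bits."""
    target = toy_hash(msg, bits)
    for i in range(limit):
        m = b"second-%d" % i
        if m != msg and toy_hash(m, bits) == target:
            return m, i + 1
    return None, limit


def find_collision(bits: int = 20, limit: int = 1 << 24):
    """Property 3: any two distinct inputs with equal digests. Storing every
    digest seen so far turns this into a birthday search with expected work
    about 2**(bits/2), far below the cost of a pre-image."""
    seen = {}
    for i in range(limit):
        m = b"collision-%d" % i
        h = toy_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None, None, limit


def birthday_bound(bits: int) -> float:
    """Expected evaluations before the first collision: sqrt(pi/2 * 2**bits).
    For bits = 128 this is on the order of 2**64, the figure in footnote 10."""
    return math.sqrt(math.pi / 2 * (1 << bits))
```

Run with a 20-bit digest, the collision search typically ends after a little over a thousand evaluations while the pre-image searches need on the order of a million; the ratio grows as the square root of the digest space, which is why a digest must be twice as long as the security level it is meant to provide against collisions.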

Examples of well-known hash functions are MD4, MD5, SHA-1 and RIPEMD-160. MD4 and MD5 were developed by Ron Rivest at MIT for RSA Data Security. They are meant for digital signature applications where a large message has to be "compressed" in a secure manner before being signed with the private key. All three algorithms take a message of arbitrary length and produce a 128-bit message digest [RSA96].

Recent work by Hans Dobbertin has discovered that collisions for MD4 can be found within a few minutes on a typical PC. Even more impressive is the fact that collisions can be constructed, in around an hour, so that the text they represent makes sense [Dob95]. Clearly, MD4 should now be considered broken and should not be used anymore for making a digital signature.

MD5 was developed by Rivest in 1991. It is basically MD4 with "safety-belts" and while it is slightly slower than MD4, it is more secure [RSA96]. At Eurocrypt 96 it was announced that collisions for the compression function of MD5 had been found [Dob96]. Dobbertin demonstrated that collisions for the compression function of MD5 could be found in around 10 hours on a PC [Rob96].

Both algorithms, MD4 and MD5, were submitted to the RIPE consortium^9, which was an EU-sponsored project active between 1988 and 1992 with a goal to propose a portfolio of recommended integrity primitives based on an open call for algorithms. Its independent evaluation of MD4 and MD5 led to the conclusion that these hash functions are less secure than anticipated. As a consequence, the consortium proposed a strengthened version of MD4, which was called RIPEMD. This version was later replaced by RIPEMD-160, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. It is intended to be used as a secure replacement for the 128-bit hash functions^10 MD4, MD5, and RIPEMD.

Another alternative to RIPEMD-160 is SHA-1 [Pub93]. This also is a further refinement of the MD5 algorithm. As it stands both RIPEMD-160 and SHA-1 are deemed secure and are the currently recommended hash functions [IEE98] [Sch98].

At this point all aspects have been dealt with, within the scope of this thesis. What remains is an overview of how the quality aspects of information transfer, as stated in section 2.1 of chapter 2, have securely been taken care of.

^9 RIPE stands for RACE Integrity Primitives Evaluation; the consortium members were C.W.I. (NL), prime contractor, Aarhus University (DK), KPN (NL), K.U. Leuven (B), Philips Crypto B.V. (NL), and Siemens AG (D).

^10 A 128-bit hash result does not offer sufficient protection anymore. A brute force collision search attack on a 128-bit hash result requires $2^{64}$ or about $2 \cdot 10^{19}$ evaluations of the function. In 1994 Paul van Oorschot and Mike Wiener showed that this brute-force job can be done in less than a month with a $10 million investment. This cost is expected to halve every 18 months.


5.5 Compliance to quality aspects

The model for secure information transfer consisted of the following quality aspects:

- Safe usage;

- Content integrity;

- Confidentiality;

- Authentication of sender and receiver;

- Non-repudiation of delivery and receipt.

These issues have been dealt with in the following way.

Safe usage: The service should only be available to those users that are authorized. Issues that have covered this aspect concern the key storage in section 5.1.2. The following measures should be taken to ensure authorized usage of keys:

- Copying of a private key should not be possible without the owning entity finding out;

- Use of a private key should not be possible without some private knowledge.

Integrity: The content of data sent may not be susceptible to change, or at least any change should be identifiable. A digital signature provides a solution to this problem. The signature is message and signer dependent. If the message has been changed then this can be securely assessed with the help of the digital signature. Issues that have covered this aspect concern the public key algorithm, in sections 2.7 and 5.3, and the one-way function, sections 2.7.1 and 5.4. These algorithms should be closely monitored in order to assess the decline in 'security' due to advances in cryptography. German law has drafted a safeguard catalogue, see section ?? [Age97], that describes how individual components should be configured.

Confidentiality: The content of data should be illegible to third parties. A digital envelope, see section 2.9.7, provides a solution to this problem. Issues that have covered this aspect concern the public key algorithm and the one-way function, as discussed above. Other issues that also need to be handled concern the usage of symmetric encryption, see section 2.6, and, also very important, abundant amounts of symmetric keys have to be 'produced'. The generation of keys has been dealt with in section 5.1.1.


Authenticity The origin andthe receiver of datashouldbe irrefutably de-termined.Thishasbeenachievedwith thehelpof certificates,this hasbeendiscussedin section3.1 andsection5.2.3. Thehelpof a third partyis necessaryto securelyassestheidentityof an entity. Introducinga third party requiresmany organi-zationalmeasuresto betakenandtheintroductionof a publickey infrastructure,aswasexplainedin chapter3. The intro-ductionof a truststructureandmorespecifica third party in-troducesa greatmany complex issues.The issue‘trust’ hasonly briefly beendealtwith. Criteriahave to besetto quantifytrust. Thesecriteriahave beentranslatedinto legislation,seechapter4 section4.2.2.2,section??andsection4.4.

Non-repudiation  The sender or receiver of data should not be able to deny having sent or received a message. This item was split up into:

- non-repudiation of the sender: this issue is handled with the help of the digital signature, which irrefutably proves that the sender sent a message;

- non-repudiation of the receiver: this issue is handled when the receiver sends a signed reply back to the sender.

5.6 Summary

This chapter has given a more thorough explanation of specific aspects that are very important for public key encryption.

Key generation is very important. This is necessary for the production of public keys, but also because of the use of digital envelopes, which require a key to be 'produced' for every package. Thus abundant key generation possibilities should be available.

A standard certificate is important if it is to be possible to communicate with all people on the Internet.

An insight has been given into different public key encryption techniques that are being developed and those that are in use. Due to better understanding of the technique it is possible to 'crack' the methods faster than ever was thought possible. This will require constant attention. Also a new technique, elliptic curve, was introduced, which is currently being implemented in an IEEE standard. This technique, although young, has a promising future.

Different one-way functions were also shown, and the developments that have been made at this end.

At the end of this chapter an overview was given of how the quality aspects of information transfer have been securely dealt with. Information from the previous chapters was given to provide a complete view.


Chapter 6 Current implementations

Up to this point all information given in the previous chapters was more or less theoretical background. The question now remaining is:

How are current implementations adhering to the requirements?

To get a quick look at how certificates are implemented in the world today, the easiest way is to start a current e-mail browser¹. They have built-in security features that make use of certificates.

6.1 Internet browsers

Figure 6.1 shows the TTP certificates that have been incorporated into the software. With these certificates it is possible to check the certificates received from an entity for correctness. Taking a closer look at the certificate, as shown in figure 6.2.a, reveals information concerning the owner and the issuer, the serial number, the validity of the certificate and the digital fingerprint itself². Furthermore it can be set whether a certificate that has been received from an entity should be accepted for certifying network sites, e-mail or software developers.

With the help of these certificates it is possible to check the correctness of www-pages, e-mail messages and other data received over the Internet. Software that makes use of these certificates and techniques includes the following:

- Secure Socket Layer - SSL. The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application. The SSL protocol maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes. The SSL protocol is application independent, allowing protocols like HTTP, FTP and Telnet to be layered on top of it transparently [RSA96].

¹ This could for instance be Netscape Communicator or Windows Internet Explorer. This chapter will use Netscape Communicator 4.04 as an example.

² Note that the issuer and the owner of the certificate are the same. This is because the CA has signed his own certificate. Everything has to start somewhere.


Figure 6.1: CA certificate incorporated in Netscape Communicator

- Secure Hypertext Transfer Protocol - S-HTTP. S-HTTP is designed to provide confidentiality, authenticity, integrity, and non-repudiability while supporting multiple key management mechanisms and cryptographic algorithms via option negotiation between the parties involved in each transaction. S-HTTP operates at the application layer [RSA96].

This method is a great improvement over non-encrypted standard e-mail and web browsing, because it can provide for secure www-sites and e-mail.

6.1.1 Certificate authorities on the web

A certificate for a web browser can be requested at any of the certification authorities on the web. A sample of CAs currently delivering certificates for web browsers can be seen in table 6.1 [Net].

VeriSign                                      http://www.verisign.com
Thawte Consulting                             http://www.thawte.com
Società per i Servizi Bancari - SSB S.p.A.    http://www.ssb.net
Internet Publishing Services                  http://www.ips.es
Certisign Certification Digital Ltda          http://www.certisign.com.br
BelSign                                       http://www.belsign.be

Table 6.1: Certification authorities

These CAs allow for different types of certificates to be created. There is a common differentiation between certificate classes, all providing different security checks.


Figure 6.2: Certificate from CA and certificate from entity signed by CA

This can range from checking an e-mail address to verifying whether a person might have a certain function at an existing company. This all comes at a price, of course.

6.1.1.1 Certificate creation with browser

The certification request procedure, within a browser, is an almost automated process. After selecting the proper certificate class³, the request for a free test certificate with limited value goes as follows⁴:

1. The user is requested to enter his personal information on the web site;

2. The public/private key pair is automatically generated on the computer of the user;

3. The public key is sent to the CA, while the private key remains on the computer of the user;

4. The CA generates the certificate;

5. The user receives an e-mail with an authentication code to retrieve his certificate;

6. The user requests his certificate at the site with the authentication code from the CA, thus making the certificate available to other users;

7. The certificate is placed on the computer of the user and is ready to use.

³ There exist different certificate classes. Each class provides for a designated level of trust. This depends on the different quality control procedures.

⁴ This test was conducted at the VeriSign site. At this site a free test certificate can be obtained that has certain limitations. Class 1 Digital ID costs an annual fee of US$ 9.95, Server Digital ID first year: US$ 349, Commercial Software Publisher (Class 3) Digital ID annual fee: US$ 400.


This is all done in a secured environment with the help of SSL. For other certificate classes prior contact might be needed. This will allow the CA to check the identity of the end-entity and exchange an identification code with which the end-entity can uniquely identify itself at the certification request.
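The request procedure above, replayed locally as an added example (this is not VeriSign's, Netscape's or the thesis's own code) with the Python cryptography package. The key pair is generated on the client side and only the public key, wrapped in a signed certificate request, reaches the CA, which is exactly the property of steps 2 and 3; the CA name, the user's e-mail address and the validity periods are constructed placeholders. The final check does what the browser does when it displays figure 6.2: it verifies the CA's signature over the certificate body and reads out owner, issuer, serial number and fingerprint.

```python
"""Added example: the browser-style certificate request of section 6.1.1.1,
replayed locally with the `cryptography` package. CA name, user e-mail and
validity periods are constructed placeholders, not any CA's real procedure."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_ca(common_name):
    """The CA signs its own certificate: issuer == subject (footnote 2)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def client_request(email):
    """Steps 1-3: the key pair is generated on the user's machine; only the
    public key (inside a self-signed CSR) leaves it. The private key never does."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_issue(ca_key, ca_cert, csr_pem, days=30):
    """Step 4: the CA checks that the requester holds the private key (CSR
    self-signature) and issues a certificate signed with the CA key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def browser_check(cert_pem, ca_cert):
    """Step 7 and figure 6.2: verify the CA's signature over the certificate body,
    then read out owner, issuer, serial number and fingerprint."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca_cert.public_key().verify(          # raises InvalidSignature if not signed by this CA
        cert.signature,
        cert.tbs_certificate_bytes,
        padding.PKCS1v15(),
        cert.signature_hash_algorithm,
    )
    return {
        "owner": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial": cert.serial_number,
        "fingerprint_sha256": cert.fingerprint(hashes.SHA256()).hex(),
        "ca_self_signed": ca_cert.subject == ca_cert.issuer,
    }


def run_request_flow():
    """The whole flow end to end; returns what the browser would display."""
    ca_key, ca_cert = make_ca("Example Test CA")                   # placeholder CA
    user_key, csr_pem = client_request("alice@example.invalid")    # placeholder user
    cert_pem = ca_issue(ca_key, ca_cert, csr_pem)
    info = browser_check(cert_pem, ca_cert)
    # The issued certificate must carry the public half of the key that stayed local.
    cert = x509.load_pem_x509_certificate(cert_pem)
    info["key_matches_local_private_key"] = (
        cert.public_key().public_numbers() == user_key.public_key().public_numbers()
    )
    return info


if __name__ == "__main__":
    for field, value in run_request_flow().items():
        print(f"{field}: {value}")
```

What the example does not do is equally instructive: nothing in it checks revocation, which is the shortcoming the next section raises for off-line TTPs.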

6.1.2 Shortcomings in the method

Besides the fantastic software that automates almost every part of the process and the added security, there still remain a few shortcomings in this method.

The CAs as described above can be qualified as off-line TTPs⁵. In this method there is no automated process to check the validity of a certificate. Thus someone might receive a message of which the certificate is compromised. This will not be noticed until the receiver of the message checks in the repository whether the certificate was revoked or not.

Furthermore the sender of a message has no automated means to check whether a message has been received or not.

6.2 A specialized implementation, NetDox

While the method described above provides a great improvement, the shortcomings described in the previous section do exist. These can be overcome with an in-line TTP⁶. An in-line TTP can verify certificates for their correctness, notarize the time and date a message was sent and provide other features. An implementation that operates as an in-line TTP is NetDox⁷.

If Alice wants to send a message to Bob, as shown in figure 6.3, she will do the following⁸ ⁹ [Net97]:

1. Alice first retrieves the certificate of Bob;

2. Alice then creates a digital envelope for Bob, the inner wrapper as shown in figure 6.3;

3. The software then attaches the digital certificates used in the transaction and waybill information to the digital envelope. Another digital signature is then made of this larger package using the sender's private key. This entire larger package is then re-encrypted with NetDox's own public key to form a digital envelope. This file is sent over the Internet in a standard format. This double-encrypted file is called a Dox;

4. The Dox is then sent to NetDox;

⁵ See section 3.5 of chapter 3.

⁶ As described in section 3.4 of chapter 3.

⁷ http://www.netdox.com

⁸ Both Alice and Bob of course have to be known by NetDox.

⁹ Working with NetDox requires the special NetDox program that can be downloaded from the NetDox site.


5. NetDox removes the outer layer of the Dox, checks the authenticity of the message and then archives the digital signature of the original message with a time-stamp indicating when the Dox has been received, processed and sent to Bob;

6. NetDox then repackages the inner wrapper with the public key of Bob and sends it to Bob;

7. When Bob receives the message and opens it, a message is sent to NetDox to indicate the package has been opened. This acknowledgment is time-stamped and archived.

Figure 6.3: Dox going from sender to NetDox

NetDox thus always checks the repository to make sure both parties are using valid certificates and are thus making a legal transaction. An automated reply is also sent to NetDox. The added functionality of the process concerns the fact that both parties trust NetDox and NetDox notarizes all actions with a time-stamp. This can be used as evidence in case of a dispute.
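The seven-step Dox exchange, modelled as an added example (not NetDox's software or wire format, and not the thesis's own code) with the Python cryptography package. It also covers the two non-repudiation items from the summary of chapter 5: Alice's signature over the package, and Bob's signed, time-stamped receipt. The JSON layout, the waybill fields and the choice of Fernet for the symmetric layer, RSA-OAEP for key wrapping and RSA-PSS for signatures are this example's assumptions. The inner wrapper is already encrypted to Bob's key, so step 6 is modelled as forwarding it unchanged; a second function shows that a Dox whose waybill names Alice but was signed with a different key is refused at step 5.

```python
"""Added example: the NetDox Dox flow of section 6.2 (steps 1-7), modelled with
the `cryptography` package. JSON layout, waybill fields and the Fernet/OAEP/PSS
choices are this example's assumptions, not NetDox's actual format."""
import base64
import datetime
import json

from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def envelope(recipient_pub, plaintext):
    """Digital envelope: a fresh symmetric key per package (the 'abundant keys'
    of section 5.6), wrapped with the recipient's public key."""
    sym = Fernet.generate_key()
    return {"key": base64.b64encode(recipient_pub.encrypt(sym, OAEP)).decode(),
            "body": Fernet(sym).encrypt(plaintext).decode()}


def open_envelope(recipient_priv, env):
    sym = recipient_priv.decrypt(base64.b64decode(env["key"]), OAEP)
    return Fernet(sym).decrypt(env["body"].encode())


def sign(priv, data):
    return base64.b64encode(priv.sign(data, PSS, hashes.SHA256())).decode()


def verify(pub, sig, data):
    pub.verify(base64.b64decode(sig), data, PSS, hashes.SHA256())   # raises InvalidSignature


def alice_builds_dox(alice_priv, bob_pub, netdox_pub, message):
    """Steps 2-3: inner wrapper for Bob, waybill + Alice's signature, outer wrapper
    for NetDox. The result (the Dox) is what travels over the Internet."""
    inner = envelope(bob_pub, message)                                   # only Bob can open
    package = json.dumps({"inner": inner, "waybill": {"from": "alice", "to": "bob"}}).encode()
    signed = json.dumps({"package": package.decode(), "sig": sign(alice_priv, package)}).encode()
    return envelope(netdox_pub, signed)


class NetDox:
    """Steps 5-7: the in-line TTP. `directory` maps names to public keys and stands
    in for the certificate repository NetDox consults."""

    def __init__(self, priv, directory):
        self.priv, self.directory, self.archive = priv, directory, []

    def _stamp(self, event, sig):
        self.archive.append({"event": event, "sig": sig,
                             "time": datetime.datetime.now(datetime.timezone.utc).isoformat()})

    def process(self, dox):
        signed = json.loads(open_envelope(self.priv, dox))                # remove outer layer
        package = signed["package"].encode()
        contents = json.loads(package)
        verify(self.directory[contents["waybill"]["from"]], signed["sig"], package)
        self._stamp("received", signed["sig"])                           # step 5: archive
        return contents["inner"]                                         # step 6: to Bob

    def acknowledge(self, who, receipt, sig):
        verify(self.directory[who], sig, receipt)                         # step 7
        self._stamp("opened", sig)


def run_dox_flow(message=b"Contract draft v3"):          # constructed sample message
    alice, bob, netdox_key = keypair(), keypair(), keypair()
    ttp = NetDox(netdox_key, {"alice": alice.public_key(), "bob": bob.public_key()})
    dox = alice_builds_dox(alice, bob.public_key(), netdox_key.public_key(), message)
    inner = ttp.process(dox)                              # step 4: Dox arrives at NetDox
    received = open_envelope(bob, inner)                  # Bob opens the inner wrapper
    receipt = b"opened:" + received                       # step 7: signed acknowledgment
    ttp.acknowledge("bob", receipt, sign(bob, receipt))
    return {"bob_got": received, "events": [e["event"] for e in ttp.archive]}


def forged_dox_rejected():
    """A Dox whose waybill claims 'alice' but is signed by another key is refused."""
    alice, bob, netdox_key, mallory = keypair(), keypair(), keypair(), keypair()
    ttp = NetDox(netdox_key, {"alice": alice.public_key(), "bob": bob.public_key()})
    dox = alice_builds_dox(mallory, bob.public_key(), netdox_key.public_key(), b"x")
    try:
        ttp.process(dox)
    except InvalidSignature:
        return True
    return False
```

The archive entries are what the text calls evidence in case of a dispute: each carries the signature it relates to and the TTP's own time-stamp, and it is the TTP's clock and key, not the parties', that give the record its weight.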

6.3 Compliance of implementation with quality aspects

Looking back at the different aspects of information transfer, as stated in section 2.1 of chapter 2, these implementations provide the following:

- Safe usage: this issue has not been dealt with completely. In the view of these applications the end-entity is the only person who can use his private key because:

  1. He has possession of the private key;

  2. He knows the password necessary to use the key.

  Legislation however states that it should not be possible to copy the key. This cannot be guaranteed due to the storage of the private key on a disk.

- Integrity, confidentiality and non-repudiation: this is achieved with the help of the digital signature as explained in chapter 2.

- Authentication: authentication is provided by the TTP that issues a certificate.

6.3.1 Compliance of current implementation with technical aspects

Current Internet browsers make use of 'weak' encryption for confidentiality. This is due to legislation that has limited the use of strong encryption¹⁰. Authentication occurs in a secure way with a 'good' hash function and a 'strong' public key, thus creating a 'strong' digital signature which is secure.

NetDox makes use of double encryption. The message is first packed in a digital envelope. Extra information is then added, which is then re-packed and encrypted with 'strong' encryption. Should a government body want to have access to a message, then it would have to have access to the private key of NetDox in order to extract the 'weak' encrypted message¹¹.

6.3.2 Compliance of current implementations with organizational aspects

To get a good overview of the organizational implementation aspects of a TTP, the best way is to read the Certification Practice Statement. These explain what functions or services are offered and how these should be interpreted. There are a few basic requirements which should be fulfilled, but more important is that what is said actually occurs. This should be verified by an independent auditor and the outcome should be made public.

6.3.3 Compliance of current implementations with legislation

Although no single law exists, there is a broad consensus on how TTPs should manage their organization. These issues have been stated in chapter 4. After reading the CPS one can conclude that much attention has been given to these aspects. It is however difficult to check these issues given no more than a CPS. This should be left to an external auditor who, as a trusted third party, can verify this.

This brings us to the implementation at the end-entity. Concerning the creation, storage and use of keys, most current implementations store and create these on the computer itself. As stated before this does not comply with legislation¹². As added security, besides the password protection, some TTPs suggest that the computer on which these keys are stored should be protected against unauthorized access and have virus protection software. In the end however, the TTP states that it is the responsibility of the end-entity to protect his private key [Ver98].

¹⁰ For instance Netscape offers only 40-bit symmetric encryption. Plans are to increase this value to 128-bit symmetric encryption.

¹¹ This weakly encrypted message could be 'cracked' by a government agent.

¹² See section 5.1.2 of chapter 5.

Recent virus attacks such as Trojan Horses¹³, that change a computer into a server when it has an on-line connection with the Internet, make physical attacks perhaps less of a threat. A hacker could attack a computer contaminated with such a virus from anywhere in the world without ever having seen or touched the computer.

Currently there are two types of hardware devices available that are more secure than a hard drive for storing a private key and other information¹⁴. These are known as tokens (typically PCMCIA cards or special floppy disks) and smart cards [Ver98]. Currently such tokens are not an integral part of current standard implementations¹⁵.

6.4 Summary

This chapter has shown the working of two widely available programs, Netscape Communicator and Windows Internet Explorer, and explained the working and shortcomings of these.

A specialized application, NetDox, was then shown that has added functionality and can overcome certain problems associated with the other applications. At this point all aspects that were necessary for secure information transfer have been implemented.

The applications were then tested against the quality aspects of information transfer as stated in section 2.1 of chapter 2. It was shown that they did not completely comply with these requirements. This included the storage of keys, which occurred on a disk.

The three different views, technical, organizational and judicial, were then mapped against the working of the current implementations.

¹³ For instance: "Back Orifice (BO) is a remote administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI application. On a local LAN or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has" [Kas98].

¹⁴ This other information could include the certificate of the CA. This certificate is necessary to check other certificates, web pages and programs.

¹⁵ Netscape Communicator 4.04 does have the option of using different cryptographic modules. This could also include a cryptographic hardware token.


Chapter 7 Conclusion

The intent of this thesis was to provide requirements for secure information transfer across an open digital network, with such properties that the information sent has legally binding properties, and furthermore to test current implementations against these requirements. This had been divided into different aspects: technical, organizational and legal.

This chapter will reflect on the three aspects together that have been dealt with and try to answer whether this solution can be used as evidence in court, because of the combination of these aspects.

7.1 Technical aspects

As stated in section 5.3 of chapter 5, none of the public key encryption methods and one-way functions has been proven to be intractable. Rather, they are believed to be. Several legislations¹ have approved the usage of these methods because, as it stands, they prove to give sufficient security. The security of these methods will however remain an important issue that has to be evaluated periodically. This is also due to recent developments that have shown ever shorter periods to 'crack' these methods. These developments will probably produce faster 'cracking solutions' in even shorter times, for the following reasons:

- More computing power has become available to mount brute force attacks. This is for the following reasons:

  - Computers are becoming ever faster while the costs are decreasing;

  - Advances in distributed computation make it easier to distribute a problem over several computers²;

¹ These include Germany and Utah.

² RSA Laboratories have issued several challenges to crack the DES algorithm. These produced ever faster 'cracking' results that were produced by teams all over the world offering processor time. The latest challenge was won by a team that used nearly 100,000 PCs on the internet and cracked a 56-bit DES algorithm in 22 hours [RSA99].


- Increased interest in 'cracking' these methods has caused specialized methods to be developed³.

At the other end, recent developments have also shown new techniques that prove to be computationally faster but just as strong as RSA encryption⁴.

One can conclude that technically much is changing. Methods that are 'safe' today could be 'cracked' within a year. This has to be kept in mind when using this technique. This criticism must not be interpreted as "no secure method exists". Currently several encryption methods do possess a certain amount of security that is 'safe' and has been approved by several government bodies.

7.2 Organizational aspects

Building trust structures is both very complex and costly. First it has to be decided what type of TTP will be developed: an off-line, on-line or in-line TTP. Then what services or functions will be offered. This will then have to be implemented. All these aspects will have to be documented and checked.

At the same time, attention has to be given to legislation. A German TTP must have a license before starting business. A Utah TTP can start business, but without a license the certificates will not have any legal value. In the Netherlands no legislation as of yet exists. A judge may use a digitally signed message as evidence, but could also ignore it. The question remains what a Dutch or German judge will do with a digitally signed message that has legal value in Utah.

Another problem concerns standardization. There is an international standard on certificates, the ITU-T X.509. The contents of this certificate standard can however change from CA₁ to CA₂. This is due to the following reasons:

- Non-uniformity of contents. CA₁ may insert information concerning e-mail or telephone number while CA₂ does not. There is no unique 'standard' content for a certificate. Certificates can therefore be interpreted differently;

- Interpretation of the contents may vary. While CA₁ may check a name against that of a passport, CA₂ may take a name for granted. Thus the same items listed in a certificate may have different meaning.

Besides the contents of a certificate, although standard, the format in which a certificate is distributed is not standard. Thus a certificate 'understood' by Netscape cannot be imported in Microsoft Internet Explorer⁵. This is awkward to say the least.

One can describe the actions of TTPs as that of jumping into a large swimming pool, without knowing how to swim, and trying to stay afloat. Eventually someone will hopefully stay afloat and others will follow his example, thus setting a standard.

The TTPs adhere to the general public key infrastructure framework as set forth in chapter 3. The general framework is however also under construction. Certain features⁶ are still under construction or revision due to problems encountered either in practice or due to legal obligations. This causes the actual implementations to differ and thus obstructs a general method.

³ See section 5.3 of chapter 5, for the decrease in MIPS-years for cracking RSA.

⁴ This concerns elliptic curve encryption.

⁵ VeriSign for instance offers different export formats for their certificates. These only include those for major formats.

7.3 Legislation

Compliance with legislation is an important issue in this thesis. As stated in the introduction, small communities can solve their problems internally, but large communities that have not had any previous contact must rely on different solutions. Legislation can play a major part in this.

Legislation concerning digital signatures does exist, but it is not uniform. This means a different interpretation can be given to the same digital signature. How these differences will be interpreted remains to be seen. No current jurisprudence exists.

7.4 Conclusion

Looking back at the different aspects one can state the following:

- From a technical point of view, there exist the necessary algorithms⁷ to provide for adequate security. The necessary keys can also be generated in a secure way. The implementations at the end-entity however use non-hardware devices to generate and store these keys. Thus the technical implementations at the end-entity have certain flaws;

- From an organizational and judicial point of view, there is broad consensus on how a TTP should implement its organization⁸. The actual implementations differ however. Some legislation acknowledges digital signatures while other merely states what should constitute a good solution. Both Utah and German law however state that a legal TTP should have a yearly audit performed to evaluate compliance with this law. The CPS of VeriSign does not mention any audits that have been performed, thus this issue remains uncertain.

Concerning the first issue, the generation and storage of cryptographic material, the German authorities have approved three cryptographic modules. These concern a key generation module, a library function module and a signature token module. All three modules have been produced by Deutsche Telekom AG [fTuPR98]. Approved tokens are thus not widely available and very costly.

Concerning the second issue, the approved CAs, the state of Utah has currently recognized only three CAs [Uta99]. VeriSign is not on this list of approved CAs⁹. Receiving a license is very costly. It requires extensive procedures to be implemented and should be checked by qualified auditors. Because these procedures are not uniform in different countries and states, this would require an audit to be performed according to different laws. An almost impossible task.

⁶ This includes for instance the Online Certificate Status Protocol (OCSP) and the X.509 certificate, which has a current version 3.

⁷ Secret key, public key and hash functions.

⁸ These concern the services such as certificate generation, revocation, production of a repository for certificates, production of a CRL, OCSP et cetera, and the technical and personal implementation.

⁹ A license only has validity in the state of Utah.

Providing for a universally recognized digital signature thus proves very difficult for the following reasons:

- Non-uniformity of the technical implementations: different algorithms are used by different organizations. These include both public key and hash algorithms. This can make communication between the different applications impossible;

- Non-uniformity of organizational implementations: different organizations have implemented PKI structures that differ in structure. This can lead to different interpretations of the implementations;

- Non-uniformity of legislation: different legislations have different interpretations. German law gives a guideline as to what should constitute a 'good' signature, but does not give it a legal status, while Utah law actually gives a digital signature the same status as a hand-written one under certain circumstances.

The above criticism does however not limit the use of TTPs. Individual TTPs can build good infrastructure that can provide for adequate security within a limited community. These structures can function perfectly without legislation¹⁰. Within the limits of these structures, and with the help of the CPS of the different TTPs, different "web of trust" structures can be built with their own set of rules.

7.5 Future

The future will show at what rate this technology will be incorporated into daily life and how it will be used. A large number of organizations have invested in building a public key infrastructure, but it remains to be seen whether the public will perceive this infrastructure as one to be 'trusted'. A great part of this trust could perhaps be generated with a proper education of the public to understand the technique and learn to use it properly.

The future will perhaps also introduce standard cryptographic token formats. This will make these facilities available at low cost to a wide mass of the public and enhance the security of digital signatures.

7.6 Afterthought

A great many issues have been dealt with in this thesis, but many have not even been mentioned due to the scope of this thesis. Certain issues dealt with have been given limited attention while these issues could have produced enough information for an entire thesis. Most issues have however been discussed and the reader should now have a clear understanding of the public key infrastructure and the working of digital signatures.

¹⁰ VeriSign for instance is currently a major supplier of digital signatures for a wide range of companies.


7.7 Future research

An important issue that should be dealt with concerns the validity of a digital signature in time. It is common knowledge that encryption methods have a limited life-span. This will make signatures made in the past susceptible to forgery. Thus signature update procedures will have to be installed, or signatures should receive a limited life-cycle. For certain documents limiting the life-cycle is not acceptable. Thus measures should be installed to periodically update the signature and at the same time take such measures that old document formats can still be read.


Appendix A History of encryption

Encryption methods have historically been divided into two categories: substitution ciphers and transposition ciphers.

A.1 Substitution Ciphers

Substitution ciphers preserve the order of the plaintext symbols but disguise them. In a substitution cipher each letter or group of letters is replaced by another letter or group of letters to disguise it. One of the first methods of encipherment was the Caesar cipher devised by Julius Caesar. This method and numerous other methods which have been devised since then were based on the substitution of characters as shown in figure A.1. In this method A becomes N, B becomes O, C becomes P, ... and Z becomes M.

Here the shift becomes a key to the general method of circularly shifted alphabets. The next improvement is to have each of the symbols in the plaintext, say the 26 letters for simplicity, map onto some other letter. The general system is called a mono-alphabetic substitution, with the key being the 26-letter string corresponding to the full alphabet.

Mathematically, if $m = m_1 m_2 \ldots m_n$ is a plaintext message with $m_i \in A = \{0, 1, \ldots, 25\}$ and $\sigma$ is a permutation over $A$, then the encryption of the message $m$ reads:

$E(m) = \sigma(m_1)\,\sigma(m_2) \ldots \sigma(m_n)$

Figure A.1: Caesar cipher


A.1.1 Breaking a substitution cipher

Although the cryptanalyst knows the general system, he does not know which of the $26! \approx 4 \times 10^{26}$ keys is in use. At 1 µsec per solution, a computer would take $10^{13}$ years to try all keys. Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily. In English, for example, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations, or digrams, are th, in, er, re and an. The most common three-letter combinations, or trigrams, are the, ing, and, and ion.

A cryptanalyst trying to break a mono-alphabetic cipher would start out by counting the relative frequencies of all letters in the ciphertext. Then he might tentatively assign the most common one to e and the next most common one to t.

He would then look at trigrams to find a common one of the form tXe, which strongly suggests that X is h. The search would continue looking for other known trigrams like and. By making guesses at common letters, digrams and trigrams and knowing about likely patterns of vowels and consonants, the cryptanalyst builds up a tentative plaintext, letter by letter.
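The mono-alphabetic substitution of section A.1 and the first three moves of the attack just described, as an added example that is not part of the thesis. The 26-letter key string, the English frequency order used for the first guess, and the sample plaintext (deliberately rich in e and t so that the first two guesses land) are constructed for this example; the functions also produce the circularly shifted Caesar alphabet of figure A.1 as the special case of a key.

```python
"""Added example (not from the thesis): mono-alphabetic substitution (section A.1)
and the frequency-based attack sketched in A.1.1. The key string and the sample
plaintext are constructed for this example."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
ENGLISH_ORDER = "ETOANI"          # most common English letters, as listed in the text

# constructed sample: rich in E and T so that the first two guesses are correct
SAMPLE = ("THE SEVEN ELDERS WERE SEEN NEAR THE GREEN HEDGE WHERE THE DEER FEED "
          "EVERY EVENING AND THE KEEPER BELIEVES THAT THE SCENE IS THE SAME "
          "EVERY WEEK AND THAT THE TEA IS HOT AT THE TENT")
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"  # constructed 26-letter permutation (E->T, T->Z, H->I)


def caesar_key(shift):
    """Circularly shifted alphabet; shift 13 gives A->N ... Z->M as in figure A.1."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitute(text, key):
    """E(m) = sigma(m_1) sigma(m_2) ...: map each letter through the 26-letter key."""
    return text.upper().translate(str.maketrans(ALPHABET, key))


def invert(key):
    """Decryption key, i.e. the inverse permutation sigma^-1."""
    return "".join(ALPHABET[key.index(c)] for c in ALPHABET)


def ranked_letters(ciphertext):
    """Step 1 of the attack: ciphertext letters by decreasing frequency."""
    return [c for c, _ in Counter(c for c in ciphertext if c in ALPHABET).most_common()]


def tentative_mapping(ciphertext):
    """Step 2: most common ciphertext letter -> E, next -> T, and so on."""
    return dict(zip(ranked_letters(ciphertext), ENGLISH_ORDER))


def guess_h(ciphertext, mapping):
    """Step 3: a frequent trigram of the form tXe strongly suggests that X is h."""
    cands = Counter()
    for i in range(len(ciphertext) - 2):
        a, x, e = ciphertext[i], ciphertext[i + 1], ciphertext[i + 2]
        if mapping.get(a) == "T" and mapping.get(e) == "E" and x in ALPHABET:
            cands[x] += 1
    return cands.most_common(1)[0][0] if cands else None


def attack_demo():
    """Encrypt SAMPLE with KEY, then recover the images of e, t and h by frequency
    alone; the true key is used only to grade the guesses."""
    ct = substitute(SAMPLE, KEY)
    ranked = ranked_letters(ct)
    guessed = {"E": ranked[0], "T": ranked[1], "H": guess_h(ct, tentative_mapping(ct))}
    truth = invert(KEY)
    correct = {plain: g is not None and truth[ALPHABET.index(g)] == plain
               for plain, g in guessed.items()}
    return {"ciphertext": ct, "guessed": guessed, "correct": correct,
            "roundtrip_ok": substitute(ct, truth) == SAMPLE}
```

With a text this short the later letters of ENGLISH_ORDER already start to misfire, which is why the text speaks of tentative assignments refined by digrams and trigrams rather than of a single pass.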

A.2 Transposition Ciphers

Transposition ciphers reorder the letters but do not disguise them. The cipher is keyed by a word or phrase not containing any repeated letters. For an example see figure A.2. The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on. The plaintext is written horizontally, in rows. The ciphertext is read out by columns, starting with the column whose key letter is the lowest.

Figure A.2: Transposition encryption


A.2.1 Breaking a transposition cipher

To break a transposition cipher, the cryptanalyst must first be aware that he is dealing with a transposition cipher. By looking at the frequency of E, T, A, O, I, N, etc. it is easy to see if they fit the normal pattern for plaintext. If so, the cipher is clearly a transposition cipher, because in such a cipher every letter represents itself.

The next step is to make a guess at the number of columns. In many cases a probable word or phrase may be guessed at from the context of the message. From this the number of columns could be deduced.

The remaining step is to order the columns. When the number of columns, $k$, is small, each of the $k(k-1)$ column pairs can be examined to see if its digram frequencies match those for English plaintext. This will be tried and tested for different positions.
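The keyed columnar transposition of section A.2 together with the three attack steps of A.2.1, as an added example that is not part of the thesis. The key word, the sample text, the digram list (the five named in A.1.1) and the detection threshold are this example's constructions. Step 1 compares the share of E, T, A, O, I, N in the ciphertext with what plaintext shows; step 3 is carried out in the general form, scoring every ordering of the $k$ columns by its digram count, which for small $k$ is cheap enough to do exhaustively rather than pair by pair.

```python
"""Added example (not from the thesis): the keyed columnar transposition of
section A.2 and the three attack steps of A.2.1. Key word, sample text, digram
list and the 0.40 threshold are constructed for this example."""
from collections import Counter
from itertools import permutations

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
COMMON = "ETAOIN"                            # most frequent English letters
DIGRAMS = ("TH", "IN", "ER", "RE", "AN")     # the common digrams named in A.1.1

KEY = "BDAC"                                 # constructed key, no repeated letters
SAMPLE = "THERE IN THERE AND THIN AN EAR"    # constructed: 24 letters = 6 rows of 4


def column_order(key):
    """Column 1 is under the key letter closest to the start of the alphabet, etc."""
    return sorted(range(len(key)), key=lambda i: key[i])


def transpose_encrypt(plaintext, key, pad="X"):
    text = "".join(c for c in plaintext.upper() if c in ALPHABET)
    width = len(key)
    text += pad * (-len(text) % width)       # fill the last row
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in column_order(key) for row in rows)


def transpose_decrypt(ciphertext, key):
    width = len(key)
    height = len(ciphertext) // width
    rows = [[""] * width for _ in range(height)]
    pos = 0
    for col in column_order(key):            # refill the columns in key order
        for r in range(height):
            rows[r][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(r) for r in rows)


def looks_like_transposition(ciphertext, threshold=0.40):
    """Step 1: letters represent themselves, so E,T,A,O,I,N keep their plaintext share."""
    counts = Counter(ciphertext)
    share = sum(counts[c] for c in COMMON) / max(1, len(ciphertext))
    return share >= threshold


def digram_score(text):
    return sum(1 for i in range(len(text) - 1) if text[i:i + 2] in DIGRAMS)


def recover_order(ciphertext, width):
    """Steps 2-3: with the column count guessed, try every ordering of the columns
    and keep the one whose reassembled text contains the most common digrams."""
    height = len(ciphertext) // width
    cols = [ciphertext[i * height:(i + 1) * height] for i in range(width)]

    def reassemble(order):
        return "".join(cols[c][r] for r in range(height) for c in order)

    best = max(permutations(range(width)), key=lambda p: digram_score(reassemble(p)))
    return reassemble(best)


def shift_cipher(text, shift):
    """A substitution, for contrast in step 1: letters no longer represent themselves."""
    return text.translate(str.maketrans(ALPHABET, ALPHABET[shift:] + ALPHABET[:shift]))


def demo():
    ct = transpose_encrypt(SAMPLE, KEY)
    plain = "".join(c for c in SAMPLE if c in ALPHABET)
    return {
        "ciphertext": ct,
        "roundtrip_ok": transpose_decrypt(ct, KEY) == plain,
        "transposition_detected": looks_like_transposition(ct),
        "substitution_detected": looks_like_transposition(shift_cipher(plain, 5)),
        "recovered": recover_order(ct, len(KEY)),
    }
```

Exhaustive ordering grows as $k!$, so for wider keys the pairwise digram test the text describes is used to chain columns one at a time instead.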

A.3 One-Time Pads

Constructing an unbreakable cipher is actually quite easy; the technique has been known for decades. First choose a random bit string as the key. Then convert the plaintext into a bit string, for example by using its ASCII representation. Finally, compute the exclusive or of these two strings, bit by bit. The resulting ciphertext cannot be broken, because every possible plaintext is an equally probable candidate. This method is known as the one-time pad.

This method however has a number of practical disadvantages:

- The key cannot be memorized, so both sender and receiver must carry a written copy with them;

- The total amount of data that can be transmitted is limited by the amount of key available;

- The method is sensitive to lost or inserted characters or synchronization. If the sender or receiver ever get out of synchronization, then all data from then on will appear garbled.

Traditionally, cryptographers have used simple algorithms and relied on very long keys for their security. Nowadays the reverse is true: the object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires vast amounts of enciphered text of his own choosing, he will not be able to make any sense of it at all.

Transposition and substitution can be implemented with simple circuits. Figure A.3(a) shows a device, known as a P-box (P stands for permutation), used to effect a transposition on an 8-bit input. Substitutions are performed by S-boxes, as shown in figure A.3(b). In this example a 3-bit plaintext is entered and a 3-bit ciphertext is output.

The real power of these basic elements becomes apparent when we cascade a whole series of boxes to form a product cipher, as shown in figure A.3(c): a P-box alone only moves bits, and a single small S-box only mixes the bits within its own group, but alternating the two spreads the effect of every input bit over the whole block after a few rounds. Because the boxes are simple wiring and small lookup tables, encryption can be done at practically hardware speed.

This type of encryption is collectively known as symmetric or secret-key encryption.
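A toy product cipher built from the two elements of figure A.3, as an example added by the editor (not the thesis's code). The S-box is the 4-bit table of the PRESENT block cipher rather than the 3-bit box of the figure, the P-box wiring and the round keys are the editor's own choices, and the XOR of a round key before each S-box layer is an addition the figure does not show but every usable product cipher has. An 8-bit block is far too small for real use; the point is to watch the cascade do what a single box cannot.

```python
"""Toy substitution-permutation network: S-box layer, P-box, round key,
cascaded for several rounds.  Added example; block size is 8 bits."""

# 4-bit S-box of the PRESENT cipher (a bijection, so it can be inverted).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Output bit j of the P-box is wired to input bit PBOX[j] (bit 0 = LSB).
# Interleaving the two nibbles lets the next round's S-boxes see bits
# from both halves; that is where the diffusion comes from.
PBOX = [0, 4, 1, 5, 2, 6, 3, 7]
PBOX_INV = [PBOX.index(j) for j in range(8)]


def substitute(x, table=SBOX):
    """Run each 4-bit half of the byte through the S-box (figure A.3(b))."""
    return (table[x >> 4] << 4) | table[x & 0xF]


def permute(x, wiring=PBOX):
    """Move every bit to a new position without changing it (figure A.3(a))."""
    return sum(((x >> wiring[j]) & 1) << j for j in range(8))


def encrypt(block, round_keys):
    """One round = round-key XOR, S-box layer, P-box; rounds are cascaded
    as in figure A.3(c)."""
    for k in round_keys:
        block = permute(substitute(block ^ k))
    return block


def decrypt(block, round_keys):
    """Undo the rounds in reverse order with the inverse boxes."""
    for k in reversed(round_keys):
        block = substitute(permute(block, PBOX_INV), SBOX_INV) ^ k
    return block


def bits_changed(a, b):
    return bin(a ^ b).count("1")


def avalanche(round_keys):
    """Average number of output bits that flip when one input bit flips,
    over all 256 inputs and all 8 bit positions.  For an 8-bit block the
    ideal is 4.0; after a single round at most one nibble's worth of bits
    can change, so the value is at most 4 and typically well below."""
    total = 0
    for x in range(256):
        for i in range(8):
            total += bits_changed(encrypt(x, round_keys),
                                  encrypt(x ^ (1 << i), round_keys))
    return total / (256 * 8)


if __name__ == "__main__":
    keys = [0x3A, 0xC5, 0x9E, 0x71]        # constructed round keys
    assert all(decrypt(encrypt(x, keys), keys) == x for x in range(256))
    for r in range(1, 5):
        print("rounds=%d  avalanche=%.2f" %(r, avalanche(keys[:r])))
```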


Figure A.3: Basic elements of product ciphers: (a) P-box, (b) S-box, (c) product cipher

A.4 Two Fundamental Cryptographic Principles

Although there are numerous different cryptographic systems, there are two principles underlying all of them that are important to understand:

1. Redundancy: all encrypted messages must contain some information that is not needed to understand the message.

2. Play-back of messages (freshness): some measures must be taken to prevent active intruders from playing back old messages.

Redundancy is necessary to prevent active intruders from tricking the receiver into acting on a false message. If no redundancy were added, an active intruder could create messages with some random device and trick the receiver into believing these messages were genuine. The redundancy gives the receiver something to check: a message that decrypts to garbage, or that was altered in transit, fails the check and is discarded.

Also, measures should be taken to prevent an active intruder from playing back old messages. If no such measures were taken, an active intruder could keep re-sending messages that were valid once, and the receiver would act on every copy. A timestamp or sequence number that the receiver checks gives each message a limited lifetime.
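Both principles applied to a small command protocol, as an example added by the editor and not code from the thesis. The thesis names neither a cipher nor a concrete form of redundancy; here the redundancy is an HMAC tag, the freshness check is a strictly increasing sequence number, and the stream cipher is a SHA-256 counter keystream, chosen only so that the example runs with the standard library. The key and the messages are constructed.

```python
"""Redundancy and freshness: an encrypted but unprotected message can be
forged or altered, a valid one can be played back.  Added example."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"          # constructed; never reuse in practice
TAG_LEN = 32


def keystream(key, seq, length):
    """Keystream block i = SHA-256(key || seq || i); seq keeps it unique."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + struct.pack(">QQ", seq, i)).digest()
    return out[:length]


def stream_xor(key, seq, data):
    """Encryption and decryption are the same XOR, as with the one-time pad."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, seq, len(data))))


def naive_receive(key, seq, ciphertext):
    """Principle 1 violated: no redundancy, so any ciphertext decrypts to
    something and the receiver cannot tell a forgery from a message."""
    return stream_xor(key, seq, ciphertext)


def flip_known_plaintext(ciphertext, known, wanted):
    """Active intruder: with a known plaintext, XOR the difference into the
    ciphertext and the receiver decrypts the intruder's text instead."""
    return bytes(c ^ a ^ b for c, a, b in zip(ciphertext, known, wanted))


def seal(key, seq, plaintext):
    """Packet = seq || ciphertext || HMAC(key, seq || ciphertext)."""
    body = struct.pack(">Q", seq) + stream_xor(key, seq, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks the redundancy (tag) first, then the freshness (sequence)."""

    def __init__(self, key):
        self.key = key
        self.highest_seq = 0

    def receive(self, packet):
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                  # forged, altered, or random
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.highest_seq:
            return None                  # played back
        self.highest_seq = seq
        return stream_xor(self.key, seq, body[8:])


if __name__ == "__main__":
    order = b"PAY 0100 TO BOB"
    ct = stream_xor(KEY, 1, order)
    altered = flip_known_plaintext(ct, order, b"PAY 0900 TO BOB")
    print(naive_receive(KEY, 1, altered))    # b'PAY 0900 TO BOB': accepted
    r = Receiver(KEY)
    packet = seal(KEY, 1, order)
    print(r.receive(packet))                 # b'PAY 0100 TO BOB'
    print(r.receive(packet))                 # None: replay
    tampered = packet[:8] + flip_known_plaintext(packet[8:-TAG_LEN], order,
                                                 b"PAY 0900 TO BOB") + packet[-TAG_LEN:]
    print(Receiver(KEY).receive(tampered))   # None: tag mismatch
```

The order of the two checks matters: the tag is verified before anything else is parsed or the sequence counter is touched, so an unauthenticated packet can never advance the receiver's state.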

A distinction can be made between two modern encryption methods:

1. Symmetric encryption;

2. Asymmetric encryption or Public Key Encryption (PKE).


Appendix B  The RSA-system

RSA is a public-key cryptosystem for both encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RRA77].

The RSA-system is based on the fact that it is easy to compute the product of two prime numbers, but considerably more difficult to calculate the two original prime numbers from the product. This is called the trapdoor effect, as stated in section 2.7.1.

B.1 Key generation

The generation of a key pair with RSA goes as follows [Tan96]:

1. Generate two large primes, $p$ and $q$, at random, each roughly the same size;

2. Compute $n = p \cdot q$ and $\phi = (p-1)(q-1)$;

3. Select a random integer $e$, $1 < e < \phi$, such that $\gcd(e, \phi) = 1$;

4. Compute the unique integer $d$, $1 < d < \phi$, such that $e \cdot d \equiv 1 \pmod{\phi}$.

The public key now consists of the number pair $(e, n)$. All other numbers ($p$, $q$, $\phi$ and $d$) are kept secret.

B.2 Public key encryption and decryption

If B encrypts a message $m$ for A, which A then decrypts, the process goes as follows. B should perform the following:

- obtain the public key of A: $(e, n)$;

- represent the message as an integer $m$ in the interval $[0, n-1]$;

- compute

  $c = m^e \bmod n$   (B.1)


The ciphertext $c$ is then sent to A. Decryption is almost the same as encryption, except that $e$ is replaced with $d$:

  $m = c^d \bmod n$   (B.2)

The security of the system rests on the fact that it is computationally infeasible, for large enough $n$, to calculate $d$ when one only knows $(e, n)$. Calculating $d$ requires knowledge of $\phi$, and thus of $p$ and $q$. Because the cryptanalyst only has $n$, he has to factor $n$ into $p$ and $q$, and no efficient method for doing so is known.

B.3 Example of RSA encryption

This section provides an example of RSA encryption.

B.3.0.1 Key generation

Assume two primes $p$ and $q$. Then it follows that $n = p \cdot q$ and $\phi = (p-1)(q-1)$.

Choose $e$ with $\gcd(e, \phi) = 1$. From $e \cdot d \equiv 1 \pmod{\phi}$ it follows that $d = e^{-1} \bmod \phi$, found with the extended Euclidean algorithm. The public key then is $(e, n)$.

B.3.0.2 Encrypting and decrypting a message

Encrypting a message $m$ produces the ciphertext $c = m^e \bmod n$. Decrypting the ciphertext $c$ produces $m = c^d \bmod n$ again.
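The whole of B.1 to B.3 carried through in code, as a worked example added by the editor. The primes $p = 61$, $q = 53$ and the exponent $e = 17$ are the editor's constructed values, not the thesis's example numbers; they give $n = 3233$, $\phi = 3120$ and $d = 2753$. The last function shows the trapdoor from the cryptanalyst's side: with only $(e, n)$, recovering $d$ means factoring $n$, which for a toy modulus takes microseconds. Note that this is textbook RSA on raw integers, exactly as the appendix presents it; a deployed system never does this and always applies a padding scheme (OAEP for encryption, PSS for signatures) first.

```python
"""Textbook RSA as in B.1-B.3: key generation from two primes, encryption
with e, decryption with d, signing with d and verification with e, and the
factoring attack that the trapdoor must withstand.  Added example with
constructed small primes."""
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """The unique d in [0, m) with a*d = 1 (mod m), when gcd(a, m) = 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return x % m


def generate_keypair(p, q, e):
    """Steps 2-4 of B.1 for given primes p, q and public exponent e.
    Returns ((e, n), (d, n)); everything except (e, n) stays secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(m, public_key):            # c = m^e mod n   (B.1)
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)


def decrypt(c, private_key):           # m = c^d mod n   (B.2)
    d, n = private_key
    return pow(c, d, n)


def sign(m, private_key):              # s = m^d mod n: the authentication use
    d, n = private_key
    return pow(m, d, n)


def verify(m, s, public_key):          # accept iff s^e mod n == m
    e, n = public_key
    return pow(s, e, n) == m


def recover_private_key(public_key):
    """What the cryptanalyst must do with only (e, n): factor n by trial
    division, rebuild phi, and compute d.  Feasible only for toy sizes."""
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return modinv(e, (p - 1) * (q - 1)), n
    raise ValueError("n has no non-trivial factor; not an RSA modulus")


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)
    print("public key (e, n) =", public, " private d =", private[0])
    c = encrypt(65, public)
    print("65 ->", c, "->", decrypt(c, private))
    s = sign(65, private)
    print("signature", s, "verifies:", verify(65, s, public))
    print("recovered from the public key alone:", recover_private_key(public))
```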


Bibliography

[Act98] Actieplan electronic commerce [Action plan electronic commerce], March 1998.

[AF98] C. Adams and S. Farrell. Internet X.509 public key infrastructure certificate management protocols. Technical report, PKIX Working Group, May 1998.

[Age97] German Information Security Agency. BSI manual for digital signatures. http://www.bsi.de, November 1997.

[AR96] A. Abdul-Rahman. The PGP trust model. Internet, August 1996.

[Ass96] American Bar Association. Digital Signature Guidelines. 750 North Lake Shore Drive, Chicago, IL, August 1996.

[Cer97] Certicom. Remarks on the security of the elliptic curve cryptosystem. White paper, Certicom, 200 Matheson Blvd. W., Mississauga, Ontario L5R 3L7, September 1997.

[Cha96] D.W. Chadwick. Understanding X.500 - The Directory. 1996.

[dBC98] Drs. A. de Bos and M.J. Jak RE CISA. De EDP auditor [The EDP auditor], 1998.

[DE94] D. Eastlake, S. Crocker and J. Schiller. Randomness recommendations for security. Request for Comments 1750, Network Working Group, December 1994.

[DH76] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

[DL96] Kenneth Dam and Herbert Lin. Cryptography's Role in Securing the Information Society. National Academy Press, 1996.

[Dob95] H. Dobbertin. Collisions in MD4. CryptoBytes, 1(3), 1995.

[Dob96] H. Dobbertin. Cryptanalysis of MD5 compress. Presented at the rump session of Eurocrypt 96, May 1996.

[Dut98] Mr. Drs. A.W. Duthler. Met recht een TTP! Kluwer, June 1998.


[DZ83] J.D. Day and H. Zimmerman. The OSI reference model. Proc. of the IEEE, 71:1334-1340, 1983.

[FIP94] Security requirements for cryptographic modules. FIPS PUB 140-1, National Institute of Standards and Technology (NIST), January 1994.

[FMoET97] Federal Ministry of Education, Science, Research and Technology. Informations- und Kommunikationsdienste-Gesetz - IuKDG [Information and Communication Services Act]. http://www.iid.de, 1997.

[fTuPR98] Die Regulierungsbehörde für Telekommunikation und Post (RegTP). Bekanntmachung zur digitalen Signatur nach dem Signaturgesetz und der Signaturverordnung [Notice on the digital signature under the Signature Act and the Signature Ordinance]. http://www.regtp.de, September 1998.

[Gif98] David K. Gifford. Natural Random Number. MIT/LCS/TM-371, September 1998.

[IEE98] IEEE. Standard specifications for public key cryptography - P1363. Draft 3, the Institute of Electrical and Electronics Engineers, Inc. - IEEE, May 1998.

[Kam94] Raymond Kammer. Supporting escrowed encryption. http://www.nist.gov/item/testimony/may94/encryp.html, May 1994.

[Kas98] Eugene Kaspersky. Win32.BO, aka Back Orifice trojan. Metropolitan Network BBS Inc. http://www.avp.ch, 1998.

[Knu81] Donald E. Knuth. The Art of Computer Programming: Seminumerical Algorithms. Addison-Wesley, Reading, MA, 1981.

[Koo97] Bert-Jaap Koops. Crypto regulation in Europe, some key trends and issues. Computer Networks and ISDN Systems, 29:1823-1831, July 1997.

[Koo98] Bert-Jaap Koops. Crypto law survey. http://cwis.kub.nl/ frw/people/koops/bertjaap.htm, 1998.

[Lex] Lexicon Publications, Inc. Webster's Dictionary, 1991 edition.

[Mat96] Tim Matthews. Suggestions for random number generation in software. Bulletin 1, RSA Data Security, January 1996.

[McC97] Candence L. McCuen. Digital/electronic signature state legislative models. Technical report, GTE CyberTrust Solutions Incorporated, Needham, November 12, 1997.

[Men] Don B. Johnson and Alfred J. Menezes. Elliptic curve DSA (ECDSA): an enhanced DSA. Technical report, Certicom Corp.

[Net] Netscape. Certificate authority services. http://certs.netscape.com.

[Net97] NetDox. Doxit service overview. http://www.netdox.com, 1997.


[N.V98] KPMG EDP Auditors N.V. Final report national TTP project. Technical report, Ministry of Economic Affairs, Ministry of Transport, Public Works and Water Management, Amstelveen, 1 March 1998.

[oEC98] Working Group on Electronic Commerce. Draft uniform rules on electronic signatures. Technical report, thirty-third session, United Nations Commission on International Trade Law (UNCITRAL), May 1998.

[Poh97] Prof. Dr. Hartmut Pohl. Guidelines for the use of names and keys in a global TTP infrastructure. Technical report, ISIS - Institute for Information Security, May 1997.

[Pub93] Federal Information Processing Standards Publication. Secure hash standard. FIPS 180-1, National Institute of Standards and Technology (NIST), 1993.

[Rob96] Matt Robshaw. Recent results for MD2, MD4 and MD5. RSA Laboratories' Bulletin, 4, November 1996.

[RRA77] R.L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Technical report, MIT Laboratory for Computer Science, April 1977.

[RSA96] RSA Data Security, Inc. Answers to Frequently Asked Questions About Today's Cryptography, version 3.0 edition, 1996.

[RSA99] RSA. DES Challenge III broken in record 22 hours. http://www.rsa.com/pressbox, January 1999.

[RvdB98] E. Ridderbeekx and J. van den Berg. Internetbeveiliging: een beheerperspectief [Internet security: a management perspective]. Informatie, (40), April 1998.

[Sch98] Klaus-Dieter Scheurle. Maßnahmenkatalog nach § 16 Abs. 6 der Verordnung zur digitalen Signatur (Signaturverordnung - SigV) [Catalogue of measures under § 16 para. 6 of the Digital Signature Ordinance]. Technical Report 2.0a, Bundesamt für Sicherheit in der Informationstechnik, 1998.

[SE98] ETSI Technical Committee Security (SEC). Telecommunications security; electronic signature standardization report. Draft TR 101 V0.4.2, European Telecommunications Standards Institute - ETSI, F-06921 Sophia Antipolis Cedex - France, November 1998.

[SEI98] SEIS certificate policy. Version 0.93, Secured Electronic Information in Society - SEIS, c/o Post- och Telestyrelsen, Box 5398, 102 49 Stockholm, Sweden, May 1998.

[Sha63] Claude E. Shannon. The Mathematical Theory of Communication. University of Illinois Press, 1963. Originally from: Bell System Technical Journal, July and October 1948.

[Sig97] Signaturverordnung - SigV [Signature Ordinance], July 1997.


[Tan96] A.S. Tanenbaum. Computer Networks. Prentice Hall, 3rd edition, 1996.

[Uta96] Utah digital signature act. http://www.commerce.state.ut.us/web/commerce/digsig/act.htm, 1996.

[Uta99] Utah. Utah licensed certification authorities. http://www.commerce.state.ut.us/, 1999.

[Ver97] VeriSign. VeriSign certification practice statement. (1.2), May 1997.

[Ver98] VeriSign. Protect your Digital ID(sm); protect your private key. https://www.verisign.com/repository/PrivateKey FAQ/#14, 1998.

[X.597] Information technology - Open Systems Interconnection - The Directory: Authentication framework. ITU-T Recommendation X.509, ITU-T, June 1997. The identical text is also published as ISO/IEC International Standard 9594-8.


Index

active intruder, 11
aims National TTP project, 36
attribute certificates, 57
authentication, 2, 7
Authentication Framework, 55
availability, 7

BSI, 41

CA, 24, 25, 31, 38
Caesar cipher, I
certificate, 21
certificate update, 28
Certification Authority, 24, 25, 31
certification authority, 38
Certification practice statement, 30
certification practice statement, 43
Certification Revocation List, 26
chosen plaintext, 12
ciphertext, 11
ciphertext only, 12
Clipper, 47
Clipper chip, 47
closed PKI model, 29
COCOM, 46
collision-free, 15
Comprehensive Legislation, 35
confidentiality, 2, 7
content integrity, 2, 7
contents certificate, 22
CPS, 30, 43
CRL, 26
cross-certification, 28
cryptanalysis, 11
crypto regulation, 44
cryptography, 11
cryptology, 11

decryption, 11
DES, 13
digrams, II
Diffie and Hellman, 14
Digital Signature Algorithm, 57
digital envelope, 19
digital signature legislation, 35
discrete logarithm problem, 57, 59
distinguished name, 22
distinguished names, 55
distributing certificates, 26
DLP, 57
DSA, 57
Dual-use goods, 45
Dutch national TTP project, 36

ECDLP, 57
EES, 48
electronic commerce, 34
ElGamal, 57
elliptic curve, 59
encryption, 11
End-Entity, 25
entropy, 52
Escrowed Encryption Standard, 48

Federal Information Processing Standards Publication, 48
FIPS, 48

German Information Security Agency, 41
German law, 25, 40, 53, 54

hash-collision, 61
hierarchical certificate model, 32
hybrid certificate model, 32

in-line TTP, 29
integer factoring, 57
integer factorization problem, 57
Internet Explorer, 27
interoperability, 38
intruder, 11
ISO/CCITT, 55
issuing certificates, 25
ITSEC, 39
ITU-T, 54

key, 11, 12
key generation, 51
key information, 51
key management, 28
key pair update, 28
key storage, 53
key-escrow, 45, 46
key-ring, 22
known plaintext, 12

LEAF, 47
legal status digital signature, 38
Limited Legislative Model, 35
link encryption, 9

MD4, 62
MD5, 62
message digest, 15
Minimalist Legislative Model, 35
mono-alphabetic substitution, I

Netscape, 27
network, 2
network certificate model, 32
Non-repudiation, 2
non-repudiation, 7
number field sieve method, 58
Nyberg-Rueppel signature scheme, 57

obstruction for electronic commerce, 34
OCSP, 26
off-line TTP, 28
on-line TTP, 29
one-time pad, III
one-way function, 15, 61
Online Certificate Status Protocol, 26
open PKI model, 29
Open System Interconnection, 55
OSI, 8, 55
out-of-band loading, 27
out-of-band publication, 27

P-box, III
PAA, 30
passive intruder, 11
PCA, 30
personal identification number, 54
PGP, 22
PIN, 54
PKI model, 29
plaintext, 11
Policy Approval Authority, 30
Policy Authority, 30
Policy Certification Authority, 30
pretty good privacy, 22
private key, 14
product cipher, III
pseudo-random numbers, 51, 52
public key, 14
public key encryption, 57
public TTP services, 37

quadratic sieve method, 58

RA, 31, 38
Rabin-Williams, 57
random number, 51
random numbers, 52
redundancy, IV
Registration Authority, 31
registration authority, 38
relative distinguished names, 55
reliability of TTP, 37
RIPEMD-160, 62
RSA, 15, 57

S-boxes, III
S-HTTP, 66
safe usage, 8
Schnorr signature scheme, 57
secret-key encryption, III
Secure Hypertext Transfer Protocol, 66
Secure Socket Layer, 65
seed, 52
SHA-1, 62
Simple Mail Transfer Protocol, 55
single centralized authority, 32
Skipjack, 47
SMTP, 55
SSL, 65
substitution cipher, I
symmetric encryption, III

the division, 42
Transposition ciphers, II
trap-door one-way functions, 15
trigrams, II
trust, 24
trust infrastructure, 30
trust levels, 23
trusted party, 21
Trusted Third Party, 24, 37
trustworthiness, 23
TTP, 24, 37
TTP organization, 38

UNCITRAL, 38
Utah act, 42

validity certificate, 26
VeriSign, 29

Wassenaar Arrangement, 45
web of trust, 22
work factor, 12

X.400, 55
X.500, 55
X.509, 54, 55