Since only the generator of the pseudonym knows the factorization of $n$, only he can calculate $d$. The verifier who holds a pseudonym $P = E_e(UID \,\|\, Data \,\|\, PAD)\ n$ knows $e$ and $n$ and can simply run a challenge-response protocol, where the holder of the pseudonym has to prove the knowledge of $d$. To achieve this, the verifier encrypts some (random) challenge $r$ with the public key $(e, n)$ and sends $c = E_e(r)$ to the prover. The prover decrypts the encrypted challenge, retrieves $r = D_d(c)$ and returns $r$ to the verifier. If the returned value matches the challenge $r$, the verifier is convinced that the prover has generated the pseudonym.
Since the verifier chooses the challenge, he might try to trick the prover by sending $c = E_e(UID \,\|\, Data \,\|\, PAD)$. In this case, the prover would return the value $r = D_d(E_e(UID \,\|\, Data \,\|\, PAD)) = UID \,\|\, Data \,\|\, PAD$ which would reveal his identity $UID$. So the prover has to dismiss the encrypted challenge $c$ if it matches $E_e(UID \,\|\, e \,\|\, PAD)$.
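The exchange and the dismissal rule described above, as an added example that is not part of the original text. It uses textbook RSA with a constructed toy key; the names `Prover`, `make_pseudonym` and `verify_ownership`, the 8-byte pad and the sample UID are assumptions made for illustration.

```python
import secrets

# Constructed toy key (two Mersenne primes) so the example stays short;
# the page assumes 1024-bit key components.
P1, P2 = 2**107 - 1, 2**127 - 1
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))  # computable only with the factors of n


def encrypt(m: int) -> int:
    """E_e(m): textbook RSA under the public key (e, n)."""
    return pow(m, E, N)


def make_pseudonym(uid: bytes, data: bytes, pad_len: int = 8) -> int:
    """Return E_e(UID || Data || PAD); the byte layout is an assumption."""
    m = int.from_bytes(uid + data + secrets.token_bytes(pad_len), "big")
    if m >= N:
        raise ValueError("UID || Data || PAD does not fit below n")
    return encrypt(m)


class Prover:
    """Holder of d who answers challenges for one pseudonym."""

    def __init__(self, d: int, pseudonym: int):
        self.d, self.pseudonym = d, pseudonym

    def respond(self, c: int):
        # Dismiss a challenge equal to the encrypted identifier: decrypting
        # it would return UID || Data || PAD instead of a random r.
        if c == self.pseudonym:
            return None
        return pow(c, self.d, N)  # D_d(c)


def verify_ownership(prover: Prover) -> bool:
    """Verifier side: send c = E_e(r) and compare the answer with r."""
    r = secrets.randbelow(N - 2) + 2
    return prover.respond(encrypt(r)) == r


if __name__ == "__main__":
    eid = make_pseudonym(b"alice-01", b"demo")  # constructed sample values
    holder = Prover(D, eid)
    print("honest challenge accepted:", verify_ownership(holder))
    print("pseudonym sent as challenge:", holder.respond(eid))
```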
Within our scheme of pseudonyms, two users may accidentally choose the same public key $(e, n)$ and hence the same value of $d$. In this case, they can obviously forge the proof of ownership of each other's pseudonym. Regarding key components of 1024 bits, this is a very rare scenario. To overcome this drawback, one may use the original scheme of generating unique key-components by use of trustworthy smartcards presented in [3] which has been refined in [4,5,6,14]. By applying this scheme, all primes and hence all public and private keys will be pairwise different (see also figure 1).
4 Disclosure of Pseudonym
In order to disclose his pseudonym (and to reveal his identity), the user simply presents his private exponent $d$. Now, the encrypted identifier $EID$ may be decrypted and the resulting plaintext holds the user identifier $UID$ (see figure 4 and figure 5).
Fig. 4. Unique Pseudonyms - Disclosure (figure labels: EID, e, n, d, D, UID||Data||PAD)
5 Forgery of Pseudonyms
Here we will investigate two attack scenarios and present solutions which prevent
the following attacks: