about the revocation status of a given list of certificates, and nothing else.
Hence, there is still the need for CRLs.
Key Backup and Recovery Server
This gives the CA a mechanism for backing up private keys together with
a means of recovering them later should end users lose their private keys. Key
recovery is implemented in an individual PKI by its authorities to provide key
recovery for its end users. The key recovery server is an automated process that
relieves the burden on PKI authorities. To prevent an adversary from accessing
an entity's private key and launching an impersonation attack, a CA may
support not one but two key pairs: one for enciphering and deciphering and
the other for signature and verification. For instance, in the DSA, discussed on
page 183, the key pair cannot be used for encryption and decryption, whereas
the Diffie-Hellman key pair, discussed on page 166, cannot be used for signing
and verification. The management of key pairs is paramount in any PKI, and
dual key pairs have become a central feature of any in-depth PKI.
First, keys must be generated. The best method is for a CA or RA to
generate the key pair. Once multiple key pairs for individual entities have been
generated, there is a need for multiple certificates, since X.509v3, for example,
does not support multiple key pairs in a single certificate. A private key used
for signing and verification requires secure storage throughout its lifetime. In
this case, we should not back up the key pair, since the compromise of the pair
necessitates the generation of a new key pair and makes verification of all
signatures associated with that key pair impossible. Such key pairs must always
be secured, since if anyone other than the owner could know the private key
needed for nonrepudiation, the owner could claim that an adversary engaged in
the nonrepudiable act, which would defeat the goal of having the key pair for
nonrepudiation.
A private key used for decryption must be backed up to enable recovery of
enciphered data, and it should not be destroyed once expired, since it may be
needed for later decryptions. It should be placed in a key archive, which is
long-term storage of keying data including certificates. Typically, archive
entries are appended with timestamp and notarization data in order to resolve
any future disputes, as well as for audit purposes.
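The key-usage policy described above (dual key pairs, no backup of the signing key, archival of the decryption key with a timestamp and notarization tag, and recovery even after the certificate has expired) as an added Python model. This is not code from the book: the HMAC-based notarization tag, the random bytes standing in for real key material, and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SIGNATURE, DECRYPTION = "signature", "decryption"


@dataclass
class PrivateKeyRecord:
    subject: str
    usage: str           # SIGNATURE or DECRYPTION: one pair per certificate (X.509v3)
    cert_serial: int
    key_material: bytes  # stand-in for the real private key
    not_after: int       # certificate expiry as a Unix timestamp


def generate_dual_key_pairs(subject, first_serial, not_after):
    """CA/RA-side generation of both pairs. Random bytes stand in for real
    signing and decryption private keys (constructed for illustration)."""
    return (
        PrivateKeyRecord(subject, SIGNATURE, first_serial, secrets.token_bytes(32), not_after),
        PrivateKeyRecord(subject, DECRYPTION, first_serial + 1, secrets.token_bytes(32), not_after),
    )


class KeyArchive:
    """Long-term archive: accepts decryption keys only, timestamps and notarizes
    every entry, and keeps expired decryption keys for later decryptions."""

    def __init__(self, notary_key: bytes):
        self._notary_key = notary_key   # assumed to be held by the notarization service
        self._entries = {}

    def _tag(self, body: dict) -> str:
        # Notarization tag over the canonical entry (HMAC is an assumption of this example)
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._notary_key, payload, hashlib.sha256).hexdigest()

    def archive(self, rec: PrivateKeyRecord, now: int) -> None:
        if rec.usage != DECRYPTION:
            # Never back up a signing key: a compromise calls for a new pair, and a
            # second copy anywhere lets the owner repudiate signatures.
            raise ValueError(f"refusing to archive a {rec.usage} key for {rec.subject}")
        body = {"subject": rec.subject, "serial": rec.cert_serial, "key": rec.key_material.hex(),
                "not_after": rec.not_after, "archived_at": now}
        self._entries[(rec.subject, rec.cert_serial)] = {**body, "notarization": self._tag(body)}

    def entry(self, subject: str, serial: int) -> dict:
        return dict(self._entries[(subject, serial)])

    def verify(self, entry: dict) -> bool:
        body = {k: v for k, v in entry.items() if k != "notarization"}
        return hmac.compare_digest(self._tag(body), entry["notarization"])

    def recover(self, subject: str, serial: int, now: int):
        entry = self._entries[(subject, serial)]
        if not self.verify(entry):
            raise ValueError("archive entry failed its notarization check")
        # Expiry never blocks recovery: old ciphertext may still need this key.
        return bytes.fromhex(entry["key"]), now > entry["not_after"]


def demo_policy() -> dict:
    """Walk the lifecycle for one subject and report what the archive allowed."""
    sig, dec = generate_dual_key_pairs("alice", 100, not_after=1_700_000_000)
    archive = KeyArchive(b"constructed notary key")       # constructed secret
    archive.archive(dec, now=1_600_000_000)
    try:
        archive.archive(sig, now=1_600_000_000)
        signing_key_refused = False
    except ValueError:
        signing_key_refused = True
    key, expired = archive.recover("alice", dec.cert_serial, now=1_800_000_000)
    tampered = archive.entry("alice", dec.cert_serial)
    tampered["key"] = "00" * 32                           # simulate a modified record
    return {"signing_key_refused": signing_key_refused,
            "decryption_key_recovered": key == dec.key_material,
            "recovered_after_expiry": expired,
            "tamper_detected": not archive.verify(tampered)}
```

The archive enforces the policy rather than documenting it: a signing key cannot be stored at all, and every recovery re-checks the notarization tag, so an archive record altered after the fact is rejected instead of silently handing out the wrong key.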
If private keys are lost by end users (and they will be), there should also be
an optimal automatic process of key recovery in the PKI. Note that this means
the recovery of private decryption keys only, not private signature keys, for the
reasons cited above. An alternative to the CA storing public keys and
certificates for digital signature purposes is the RSA digital envelope (see page
163). Alice enciphers with a secret symmetric session key, and when that session
key was generated she also encrypted it under an RSA public recovery key. Thus,
if Alice loses her key, the CA who owns the private RSA recovery key can open
the digital envelope and recover Alice's session key. Key recovery can also be
accomplished using secret-sharing schemes such as those we discussed in Section
5.5. These key recovery threshold schemes are also very common since they
have a nice checks-and-balances feature. Splitting a private key among shares
thwarts attempts by any one entity to surreptitiously capture private keys,
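An added example, not from the book, combining the two recovery mechanisms of this passage: an RSA digital envelope that the CA's recovery key can open, and a Shamir threshold scheme of the kind covered in Section 5.5 that splits the CA's private recovery exponent among custodians, so that no single entity can open envelopes alone. The Mersenne-prime RSA parameters, the SHA-256 keystream cipher standing in for the session-key cipher, and all function names are constructed assumptions; the parameters are far too small, and textbook RSA is unpadded, so none of it is fit for real use.

```python
import hashlib
import secrets

# Toy RSA recovery key pair held by the CA. Two Mersenne primes make the example
# deterministic; constructed for illustration only, far too small for real use.
P_RSA = 2**61 - 1
Q_RSA = 2**89 - 1
N_RSA = P_RSA * Q_RSA
E_RSA = 65537                                       # public recovery exponent
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))   # private recovery exponent

# Prime field for the threshold scheme; it must exceed the secret (D_RSA < N_RSA < 2**150).
FIELD = 2**521 - 1


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for the session-key cipher: XOR with a
    SHA-256 counter keystream. Constructed for illustration, not a real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_envelope(session_key: bytes, plaintext: bytes):
    """Alice's side: encipher the data under the session key, and wrap the
    session key under the CA's public recovery key when it is generated."""
    m = int.from_bytes(session_key, "big")
    if not 0 < m < N_RSA:
        raise ValueError("session key must be a positive integer below the modulus")
    wrapped_key = pow(m, E_RSA, N_RSA)
    return wrapped_key, stream_xor(session_key, plaintext)


def open_envelope(wrapped_key: int, d: int, key_len: int) -> bytes:
    """CA's side: recover the session key with the private recovery exponent."""
    return pow(wrapped_key, d, N_RSA).to_bytes(key_len, "big")


def split_secret(secret: int, threshold: int, custodians: int):
    """Shamir sharing: a random polynomial of degree threshold-1 with the secret
    as constant term; custodian i receives the point (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(FIELD) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, FIELD) for i, c in enumerate(coeffs)) % FIELD

    return [(x, f(x)) for x in range(1, custodians + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the field; needs `threshold` shares."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total


def recover_lost_session_key(threshold: int = 3, custodians: int = 5) -> bool:
    """End-to-end check: Alice envelopes a session key; the CA's recovery
    exponent is split among custodians; any `threshold` of them reconstruct it
    and open the envelope. Returns True if the original data is recovered."""
    plaintext = b"constructed sample record for Alice"   # constructed input
    session_key = secrets.token_bytes(16)
    wrapped_key, ciphertext = make_envelope(session_key, plaintext)
    del session_key                                        # Alice loses her key
    shares = split_secret(D_RSA, threshold, custodians)
    quorum = shares[1:threshold + 1]                       # any `threshold` custodians
    d = recover_secret(quorum)
    recovered_key = open_envelope(wrapped_key, d, 16)
    return stream_xor(recovered_key, ciphertext) == plaintext
```

Fewer than `threshold` shares interpolate a different polynomial and yield an unrelated value, which is the checks-and-balances property: the recovery exponent, and with it every enveloped session key, is only available when a quorum of custodians cooperates.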