Cryptography Reference
In-Depth Information
7.2.3
Enforced trust
A third scenario where MACs could provide non-repudiation is where all
cryptographic computations take place in hardware security modules (HSMs).
These are special trusted hardware devices that have protection against tampering
and are discussed in more detail in Section 10.5.3. We can then use MACs
generated using keys that are only valid for MAC creation by one signer
and MAC verification by one verifier (but not the other way around). For
example:
• the MAC key
K
AB
is only allowed to be used by Alice's HSM to create MACs that
can be verified by Bob's HSM;
• a separate MAC key
K
BA
is only allowed to be used by Bob's HSM to create
MACs that can be verified by Alice's HSM.
So long as these usage rules are enforced by the HSMs, a judge will be able to
decide if some data and an accompanying MAC was generated by the alleged
signer. If Alice tries to deny generating some data on which a valid MAC using
K
AB
has been found, the judge will rule against her since the HSMs are trusted
to enforce the usage rule that only Alice's HSM creates MACs using
K
AB
. This
judgement also relies on the belief that although Bob's HSM contains
K
AB
, it only
uses it to verify MACs sent to it by Alice, never to create MACs. In this way we
have turned a symmetric key into the type of secret parameter only known by the
signer that is necessary for non-repudiation.
We nowdiscuss what most people would regard as 'true' digital signature schemes,
which are those based on public-key cryptography. Indeed, Whit Diffie, one of
the authors of the seminal research paper proposing public-key cryptography, has
indicated that his motivation for the idea was substantially driven by a desire to
find a means of creating 'digital signatures' and not public-key encryption. We
will present a basic model of a digital signature scheme and describe two digital
signature schemes based on RSA.
7.3.1
Complementary requirements
Keeping in mind our concerns about arbitrated digital signature schemes in
Section 7.2.2, it is preferable to avoid the direct involvement of a third party
in the generation of digital signatures. This leads us to some very simple
requirements for a digital signature scheme, which we indicate in Table 7.1.
As can be seen, these requirements have more than a passing resemblance to
