Cryptography Reference
In-Depth Information
is referred to as
authentication
of the key. However, assurance of purpose
is often much more than identification of the entity associated with the
key. Assurance of purpose impacts all phases of the key lifecycle since, for
example:
• if a key is established without providing assurance of purpose then it might later
be used for a purpose other than that for which it was originally intended (we
will show how this could happen in Section 10.6.1);
• if a key is used for the wrong purpose then there could be very serious
consequences (we will see an example of this in Section 10.6.1).
In some applications we require an even stronger requirement that assurance
of purpose is
provable to a third party
, which might be the case for verification
keys for digital signature schemes.
The need for secrecy of keys is self-evident and much of our subsequent
discussion about the key lifecycle will be targeted towards providing it. Assurance
of purpose of keys is more subtle and is often provided
implicitly
. For example,
in the AKE protocol from ISO 9798-2 that we discussed in Section 9.4.3, Alice
and Bob establish a shared AES encryption (say) key using a TTP, in each case
receiving the key encrypted using a key known only to Alice or Bob and the TTP.
In this case the assurance of purpose is implicitly provided through a combination
of the facts that:
1. the key arrives shortly after a specific request for a shared AES encryption key;
2. the key has clearly come from the TTP (this case was argued in the protocol
analysis in Section 9.4.3);
3. the name of the other communicating party is included in the associated
ciphertext.
Assurance of purpose in the above example is largely facilitated by the
fact that the parties relying on the key, Alice and Bob, are both part of a
'closed' system where they both share long-term symmetric keys with a TTP.
In most environments where symmetric key cryptography is used, assurance of
purpose is provided through similar implicit arguments. In contrast, public-key
cryptography facilitates the use of cryptography in 'open' environments where
there are no sources of implicit assurance of purpose of keys. Public keys can,
literally, be public items of data. By default there are no assurances of whether
a public key is correct, with whom it can be associated, or what it can be used
for. Thus key management of public keys needs to focus much more explicitly on
assurance of purpose of public keys. This is the main subject of Chapter 11.
Finally, the purpose of a key is not always intuitive. For example, we saw in
Section 7.2.3 that a user who has a MAC key might not be allowed to use it
both for MAC creation and verification. Similarly, a user might not be allowed
to use a symmetric key for both encryption and decryption. We will also see in
