its own issues and does not do away with the need for a trusted third party of
some sort. This now takes the form of a certificate authority, which we discuss in
Section 11.1.2.
10.4.2 Unique key per transaction schemes
We now look at a different way of establishing a cryptographic key. Unique key
per transaction (UKPT) schemes are so called because they establish a new key
each time that they are used.
MOTIVATION FOR UKPT SCHEMES
Most of the previous key establishment mechanisms that we have discussed
involve one, or both, of the following:
• Use of long-term (top-level) secret keys, for example, the use of master keys or
key encrypting keys in key hierarchies.
• A special transfer of data explicitly for the purposes of key establishment.
This applies to every technique that we have discussed thus far, except key
predistribution.
While these are acceptable features in many environments, they may not be
desirable in others. The first requires devices that can securely store and use
long-term keys, and the second introduces a communication overhead.
One of the reasons that most of the previous schemes require these features
is that the new key that is being established has been generated independently,
in the sense that it has no relationship with any existing data (including existing
keys). An alternative methodology is to generate new keys by deriving them
from information already shared by Alice and Bob. We discussed derivation
in Section 10.3.2, where the shared information was an existing key known to
Alice and Bob. However, importantly, this shared information does not need to
be a long-term secret key. Rather it can be a short-term key, other data, or a
combination of the two.
If key derivation is used to generate new keys then the processes of
key generation and key establishment essentially 'merge'. This brings several
advantages:
1. Alice and Bob do not need to store a long-term key;
2. Alice and Bob are not required to engage in any special communication solely
for the purpose of key establishment;
3. Key generation and establishment can be 'automated'.
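As an added illustration of the merged key-generation and key-establishment process described above (this is example code, not from the book, and a deliberately simplified scheme rather than any standardised UKPT variant): two endpoints that start from the same short-term seed derive a fresh key for every transaction with HMAC-SHA256 and then replace their stored key, so they stay in step without storing a long-term key and without exchanging any key-establishment messages. The seed and transaction data are constructed values.

```python
import hashlib
import hmac
from typing import List


def derive(key: bytes, label: bytes, context: bytes) -> bytes:
    """Key derivation from data the two parties already share (HMAC-SHA256)."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


class UkptEndpoint:
    """One party (e.g. terminal or host) in a simplified unique-key-per-transaction scheme.

    The stored key is short-term: it is replaced by a derived key after every use,
    so no long-term key needs to be held, and both parties advance identically.
    """

    def __init__(self, seed: bytes):
        self.current_key = seed   # short-term shared key; replaced after each transaction
        self.counter = 0          # shared "other data" mixed into the derivation

    def next_transaction_key(self) -> bytes:
        self.counter += 1
        ctx = self.counter.to_bytes(4, "big")
        txn_key = derive(self.current_key, b"txn", ctx)          # used for this transaction only
        self.current_key = derive(self.current_key, b"update", ctx)  # old key discarded
        return txn_key


def transaction_keys(seed: bytes, n: int) -> List[bytes]:
    """Return the sequence of n transaction keys one endpoint would derive from seed."""
    endpoint = UkptEndpoint(seed)
    return [endpoint.next_transaction_key() for _ in range(n)]


def run_transactions(seed: bytes, n: int) -> List[bool]:
    """Terminal MACs each transaction; host verifies with its own independently derived key.

    Returns one verification result per transaction; every entry should be True
    because both sides derive the same key without any key-establishment message.
    """
    terminal, host = UkptEndpoint(seed), UkptEndpoint(seed)
    results = []
    for i in range(n):
        data = f"constructed transaction {i}".encode()   # constructed sample payload
        tag = hmac.new(terminal.next_transaction_key(), data, hashlib.sha256).digest()
        expected = hmac.new(host.next_transaction_key(), data, hashlib.sha256).digest()
        results.append(hmac.compare_digest(tag, expected))
    return results
```

If the two endpoints ever fall out of step (one counter advanced without the other), every later verification fails, which is why a real deployment must keep the shared counter synchronised.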
APPLICATION OF UKPT SCHEMES
UKPT schemes adopt the methodology we have just described by updating keys
using a key derivation process after each use. A good example of an application of
UKPT schemes is retail point-of-sale terminals, which are used by merchants to