Cryptography Reference
11.1 Certification of public keys
Recall from our discussion in Section 10.1.3 that the main challenge for the
management of public keys is providing assurance of purpose of public keys.
In this section we introduce the most popular mechanism for providing this
assurance of purpose, the public-key certificate.
11.1.1 Motivation for public-key certificates
We begin by recalling why we need assurance of purpose of public keys, since this
is of crucial importance in public-key management.
A SCENARIO
Suppose that Bob receives a digitally signed message that claims to have been
signed by Alice and that Bob wants to verify the digital signature. As we know
from Chapter 7, this requires Bob to have access to Alice's verification key. Suppose
that Bob is presented with a key (we do not concern ourselves with how this is
done) that is alleged to be Alice's verification key. Bob uses this key to 'verify' the
digital signature and it appears to be correct. What guarantees does Bob have that
this is a valid digital signature by Alice on the message?
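The scenario above, as an added example that is not part of the original text: a signature made by an attacker verifies under the key Bob was handed as "Alice's", so Bob's decision has to rest on assurance about the key, not on verification alone. The toy textbook RSA, the `ASSURED` record with its fields and dates, and the function names are assumptions constructed for illustration.

```python
import hashlib
from datetime import date

# Toy textbook RSA over fixed Mersenne primes: constructed and insecure,
# used only so the example runs with the standard library.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (verification key, signature key)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, signature_key):
    n, d = signature_key
    return pow(digest(msg, n), d, n)

def verify(msg, sig, verification_key):
    n, e = verification_key
    return pow(sig, e, n) == digest(msg, n)

# Hypothetical record of what Bob has been assured of about a key by some
# means he trusts; the field names are assumptions made for this example.
def bob_accepts(msg, sig, key, claimed_signer, signed_on, use, assured):
    record = assured.get(key)
    if record is None or record["owner"] != claimed_signer:
        return "reject: no assurance that this key belongs to " + claimed_signer
    if not record["valid_from"] <= signed_on <= record["valid_to"]:
        return "reject: key not valid at time of signing"
    if use not in record["uses"]:
        return "reject: key not designated for " + use
    return "accept" if verify(msg, sig, key) else "reject: bad signature"

alice_vk, alice_sk = make_keypair(2**31 - 1, 2**61 - 1)
attacker_vk, attacker_sk = make_keypair(2**89 - 1, 2**107 - 1)
ASSURED = {alice_vk: {"owner": "Alice", "valid_from": date(2024, 1, 1),
                      "valid_to": date(2024, 12, 31), "uses": {"signing"}}}

contract = b"Alice agrees to pay Bob 100"        # constructed sample message
forged = sign(contract, attacker_sk)             # signed by the attacker
genuine = sign(contract, alice_sk)               # signed by Alice
# Verification alone succeeds with the key merely alleged to be Alice's:
naive_result = verify(contract, forged, attacker_vk)
checked_result = bob_accepts(contract, forged, attacker_vk, "Alice",
                             date(2024, 6, 1), "signing", ASSURED)
```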
As is often the case in security analysis, the best way of approaching this
question is to consider what might have gone wrong. Here are some questions
that Bob would be strongly advised to consider, especially if the digital signature
is on an important message:
Does the verification key actually belong to Alice? This is the big question. If an
attacker is able to persuade Bob (incorrectly) that their verification key belongs
to Alice, then the fact that the signature verification is successful will suggest
to Bob that Alice signed the contract, when in fact it might have been signed
by the attacker.
Could Alice deny that this is her verification key? Even if Bob does have Alice's
correct verification key, Alice could deny that it belonged to her. If Alice denies
signing the message and denies that the verification key belongs to her, then the
fact that the signature verifies correctly is of little use to Bob, since he cannot
prove who the signer was.
Is the verification key valid? Recall from Section 10.2 that cryptographic keys have
finite lifetimes. It is possible that, even if Alice did use this verification key
once, it is no longer a valid verification key for Alice since it has expired. Alice
might have (naughtily!) signed the message with an expired key, knowing that
the digital signature would not be legally accepted because she did not sign it
with a signature key that was valid at the time of signing.
Is the verification key being used appropriately? It is generally regarded as good
practice that cryptographic keys should have specifically designated uses. For
example, in order to enforce the principle of key separation that we discussed
 
 