Cryptography Reference
In-Depth Information
The attacker now has a public-key certificate issued in their name for a verification
key for which they do not know the corresponding signature key. At first glance
this might not seem a very useful outcome for the attacker. However, a problem
arises if Alice now digitally signs a message with her signature key, since the
attacker will be able to persuade relying parties that this is actually the attacker's
digital signature on the message. This is because the attacker's name is on a
public-key certificate containing a verification key that successfully verifies the
digital signature on the message.
This attack can be prevented if the CA conducts a simple check that the public-key
certificate applicant knows the corresponding private key. This type of check
is often referred to as proof of possession (of the corresponding private key). If the
public key is an encryption key then one possible proof of possession is as follows:
1. The RA encrypts a test message using the public key and sends it to the
certificate applicant, along with a request for the applicant to decrypt the
resulting ciphertext.
2. If the applicant is genuine, they decrypt the ciphertext using the private key and
return the plaintext test message to the RA. An applicant who does not know
the corresponding private key will not be able to perform the decryption to
obtain the test message.
It should be noted that proof of possession checks are only required in applications
where the outlined 'attack' is deemed to be meaningful. Proof of possession does
require a small overhead, so once again we encounter a potential tradeoff between
the extra security gained by conducting the check versus the efficiency gained by
omitting to do so.
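The two-step check above, written out as an added example that is not part of the original text; it also shows an applicant who submits someone else's public key failing the check. The hashed-ElGamal cipher over the Mersenne prime 2^521 - 1 and the names `RA`, `keygen`, `encrypt`, `decrypt` and `run_demo` are assumptions chosen so that the code runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

# Assumed demo cipher: hashed ElGamal modulo the Mersenne prime 2^521 - 1.
# Illustrative parameters only; a real RA would use a vetted encryption scheme.
P, G = 2**521 - 1, 3

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)              # (private key, public key)

def _mask(shared, n):
    # Derive an n-byte keystream from the shared group element.
    return hashlib.shake_256(shared.to_bytes(66, "big")).digest(n)

def encrypt(pub, msg):
    k = secrets.randbelow(P - 3) + 2          # fresh ephemeral exponent
    mask = _mask(pow(pub, k, P), len(msg))
    return pow(G, k, P), bytes(a ^ b for a, b in zip(msg, mask))

def decrypt(priv, ct):
    eph, body = ct
    mask = _mask(pow(eph, priv, P), len(body))
    return bytes(a ^ b for a, b in zip(body, mask))

class RA:
    """Registration authority side of the proof-of-possession check."""
    def __init__(self):
        self._test = None

    def challenge(self, claimed_pub):
        # Step 1: encrypt a fresh random test message under the claimed key.
        self._test = secrets.token_bytes(32)
        return encrypt(claimed_pub, self._test)

    def verify(self, response):
        # Step 2: accept only the exact test message, and only once.
        test, self._test = self._test, None
        return test is not None and hmac.compare_digest(test, response)

def run_demo():
    alice_priv, alice_pub = keygen()
    other_priv, _ = keygen()                  # applicant without Alice's key
    ra = RA()
    genuine = ra.verify(decrypt(alice_priv, ra.challenge(alice_pub)))
    forged = ra.verify(decrypt(other_priv, ra.challenge(alice_pub)))
    return genuine, forged

if __name__ == "__main__":
    print(run_demo())
```

The test message is random per request and discarded after one comparison, so a recorded response cannot be replayed against a later challenge.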
GENERATING CA PUBLIC-KEY PAIRS
Public-key certificates involve a CA digitally signing the owner's public key
together with related data. This in turn requires the CA to possess a public-key
pair. This raises the interesting question of how assurance of purpose of the CA's
verification key will be provided.
The most natural solution is to create a public-key certificate for the CA's
public key. But who will sign the public-key certificate of the CA? This is an
absolutely crucial question, since any compromise or inaccuracy of this public-key
certificate may compromise all public-key certificates signed by the CA. The
two most common methods of certifying the CA's verification key are:
Use a higher-level CA. If the CA is part of a chain of CAs (we discuss this in
Section 11.3.3) then the CA may choose to have their public key certified by
another CA. Of course, this does not address the question of who certifies the
public key of the higher-level CA.
Self-certification. A top-level CA probably has no choice other than
self-certification. It may suffice that this process involves making the public key
available in high-profile media, such as daily newspapers. There is a strong
 