adversary to substitute someone's identity for his own (see figure 4.3). If signatures provide data integrity, a corresponding threat is the ability for an adversary to forge signatures on messages of her choice (see figure 4.4). If signatures must “convince a judge” and “protect against false denials,” a corresponding threat is the ability for the signer to create signatures that can be easily denied and fail to convince a third party (see figure 4.5). The development of means to effectively protect against these threats has significant implications for the design and usability of cryptographic signature technologies and the infrastructure necessary for their large-scale deployment.
The Threat of Substitution
Diffie and Hellman argued that public-key cryptography solved a fundamental obstacle to electronic commerce by eliminating the need for parties to communicate beforehand in order to establish common keys. If Alice wants to send a confidential message to Bob, she acquires Bob's public key and encrypts her message with it. If she wants to send him a signed message, she encrypts it instead using her private key, and Bob can verify the resulting signature using Alice's public key. But how exactly do Alice and Bob gain access to each other's public key? In both scenarios, Diffie and Hellman proposed that the public key simply “be made public by placing it in a public directory along with user's name and address.”[28] Provided with access to such a centralized telephone book, each user could simply obtain the necessary public key whenever required.
But such a scenario prompted the question of how Alice and Bob can be certain they have obtained each other's authentic public keys. A simple subversion of the public directory seemed immediately possible: by substituting Bob's public key with his own, an adversary may send messages to Alice that will appear to have originated from Bob, given that the signature verification process will proceed using the subverted public key. The precise details of how parties might obtain authentic public keys would turn out to have great practical import for the implementation of public-key cryptosystems. To understand why, it is useful to retrace the history of the technical design of what came to be known as public-key infrastructures.
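To make the substitution threat concrete, here is an added example (not from the book) in Python: a toy textbook-RSA signature over a tiny public directory. It shows that a key substituted into an unsigned directory lets the adversary's signatures verify under Bob's name, and that having the authority managing the public file sign each entry with its own key pair lets Alice detect the substitution. The primes, names, message and entry format are constructed assumptions, and the RSA here has no padding and is far too small to be secure.

```python
import hashlib
# Toy textbook RSA with small moduli and no padding: illustration only.
def keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(digest(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])
# Constructed key pairs from well-known primes (assumption, not real keys).
BOB_PUB, BOB_PRIV = keygen(1000000007, 998244353)
MALLORY_PUB, MALLORY_PRIV = keygen(1000000009, 469762049)
AUTH_PUB, AUTH_PRIV = keygen(999999937, 2147483647)

def entry_bytes(name, pub):
    return f"{name}:{pub[0]}:{pub[1]}".encode()  # what the authority signs

def publish(auth_priv, name, pub):
    # The authority managing the public file signs each (name, key) entry.
    return pub, sign(auth_priv, entry_bytes(name, pub))

def lookup(directory, auth_pub, name):
    # Alice checks the authority's signature before trusting the key.
    pub, cert = directory[name]
    if not verify(auth_pub, entry_bytes(name, pub), cert):
        raise ValueError(f"directory entry for {name} fails the authority check")
    return pub

def unsigned_directory_accepts_substitute():
    # Plain directory: with Mallory's key under Bob's name, a message she
    # signs verifies as if it came from Bob.
    directory = {"bob": MALLORY_PUB}  # Bob's key replaced by Mallory's
    msg = b"please transfer 100 to Alice"  # constructed message
    return verify(directory["bob"], msg, sign(MALLORY_PRIV, msg))

def signed_directory_detects_substitute():
    # Signed directory: the same substitution leaves the authority's signature
    # covering Bob's key, so the entry no longer checks out.
    directory = {"bob": publish(AUTH_PRIV, "bob", BOB_PUB)}
    directory["bob"] = (MALLORY_PUB, directory["bob"][1])
    try:
        lookup(directory, AUTH_PUB, "bob")
    except ValueError:
        return True
    return False
```

The check only moves the problem up one level: AUTH_PUB is now the trust anchor, and Alice must obtain it by some channel the adversary cannot subvert.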
Rivest, Shamir, and Adleman addressed the issue in their RSA paper, suggesting that the authority managing the public file be assigned its own public/private key pair with which to authenticate its communications