with users. They proposed the following scenario: whenever a user joins a
network, she (a) registers her public key with the public file in person or
through any suitable offline channel; in return, she (b) receives (in similar
offline manner) the public key of the public file authority. Each time the
user requires the public key of another user, she (c) requests it from the
public file authority. The authority (d) sends a copy of that key, itself signed
with the public file authority's private key. The user then (e) verifies the
public file's signature on the key, using the public file's public key obtained
in step (b).
The advantages of such a system were to minimize offline interactions
to “a single secure meeting between each user and the public-file manager
when the user joins the system.” 29 However, users would still need to
interact with the public file for each and every signature verification.
Alternatively, Rivest, Shamir, and Adleman suggested that users might be
provided at the time of their joining the system with “a topic (like a telephone
directory) containing all the encryption keys of users in the system.”
Loren M. Kohnfelder, an undergraduate student of Adleman at MIT,
noted the practical difficulties posed by such a system. In his 1978 honors
thesis, he remarked that it presented a single point of failure: “An enemy
that has broken the Public File encryption function could authoritatively
pass out bogus encryption functions and thereby impersonate any
communicant in the system.” The system would also introduce considerable
inefficiencies: “Continually referencing the Public File is a nuisance. . . . If
it is frequently used, it will need to be a very large and complex system.
Securely updating such a large system will be difficult. The
communications equipment will be very expensive since it must be secure against
tampering.” 30
Kohnfelder proposed to improve on the concept by eliminating the
need for users to communicate with the public file beyond their initial
registration into the system, through the use of public key certificates. A
certificate is simply a document that associates a user's identity to a public
key. For each user in the system, the public file authority issues and signs
such a certificate, using its own private key. To verify the authenticity of
a user's public key, users need only obtain the public key of the public file
authority, presumably through offline means.
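The certificate mechanism just described, as an added example that is not Kohnfelder's or the book's own code: the public file authority signs a statement binding a user's name to her public key once, at registration, and any user can later verify that binding with nothing more than the authority's public key, with no further round trip to the public file. The function names, the `name|n|e` encoding of the certificate, and the dependency-free textbook RSA used as the authority's signature scheme are all assumptions made for this example.

```python
import hashlib
import random

# Constructed, dependency-free textbook RSA with demo-sized keys; a stand-in
# for the authority's real signature scheme, not production code.
def is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witness loop
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_keypair(bits=512):  # returns (public (n, e), private (n, d))
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, msg):  # SHA-256 digest (256 bits) is always below the 512-bit n
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def cert_bytes(name, user_pub):  # the signed statement: identity bound to key
    return f"{name}|{user_pub[0]:x}|{user_pub[1]:x}".encode()

def issue_certificate(authority_priv, name, user_pub):  # once, at registration
    return (name, user_pub, sign(authority_priv, cert_bytes(name, user_pub)))

def verify_certificate(authority_pub, cert):  # needs only the authority's key
    name, user_pub, sig = cert
    return verify(authority_pub, cert_bytes(name, user_pub), sig)
```

Because the authority's private key signs every certificate, the check also shows Kohnfelder's single point of failure: whoever holds that key can mint a valid certificate for any name.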
Public-key certificates thus offered interesting improvements over Diffie
and Hellman's original scheme: using certificates, public keys can be dis-