Cryptography Reference
In-Depth Information
Since everything is unchanged except the anonymous actual bit string, the receiver
will not be able to detect that it is in fact Oscar's. This observation has far-reaching
consequences which can be summarized in the following statement:
Even though public-key schemes do not require a secure channel, they require
authenticated channels for the distribution of the public keys.
We would like to stress here again that the MIM attack is not restricted to the DHKE,
but is in fact applicable to any asymmetric crypto scheme. The attack always
proceeds the same way: Oscar intercepts the public key that is being sent and replaces
it with his own.
The problem of trusted distribution of public keys is central in modern public-key
cryptography. There are several ways to address the problem of key authentication.
The main mechanism is the use of certificates. The idea behind certificates is
quite easy: Since the authenticity of the message $(k_{pub,A}, ID_A)$ is violated by an
active attack, we apply a cryptographic mechanism that provides authentication. More
specifically, we use digital signatures.[2] Thus, a certificate for a user Alice in its most
basic form is the following structure:
$$\mathrm{Cert}_A = [(k_{pub,A}, ID_A),\ \mathrm{sig}_{k_{pr}}(k_{pub,A}, ID_A)]$$
The idea is that the receiver of a certificate verifies the signature prior to using the
public key. We recall from Chap. 10 that the signature protects the signed message
— which is the structure $(k_{pub,A}, ID_A)$ in this case — against manipulation. If Oscar
attempts to replace $k_{pub,A}$ by $k_{pub,O}$ it will be detected. Thus, it is said that
certificates bind the identity of a user to their public key.
Certificates require that the receiver has the correct verification key, which is a
public key. If we were to use Alice's public key for this, we would have the same
problem that we are actually trying to solve. Instead, the signatures for certificates
are provided by a mutually trusted third party. This party is called the Certification
Authority, commonly abbreviated as CA. It is the task of the CA to generate and issue
certificates for all users in the system. For certificate generation, we can distinguish
between two main cases. In the first case, the user computes her own asymmetric
key pair and merely requests the CA to sign the public key, as shown in the following
simple protocol for a user named Alice:
[2] MACs also provide authentication and could, in principle, also be used for authenticating
public keys. However, because MACs themselves are symmetric algorithms, we would again need a
secure channel for distributing the MAC keys with all the associated drawbacks.
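
The certificate check and the choice of verification key discussed above, as an added example that is not code from the original text and is not the CA protocol the text refers to. It assumes textbook RSA signatures over a SHA-256 digest with constructed toy keys (Mersenne primes, no padding), which are insecure and only for illustration; all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keygen(p, q):
    """Textbook RSA key pair from two primes: returns (k_pub, k_pr)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def encode(k_pub, identity):
    """Unambiguous byte encoding of the signed structure (k_pub, ID)."""
    ident = identity.encode()
    return b"%d|%d|%d|" % (k_pub[0], k_pub[1], len(ident)) + ident

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def issue_cert(signer_pr, k_pub, identity):
    """Cert = [(k_pub, ID), sig_{k_pr}(k_pub, ID)]."""
    n, d = signer_pr
    sig = pow(digest(encode(k_pub, identity), n), d, n)
    return {"k_pub": k_pub, "id": identity, "sig": sig}

def verify_cert(verify_key, cert):
    """Receiver's check, done before the public key in the cert is used."""
    n, e = verify_key
    return pow(cert["sig"], e, n) == digest(encode(cert["k_pub"], cert["id"]), n)

# Constructed toy keys: Mersenne primes, no padding. Insecure, illustration only.
CA_PUB, CA_PR = keygen(2**107 - 1, 2**127 - 1)
ALICE_PUB, _ = keygen(2**61 - 1, 2**89 - 1)
OSCAR_PUB, OSCAR_PR = keygen(2**31 - 1, 2**61 - 1)

def scenarios():
    cert_a = issue_cert(CA_PR, ALICE_PUB, "Alice")
    swapped = dict(cert_a, k_pub=OSCAR_PUB)               # k_pub,A replaced in transit
    self_made = issue_cert(OSCAR_PR, OSCAR_PUB, "Alice")  # signed with Oscar's own key
    return {
        "genuine, checked with CA key": verify_cert(CA_PUB, cert_a),
        "key swapped, checked with CA key": verify_cert(CA_PUB, swapped),
        "Oscar-signed, checked with CA key": verify_cert(CA_PUB, self_made),
        "Oscar-signed, checked with key from the cert": verify_cert(self_made["k_pub"], self_made),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The last scenario is the circular case the text warns about: a signature checked against the key carried inside the certificate always verifies, so it authenticates nothing.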