9.7 Public-Key Infrastructures
In this section we discuss methods to ensure the secure distribution of public keys.
9.7.1 Certificates
When discussing public-key encryption and public-key signatures, we mentioned that an essential requirement for public-key cryptography to work as intended is the secure distribution of public keys by means of an authenticated channel. Indeed, if public keys are not authenticated, then Bob has no way of knowing whether the key he received is authentic or perhaps an adversary, Oscar, has mounted a 'man-in-the-middle' attack and replaced Alice's public key by Oscar's own public key, allowing Oscar to decrypt all the messages that Bob subsequently sends to Alice.
Exercise 9.17 Describe in detail how digital signature schemes are vulnerable to
'man-in-the-middle' attacks if unauthenticated channels are used to distribute keys.
It is clear that secure distribution of public keys is also essential for digital signature schemes to work as intended but, on the other hand, if public keys are to be authenticated, digital signatures will be the essential tool to achieve the authentication. Thus it seems that we have reached a vicious circle: we need digital signatures to ensure that digital signatures work!

The solution to this apparent dead-end comes from the fact that it can be shown that an authenticated channel is needed only once to ensure the secure distribution of arbitrarily many public keys. The essential instruments to achieve this are (digital) certificates and Public-Key Infrastructures.
The idea behind certificates is to bind a particular entity to a public key by means
of a digital signature that serves to attest the ownership of the public key. These are
frequently called public-key certificates and, more generally, a certificate can also
attest the truth of any property attributable to a certificate owner, in which case it
is called an attribute certificate. Let us consider the basic structure of a public-key
certificate. Suppose that $C$ generates a public key/private key pair $(pk_C, sk_C)$ for a secure digital signature scheme, that $A$'s public key/private key pair for an encryption or digital signature scheme is $(pk_A, sk_A)$ and that $C$ knows that the public key of $A$ is indeed $pk_A$. Then a public-key certificate for $A$ is a pair:

$$\mathrm{Cert}_A = \big((Id_A, pk_A),\ \mathrm{Sign}(sk_C, (Id_A, pk_A))\big),$$

where $Id_A$ is the information that uniquely identifies user $A$.$^{6}$

$^{6}$ In practice, the certificate contains additional information such as, for example, the name of the entity $C$ signing it, the names of the algorithms in which the public key is used, start and end of validity period, etc.
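The certificate just defined, worked through in Python as an added example that is not from the book: textbook RSA over constructed Mersenne primes (hashed but unpadded, so a toy, not a usable scheme) stands in for $C$'s signature scheme; the function names, the encoding of $(Id_A, pk_A)$ and the identity string are assumptions. It also shows Bob, holding only $pk_C$, rejecting a certificate in which Oscar has substituted his own key for $pk_A$.

```python
import hashlib

# Toy textbook RSA stands in for C's signature scheme (constructed Mersenne primes,
# hash-then-sign with no padding): it illustrates the binding in Cert_A, nothing more.
def keygen(p, q, e=65537):
    """Return (pk, sk) = ((n, e), (n, d)) for the constructed primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into Z_n so that it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(sk, message: bytes) -> int:
    """Sign(sk, m) = H(m)^d mod n."""
    n, d = sk
    return pow(_digest(message, n), d, n)

def verify(pk, message: bytes, sig: int) -> bool:
    """Accept iff sig^e mod n equals H(m)."""
    n, e = pk
    return pow(sig, e, n) == _digest(message, n)

def encode(id_a: str, pk_a) -> bytes:
    """Unambiguous byte encoding of the signed pair (Id_A, pk_A) (assumed format)."""
    return f"{id_a}|{pk_a[0]}|{pk_a[1]}".encode()

def issue_certificate(sk_c, id_a: str, pk_a):
    """C, having checked that pk_a is A's key: Cert_A = ((Id_A, pk_A), Sign(sk_C, (Id_A, pk_A)))."""
    return ((id_a, pk_a), sign(sk_c, encode(id_a, pk_a)))

def verify_certificate(pk_c, cert) -> bool:
    """Bob needs only pk_C (obtained once, authenticated) to check any certificate C issued."""
    (id_a, pk_a), sig = cert
    return verify(pk_c, encode(id_a, pk_a), sig)

# Constructed keys: C (the certifier), A (Alice) and Oscar (the adversary).
PK_C, SK_C = keygen(2**61 - 1, 2**89 - 1)
PK_A, _ = keygen(2**31 - 1, 2**127 - 1)
PK_OSCAR, _ = keygen(2**107 - 1, 2**127 - 1)

def demo():
    """Return (genuine certificate verifies, certificate with Oscar's key verifies)."""
    cert = issue_certificate(SK_C, "Id_A: alice@example.org", PK_A)
    (id_a, _), sig = cert
    # Oscar swaps in his own public key but cannot produce C's signature on the new pair,
    # so Bob's check under pk_C detects the substitution.
    tampered = ((id_a, PK_OSCAR), sig)
    return verify_certificate(PK_C, cert), verify_certificate(PK_C, tampered)  # (True, False)
```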