Professional Documents
Culture Documents
Ralph C. Merkle
ELXSi International
......
Sunnyvale, Ca.
take full advantage of the unique pro- liar with the general ideas behind pub-
signatures are briefly compared with we assume there are two communicants,
each other and with the conventional al- called A and B, and an opponent E. A
ternative. and B will attempt to send secret mes- t,
i
sages and sign contracts, while E will
1. Introduction attempt to discover the keys, learn the
secrets, and forge contracts. Some-
times, A will attempt to evade a con-
The special strengths of public key
systems are briefly considered by exa-
. tract he signed with B, or B will at-
tempt to forge A~s signature to a new
mining cryptographic protocols for key
contract.
distribution and digital signatures us-
A and B will need to apply one way
functions to various arguments of vari-
This work was partially supported under ous sizes, so we assume we have a one
NSF Grant ENG 10173, and much of the way function F which can be applied to
work was done at Stanford University arguments of any size and produce a
ISL. The author would also like to ack- fixed size output. For a more complete
nowledge the support of BNR Inc, where
discussion of one way functions, see
much of the work reported here was done. [2,9,13,19].
An extended version has been submitted
to CACM.
122
p
the only reasonable method of handling will compromise all users of the system.
environment before the discovery of pub- keys destroys the key distribution
lic key distribution methods. Only con- mechanism for all users.
The security and reliability of
ventional encryption functions need be
used, which presently offers a perfor- centralized key distribution can be in-
mance advantage. (Presently known pub- creased by using two or more centers,
each with its own keys [1]. Destruction
lic key systems are less efficient than
or compromise of a single center will
conventional cryptographic systems.
Whether or not this will continue is not not affect the other centers.
I
now known. Discovery of new public key security can also be improved if
systems seems almost inevitable, and all the user keys are encrypted with a
master key by the center. The master
discovery of more efficient ones prob-
key must still be stored securely (and
able.)
In centralized key distribution, A, suitable provision made for its backup),
t
1
B, and all other system users somehow but the (encrypted) user keys can be
t, stored anywhere. This approach is used
deposit a conventional cryptographic key
!,
with a central key distribution center. by IBM (23).
If A wishes to communicate with B, the This protocol does not fully solve
key distribution center will send a com- the key distribution problem: some sort
of key distribution method must be used
mon (session) key to A and B using the
between each user and the center to es-
previously agreed on central keys. A
tablish the original keys. This problem
and B can then communicate with no
is nontrivial because no electronic com-
further assistance from the key distri-
bution center. munications can be used and inexpensive
physical methods, e.g., registered mail,
This protocol is simple and re-
offer only moderate security. The use
quires only conventional encryption
of couriers is reasonably secure,
functions. Its use has been defended in
although more expensive.
the literature [17,18,20].
I
I 123
The disadvantage of this protocol
is that E might actively interfere with
3. Simple Public Key Distribution
the exchange of keys. Worse yet, E can
force a known k on both A and B.
This is the most basic application
of public key systems [1,5,6,7,8]. Its
purpose is to allow A and B to agree on
4. Authenticated Public Key Distribution
a common key k without any prior secret
arrangements, even though E overhears
all messages. A randomly computes enci- The now classic protocol [1] for
phering and deciphering keys EA and DA, secure and authenticated communications
and sends EA to B (and E). B picks the between A and B is: A and B generate EA
random key, k, and transmits EA(k) to A and EB and make them public, while keep-
(and E). A computes DA(EA(k» = k. A ing DA and DB secret. The public enci-
then discards both EA and DA, and B dis- phering keys of all users are entered in
cards EA. The key in future communica- a public file, allowing easy and authen-
tions is k. It is used to encrypt all ticated access to EX for any user, x.
further messages using a conventional If A and B wish to agree on a com-
encryption function. Once A and B have mon key k, then each sends a (session)
finished talking, they both discard k. key to the other by enqrypting it with
If they later resume the conversation the others public key. The two keys
the process is repeated to agree o~ a thus agreed on are combined and used to
new key k~. encrypt further messages.
This protocol is very simple, and At the end of this protocol, A and
has a great deal to recommend it. B have agreed on a common key, k, which
First, no keys and no secret materials is both secret and authenticated.
exist before A and B start communicat- This protocol suffers from two
ing, and nothing is retained after they weaknesses. First, entries in the pub-
have finished. It is impossible for E lic file might be altered. This can be
to compromise any keys either before the dealt with both by good physical securi-
conversation takes place, or after it is ty, or by using new protocols (see sec-
over, for the keys exist only during the tions 5 and 6) for authenticating the
conversation. entries in the public file.
124
p
Kohnfelder [3] first suggested that person who has learned DCA can produce
entries in the public file be authenti- false certificates at will.
each other~s certificates. This proto- was vulnerable to the criticism that DCA
\ col assures A and B that each has the can be compromised, resulting in system
t other~s public enciphering key, and not wide loss of authentication. This prob-
the public enciphering key of some im- lem can be solved by using tree authen-
on the assumptions that the secret deci- authenticate entries in the public file.
phering keys of A, B, and CA have not However, instead of signing each entry
been compromised~ that A and B have in the public file, this protocol ap-
correct copies of ECA (to check the plies a one way hash function, H, to the
signed certificates); and that CA has entire public file. Even though H is
not issued a bad certificate, either applied to the entire public file, the
125
..
..
126
-----------------------------
The only practical method of
For a more detailed discussion the
compromising this protocol is to
reader is referred to [13].
compromise DA or OS. A user's security
Using tree authentication, user A
is thus dependent on himself and no one
has an authentication path which can be
else.
used to authenticate user A's public en-
ciphering key, provided only that R has
already been authenticated. An "authen-
tication path" is a new form of certifi- 7. Digital Signatures
127
must somehow generate a sequence of bits 1
disputes ~ different. Failure to °
tosystems but it will be convenient no- relies on the observation that if A and
tationally to let A sign message m by B trust some central authority CA, and
computing the signature, DA(m). Check- if A and B have a secure method of com-
ing a signature will then be done by municating with CA, then A can "sign n a
message simply by sending it to CA and
bits) then the signature is rejected as This approach is defended by some [17].
128
m
pi
message. B (or a judge) can compute been confused with each other for this
m, thus confirming the reason. Some criticism of "the" public
correctness of the signed message. A is key digital signature protocol has actu-
held responsible for a signed message if ally been of this second protocol, and
and only if it can be verified by apply- failed to consider the first protocol at
ing A's public enciphering key to it. all.
This protocol can be criticized If we.assume that A knows DA, then
[16,17,20] on two grounds: First, the under the second protocol A can make DA
public file might have been tampered public and effectively disavow the
with. Methods of authenticating the signed message. For this reason, some
public file, discussed previously under critics have argued that this protocol
key distribution protocols, solve this is inadequate.
problem. If we assume that A does not know
A second criticism is that A has no DA, then he is unable to disavow his
recourse should his secret deciphering signature under this protocol. It is
key be compromised and made public. easy to design a system in which this is
it Anyone can sign any message they desire the case.
I with A's compromised D , and A will be The major difference between the
I1
held responsible.
It seems clear
A
129
We introduce time into the following been dealt with fairly.
protocol by using time-keepers who can The major disadvantage of this pro-
digitally time-stamp information given tocol, as compared with the basic digi-
to them. We assume that both A and B tal signature protocol, is the require-
have agreed on a set of acceptable ment that B obtain both a time-stamp and
time-keepers whose time-stamps will be a validity-check, presumably in real
accepted in dispute resolution. time. These requirements force the use
If A can report that DA has been of a communications network, which both
lost, then he must report this fact to increases expense and decreases relia-
some agent who will be responsible for bility.
answering queries about the current If B is willing to obtain the
status of D , i.e., has it been lost or time-stamp and the validity-check after
A
not. For simplicity, we shall assume the transaction has been completed,
this role is played by the t central au- i.e., within a few days, an off-line
thority, CA. CA will sign messages system can be used. This modified pro-
stating that A's secret deciphering key tocol could be used by B either as a
has not been compromised as of the fail-soft protocol during communications
current time. These signed messages outages, or as the standard protocol if
will be called "validity-checks." communication costs are too high.
In the time stamp protocol, user A Off-line operation is cheaper ahd
signs message m by computing DA(m) and more reliable, but it exposes B to some
sending it to B. B then has a time- risk: A might have recently reported
keeper time stamp the message and ob- the loss of DA and B would not know
tains a validity-check from CA. about it. If physical security for
has already been reported lost B rejects secret deciphering keys is good, this
the signature, otherwise he accepts. risk should be minimal.
In dispute resolution, the judge
holds that a message has been validly
signed if and only if it can be checked
11. Witnessed Digital Signatures
by applying A's public enciphering key
AND it has been time-stamped prior to
any reported loss of DA• If the value of a transaction is
This protocol provides very good high enough, it might be desirable to
assurance to all parties that they have have a witness physically confirm that A
130
signed message m. The witness, W, would vious solution is for updates to be di-
compute DW("I, W, physically saw A agree gitally signed by an appropriate network
to and sign message m.n). It would be administrator, and for the nodes to
necessary for A and B to agree in ad- check the digital signature prior to ex-
vance on acceptable witnesses. ecuting them.
The primary advantage of this pro- This example leads naturally to
tocol is that it reduces B~s risk. The another ap~lication of digital signa-
primary disadvantage is that it forces A tures in operating system security. A
131
code in privileged mode, then it is pos- 15. BIBLIOGRAPHY
I
:1
I
Of course, this does not necessarily
mean that the operating system is 2. Evans A., Kantrowitz, W., and Weiss,
secure, but it does eliminate a major E. A user authentication system not re-
class of worries. quiring secrecy in the computer. Comm.
ACM 17, 8(Aug. 1974),437-442.
132
•
Comm . ACM 21 , 2 (Feb . 1978) , 120-1 26 . 17. Popek G.J. and Klin e , C . S. Encryp-
9. Wilkes, M. V. , Time- Sharing Computer and Digital Sig natur es in Computer Net-
tion pp . 133-153 .
IEEE Vo l. 67, No.3, Ma r . 1979 pp . 397 - Large Networks o f Comput ers . CACM 21,12
pho ne s, Ch ic ago Tribune pp. 123, J u ne a nd public key sys tems . S tanford El ec .
12. Davi s , R. Remedies sought to defeat 20 . Popek , G. J ., and Klin e , C.S. En-
Soviet eavesdropping on microwave links, crypt ion and Secure Compu ter networks.
13. Merkle , R.C. A certified digi tal 2 1. Simmons, G.J . Symmetric and Asym-
15. Rab in, M.O. , Digitalized 5ig na- t ern. CACM 21,7 Jul 1978 pp . 558 - 565.
133
23. Ehrsam, W.F., Matyas, S.M., Meyer,
C.H., and Tuchma~ W.L. A cryptographic
key management scheme for implementing
the data encryption standard. IBM sys.
Jour. 17,2 1978 pp. 106-125.
no. 1
134