Management of signature keys for government

Bodo Moeller Bodo_Moeller at public.uni-hamburg.de
Wed, 4 Mar 1998 12:41:39 +0100


Bodo Moeller:
> Brian Gladman <gladman@seven77.demon.co.uk>:
>> Dave Howe <DHowe@tecsun.demon.co.uk>:
 
>>> I don't know why, but I seem completely unable to see why
>>> users can't generate their own keys for use in smart cards,
>>> using their own trusted software, and uplink their own trusted
>>> copy of the key to the smartcard.
 
>> One issue in the self generation of keys is how to prevent a user
>> repudiating their own key by revealing its private component.
 
> If DSA or the ElGamal signature algorithm in a prime-order subgroup
> of  (Z/pZ)*  is employed, [...]
> the following scheme could be employed:
[...]
>    When Carol obtains her card, it already has a "temporary key"
> y = g^x  provided by the issuer of the card.  Of course, the card
> issuer is expected to use high quality randomness, not to store  x
> etc.  Carol can read out   y,  but the card will not reveal the secret
> exponent  x.  Now Carol creates a random number  z  and sends it to
> the card.  The card computes and stores a new private key
>      X := x*z
> and a new public key
>      Y := g^X   (= g^(x*z) = y^z).
> The card may then delete  x  and  y.
[...]

> If at least one party -- the card issuer or Carol -- used a good random
> number generator (for  x  or  z, respectively), then the new private
> key  X  is also a good random number.

This statement is not true.  Carol can choose her random number  z
depending on the key  y  presented by the card.  I think this does
not help her to find out  X  later, but unfortunately I do not have a
proof for that.

Also I forgot an important step: The smartcard has to sign (a hash of)
the new public key  Y  using its original private key  x.  Carol has
to present this signature to the card issuer in order to get her key
certificate.  Otherwise she could ignore the key generation process
described above and simply create a key  (x', y')  of her own (without
using her smartcard), which contradicts our goal of preventing (as far
as possible, depending on the effectiveness of the card's tamper
resistance) the user from revealing their private key.


Bodo M"oller
<Bodo_Moeller@public.uni-hamburg.de>
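An added worked example, not part of the original message and not an implementation by anyone in the thread: a small Python model of the card personalization quoted above together with the endorsement step added in this reply. The card holds the issuer's temporary exponent x and exposes only y = g^x; Carol contributes z; the card derives X = x*z and Y = y^z = g^X, signs an encoding of Y with the old x before deleting x and y, and the issuer certifies a Y only if that endorsement verifies under the y it put on the card. A software key pair (x', y') created without the card, which Carol could reveal at will, is rejected because she can only endorse it with x' itself. DSA in the order-q subgroup is used as the text suggests; the names SmartCard, Issuer and run_protocol, the 64-bit toy parameters, the "pubkey:" encoding and SHA-256 reduced mod q as the hash are assumptions made for the example.

```python
# Added illustration, not code from the original post.  Names (SmartCard, Issuer,
# run_protocol) and the 64-bit toy group size are assumptions made for the example.
import hashlib
import random
import secrets

def is_probable_prime(n, rounds=32):  # Miller-Rabin, for toy parameter generation
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        v = pow(random.randrange(2, n - 1), d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):  # p = 2q + 1 with q prime; g = 4 = 2^2 is a square != 1, so of order q
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def hash_to_zq(msg, q):  # assumption: SHA-256 reduced mod q stands in for the DSA hash
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(group, x, msg):
    p, q, g = group
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_to_zq(msg, q) + x * r) % q
        if r and s:
            return r, s

def dsa_verify(group, y, msg, sig):
    p, q, g = group
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_zq(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

class SmartCard:  # keeps its secret exponent inside; exports only public values and signatures
    def __init__(self, group, x):
        self._group, self._x = group, x       # x: temporary exponent chosen by the issuer
        self.y = pow(group[2], x, group[0])   # y = g^x, readable by Carol
        self.Y = None

    def personalize(self, z):  # X := x*z, Y := y^z = g^X; endorse Y with the old x; forget x and y
        p, q, g = self._group
        if self.Y is not None:
            raise RuntimeError("card already personalised")
        z %= q
        if z == 0:
            raise ValueError("z must be nonzero mod q")   # z = 0 would make X = 0
        X, Y = self._x * z % q, pow(self.y, z, p)
        assert Y == pow(g, X, p)                          # the identity g^(x*z) = y^z
        endorsement = dsa_sign(self._group, self._x, b"pubkey:%d" % Y)
        self._x, self.Y, self.y = X, Y, None              # x and y are deleted from the card
        return Y, endorsement

    def sign(self, msg):
        return dsa_sign(self._group, self._x, msg)

class Issuer:  # remembers each card's public y, never x
    def __init__(self, group):
        self.group, self._issued = group, {}

    def issue_card(self, card_id):
        card = SmartCard(self.group, secrets.randbelow(self.group[1] - 1) + 1)
        self._issued[card_id] = card.y
        return card

    def certify(self, card_id, Y, endorsement):  # certificate only for a Y endorsed under that card's y
        y = self._issued.get(card_id)
        return y is not None and dsa_verify(self.group, y, b"pubkey:%d" % Y, endorsement)

def run_protocol(group=None):
    p, q, g = group = group or gen_group()
    issuer = Issuer(group)
    card = issuer.issue_card("carol")
    Y, endorsement = card.personalize(secrets.randbelow(q - 1) + 1)   # z: Carol's own randomness
    # The shortcut the post warns about: a software key pair (x', y') whose private half
    # Carol could reveal at will.  Lacking the card's x, she can only endorse y' with x'.
    x2 = secrets.randbelow(q - 1) + 1
    y2 = pow(g, x2, p)
    return {
        "card_key_certified": issuer.certify("carol", Y, endorsement),
        "software_key_certified": issuer.certify("carol", y2, dsa_sign(group, x2, b"pubkey:%d" % y2)),
        "card_signs_under_Y": dsa_verify(group, Y, b"contract", card.sign(b"contract")),
    }
```

Two details the post does not spell out are made explicit here as design choices of the example: the card rejects z ≡ 0 (mod q), since that would set X = 0, and it accepts only one personalization, so x cannot be reused to endorse a second Y. The example does not address the open question in the reply about Carol choosing z after seeing y.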