Identity-based public key cryptography
Peter Fairbrother
peter.fairbrother at ntlworld.com
Mon, 17 Dec 2001 19:45:40 +0000
This is all possible, but like you I have reservations about anything from
CESG. I tried to get the source code but they require an NDA which I won't
agree to - I couldn't criticise it.
The splitting of the CA is contentious, and there is a (split?) secret that
if revealed would compromise _every_ key. Anyone can request a private key
from the CA and it will be sent to the identity inherent in the key, so
identity theft/spoofing is a problem, never mind the secure transfer of the
private key - a MITM attack is possible. Key revocation is a nightmare too.
Getting a bit technical here, there is another possible problem, the CA
responds with the square root of the hashed identity (eg an email address)
mod N (=pq). As anyone can request a square root from the CA for a hashed
identity, Mallory can ask for two square roots for numbers that are eg factors
of Alice's hashed identity mod N (this is much easier than factorising N).
This means the security relies on the hashing algorithm, but as the
potential identities are large in number and can be hashed by Mallory
without the involvement of the CA, Mallory can create a large pool of hashed
identities, find a combination that eg factor Alice's identity, request
those private keys from the CA and calculate Alice's private key. I'm not
too sure how effective this might be, and there may be another similar
attack; I'll have to think more about it.
In short this is full of potential holes and without seeing the precise
implementation, and being assured that it is being used on the particular
machines the CA uses, I would not touch it with a bargepole. Even then it is
dubious. It is saying "trust the (split?) CA, the protocol is secure", but
it isn't, especially if the link between the client and the CA is open to
compromise. Whether the CA is worthy of trust is a human decision mostly,
but I prefer to generate my own private keys, I have more control over them.
It isn't a "breakthrough", new or inventive, and I doubt it would even get a
US patent.
-- Peter Fairbrother
> John Williams wrote:
> The powers that be continue to agonise over the use of cryptographic
> services for the NHS. Setting up the necessary PKI seems to be particularly
> challenging.
>
> Then all of a sudden we are being told about ID-PKC where no complicated PKI
> is needed. Public keys can be computed and we get our private keys from a
> CA. The CA can be split into pieces so that only someone with all of the
> pieces gets to have the working private key. How secure is this system and
> is it in use anywhere? It seems too good to be true and I feel uneasy about
> where I am being told to go to view it from:
>
> http://www.cesg.gov.uk/technology/id-pkc/index.htm
>
> Does this have any place?
>
> John Williams
>
> Dr John Williams
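An added toy model (not from the post, and not the CESG code, which Peter could not obtain) of the algebraic point raised above: in a Cocks-style scheme the CA answers a request with a square root mod N of the hashed identity, and square roots mod N multiply, so the CA's answers for two values b and c are together also an answer for b*c mod N. What the key-extraction step therefore rests on is the hash: a requester cannot choose which values get hashed to, so the question reduces to whether multiplicative relations among hash outputs can be found, which is exactly the uncertainty Peter leaves open. The toy primes, the counter-based hashing to Jacobi symbol +1 and every function name here are constructed assumptions.

```python
import hashlib, math

# Constructed toy parameters: two Blum primes (3 mod 4) so the CA can take
# square roots easily. A real N would be 1024+ bits.
P, Q = 1019, 1031
N = P * Q

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n; anyone can compute it without p and q."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_identity(identity: str) -> int:
    """Hash an identity (e.g. an e-mail address) to a value mod N with Jacobi
    symbol +1, re-hashing with a counter until one is found (Cocks' convention)."""
    for counter in range(256):
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a
    raise ValueError("no hash with Jacobi symbol +1 found")

def ca_extract(a: int) -> int:
    """The CA's step: a square root mod N of a, or of -a if a is a non-residue.
    Needs p and q, so only the CA (or whoever learns its secret) can do it."""
    t = a if pow(a % P, (P - 1) // 2, P) == 1 else (-a) % N
    rp, rq = pow(t, (P + 1) // 4, P), pow(t, (Q + 1) // 4, Q)  # roots mod p, q
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N   # CRT

def is_valid_key(r: int, a: int) -> bool:
    """r is a usable private key for a if r^2 is a or -a mod N."""
    return pow(r, 2, N) in (a, (-a) % N)

def combined_root(roots: list) -> int:
    """Product of extracted roots: it squares to +/- the product of the values
    they were issued for, so the CA's answers for b and c are also an answer
    for b*c mod N. The hash is what stops a requester choosing b and c."""
    return math.prod(roots) % N
```

The defensive reading is that the CA must only ever extract for hash outputs of bona fide identities, never for caller-supplied numbers, and that the hash must behave like a random function into the residues mod N.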