New PKI Protocols Using Tamper Resistant Hardware. Peter Landrock euroPKI2008, Trondheim. Tools in Communication Security. Cryptographic Techniques for the protection of messages for appropriate protocols Tamper Resistant Hardware for the protection of keys
- first a few words on key management:
2. Light weight PKI in Vehicular Communication
3. Mobility in Electronic Banking
1) How can we take the maximal advantage of the fact that each vehicle will have a tamper resistant device installed?
2) How do we provide an appropriate PKI solution with as little overhead as possible?
P. Fermat observed that if p is a prime, then
(1) p ≈ 1mod4 iff there exist a, b with p = a2+b2
i.e. p factors into the primes (a+ib)(a-ib) in the Gaussian ring Z[i] (which happens to be a unique factorization domain).
An equivalent, although not entirely obvious, statement is that
(2) p ≈ 1mod4 iff –1 is a square root modulo p
Now, let n = pq be an RSA modulus, where p and q are primes which both are 1 mod 4.
Then the multiplicative subgroup of Z/nZ has exactly 4 square roots of -1, say +/− δ and +/− ε, where say
δ ≈ ε mod p and ≈ – ε mod q
Then obviously gcd(δε+1, n) = p, i.e. knowing δ and ε is equivalent to knowing p and q.
However, knowing only one of them and then calculating the other from that is likely as hard as factoring, as is finding even one of them!
1. Let n = pq be an RSA modulus, where p and q are primes which both are 1 mod 4.
2. Prover knows a square root γ of –1 mod n
3. Verifier knows Prover’s public RSA key
Let m be a message (or a hash) with m < n.
Choose a random and calculate b to satisfy γab = m mod n
Set r := (a+γb)/2, s := (γa+b)/2
Then (r,s) is called the γ-signature of m with respect to a
The verifier V receives m, r and s, and verifies that
r2+s2 = (a2–b2+2γab–a2+b2+2γab)/4 = γab mod n = m
Notice here that if a is revealed, too, then calculating rs reveals γ:
4rs = (a+γb)(γa+b)/4 = γ(a2+b2), as we know a2 and b2 from γb
y = a2+b2
1) tamper resistant
2) authorised and certified with the alleged functionality -
Provide digital signatures without any software, hardware or key installed at client
- Enable full user mobility
- No risk of physical loss of user key, card, PC, ...
- Secure environment: Hardware modules, physical, ...
- Secret keys never leaves the secure environment
- e.g. by SMS, Fax, e-Mail, Paper, Scrape Off Sheet, e-KeyRing, ...
Web, mail, ...
Secure tunnel, password,opt. one-time password
Signature for message,
Security now hinges on strict control of access to the signing key
This can be imposed by authentication through two independent channels
How does a Signature Server work?
(5) Send message through
secure channel to the Signer
(4) Send one-time SMS to
User and Signer
(2) Web server request
(3) Signer request one-time SMS
(1) User logs on to Web Server