Combining Mediated and Identity-Based Cryptography for Securing E-mail
Sufyan T. Faraj, Hussein Khalid Abd-alrazzaq
Abstract
This thesis proposes to exploit a distinctive form of public-key cryptography, Identity-Based Cryptography (IBC), to solve the usability problem of PKI-based secure e-mail. In IBC the public key is derived from general information about the recipient (such as an e-mail address), so no certificate has to be fetched or validated before the key can be used. To strengthen the system, IBC is combined with mediated cryptography, which makes it possible to revoke immediately any key that has been exposed or is suspected of compromise. In addition, every decryption and signature operation is controlled by an authorized party (which can neither forge on the user's behalf nor learn the user's secret), so that unauthorized parties cannot use or manipulate the system. The proposal includes a concrete Mediated Identity-Based Cryptography method, the Mediated BF-SOK IBC scheme.
Introduction
E-mail is one of the essential applications of the Internet. More than a hundred million electronic messages traverse the world's computer networks every day, and most of them are vulnerable. Securing e-mail has always been an important issue and a subject of growing concern for researchers and users alike, as the volume of e-mail grows continuously. Various standards and products have been created, and securing e-mail with encryption has been introduced broadly by many experts, with success on the purely cryptographic side: several algorithms are available for encryption and decryption, while intruders keep trying to break them and recover the plaintext. For this reason another solution is needed to raise the security level of e-mail and reduce the growing risk from attackers. The question that draws attention is why most people still fail to protect themselves, despite the long time that systems based on a public-key infrastructure have been available. The answer is simple: Public Key Infrastructure (PKI) is just too difficult for the average user. A well-known difficulty with public-key cryptosystems is the verification and distribution of the public keys, which requires a tremendous overhead in terms of setting up a public key.
Public Key Infrastructure
Public-key cryptography requires the receiver's public key; consequently, before sending any message, the sender must obtain this public key and make sure that the key obtained is indeed the correct one. This introduces two important steps in a real-life implementation: fetching the public key and verifying it. The second step may seem the difficult one: getting data is reasonably easy, while verifying that it is genuine seems much harder. The standard solution for verifying a public key is the public-key certificate. At the most basic level, a public-key certificate is simply a message that asserts "the public key of user Bob is $upk_B$"; to make sure that the certificate itself is genuine, it has to be signed [1, 2]. To use a public key contained in a digital certificate, a user queries the public repository where the certificate is published and retrieves it. Because a public key may be valid for quite a while, it is often necessary to check the certificate for validity (expiry and revocation) before using the key. A much more difficult problem with certificates is the management of trust: what guarantees that you can trust the owner of the verification key? The Public Key Infrastructure provides the digital certificates that bind an identity to a public key; each person presents the certificate containing his or her public key, and the relying party checks the identity against it. A PKI is the combination of hardware, software, encryption technology, people and policies. It consists of the following parts [2, 3]:
Certification Authority (CA): the CA oversees the generation, distribution, renewal, revocation and suspension of digital certificates.
Registration Authority (RA): the RA must itself be accredited as trustworthy; it is responsible for ensuring that every procedure is executed according to the applicable policy and that all requirements for issuance and verification are met under the local policy.
Certificate Revocation Lists (CRLs): a CRL is a time-stamped list, signed by a CA, identifying revoked certificates.
Certificate Repositories: a system, or a set of distributed systems, that stores certificates and CRLs and serves as the means of distributing them to end entities.
Identity-Based Cryptography (IBC)
In 1985 Shamir introduced the concept of identity-based (ID-based) cryptosystems, which offers a nice solution to a large fraction of these practical problems by eliminating the complexity of handling digital certificates. In identity-based cryptography the public key of a user is derived from public information that uniquely identifies the user, so a party can encrypt a message using the recipient's identity as the public key; the corresponding private key is generated by a trusted third party called the Private Key Generator (PKG). ID-based cryptosystems are advantageous over traditional public-key cryptosystems (PKC) in that they avoid the need for a certified public-key register [4, 1]. In 2001, Boneh and Franklin gave the first practical Identity-Based Encryption scheme; it relies on the bilinear Diffie-Hellman problem for its security and is built on a bilinear pairing on an elliptic curve (the Weil pairing in the original paper, with the Tate pairing the usual choice in implementations) [5, 6].

Let $G_1$ be a cyclic group generated by $P$ whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order; the discrete logarithm problem is assumed to be hard in both $G_1$ and $G_2$. A pairing is a map $e: G_1 \times G_1 \to G_2$ with the following properties [7, 8]:
1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$; equivalently, $e(P_1 + P_2, Q) = e(P_1, Q)\,e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\,e(P, Q_2)$.
2. Non-degeneracy: if $P \neq O$ then there exists $Q \in G_1$ such that $e(P, Q) \neq 1$; equivalently, $e(P, Q) = 1$ for all $Q \in G_1$ only if $P = O$.
3. Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.
Some Computational Problems
Some computational problems are hard enough to serve as the basis of public-key algorithms, which then get their cryptographic strength from the difficulty of the underlying problem. The following problems are all related to the Diffie-Hellman problem (the Diffie-Hellman problem is sometimes called the computational Diffie-Hellman problem, CDHP, to distinguish it more clearly from the decision problem below):

1. The Decision Diffie-Hellman Problem (DDHP). The decision Diffie-Hellman problem, studied in depth by Boneh in 1998, is closely related to the discrete logarithm assumption. It is: given $g$, $g^a$, $g^b$ and $x$, decide whether or not $x = g^{ab}$. One obvious way to solve it is to recover $b$ (a discrete logarithm), compute $(g^a)^b = g^{ab}$ and compare the result with $x$; solving the CDHP for $g^{ab}$ also suffices [1]. Definition: let $G$ be a group and $g \in G$. The DDH problem is, given a quadruple $(g, g^a, g^b, g^c)$ of elements of $G$, to decide whether or not $g^c = g^{ab}$ [9]. The decisional Diffie-Hellman (DDH) assumption is a computational hardness assumption about discrete logarithms in cyclic groups; it is used as the basis of the security proofs of many cryptographic protocols, such as the Cramer-Shoup cryptosystem.

2. The Bilinear Diffie-Hellman Problem (BDHP). The BDHP generalizes the CDHP to groups with a pairing. Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of prime order $q$, let $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be a bilinear map and let $P$ be a generator of $\mathbb{G}_1$. The BDHP is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc} \in \mathbb{G}_2$. The BDHP is no harder than computing discrete logarithms: if we can compute the discrete logarithm of $cP$ in $\mathbb{G}_1$ to find $c$, or the discrete logarithm of $e(P, cP) = e(P, P)^c$ in $\mathbb{G}_2$, then we can compute $e(aP, bP)^c = (e(P, P)^{ab})^c = e(P, P)^{abc}$. Moreover, the map $f_P: \mathbb{G}_1 \to \mathbb{G}_2$ defined by $f_P(Q) = e(P, Q)$ is an isomorphism of groups; if any such isomorphism turned out to be efficiently invertible, BDH would be easy, since $f_P^{-1}(e(P, Q)) = Q$ [5, 1].

3. The Decision Bilinear Diffie-Hellman Problem (DBDHP). The DBDHP generalizes the DDHP. Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of prime order $q$, let $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be a bilinear map and let $P$ be a generator of $\mathbb{G}_1$. The decisional BDH problem is: given $P$, $A = aP$, $B = bP$, $C = cP$ and $X = e(P, P)^x$, decide whether or not $X = e(P, P)^{abc}$ for the hidden values $a, b, c$ and $x$ [10].
The Fujisaki-Okamoto Transform
A technique introduced by Fujisaki and Okamoto in 1999 generically transforms a public-key encryption algorithm with fairly weak security properties into one that is secure against chosen-ciphertext attacks [11]. Let $\mathcal{E}_{pk}(M, \sigma)$ be a public-key encryption algorithm that encrypts the plaintext $M$ under the public key $pk$ using the random input $\sigma$, let $\mathcal{D}_{pr}$ be the corresponding decryption function, and let $H_1$ and $H_2$ be cryptographic hash functions. The transformed encryption algorithm $\mathcal{E}'_{pk}$, which is resistant to chosen-ciphertext attacks, is
$$\mathcal{E}'_{pk}(M, \sigma) = \big(\mathcal{E}_{pk}(\sigma, H_1(\sigma, M)),\; H_2(\sigma) \oplus M\big) = (C_1, C_2) = C,$$
where $C_1 = \mathcal{E}_{pk}(\sigma, H_1(\sigma, M))$ (the random value $\sigma$ is encrypted using $H_1(\sigma, M)$ as the randomness) and $C_2 = H_2(\sigma) \oplus M$. Decryption proceeds as follows:
1. Compute $\sigma = \mathcal{D}_{pr}(C_1)$.
2. Compute $M = H_2(\sigma) \oplus C_2$.
3. Set $r = H_1(\sigma, M)$ and check that $\mathcal{E}_{pk}(\sigma, r) = C_1$; if the check fails, the ciphertext is rejected.
The last step is what defeats chosen-ciphertext attacks: a ciphertext that was not honestly produced from some $(\sigma, M)$ is rejected instead of being decrypted. This transformation can be used to create a more secure scheme from a less secure one [12, 1].
Formal Definition of Identity-Based Cryptography
Formally, an identity-based cryptographic scheme is a family of algorithms, usually four. An identity-based encryption (IBE) scheme consists of Setup, Private Key Extraction (Generation), Encryption and Decryption, described as follows [13]:
Setup: run by the key generation center; it generates the common system parameters together with the master secret key (msk). The system parameters include a description of the message space $\mathcal{M}$, the ciphertext space $\mathcal{C}$, the identity space $\mathcal{I}$ and the master public key (mpk). They are publicly known, while the master secret key is known only to the private key generator (PKG).
Key Extraction (Derivation): run by the key generation center on behalf of a user who requests his own private key, after checking that the user matches the claimed identity. It takes as input an identity $id \in \mathcal{I}$, the system parameters and the master secret key (msk), and returns the user's private key (usk), computed with the master secret key. The identity $id$ serves as the public key and usk is the corresponding private key.
Encryption: takes as input an identity $id \in \mathcal{I}$ and a message $M \in \mathcal{M}$ and produces a ciphertext $C \in \mathcal{C}$ encrypted under the public key $id$ using the master public key (mpk).
Decryption: a deterministic algorithm that takes as input a ciphertext $C \in \mathcal{C}$, the private key (usk) of the corresponding identity $id$ and the system parameters, and returns the message $M$.
In an identity-based signature (IBS) scheme, Encryption and Decryption are replaced by Sign and Verify:
Sign: using its private key usk, the sender creates a signature $\sigma$ on the message $M$.
Verify: having obtained the signature $\sigma$ and the message $M$ from the sender, the verifier checks whether $\sigma$ is a genuine signature on $M$ using the sender's identity and the PKG's public key, and returns "Accept" if it is and "Reject" otherwise.
Security-Mediated Cryptography
Boneh, Ding, Tsudik and Wong [14] present a new approach to fast certificate revocation centered on an on-line semi-trusted mediator (SEM). The SEM helps the client complete every signing and decryption operation: the client must first obtain a message-specific token from the SEM, and without this token the client cannot use his or her private key. The security-mediated approach has several advantages. No operation can be completed without the SEM's cooperation, and the SEM cooperates only while it believes the user's private key is valid, which reduces or eliminates the need for certificate revocation: the SEM can immediately revoke a user's ability to sign or decrypt. The SEM itself gains no useful information, because it can only partially decrypt or sign a message. Mediated RSA (mRSA) uses standard RSA, but the main idea behind its implementation is to split the RSA private key into two parts, as in threshold RSA: one part is given to the user and the other to the SEM, and neither party can derive the other half from its own [14, 15].
General Structure of the Proposed System
The basic idea of the proposed system is to replace traditional public-key cryptography with Identity-Based Cryptography and to combine it with the mediated cryptography technique in order to build a secure e-mail system. The proposed e-mail security system is intended to satisfy the following objectives:
1. To provide an e-mail system that is as secure and robust against attack as possible, by using strong methods.
2. To make the secure e-mail system easier to use, with more usability and flexibility.
3. To eliminate the need for certificates and use a simple key-distribution method (IBC, with the user's e-mail address as the public key), while providing immediate revocation of a public key (through the SEM).
4. To design a system that is convenient for establishments and organizations, because it is monitored by the administration.
The main component of the system is an e-mail client that provides secure messaging on top of strong cryptographic algorithms. Two methods provide the security, Identity-Based Cryptography and mediated cryptography, and each consists of parts that work together to achieve the aims. Combining IBC with mediated cryptography, the system consists of three parts. The first is the Generation Center (GC), which generates private keys from public information (the public key) and public parameters; it has three functions: generating the public parameters and making them freely available (the Parameters Generation Center, PGC), generating a private key from a public key, which is usually an e-mail address or any other public information (the Private Key Generation Center, PKGC), and splitting the private key into two parts, one for the user and one for the SEM. The GC is the trusted authority that knows all users' keys, so any compromise of it exposes the whole system to destruction. The second part is the SEM, which holds one half of each user's private key and completes decryption and signing for the user; the SEM receives its halves of the users' private keys from the PKGC and stores them in its database. The third part is the client, which must download the public parameters before requesting its private key from the PKGC in order to use the system. Figure 1 illustrates the general structure of the system.
Figure 1: General Structure of the System. (Diagram: the GC comprises the PGC, which publishes the public parameters PP, and the PKGC, which issues the user half $PR_u$ to the client and the SEM half $PR_{sem}$ to the SEM's database; the client obtains PP, and the SEM completes decrypt/sign operations for the client.)
Since the private key in this method is generated by the PKGC, a way to distribute it must be provided. There are two options for implementation:
1. Provide the key remotely, by sending a request and receiving a response that includes the private key; in this exchange a session key is used to protect the private key.
2. Provide the key directly (manually), which requires the person to be present to receive the key hand to hand.
In a large-scale environment the first option is more appropriate, and it is the one used in the proposed system, so the PKG needs a session key. In addition, other cryptographic algorithms are used to provide the security services, such as the AES cipher as the symmetric-key algorithm.
Distribute Private Key
Delivering a private key to a user must be done secretly. A key-distribution protocol is needed to establish a secure channel, and a session key (secret key) is needed to achieve that; this secret key is transferred under the PKGC's public key. The authentication process relies on a message digest. The user sends his or her e-mail address as the identifier. This does not by itself prove the claimed identity, but it guarantees that the response is sent to that address, which prevents a forger from benefiting from impersonating another user, because the forger cannot read that user's mailbox. The user needs the e-mail address of the PKGC in order to send the request. The process runs between the user and the PKGC in the following steps, shown in Figure 2:
1. The user (e-mail client) first obtains the public system parameters, which are needed to encrypt the request message with IBE.
2. The user generates the session key to be used with the PKGC, and the e-mail client creates a request that includes the user's e-mail address, a timestamp, the session key and a message digest of (e-mail address, timestamp, session key). The message digest is added to detect any change to the request (integrity). The request is encrypted with the PKGC's public key using IBE (the PKGC's public key is its e-mail address) and sent. The session key is kept secret so that it can later be used to decrypt the private key.
3. The PKGC receives the request, decrypts it to extract the session key, and computes the message digest of the request to compare with the one sent. If they match (and the timestamp is acceptable), the PKGC generates the user's private key from the e-mail address in the request, which serves as the corresponding public key. The PKGC constructs the response, encrypts it under the session key with a symmetric algorithm (AES in this proposal), signs it with the PKGC's private key, and sends the result to the user's e-mail address.
4. After receiving the response from the PKGC, the user decrypts it with the session key to retrieve the private key and verifies the signature with the PKGC's public key.
Figure 2: Distribute Private Key. (Diagram: the client obtains the public parameters and sends $E(PU_{GC}, Req)$ with $Req = [\text{email-address}, SK, TS, H(\text{email-address}, SK, TS)]$. The GC computes $D(PR_{GC}, Req)$ and checks $TS$ and $H$; if the check is false it rejects the request; if true it extracts $PR_{Client}$, generates $S = Sign(PR_{GC}, H(PR_{Client,U}, TS))$, builds $Res = [PR_{Client,U}, S, TS]$ and sends $C = E(SK, Res)$ to the client, and likewise generates $S = Sign(PR_{GC}, H(PR_{Client,SEM}, TS))$, builds $Res = [PR_{Client,SEM}, S, TS]$ and sends $C = E(PU_{SEM}, Res)$ to the SEM. The client recovers $[PR_{Client,U}, S, TS] = D(SK, C)$, checks $Verify(PU_{GC}, S) = \text{true}$ and stores the private key; the SEM recovers $[PR_{Client,SEM}, S, TS] = D(PR_{SEM}, C)$, checks $Verify(PU_{GC}, S) = \text{true}$ and stores the private key.)
The Proposed Method
To combine the two methods, the architecture of at least one of them has to change; the suggested way is to split the private key, and this is applied to the Boneh-Franklin IBE scheme. To apply IBC to secure e-mail, signatures are needed alongside encryption, but not all schemes generate the private key in the same way. A private key generated by one scheme is in general not usable in another, so a user would need two private keys, one for encryption and one for signing. For this reason the schemes must be chosen carefully to be compatible with each other, that is, to share the same Setup and Extract algorithms, which are the ones run by the GC. Such hybrid techniques, combining IBE, IBS and mediation, offer the best solution to the great problem of complexity in secure e-mail.
Mediated BF-SOK Identity-Based Signature/Encryption Scheme
The proposed method combines two schemes: Boneh-Franklin (BF) identity-based encryption and Sakai-Ogishi-Kasahara (SOK) identity-based signature. The BF scheme cannot be used for the signature service, so another scheme is used for it. Both schemes use identity information as the public key, and both have similar Setup and Extract algorithms. The modification applies to the extraction of the private key, which is split into two parts. In the signature scheme, the Sign algorithm is shared between the user and the SEM, so it is performed in two steps; although verification is carried out by the recipient alone, it has to be made compatible with the modified Sign algorithm. In the BF scheme the private key is needed only for decryption, so the change there is confined to the Decrypt algorithm, and Encrypt is left unmodified.
Mediated BF-IBE Scheme
This scheme involves three parties, GC, SEM and users, and four algorithms: Setup, Extract, Encrypt and Decrypt. The GC governs the SEM, and one SEM can serve many users. Two of the algorithms, Setup and Encrypt, are the same as in the original scheme; the other two, Extract and Decrypt, provide the mediated capability. The four algorithms are as follows.
Setup: Let $P$ be a generator of $\mathbb{G}_1$. Pick a random $s \in \mathbb{Z}_p^*$ and set $P_{pub} = sP$. Choose cryptographic hash functions $H_1: \{0,1\}^* \to \mathbb{G}_1$, $H_2: \mathbb{G}_T \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$. The master secret is $s$, and the public parameters are those of the BF FullIdent scheme: $(q, E/\mathbb{F}_q, p, \mathbb{G}_1, \mathbb{G}_T, e, n, P, P_{pub}, H_1, H_2, H_3, H_4)$.
Extraction: Given an identity $id$, the PKGC chooses a random $s_u \in \mathbb{Z}_p^*$ and computes $Q_{id} = H_1(id)$, $D_{user} = s_u Q_{id}$ and $D_{sem} = (s - s_u) Q_{id}$. $D_{user}$ is sent secretly to the user with identity $id$ as his private key, and $(D_{sem}, id)$ is sent to the SEM. Note that $D_{user} + D_{sem} = sQ_{id}$, the private key of the original BF scheme, which is never assembled in one place.
Encryption: The sender encrypts the message $M$ with the recipient's $id$ as the public key, exactly as in the original algorithm:
1. Compute $Q_{id} = H_1(id)$.
2. Pick a random $\sigma \in \{0,1\}^n$.
3. Compute $r = H_3(\sigma, M)$.
4. Compute $C_1 = rP$.
5. Compute $C_2 = \sigma \oplus H_2(e(Q_{id}, P_{pub})^r)$.
6. Compute $C_3 = M \oplus H_4(\sigma)$.
The ciphertext is $C = (C_1, C_2, C_3)$.
Decryption: To decrypt, the recipient must obtain the SEM's cooperation. The algorithm runs between the two parties (user and SEM): after receiving the ciphertext the recipient sends some information to the SEM, which computes the remaining half of the decryption. The steps are:
User:
1. Pick a random $x \in \mathbb{Z}_p^*$.
2. Compute $D_1 = e(D_{user}, rP)^x$, where $rP = C_1$ is taken from the ciphertext.
3. Compute $D_2 = x(rP)$.
The user sends $(D_1, D_2)$ to the SEM.
SEM:
4. Compute $D_3 = D_1 \cdot e(D_{sem}, D_2)$ and return $D_3$ to the user.
User:
5. Compute $K = (D_3)^{1/x}$.
6. Compute $\sigma = C_2 \oplus H_2(K)$.
7. Compute $M = C_3 \oplus H_4(\sigma)$.
8. Compute $r = H_3(\sigma, M)$.
9. Compute $rP$; if $C_1 \neq rP$, reject the ciphertext as invalid.
Security Analysis of the Mediated BF-IBE Scheme
First, the scheme must be shown to be correct. To decrypt, the recipient needs the value used in encryption,
$$e(Q_{id}, P_{pub})^r = e(Q_{id}, sP)^r = e(Q_{id}, P)^{sr},$$
and the mediated decryption yields exactly this value. Writing $s_{sem} = s - s_u$, so that $D_{sem} = s_{sem} Q_{id}$:
$$\begin{aligned}
K = (D_3)^{1/x} &= \big[D_1 \cdot e(D_{sem}, D_2)\big]^{1/x} \\
&= \big[e(D_{user}, rP)^x \cdot e(D_{sem}, D_2)\big]^{1/x} \\
&= \big[e(s_u Q_{id}, rP)^x \cdot e(s_{sem} Q_{id}, xrP)\big]^{1/x} \\
&= \big[e(s_u Q_{id}, xrP) \cdot e(s_{sem} Q_{id}, xrP)\big]^{1/x} \\
&= e\big((s_u + s_{sem}) Q_{id}, xrP\big)^{1/x} \\
&= e(sQ_{id}, P)^{xr \cdot (1/x)} = e(sQ_{id}, P)^{r} = e(Q_{id}, P)^{sr},
\end{aligned}$$
which is the value needed to recover $\sigma$ from $C_2$.
This scheme is based on the same problem as the original scheme, so its security level is at least the same. An adversary obtains $P$ and $sP$ from the public parameters, can compute $Q_{id} = tP$ from the recipient's identity, and observes $rP$ in the ciphertext. If he could compute $e(P, P)^{rst}$ from $P$, $rP$, $sP$ and $tP$ he could recover the plaintext $M$; this is exactly the bilinear Diffie-Hellman problem. The user's contribution $e(D_{user}, rP)$ is sent raised to the random exponent $x$ (and $rP$ is sent multiplied by $x$), so the SEM, which does not know $x$, cannot recover $K$ and hence cannot retrieve the plaintext. Suppose an attacker is able to compromise the SEM and learns the share $D_{sem}$ corresponding to an identity; this still does not enable him to decrypt, because he would also need the user's half of the key. On the other hand, the SEM can revoke or block any further use of the private key corresponding to an identity, simply by refusing to answer requests for that identity.
Mediated SOK-IBS Scheme
The ID-based mediated signature scheme is built on the SOK identity-based signature scheme. It also involves three parties, GC, SEM and users, and four algorithms: Setup, Extract, Sign and Verify. Setup and Extract are the same as in the Mediated BF-IBE scheme; Sign and Verify differ and provide the mediated signature capability. They are described as follows.
Setup: Let $P$ be a generator of $\mathbb{G}_1$. Pick a random $s \in \mathbb{Z}_p^*$ and set $P_{pub} = sP$. Choose cryptographic hash functions $H_1: \{0,1\}^* \to \mathbb{G}_1$, $H_2: \mathbb{G}_T \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$; below, $H_3$ is also applied to the triple $(SHA, U, id)$ and $H$ denotes an ordinary message-digest function. The master secret is $s$, and the public parameters are those of the BF FullIdent scheme: $(q, E/\mathbb{F}_q, p, \mathbb{G}_1, \mathbb{G}_T, e, n, P, P_{pub}, H_1, H_2, H_3, H_4)$.
Extraction: Given an identity $id$, the PKGC chooses a random $s_u \in \mathbb{Z}_p^*$ and computes $Q_{id} = H_1(id)$, $D_{user} = s_u Q_{id}$ and $D_{sem} = (s - s_u) Q_{id}$. $D_{user}$ is sent secretly to the user with identity $id$ as his private key, and $(D_{sem}, id)$ is sent to the SEM.
Signature: To sign a message $M$ the user must cooperate with the SEM; only with the SEM's help can the user generate a valid signature. The user first sends some information to the SEM so that it can complete its part of the signature:
User:
1. Compute $SHA = H(M)$.
2. Choose a random $u_1$ and compute $U_1 = u_1 P$.
The user sends $(U_1, SHA, id)$ to the SEM.
SEM:
3. Compute $H = H_1(SHA)$.
4. Choose a random $u_2$ and compute $U_2 = u_2 P$.
5. Compute $U = U_1 + U_2$.
6. Compute $h = H_3(SHA, U, id)$.
7. Compute $S_{sem} = h D_{sem} + u_2 (P_{pub} + H)$.
The SEM returns $(U, S_{sem})$ to the user.
User:
8. Compute $H = H_1(SHA)$.
9. Compute $h = H_3(SHA, U, id)$.
10. Compute $S_{user} = h D_{user} + u_1 (P_{pub} + H)$.
11. Compute $S = S_{sem} + S_{user}$.
The signature is $\sigma = (U, S)$.
Verification: Given a signature $\sigma = (U, S)$ on message $M$ under identity $id$, the verifier:
1. Computes $SHA = H(M)$.
2. Computes $H = H_1(SHA)$.
3. Computes $Q_{id} = H_1(id)$.
4. Computes $h = H_3(SHA, U, id)$.
5. Accepts the signature if $e(P, S) = e(P_{pub}, hQ_{id}) \cdot e(U, P_{pub} + H)$, and rejects it otherwise.
Security Analysis of the Mediated SOK-IBS Scheme
The following steps show that the scheme is correct. The verifier checks that $e(P, S) = e(P_{pub}, hQ_{id}) \cdot e(U, P_{pub} + H)$. Let $D = D_{sem} + D_{user} = sQ_{id}$ and $u = u_1 + u_2 \in \mathbb{Z}_p^*$, so that $U = u_1 P + u_2 P = uP$. For the left-hand side,
$$\begin{aligned}
e(P, S) &= e(P, S_{sem} + S_{user}) \\
&= e\big(P,\; hD_{sem} + u_2(P_{pub} + H) + hD_{user} + u_1(P_{pub} + H)\big) \\
&= e\big(P,\; h(D_{sem} + D_{user}) + (u_2 + u_1)(P_{pub} + H)\big) \\
&= e\big(P,\; hD + u(P_{pub} + H)\big) \\
&= e(P, hD)\, e(P, uP_{pub})\, e(P, uH) \\
&= e(P, Q_{id})^{hs}\, e(P, P)^{us}\, e(P, H)^{u},
\end{aligned}$$
and for the right-hand side,
$$\begin{aligned}
e(P_{pub}, hQ_{id})\, e(U, P_{pub} + H) &= e(P_{pub}, hQ_{id})\, e(u_1 P + u_2 P,\; P_{pub} + H) \\
&= e(P_{pub}, hQ_{id})\, e\big((u_1 + u_2)P,\; P_{pub} + H\big) \\
&= e(P_{pub}, hQ_{id})\, e(uP, P_{pub} + H) \\
&= e(P_{pub}, hQ_{id})\, e(uP, P_{pub})\, e(uP, H) \\
&= e(P, Q_{id})^{hs}\, e(P, P)^{us}\, e(P, H)^{u}.
\end{aligned}$$
The two sides agree, so a correctly produced signature verifies.
From this perspective, the function of the SEM is to revoke a user's signing privilege. It cannot generate a valid signature on behalf of a user, because it does not know the user's half of the private key, and the user never sends his own partial signature $S_{user}$ during the protocol. Consider an attacker trying to forge a user's signature on some message. The token returned by the SEM is the pair $(U, S_{sem})$ with $U = U_1 + U_2 = u_1 P + u_2 P$; the attacker can obtain such a token for any message of his choice, but he cannot obtain the user's half of the key. Even an attacker who impersonates the SEM towards the user and the user towards the SEM (a man-in-the-middle attack) cannot extract the key from the user, and cannot substitute a different message digest, because the digest is bound into both halves of the signature (through $h$ and $H$) together with the random value $u$, which is spread over $S_{user}$ and $S_{sem}$ and cannot be separated out. If the attacker replaces the original message by his own, the two halves are computed for different digests, and the result is two incompatible partial signatures that do not combine into a valid one.
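As an added worked example (not part of the thesis and not the authors' implementation), the following Python program runs the Mediated BF-IBE decryption and the Mediated SOK-IBS signature described above end to end: the split-key Extract, the blinded two-party decryption with the Fujisaki-Okamoto consistency check, and the two-party signing with the pairing-based verification. Since no pairing library is assumed, it carries its own reduced Tate pairing on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$, using the distortion map $(x, y) \mapsto (-x, iy)$ so that $e(P, P) \neq 1$. That curve, the hash functions $H_1$ to $H_4$ built from SHA-256, the use of SHA-256 as the digest $H$, a 256-bit session key as the message $M$, and the 20-bit group order are all assumptions of the example: the group order is a toy size chosen so that the parameter search and the pairings finish quickly, it is not a secure parameter set, and the transport between the user and the SEM (which the thesis does not specify) is not modelled.

```python
# Added example, not the thesis code: toy run of the mediated BF-IBE and SOK-IBS protocols on a
# reduced Tate pairing over y^2 = x^3 + x / F_p (p = 3 mod 4), distortion map (x, y) -> (-x, i*y).
import hashlib, secrets

def _is_prime(n): return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))
R = next(n for n in range(1 << 20, 1 << 21) if _is_prime(n))                       # toy prime order of G1, GT
P_MOD = next(p for p in (4 * R * k - 1 for k in range(1, 1 << 20)) if _is_prime(p))  # p = 3 mod 4 and R | p + 1
COFACTOR = (P_MOD + 1) // R                                                           # #E(F_p) = p + 1

def _slope(T, A):   # slope of the line through T and A on y^2 = x^3 + x (tangent when T == A)
    if T == A: return (3 * T[0] * T[0] + 1) * pow(2 * T[1], -1, P_MOD) % P_MOD
    return (A[1] - T[1]) * pow((A[0] - T[0]) % P_MOD, -1, P_MOD) % P_MOD
def ec_add(A, B):   # affine addition on E(F_p); None is the point at infinity O
    if A is None or B is None: return A if B is None else B
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0: return None
    lam = _slope(A, B)
    x3 = (lam * lam - A[0] - B[0]) % P_MOD
    return (x3, (lam * (A[0] - x3) - A[1]) % P_MOD)
def _ladder(op, unit, a, e):   # double-and-add (scalar mult.) / square-and-multiply (F_{p^2} power)
    out = unit
    while e > 0:
        out, a, e = (op(out, a) if e & 1 else out), op(a, a), e >> 1
    return out
def f2_mul(a, b):   # F_{p^2} = F_p[i], i^2 = -1, elements stored as (re, im)
    return ((a[0] * b[0] - a[1] * b[1]) % P_MOD, (a[0] * b[1] + a[1] * b[0]) % P_MOD)
def ec_mul(k, A): return _ladder(ec_add, None, A, k)
def f2_pow(a, e): return _ladder(f2_mul, (1, 0), a, e)
def _line(T, A, Q):  # line through T and A evaluated at the distorted point phi(Q) = (-x_Q, i*y_Q)
    lam = _slope(T, A)
    return ((lam * (Q[0] + T[0]) - T[1]) % P_MOD, Q[1])
def pairing(A, B):   # e(A, B) in mu_R; vertical lines lie in F_p and die in the final exponentiation
    if A is None or B is None: return (1, 0)
    f, T = (1, 0), A
    for bit in bin(R)[3:]:                                       # Miller loop over the bits of R
        f, T = f2_mul(f2_mul(f, f), _line(T, T, B)), ec_add(T, T)
        if bit == '1' and T[0] == A[0]: T = None                  # T == -A happens only in the last step
        elif bit == '1': f, T = f2_mul(f, _line(T, A, B)), ec_add(T, A)
    return f2_pow(f, (P_MOD * P_MOD - 1) // R)

def _h(tag, *parts):
    d = hashlib.sha256(tag)
    for p in parts: d.update(p if isinstance(p, bytes) else repr(p).encode())
    return d.digest()
def H1(data):        # {0,1}* -> G1: hash to x, square root via p = 3 mod 4, clear the cofactor
    for ctr in range(1 << 20):
        x = int.from_bytes(_h(b'H1', data, ctr), 'big') % P_MOD
        y = pow((x ** 3 + x) % P_MOD, (P_MOD + 1) // 4, P_MOD)
        if (y * y - x ** 3 - x) % P_MOD == 0 and (Q := ec_mul(COFACTOR, (x, y))) is not None: return Q
def H2(gt): return _h(b'H2', gt)                                               # GT -> {0,1}^256
def H3(*parts): return int.from_bytes(_h(b'H3', *parts), 'big') % (R - 1) + 1    # (...) -> Z_R^*
def H4(sigma): return _h(b'H4', sigma)                                         # {0,1}^256 -> {0,1}^256
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return secrets.randbelow(R - 1) + 1

def setup():         # GC: master secret s, public parameters (P, Ppub = sP)
    s, P = rand_scalar(), H1(b'generator')
    return {'P': P, 'Ppub': ec_mul(s, P)}, s
def extract(s, ident):   # GC: D_user = su*Qid for the user, D_sem = (s - su)*Qid for the SEM
    su = next(v for v in iter(rand_scalar, 0) if v != s)         # random su in Z_R^* with su != s
    return ec_mul(su, H1(ident)), ec_mul((s - su) % R, H1(ident))
def encrypt(pp, ident, M):   # BF FullIdent encryption, unchanged by the mediation
    sigma = secrets.token_bytes(32)
    r = H3(sigma, M)
    K = f2_pow(pairing(H1(ident), pp['Ppub']), r)
    return ec_mul(r, pp['P']), xor(sigma, H2(K)), xor(M, H4(sigma))
def user_decrypt_start(D_user, C1):   # blinding x never leaves the user; (D1, D2) go to the SEM
    x = rand_scalar()
    return x, f2_pow(pairing(D_user, C1), x), ec_mul(x, C1)
def sem_decrypt(D_sem, D1, D2):       # D3 = e(D_user, rP)^x * e(D_sem, x*rP) = e(s*Qid, rP)^x
    return f2_mul(D1, pairing(D_sem, D2))
def user_decrypt_finish(pp, x, D3, C):
    C1, C2, C3 = C
    sigma = xor(C2, H2(f2_pow(D3, pow(x, -1, R))))              # unblind: D3^(1/x) = e(Qid, Ppub)^r
    M = xor(C3, H4(sigma))
    if ec_mul(H3(sigma, M), pp['P']) != C1: raise ValueError('ciphertext rejected')   # FO check rP == C1
    return M

def user_sign_start(pp, M):           # (U1, sha, id) go to the SEM; u1 stays with the user
    sha, u1 = hashlib.sha256(M).digest(), rand_scalar()
    return u1, sha, ec_mul(u1, pp['P'])
def sem_sign(pp, D_sem, sha, U1, ident):   # token (U, S_sem) with S_sem = h*D_sem + u2*(Ppub + H)
    u2 = rand_scalar()
    U = ec_add(U1, ec_mul(u2, pp['P']))
    return U, ec_add(ec_mul(H3(sha, U, ident), D_sem), ec_mul(u2, ec_add(pp['Ppub'], H1(sha))))
def user_sign_finish(pp, D_user, u1, sha, U, S_sem, ident):   # S = S_sem + S_user
    S_user = ec_add(ec_mul(H3(sha, U, ident), D_user), ec_mul(u1, ec_add(pp['Ppub'], H1(sha))))
    return U, ec_add(S_sem, S_user)
def verify(pp, ident, M, sig):        # accept iff e(P, S) == e(Ppub, h*Qid) * e(U, Ppub + H)
    (U, S), sha = sig, hashlib.sha256(M).digest()
    rhs = f2_mul(pairing(pp['Ppub'], ec_mul(H3(sha, U, ident), H1(ident))), pairing(U, ec_add(pp['Ppub'], H1(sha))))
    return pairing(pp['P'], S) == rhs

def demo(ident=b'bob@example.com'):   # both protocols on a fresh 256-bit session key M
    M, (pp, s) = secrets.token_bytes(32), setup()
    D_user, D_sem = extract(s, ident)
    C = encrypt(pp, ident, M)
    x, D1, D2 = user_decrypt_start(D_user, C[0])
    M_dec = user_decrypt_finish(pp, x, sem_decrypt(D_sem, D1, D2), C)
    u1, sha, U1 = user_sign_start(pp, M)
    sig = user_sign_finish(pp, D_user, u1, sha, *sem_sign(pp, D_sem, sha, U1, ident), ident)
    return M_dec == M, verify(pp, ident, M, sig), verify(pp, ident, M + b'!', sig)
```

Calling `demo()` returns `(True, True, False)`: the session key comes back correctly through the SEM, the mediated signature verifies, and the same signature is rejected on a modified message. The only values that reach the SEM in decryption are $D_1 = e(D_{user}, rP)^x$ and $D_2 = x\,rP$, so the token $D_3$ it returns is useless without the user's $x$; a ciphertext whose $C_3$ has been altered fails the final $rP = C_1$ check and raises before any plaintext is returned. The script needs Python 3.8 or later (for `pow(x, -1, R)` and the walrus operator).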
System Operation
To use the system, the SEM and all users must first obtain the public parameters from the GC. When a user (Alice) wants to send a message to another user (Bob), the following procedure is executed, as shown in Figure 3:
1. Alice sends a request to the PKGC to obtain her private key.
2. Alice signs the e-mail message: she computes the message digest of the message and signs it with her private key, with the help of the SEM.
3. Alice generates a one-time session key to be used with the symmetric algorithm (AES).
4. Alice encrypts the e-mail message with the session key using the symmetric algorithm.
5. Alice encrypts the session key under Bob's identity (his e-mail address) as the public key, using Identity-Based Cryptography.
6. Alice sends a message consisting of the encrypted message, the signature and the encrypted session key.
7. Bob receives the message; he cannot decrypt it without his private key, so he sends a request to the PKGC to obtain it.
8. Bob decrypts the session key with his private key, with the help of the SEM.
9. Bob decrypts the message with the session key using the same symmetric algorithm (AES).
10. Bob verifies the signature with Alice's public key (her e-mail address) and computes the message digest of the e-mail message to compare with the one that was signed.
Thereafter, Alice and Bob continue to send and receive messages without contacting the GC again, that is, by the same procedure without steps 1 and 7.
Figure 3: Procedures of System Operations. (Diagram: the GC issues $APR_{user}$ to Alice, $BPR_{user}$ to Bob, and $APR_{sem}$, $BPR_{sem}$ to the SEM. Alice: $sha = H(M)$; she requests a partial signature, $SM_{user} = S[APR_{user}, sha]$, the SEM computes $SM_{sem} = S[APR_{sem}, sha]$, and $SM$ is $SM_{user}$ combined with $SM_{sem}$; she generates $SK$, computes $EK = E(BPU, SK)$ and $EM = E(SK, M)$, and sends $R = EK \,\|\, EM \,\|\, SM$. Bob: he requests a partial decryption, $EK_{user} = D(BPR_{user}, EK)$, the SEM computes $EK_{sem} = D(BPR_{sem}, EK)$, and $SK$ is $EK_{user}$ combined with $EK_{sem}$; he computes $M = D(SK, EM)$ and verifies the signature, $sha_1 = V[APU, SM]$, $sha_2 = H(M)$, accepting if $sha_1 = sha_2$ and rejecting otherwise.)
Conclusions
1. The combination of the two methods gives good characteristics.
2. The designed system is subject to supervision by the provider, which makes it more suitable for organizations and establishments.
3. Mediated cryptography keeps users under control, so that any unauthorized person can be prevented from using the system.
4. Using IBC eliminates the need for digital certificates in the secure e-mail system.
5. The resulting schemes are faster and more efficient than mRSA.
6. Both mediated IBC schemes are stronger than mRSA and need shorter keys.
7. The MBB-CSA IBC scheme is stronger than the MBF-SOK IBC scheme, because it involves more complex operations.
8. This system does not need a key ring of users' public keys (as PGP does), because each user's public key is his e-mail address.
References
1. Luther Martin, "Introduction to Identity-Based Encryption", Artech House, 2008.
2. D. Richard Kuhn, Vincent C. Hu, W. Timothy Polk, Shu-Jen Chang, "Introduction to Public Key Technology and the Federal PKI Infrastructure", National Institute of Standards and Technology (NIST), U.S. Government publication, 26 February 2001.
3. John R. Vacca, "Public Key Infrastructure: Building Trusted Applications and Web Services", Auerbach Publications, 2004.
4. Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen, Zhong Chen, Xianghao Nan, "WebIBC: Identity Based Cryptography for Client Side Security in Web Applications", Institute of Software, School of Electronics Engineering and Computer Science, Peking University, Key Laboratory of High Confidence Software Technologies, 2008.
5. Dan Boneh, Matthew Franklin, "Identity-Based Encryption from the Weil Pairing", Lecture Notes in Computer Science, 2003.
6. Luther Martin, "Identity-Based Encryption: A Closer Look", The ISSA Journal, September 2005.
7. Animesh Agarwal, Vaibhav Shrimali, Manik Lal Das, "GSM Security Using Identity-based Cryptography", Institute of Information and Communication Technology, India, 2009.
8. Yong Yu, Bo Yang, Ying Sun, "ID-Based Threshold Signature and Mediated Signature Schemes", IEEE Computer Society, 2007.
9. Steven Galbraith, "Mathematics of Public Key Cryptography", University of Copenhagen, Denmark, version 0.6.
10. M. Abdalla, E. Kiltz, G. Neven, "Generalised key delegation for hierarchical identity-based encryption", IET Information Security, July 2008.
11. Eiichiro Fujisaki, Tatsuaki Okamoto, "Secure Integration of Asymmetric and Symmetric Encryption Schemes", 19th Annual International Cryptology Conference (CRYPTO '99), California, USA, August 1999.
12. Peng Yang, Takashi Kitagawa, Goichiro Hanaoka, Rui Zhang, Kanta Matsuura, Hideki Imai, "Applying Fujisaki-Okamoto to Identity-Based Encryption", Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, 16th International Symposium (AAECC-16), Las Vegas, USA, February 2006.
13. Marc Joye, Gregory Neven (eds.), "Identity-Based Cryptography", IOS Press, 2009.
14. Dan Boneh, Xuhua Ding, Gene Tsudik, Chi Ming Wong, "A Method for Fast Revocation of Public Key Certificates and Security Capabilities".
15. Satoshi Koga, Kenji Imamoto, Kouichi Sakurai, "Enhancing Security of Security-Mediated PKI by One-time ID", Kyushu University.