
The need for trust

Certification Authorities provide one example of the concept of a Trusted Third Party (TTP). In this instance two parties trust a third party, the CA, and they then use this trust to establish a secure communication between themselves. TTPs appear almost everywhere that cryptography is used, and their use frequently causes concern. In general TTPs need to be trusted both for their integrity and also for their technical competence. It is often difficult to decide precisely how influential they should be and how much users' security should depend on them.

Consider, for example, the generation of public and private key pairs. As we have already noted, this is a mathematical process that requires dedicated software. It is not something that the ordinary citizen can do for themselves, so either the keys or the key-generation software are provided externally. In either case, there is an undisputed need for trust. Frequently the keys are generated externally. The obvious question is whether the keys should be generated by the CA or by another TTP. Our aim is not to provide an answer, as this clearly depends on both the application and the environment, but merely to draw attention to some of the issues. The fear is that, if an organization generates the private and public key pair of another entity, it might keep a copy of the private key or even disclose it to other entities. The debate is far-reaching and some people argue that there is no need for a CA at all.

In 1991, the first version of a software package called Pretty Good Privacy (PGP) was made freely available to anyone wishing to use strong encryption. It employed RSA for user authentication and symmetric key distribution and a symmetric encryption algorithm called IDEA for confidentiality. Although it used digital certificates, the original version of PGP did not rely on a central CA. Instead any user could act as a CA for anyone else. This became known as the Web of Trust approach. It essentially meant that users judge the trustworthiness of any certificate according to whether or not it is signed by someone they trust. For a small communications network, this type of approach certainly removes the need for a central CA and may work. However, there are a number of potential problems for large networks.
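The Web of Trust decision described above, as an added illustration that is not from the book: each user evaluates the same set of certificates against the people they personally trust as introducers, and it goes slightly beyond the text by using PGP's rule that a certificate needs one fully trusted signer or two marginally trusted ones. All names and signatures are constructed sample data, and signature verification is assumed to have already succeeded.

```python
# Toy Web-of-Trust evaluator (added example, not from the book). Signature
# verification is assumed done; "signed_by" lists whose signatures each
# certificate carries. All names are constructed sample data.
FULL, MARGINAL = 2, 1          # PGP-style introducer trust levels (assumed)
THRESHOLD = 2                  # one full or two marginal signatures

CERTS = {  # constructed: name -> set of users who signed that certificate
    "alice": set(),
    "bob":   {"alice"},
    "carol": {"alice"},
    "dave":  {"bob", "carol", "eve"},
    "eve":   set(),
    "frank": {"dave"},
}


def valid_keys(viewer, introducers, certs=CERTS):
    """Names whose certificates `viewer` accepts as binding name to key.

    `introducers` maps name -> FULL or MARGINAL: how far the viewer trusts
    that person to vouch for others. A signature only counts once the
    signer's own key has been accepted, so we iterate to a fixed point.
    """
    trust = dict(introducers)
    trust[viewer] = FULL            # a user's own signature is always trusted
    accepted = {viewer}
    changed = True
    while changed:
        changed = False
        for name, signers in certs.items():
            if name in accepted:
                continue
            weight = sum(trust.get(s, 0) for s in signers if s in accepted)
            if weight >= THRESHOLD:
                accepted.add(name)
                changed = True
    return accepted


if __name__ == "__main__":
    # Two users holding identical certificates reach different conclusions,
    # which is exactly what a central CA would otherwise settle for everyone.
    print(sorted(valid_keys("alice", {"bob": MARGINAL, "carol": MARGINAL})))
    print(sorted(valid_keys("eve", {"dave": FULL})))
```

Note that trusting someone as an introducer is useless until the viewer also accepts that person's own key: Eve trusting Dave fully only helps once Dave's certificate carries a signature Eve accepts.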

Another possibility for removing the need for a CA is to let a user's public key value be completely determined by their identity. If a user's identity and public key were (essentially) identical, then there would clearly be no need to have certificates to bind them together. The concept of identity-based public key cryptography was proposed by Shamir in 1984, and there have been a number of signature schemes based on this concept. However, it was not until 2001 that an identity-based public key algorithm for encryption was produced. There are two such algorithms; one due to Boneh and Franklin and the other designed at CESG (the UK's Communications and Electronic Security Group).

In identity-based systems, there has to be a universally trusted central body that computes each user's private key for their public key and delivers it to them. This approach does not therefore remove the need for a TTP, which generates every user's private key. Nevertheless it does remove the need for certificates. In this instance there is probably no advantage to user A claiming to be B, as only B has the private key determined by B's identity.

The use of identity-based public key systems represents an interesting alternative to the traditional PKI approach. Unfortunately it also presents its own problems. The most obvious relate to the concept of a unique identity and to the revocation of public keys. Suppose that a user's name and address were to determine their public key. If their private key were compromised, then they would have to move home or change their name. Clearly this is not practical. There are solutions to this particular problem of identity theft. One might be to let a user's public key depend on their identity and another publicly known variable, such as the date. This would ensure that a user's private key changed every day but might produce an unacceptable workload for the centre. There is considerable current research being conducted to see whether there are scenarios in which identity-based systems could be used to replace PKI.

At the other extreme, there are people who argue that the best way to approach security is to concentrate as many of the risks at a single location and then provide maximum security at that point. If this approach is adopted, then the CA may generate the users' keys. It is then often argued that if you trust the CA enough to generate your keys you might as well trust it to manage them on your behalf. The justification is that keys need the highly secure environment of the CA. This is known as the server-centric approach and is proving attractive to certain organizations.


