
Ebook: Applied Public Key Infrastructure

Over the past years, Public Key Infrastructure (PKI) technology has evolved and moved from the research laboratories into the mainstream, and many organizations now rely on it as part of their core infrastructure for building security into their businesses. Understanding the challenges and requirements of PKI operations through shared case studies is critical to sustaining the research and development of PKI technologies and of the systems and applications built on them, and to guiding the future evolution of PKI in the enterprise. This publication covers the following topics: PKI Operation & Case Study; Non-repudiation; Authorization & Access Control; Authentication & Time-Stamping; Certificate Validation & Revocation; and Cryptographic Applications.
The International Workshop for Applied PKI (IWAP) is an annual workshop initiated in 2001 with the objective of focusing on research into and application of Public Key Infrastructure. The first IWAP was held in Korea in 2001 with the active contribution and participation of Asian experts, who shared valuable experience in constructing PKI and, in particular, in connecting PKIs among Asian countries. The second IWAP was held in Taiwan in 2002, giving participants an opportunity to exhibit and share their experience in PKI construction. In 2004, Japan hosted the third IWAP, further discussing trends and issues in PKI technologies.
The 4th IWAP was held in Singapore on September 21–23, 2005, in conjunction with the 8th Information Security Conference (ISC'05) and the 1st Secure Mobile Ad-Hoc Networks and Sensors Workshop (MADNES'05). This is the first year in which IWAP has had formal proceedings published by IOS Press and available at the workshop. Selected papers from the IWAP'05 proceedings will be invited for submission to a special issue of the Journal of Computer Security.
A total of 43 submissions were received, of which the program committee selected 15 papers from 11 countries for inclusion in the proceedings. In addition, to enrich the workshop program, 3 valuable contributions originally submitted to ISC'05 were introduced into the IWAP'05 program with the authors' consent. The workshop consists of one keynote speech and six technical sessions, covering the topics of PKI Operation & Case Study, Non-repudiation, Authorization & Access Control, Authentication & Time-Stamping, Certificate Validation & Revocation, and Cryptographic Applications.
This workshop was made possible only through the contributions of many individuals and organizations. We would like to thank all the authors who submitted papers. We also gratefully acknowledge the members of the Program Committee and the external reviewers for the time and effort they put into reviewing the submissions. Special thanks are due to Ying Qiu for managing the web site for paper submission, review and notification. Patricia Loh kindly arranged the workshop venue and took care of the administration of running the workshop.
Last but not least, we are grateful to Institute for Infocomm Research and Microsoft Asia Pacific for sponsoring the workshop.
Jianying Zhou and Meng-Chow Kang – Program Chairs, Feng Bao and Hwee-Hwa Pang – General Chairs
In this paper we categorise some of the challenges facing those building, deploying and using Public Key Infrastructures (PKIs). Our work is based on a series of in-depth interviews and analysis. The aim of this paper is twofold: to present the conclusions drawn from work that is based on years of practical experience of those in the field, and to analyse those conclusions in order to highlight research avenues that will answer the challenges raised by industry.
Certificate life-cycle management operations, especially the initial registration of users, are important but expensive tasks in Public Key Infrastructures. In this paper we propose a mechanism that integrates these tasks with established processes, technology and data. Our approach is based on directory services that companies, public administrations and similar organizations usually already operate for non-PKI purposes. It spares additional personnel and is less error-prone, since the processes it reuses are already set up and known to administrative personnel and users. This reduces the cost of bootstrapping and operating a Public Key Infrastructure. We present a case study of the proposed mechanism conducted at the Technische Universität Darmstadt in Germany in order to supply 20,000 students with certificates and keys.
In this paper we explore the problem we call "malicious impostor emails." Compared with fairly well-known abuses such as spam and email worms, malicious impostor emails could be far more damaging, because their payloads may directly target the victim users' cryptographic keys (by whatever means) while their content, apart from the malicious payload carried as an attachment, can look exactly like a legitimate message. As a first step in dealing with malicious impostor emails, we present a partial solution that mitigates their damage without requiring the involvement of the users.
A non-repudiation protocol aims at exchanging a digital message and an irrefutable receipt between two mutually distrusting parties over the Internet. Such a protocol is said to be fair if, at the end of any possible protocol execution, either both parties obtain their expected items or neither party does. In this paper, we first argue that it is genuinely meaningful in practice to use generic fair non-repudiation protocols with a transparent off-line TTP. In such protocols, each involved party may use any secure digital signature algorithm to produce non-repudiation evidence, and the evidence issued is the same regardless of whether the TTP is involved or not. We then present such a fair non-repudiation protocol that overcomes the limitations and shortcomings of previous schemes. Technical discussion shows that our protocol is both secure and very efficient. In addition, some extensions are pointed out.
In an organization, it is common practice for a user (the delegator) to delegate some rights, in particular the signing right, to another user (the delegate). From the perspective of digital signatures, a secure scheme is required to handle the delegation process so that both the authorization and the signature of the delegate can be verified efficiently. In general, delegation can occur over more than one level, thus forming a delegation chain. Among the existing approaches, the delegation certificate [1] is a popular technique for performing delegation and handling chained delegation. However, it is not scalable, because the verification of authorization is inefficient.
In this paper, we extend Kim et al.'s proxy signature [6], which only handles one level of delegation, to support efficient verification of a delegation chain. We first show that a straightforward extension of Kim et al.'s scheme does not support strong non-repudiation. We then propose a way to modify the scheme to support that property.
Kremer and Markowitch introduced in [10] a new property for certified email protocols called no author-based selective receipt, and proposed two new protocols respecting it. In this paper we show that these protocols implicitly require the sender of the email to trust the trusted third party to assure this property. We propose a new protocol in which this trusted third party has only to be trusted to assure fairness and timeliness, like in most other exchange protocols. Unfortunately, unlike [10], our protocol does not guarantee the delivery of a non-repudiation of origin evidence to the recipient. We prove that this is impossible to achieve without a fully trusted third party.
Mobile services have been growing fast to facilitate business in wireless network environments. It is both critical and challenging to maintain security and anonymity so as to provide high-quality services. In this paper, we propose a ticket-based architecture and a generic protocol for controlling access to mobile services. Our protocol has the following properties. First, it is a generic solution independent of cryptographic algorithms and service models. Second, it is secure against various malicious attacks on mobile services. Third, it provides identity anonymity for customers and/or service providers depending on business requirements. Fourth, it is flexible in dynamic environments where customers and/or service providers span multiple domains. We also show an efficient implementation option for this generic protocol based on the elliptic curve digital signature algorithm.
Interest in policy specification languages is increasing thanks to the proliferation of authorization solutions that need to define their resource access policies by means of them. These solutions define their own policy syntax, usually based on XML, which leads to non-interoperable policies and heterogeneous environments. XACML was defined for this purpose and is gaining acceptance in such environments as a valid alternative to proprietary policies. In this paper, we present the definition of the complete set of policies needed in an authorization scenario, specifically NAS-SAML, which defines a network access control service based on SAML and the AAA architecture. We present the XACML documents representing those policies and the entities involved in their management life cycle.
Because of new business trends such as cooperation, downsizing and resource sharing, the virtual organization (VO) is gaining importance as a model for building large-scale business information systems. Authorization is essential in a VO in order to control access to shared resources. But authorization in a VO is challenging, because the participants need to collaborate in a distributed, dynamic and heterogeneous environment, and accordingly the access control policies are complex. This paper puts forward an authorization mechanism based on delegation logic. Our approach translates access requests, credentials and access policies into unified delegation logic rules, and the access decision is made by evaluating those rules. We introduce the concept of the Access Unit (AU), which wraps the access control system of a task, and define the rule exchange interface of the AU. The main contribution of this paper is a practical mechanism for implementing authorization in a VO. In essence, we propose an approach to enforcing RBAC in a VO based on the task/project structure.
Introduced at EuroCrypt'05, threshold attribute-based encryption (thABE) is a subclass of identity-based encryption which views each identity as a set of descriptive attributes. In order to decrypt a ciphertext c encrypted for a set ω of attributes, users must have attribute keys associated with a sufficiently large subset of ω. Applications of thABE include both biometric-based and role-based cryptographic access control. This paper presents an efficient and flexible thABE scheme which is provably secure in the random oracle model. Let d be a minimal number of attributes which a decryptor must have to decipher a ciphertext. The proposed scheme requires only two pairings for decryption (instead of d pairings as in the original thABE scheme). Moreover, the new scheme enables system engineers to specify various threshold values for distinct sets of attributes. Therefore, this paper describes a practical cryptographic mechanism to support both biometric-based and role-based access control.
Biometric authentication is remarkably effective at identifying legitimate users. It is a promising reinforcement for conventional authentication such as ID and password in services on the Internet; however, biometric information, both the acquired raw data and the template data, cannot be renewed if it is compromised. We propose a framework for online biometric authentication that verifies the validity of the user's personal repository based on PKI. In this framework, the biometric authentication information (a certificate of templates) is bound not to ownership information but to the personal repository. The framework achieves anonymity during the biometric authentication process by verifying the validity of the user's personal repository.
Time-stamping protocols, which assure that a document existed at a certain time, are applied in useful and practical settings such as electronic patent applications. There are two major time-stamping protocols, the simple protocol and the linking protocol. In the former, a time-stamp authority issues a time-stamp token that is its digital signature over the concatenation of a hashed message and the current time. In the latter, the time-stamp authority issues a time-stamp token that is the hash of the concatenation of a hashed message and the previous hash value. Although security requirements and analyses for these time-stamping protocols have been discussed, there are no strict cryptographic security notions for them. In this paper, we reconsider the security requirements for time-stamping protocols and define security notions for them in the universally composable sense proposed by Canetti. We also show that these notions can be achieved using combinations of a secure key exchange protocol, a secure symmetric encryption scheme, and a secure digital signature scheme.
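The linking protocol described above can be demonstrated end to end with nothing but a hash function, so the following is an added example (not code from the paper or the proceedings) of a minimal linking time-stamp authority. Each token is H(H(m) || previous value), the authority publishes its current chain head, and a verifier accepts a token only if the chain it is given reproduces that published head. The genesis value, the SHA-256 choice and the sample documents are assumptions made here for illustration; the example deliberately omits the simple (signature-based) protocol.

```python
"""Linking time-stamping protocol: each token is H(H(m) || previous chain value).

Added example; GENESIS, the use of SHA-256 and the sample documents are
assumptions constructed for this demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

GENESIS = b"\x00" * 32  # assumed initial chain value, known to every verifier


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


@dataclass(frozen=True)
class LinkToken:
    index: int       # position of this entry in the authority's chain
    doc_hash: bytes  # H(m) submitted by the requester; the authority never sees m
    prev: bytes      # chain value the request was linked to
    value: bytes     # H(doc_hash || prev): the token handed back to the requester


class LinkingTSA:
    """Time-stamp authority running the linking protocol (no signing key involved)."""

    def __init__(self) -> None:
        self.chain: List[LinkToken] = []
        self.head = GENESIS

    def stamp(self, doc_hash: bytes) -> LinkToken:
        tok = LinkToken(len(self.chain), doc_hash, self.head, H(doc_hash, self.head))
        self.chain.append(tok)
        self.head = tok.value  # the new head is what the authority publishes
        return tok


def recompute_head(chain: List[LinkToken]) -> Optional[bytes]:
    """Walk the chain from GENESIS; None if any link does not hash correctly."""
    prev = GENESIS
    for i, t in enumerate(chain):
        if t.index != i or t.prev != prev or H(t.doc_hash, t.prev) != t.value:
            return None
        prev = t.value
    return prev


def verify_token(tok: LinkToken, chain: List[LinkToken], published_head: bytes) -> bool:
    """A token is valid only if it sits in a chain that reproduces the published head."""
    if H(tok.doc_hash, tok.prev) != tok.value:
        return False
    if tok.index >= len(chain) or chain[tok.index] != tok:
        return False
    return recompute_head(chain) == published_head


def stamped_before(a: LinkToken, b: LinkToken, chain: List[LinkToken],
                   published_head: bytes) -> bool:
    """Relative order of two stamped documents follows from their chain positions."""
    return (verify_token(a, chain, published_head)
            and verify_token(b, chain, published_head)
            and a.index < b.index)


def demo():
    tsa = LinkingTSA()
    t_contract = tsa.stamp(H(b"contract v1"))  # constructed sample documents
    t_patent = tsa.stamp(H(b"patent claim"))
    t_later = tsa.stamp(H(b"later memo"))
    head = tsa.head  # assume this value has been published out of band

    ok = verify_token(t_patent, tsa.chain, head)
    order = stamped_before(t_contract, t_patent, tsa.chain, head)

    # Backdating attempt: the authority swaps the first entry for another document.
    # Every later token was linked to the original value, so the tampered chain
    # no longer reproduces the published head and later tokens stop verifying.
    forged = LinkToken(0, H(b"backdated doc"), GENESIS, H(H(b"backdated doc"), GENESIS))
    tampered = [forged] + tsa.chain[1:]
    still_ok = verify_token(t_later, tampered, head)
    return ok, order, still_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The point the chain makes concrete is that, once the head is published, the authority cannot insert or replace an earlier entry without invalidating every token issued after it, which is where the linking protocol's resistance to backdating comes from; the simple protocol instead rests entirely on the authority's signing key and clock.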
PKI based applications use digitally signed certificates to bind public keys to user identities. Some digital certificates need to be revoked before their scheduled expiry. Certificate revocation is an important yet burdensome aspect of PKI. In this paper, we present the augmented CRL scheme, a simple yet novel extension to delta-CRLs. Using this scheme, certificate verifying clients need not download base CRLs yet can construct the same using augmented CRLs. We exploit the similarity between X.509 base and delta-CRL data structures. We show that the augmented CRL scheme provides significant bandwidth savings compared to existing CRL based schemes. The amount of downloaded CRL data is also much less compared to earlier schemes. Our scheme is simple, scalable and can easily be integrated into existing CRL based revocation schemes.
A fast algorithm for X.509 certification path validation was developed. The algorithm caches not only certificates and certificate revocation information but also certification path information in order to speed up transactions. Its effect was confirmed experimentally on a server system implementing the fast certification path validation algorithm in a private test environment.
Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI) can respectively be used to support authentication and authorization in distributed scenarios. Certificate path processing is a critical issue in both infrastructures, because it requires several costly processes, such as certificate path discovery, validation of the digital signature and checking the revocation status of each certificate. The problem becomes much more complex when delegation of privileges is used in a PMI, because in this case the delegation paths can be long. In this paper, we propose a revocation scheme devised to reduce the communication and computational overhead of certificate status checking in delegation paths. This goal is achieved by using suitable coding techniques.
We propose a peer-to-peer (P2P) architecture where the identity of nodes holding data remains hidden, but the information itself can be efficiently fetched. This architecture can be used to protect P2P networks against malicious attacks towards nodes holding important data. In particular, our protocol can be used for maintaining access to revocation lists, blacklists and similar data, which are of growing importance for modern P2P protocols.
We present a novel scheme of broadcast encryption that is suitable for broadcast servers such as pay TV services. The important feature of our scheme is that the length of a broadcast string in our scheme is independent of the number of receivers in the system; hence it is suitable for large groups. Our scheme is based on a trapdoor encryption technique under the RSA assumption. We also describe a variant of our scheme which provides stronger security.
Zero-knowledge sets, proposed by Micali et al. at FOCS'03, allow the owner of a set S to publish a very short commitment CS to S, so that the owner can later prove or disprove, against CS, the membership of any (potentially infinitely many) elements chosen by the verifier, without leaking anything more about S than the membership of those elements. This new primitive has proved useful in private data queries and other scenarios that depend on trust and privacy.
We investigate the theoretical primitives underlying this new security notion. The main contribution of this paper is a generic scheme for zero-knowledge sets that is as efficient as that in [1]. The new scheme is constructed by adopting a Merkle-tree-style commitment under the assumption that claw-free pairs of trapdoor pseudo-permutations exist.