Efficient Revocation of Security Capability in Certificateless Public Key Cryptography

Hak Soo Ju (1), Dae Youb Kim (2), Dong Hoon Lee (2), Jongin Lim (2), and Kilsoo Chun (1)

(1) Korea Information Security Agency (KISA), Korea, {hsju,kschun}@kisa.or.kr
(2) Center for Information and Security Technologies, {david kdy,donghlee,jilim}@korea.ac.kr

Abstract. This paper presents the first mediated certificateless public key encryption and signature schemes. We also extend our schemes into hierarchical schemes. Our schemes do not suffer from the key escrow property that seems to be inherent in mediated identity-based schemes. Key escrow is not always a good property for all applications, because the exposure of a master key enables all the users' private keys to be leaked. Our mediated certificateless public key encryption and hierarchical schemes also support role-based access control (RBAC) without key escrow to manage access to the resources of a system. We finally describe the security of our schemes and compare them with the mediated identity-based schemes from an efficiency point of view.

1 Introduction

Revocation is one of the main difficulties faced in implementing Public Key Infrastructures (PKIs). Boneh et al. [1, 2] introduced an efficient method for obtaining instantaneous revocation of a user's public key, called mediated RSA (mRSA). Their method uses an online semi-trusted entity called the SEcurity Mediator (SEM), which holds a piece of each user's private key. In such a setting, a user cannot decrypt/sign a message without a token generated by the SEM. Instantaneous revocation is obtained by instructing the mediator to stop helping the user decrypt/sign messages. This approach has several advantages over previous certificate revocation techniques such as Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP): fast revocation and fine-grained control over users' security capabilities. Recently Libert and Quisquater showed that the SEM architecture of mRSA can be applied to the Boneh-Franklin identity-based encryption and GDH signature schemes [3]. Nali, Miri and Adams have shown that Libert and Quisquater's mediated identity-based encryption scheme is suitable for the cryptographic support of role-based access control (RBAC) [7]. They also presented the first mediated hierarchical identity-based encryption and signature schemes by extending the mediated identity-based encryption scheme of Libert and Quisquater [8].

R. Khosla et al. (Eds.): KES 2005, LNAI 3682, pp. 453–459, 2005. © Springer-Verlag Berlin Heidelberg 2005

454

Hak Soo Ju et al.

Unfortunately, all identity-based cryptographic schemes have an inherent weakness, the key escrow property. Our main contribution is to remove the key escrow property from the above mentioned mediated identity-based schemes and hierarchical schemes by designing the first mediated certificateless public key encryption, signature and hierarchical schemes. A cryptosystem with the key escrow property has some serious disadvantages. For example, once the master key is exposed, all the users' private keys are leaked and all prior communication is under threat of exposure. In mediated identity-based encryption and signature schemes, the trusted authority TA (in fact the PKG) issues a partial private key d_{ID,user} for the user and another partial private key d_{ID,sem} for the SEM from a private key d_ID using its master secret key. As a result, the TA is still able to decrypt or sign any message. Moreover, the hierarchical schemes of [8] still have an undesirable escrow property. Here, we present a hierarchical encryption scheme which protects all users against any of their ancestors and against the root TA.

Certificateless public key cryptography (CL-PKC) [5] does not explicitly provide revocation of users' security capabilities. This is natural, since it aims to avoid the use of certificates, as in ID-PKC. On the other hand, revocation is often necessary and even imperative. Revocation in CL-PKC systems can be handled in the same way as in Boneh-Franklin IBE [6]: their method is to require time-dependent public keys, e.g., public keys derived from identities combined with time or date stamps. This has the unfortunate consequence of having to periodically reissue all private keys in the system. Moreover, these keys must be periodically and securely distributed to individual users. In contrast, our mediated CL-PKC schemes inherit fine-grained revocation as in mRSA.

The remainder of this paper is organized as follows. In Section 2, we present our scheme, mCL-PKE, to show how to remove the key escrow property. A security analysis of our scheme is given in Section 3. In Sections 4 and 5 we present a signature scheme and show how to extend our schemes into hierarchical schemes. Section 6 discusses application aspects of our schemes. Finally, we conclude in Section 7.

2 Our Mediated Certificateless Public Key Encryption

Our mediated certificateless public key encryption (mCL-PKE) scheme uses two private keys <D_ID, x>. The first private key, issued by a trusted authority TA, is used to inherit the one-to-one mapping between the public ID and the private key D_ID. We use the second private key x ∈_R Z_q^* in order to remove the key escrow property and to generate the corresponding public key P_pub. We name the private keys <D_ID, x> as <PrkeyI, PrkeyII>. In our scheme the first private key D_ID is split into shares via a one-out-of-two secret sharing scheme, with one share held by the user and the other by the SEM. Encryption is then performed as a function of ID and P_pub, as in the CL-PKE scheme [5]. Decryption requires the cooperation of a user and a SEM created by the TA. Our scheme, using this mediator SEM, supports instantaneous revocation by instructing the SEM to stop interacting with the user. Moreover, in our scheme the key escrow property is removed because only the user knows the second private key x corresponding to P_pub.

1. Setup. Given a security parameter k, the TA:
(a) Runs IG with input k in order to generate <G1, G2, ê>, where G1 and G2 are groups of some prime order q and ê : G1 × G1 → G2 is a bilinear map.
(b) Chooses an arbitrary generator P ∈ G1.
(c) Picks s uniformly at random from Z_q^* and computes P0 = sP.
(d) Chooses cryptographic hash functions H1 : {0,1}^* → G1^*, H2 : G2 → {0,1}^n, H3 : {0,1}^n × {0,1}^n → Z_q^*, H4 : {0,1}^n → {0,1}^n, where n denotes the size of plaintexts.
The system's public parameters are params = <G1, G2, ê, n, P, P0, H1, H2, H3, H4>, while the master key s ∈ Z_q^* is kept secret by the TA.

2. Key Generation. Given a user of identity ID_A, the TA computes Q_A = H1(ID_A) ∈ G1^* and D_ID = sQ_A as PrkeyI. It then chooses a random element D_{ID,user} ∈_R G1 and computes D_{ID,sem} = D_ID − D_{ID,user}. The TA gives the partial private key D_{ID,user} to the user A and D_{ID,sem} to the SEM over a confidential and authentic channel. The user A selects x_A ∈ Z_q^* as his PrkeyII and constructs his public key as P_pub = <X_A, Y_A> = <x_A P, x_A P0>.

3. Encrypt. To encrypt M ∈ M for a user A with identifier ID_A ∈ {0,1}^* and public key P_pub = <X_A, Y_A>, perform the following steps:
(a) Check that X_A, Y_A ∈ G1^* and that the equality ê(X_A, P0) = ê(Y_A, P) holds. If not, return "Error" and abort encryption.
(b) Compute Q_A = H1(ID_A) ∈ G1^*.
(c) Choose a binary string σ ∈ {0,1}^n and compute r = H3(σ, M).
(d) Compute U = rP ∈ G1 and g = ê(Y_A, Q_A)^r ∈ G2.
(e) The ciphertext is C = <U, V, W> = <rP, σ ⊕ H2(g), M ⊕ H4(σ)>.

4. Decrypt. When receiving C = <U, V, W> ∈ C, the user A forwards it to the SEM. They perform the following steps in parallel.
– SEM:
 1. Check if the user's identity ID_A or public key is revoked. If it is, return "Error".
 2. Compute g_sem = ê(U, D_{ID,sem}) and send it to the user A.
– USER:
 1. A computes g_user = ê(U, D_{ID,user}).
 2. When receiving g_sem from the SEM, A computes g' = g_sem^{x_A} · g_user^{x_A}.
 3. A computes σ' = V ⊕ H2(g') and then M' = W ⊕ H4(σ').
 4. A checks the ciphertext's validity: U = r'P with r' = H3(σ', M').

Remark 1. In our scheme, the TA is trusted not to replace the public keys of users and to issue only one private key PrkeyI to the correct user. Otherwise, a cheating TA could impersonate an honest user by replacing the user's public key with one for which it knows the private key PrkeyII. We can use the binding technique of [5] against these problems. This binding restricts A to using a single public key. Moreover, if the TA impersonates a user A, there will be two private keys for ID_A with different public keys, and the TA can be identified as having misbehaved.

3 The mCL-PKE's Security

This section briefly discusses the security of our mCL-PKE scheme. We show that mCL-PKE is weakly semantically secure against inside attackers, with an argument similar to the one provided for the proof of Theorem 4.1 of [3]. Insider attackers can access only the user part of the private key PrkeyI corresponding to any identity but the one on which they are challenged. We also consider a Type I adversary A_I and a Type II adversary A_II, with and without the master key respectively, as in the security model for CL-PKE [9].

Theorem 1. If there exists a Type I or Type II IND-mID-CCA adversary with non-negligible advantage against mCL-PKE, then there exists an adversary B with non-negligible advantage against the CL-PKE scheme.

Proof (Sketch). Only an outline is presented here, for space limitations; please refer to the full version of this paper for the detailed proof. To prove Theorem 1, we first modify the notion of weak semantic security against insider attacks (denoted IND-mID-wCCA) given in [3] to consider Type I and Type II adversaries. In the random oracle model, we use the attacker A against the mCL-PKE scheme to build an adversary B that is able to distinguish ciphertexts produced by CL-PKE. Overall the proof is similar to that of Theorem 4.1 in [3]. □

Remark 2. Our scheme assumes that users' private keys must be protected to ensure chosen ciphertext security, as in Libert and Quisquater's scheme [3]. That is, our scheme is secure against chosen ciphertext attack in a weaker sense. Note that this weak assumption can be strengthened to the strong sense by using the ciphertext format of Baek and Zheng's mediated scheme [4].

4 A Mediated Certificateless Signature Scheme

We describe a mediated certificateless public-key signature (mCL-PKS) scheme that is based on a provably secure ID-PKC signature scheme [10].

1. Setup. Identical to Setup of our scheme mCL-PKE, except that there is only one hash function H : {0,1}^* × G2 → Z_q^*.

2. Key Generation. Identical to mCL-PKE.

3. Sign. To sign M ∈ M, the user A with identifier ID_A ∈ {0,1}^* and private key D_ID performs the following steps:
(a) Chooses a random number a ∈ Z_q^*.
(b) Computes r = ê(aP, P) ∈ G2 and v = H(M, r) ∈ Z_q^*.
(c) Sends v to the SEM, and the two parties perform the following steps in parallel.
– SEM:
 1. Check if the user's identity ID_A or public key is revoked. If it is, return "Error".
 2. Compute U_sem = vD_{ID,sem} and send it to the user A.
– USER:
 1. A computes U_user = vD_{ID,user}.
 2. When receiving U_sem from the SEM, A computes U = x_A(U_sem + U_user) + aP ∈ G1.
 3. Returns <U, v> as a signature of M.

4. Verify. When receiving <U, v> on a message M ∈ M for identity ID_A and public key <X_A, Y_A>, the verifier:
(a) Checks that the equality ê(X_A, P0) = ê(Y_A, P) holds. If not, returns "Error" and aborts verification.
(b) Computes r' = ê(U, P) · ê(Q_A, −Y_A)^v.
(c) Accepts the signature if and only if v = H(M, r') holds.
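As an added illustration (not code from the paper or its authors), the following Python model runs the mCL-PKE equations of Section 2 and the mCL-PKS equations of Section 4 end to end: the TA splits D_ID into D_{ID,user} and D_{ID,sem}, the SEM answers decryption and signing requests only for non-revoked identities, the user combines the SEM's token with its own share and PrkeyII, and the public-key binding check ê(X_A, P0) = ê(Y_A, P) is enforced before encrypting or verifying. The algebra is a toy: G1 and G2 are both Z_q written additively (a point aP is stored as the scalar a, so P = 1) and ê(aP, bP) = ab mod q, so the paper's product and exponentiation in G2 appear as g2_mul and g2_pow. That map is bilinear and non-degenerate, which is all the correctness equations need, but discrete logarithms are trivial in it, so the model demonstrates the protocol flow and the algebra, not the scheme's security. The Mersenne prime used as q, the SHA-256 instantiations of H1 to H4 and H, the class and function names, the message and the identity string are all assumptions of this example.

```python
import hashlib
import secrets

# Toy algebra (constructed for this example): G1 and G2 are both Z_Q written additively,
# P = 1 and e(aP, bP) = a*b mod Q; bilinear and non-degenerate, but logs are trivial.
Q = (1 << 61) - 1   # a Mersenne prime
P, N = 1, 32        # generator of G1; plaintext length n in bytes

def pair(a, b):   return a * b % Q         # the paper's e^(aP, bP)
def g2_mul(g, h): return (g + h) % Q       # product of two G2 elements
def g2_pow(g, e): return g * e % Q         # g^e in G2

def _h(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)   # length-prefixed fields
    return h.digest()

def _to_zq_star(digest): return int.from_bytes(digest, "big") % (Q - 1) + 1
def H1(identity): return _to_zq_star(_h(b"H1", identity))               # {0,1}* -> G1*
def H2(g2):       return _h(b"H2", g2.to_bytes(8, "big"))[:N]            # G2 -> {0,1}^n
def H3(sigma, m): return _to_zq_star(_h(b"H3", sigma, m))               # {0,1}^n x {0,1}^n -> Zq*
def H4(sigma):    return _h(b"H4", sigma)[:N]                             # {0,1}^n -> {0,1}^n
def H_sig(m, r):  return _to_zq_star(_h(b"H", m, r.to_bytes(8, "big")))  # {0,1}* x G2 -> Zq*
def xor(a, b):    return bytes(x ^ y for x, y in zip(a, b))

class TA:  # trusted authority: master key s, splits D_ID = s*Q_A into two shares
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1
        self.P0 = self.s * P % Q
    def issue(self, identity):
        d_user = secrets.randbelow(Q)                          # D_ID,user random in G1
        return d_user, (self.s * H1(identity) - d_user) % Q    # D_ID,sem = D_ID - D_ID,user

class SEM:  # security mediator: answers only for registered, non-revoked identities
    def __init__(self):
        self.shares, self.revoked = {}, set()
    def token(self, identity, kind, value):
        if identity in self.revoked or identity not in self.shares:
            raise PermissionError("Error: identity revoked or unknown")
        d_sem = self.shares[identity]
        return pair(value, d_sem) if kind == "decrypt" else value * d_sem % Q

def check_pubkey(pub, P0):  # step (a): X_A, Y_A in G1* and e(X_A, P0) = e(Y_A, P)
    X, Y = pub
    return 1 <= X < Q and 1 <= Y < Q and pair(X, P0) == pair(Y, P)

class User:
    def __init__(self, identity, d_user, P0):
        self.identity, self.d_user = identity, d_user
        self.x = secrets.randbelow(Q - 1) + 1          # PrkeyII, known only to the user
        self.pub = (self.x * P % Q, self.x * P0 % Q)   # <X_A, Y_A> = <x_A P, x_A P0>
    def decrypt(self, C, sem):
        U, V, W = C
        g_sem = sem.token(self.identity, "decrypt", U)            # e(U, D_ID,sem), or Error
        g = g2_pow(g2_mul(g_sem, pair(U, self.d_user)), self.x)   # (g_sem * g_user)^x_A
        sigma = xor(V, H2(g))
        m = xor(W, H4(sigma))
        if H3(sigma, m) * P % Q != U:                # validity: U = r'P with r' = H3(sigma', M')
            raise ValueError("Error: ciphertext fails the validity check")
        return m
    def sign(self, m, sem):
        a = secrets.randbelow(Q - 1) + 1
        v = H_sig(m, pair(a * P % Q, P))             # v = H(M, e(aP, P))
        u_sem = sem.token(self.identity, "sign", v)  # v * D_ID,sem, or Error
        return (self.x * (u_sem + v * self.d_user) + a * P) % Q, v   # U = x_A(U_sem + U_user) + aP

def encrypt(m, identity, pub, P0):
    if len(m) != N or not check_pubkey(pub, P0):
        raise ValueError("Error: bad plaintext length or unbound public key")
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    g = g2_pow(pair(pub[1], H1(identity)), r)                 # g = e(Y_A, Q_A)^r
    return r * P % Q, xor(sigma, H2(g)), xor(m, H4(sigma))    # <U, V, W>

def verify(m, sig, identity, pub, P0):
    U, v = sig
    r_prime = g2_mul(pair(U, P), g2_pow(pair(H1(identity), -pub[1] % Q), v))  # e(U,P)*e(Q_A,-Y_A)^v
    return check_pubkey(pub, P0) and v == H_sig(m, r_prime)

def demo():  # one user through encryption, signing and revocation; returns the outcomes
    ta, sem = TA(), SEM()
    ident = b"alice@example.org"                     # constructed identity
    d_user, sem.shares[ident] = ta.issue(ident)
    alice = User(ident, d_user, ta.P0)
    msg = b"32-byte constructed plaintext..."       # exactly N bytes
    C, sig = encrypt(msg, ident, alice.pub, ta.P0), alice.sign(msg, sem)
    bad_pub = (alice.pub[0], (alice.pub[1] + 1) % Q) # Y_A no longer binds to X_A under P0
    out = {"roundtrip": alice.decrypt(C, sem) == msg,
           "sig_ok": verify(msg, sig, ident, alice.pub, ta.P0),
           "sig_rejects_tamper": not verify(msg[:-1] + b"?", sig, ident, alice.pub, ta.P0),
           "unbound_key_rejected": not check_pubkey(bad_pub, ta.P0)}
    sem.revoked.add(ident)                           # instantaneous revocation
    try:
        alice.decrypt(C, sem)
        out["revoked_blocked"] = False
    except PermissionError:
        out["revoked_blocked"] = True
    return out
```

demo() exercises the four properties the text relies on: the decryption round trip and signature verification show the two shares recombine to D_ID only when multiplied by the user's own PrkeyII; the unbound public key is rejected at step (a) before any pairing with Q_A is computed; and once the identity is on the SEM's revocation list, the user's remaining share is useless, which is the instantaneous revocation of Section 1 without any key reissue.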

5 Mediated Hierarchical CL-PKE

This section describes a mediated hierarchical certificateless public key encryption scheme, denoted mHCL-PKE. Our mHCL-PKE scheme eliminates all kinds of key escrow to any ancestor of a user in the mHIDE scheme [8]. We assume that there exist two disjoint tree-shaped hierarchies, of users and of SEMs respectively. Moreover, the root node of both hierarchies is a root TA, and a set of users is associated to each SEM. We denote by Level_t the set of nodes located at the t-th level of both hierarchies. Except for the root node, every node is identified by an ID-tuple ID_t = (ID_1, ID_2, ..., ID_t). The major steps of our scheme are identical to the ones in [8].

1. Root Setup. This algorithm is identical to Setup for mCL-PKE, except that the ciphertext space now depends on the level t. For ease of presentation, we denote the master key by x_0 instead of s. So we have P0 = x_0 P = (x_{0,user} + x_{0,sem})P, P_{0,user} = x_{0,user} P and P_{0,sem} = x_{0,sem} P.

2. Key Generation. Given each of its child users ID_t = (ID_1, ID_2, ..., ID_t), User_{t−1} selects x_{t−1,user} ∈_R Z_q^* and computes Q_t = H1(ID_1 || ... || ID_t) ∈ G1^* and a partial private key D_{t,user} = D_{t−1,user} + x_{t−1,user} Q_t of PrkeyI. User_{t−1} gives D_{t,user} to its child ID_t over a confidential and authentic channel. Then it computes R_{j,user} = x_{j,user} P for 1 ≤ j ≤ t and publicly gives R_{j,user} to its child User_t. The user ID_t selects z_t ∈ Z_q^* as his PrkeyII and constructs his public key as P_t = <X_t, Y_t> = <z_t P, z_t P0>. Given each of its child SEM_t associated with User_t, SEM_{t−1} selects x_{t−1,sem} ∈_R Z_q^* and computes Q_t = H1(ID_1 || ... || ID_t) ∈ G1^* and a partial private key D_{t,sem} = D_{t−1,sem} + x_{t−1,sem} Q_t of PrkeyI. SEM_{t−1} gives D_{t,sem} to its child SEM_t over a confidential and authentic channel. Then SEM_{t−1} computes R_{j,sem} = x_{j,sem} P for 1 ≤ j ≤ t and publicly gives R_{j,sem} to its child SEM_t.

3. Encrypt. To encrypt M ∈ M for a user ID_t with public key P_t = <X_t, Y_t>, perform the following steps:
(a) Check that X_t, Y_t ∈ G1^* and that the equality ê(X_t, P0) = ê(Y_t, P) holds. If not, return "Error" and abort encryption.
(b) Compute Q_i = H1(ID_1 || ID_2 || ... || ID_i) ∈ G1^* for each 2 ≤ i ≤ t.
(c) Choose a random value r ∈ Z_q^*.
(d) Compute g = ê(Q_1, Y_t) and V = M ⊕ H2(g^r).
(e) Compute U_0 = rP and U_i = rQ_i for 2 ≤ i ≤ t.
(f) Set the ciphertext C = <U_0, U_2, U_3, ..., U_t, V> ∈ C.

4. Decrypt. When receiving C = <U_0, U_2, ..., U_t, V> ∈ C, the user with ID_t proceeds as follows:
(a) Check that (U_0, U_2, U_3, ..., U_t) ∈ G1^t. Otherwise, reject C.
(b) Forward C to SEM_t, so that the following steps are performed in parallel:
– SEM_t:
 1. Checks if the user's identity ID_t or public key is revoked. If it is, returns "Error".
 2. Computes g_{sem_t} = ê(U_0, D_{t,sem}) · (∏_{i=2}^{t} ê(R_{i−1,sem}, U_i))^{−1} and sends it to the user ID_t.
– USER ID_t:
 1. Computes g_{user_t} = ê(U_0, D_{t,user}) · (∏_{i=2}^{t} ê(R_{i−1,user}, U_i))^{−1}.
 2. When receiving g_{sem_t} from SEM_t, ID_t computes g^r = g_{user_t}^{z_t} · g_{sem_t}^{z_t}.
 3. Computes M = V ⊕ H2(g^r).

6 Application

Using our mCL-PKE scheme of Section 2, we modify Nali, Adams and Miri's RBAC scheme [7] to remove the inherent key escrow property as follows. The role manager (RM) plays the role of the TA in our mCL-PKE scheme. For each role ID_i, the RM generates D_{ID_i} = sH1(ID_i) and a pair (D_{ID_i,user}, D_{ID_i,sem}). The RM gives D_{ID_i,user} to the user and D_{ID_i,sem}, its sub-role decryption key shares, to the SEMs associated with ID_i. Each user chooses a private key x and publishes <xP, xP0> by itself or via a directory service. The Database Manager (DBM) obtains from the RM the keys of all roles required to access m and encrypts m using these role keys with virtual identities ID_{i_1}, ..., ID_{i_k}. The DBM computes Q_{ID_{i_j}} = H1(ID_{i_j}) for j = 1, ..., k and the virtual identity Q_{VID} = Σ_{j=1}^{k} Q_{ID_{i_j}}. Then the DBM obtains and stores in the cipher table (CT) the ciphertext C = (U, V, W) = (rP, σ ⊕ H2(g), M ⊕ H4(σ)), where g = ê(Q_{VID}, xP0)^r. When the user A wants to access a protected M, A obtains C and the list of roles from the DBM. A sends them to a minimum number of SEMs whose roles are all ancestors of the roles. The SEMs check whether the user's identity, public key or any of the role identities is revoked, or whether an RBAC separation of duty is broken. If none of these conditions holds, the SEMs compute their partial decryptions of C using their shares of the role keys and send them to the user A. A completes the decryption of C using his shares of the role keys. Note that our scheme is the same as the RBAC scheme using mIBE, except that it uses the public key that matches the private key.

The application of a mediated hierarchical identity based encryption (mHIDE), which extends mIBE, is to support information access control in hierarchically structured communities of users whose access privileges change very dynamically [8]. Using our mHCL-PKE scheme of Section 5, we can modify the application to remove the key escrow property similarly.

7 Conclusion

In this paper, we have shown that the method of mRSA to allow fast revocation of RSA keys can be used by certificateless public key cryptography (CL-PKC). The mediated CL-PKC (mCL-PKC) that combines CL-PKC and mediated cryptography tackles the issues associated with certificate management in PKIs and supports fine-grained revocation. Moreover, we have shown that our mCL-PKC is more suitable for the cryptographic support of role-based access control than mediated ID-PKC, because our schemes do not suffer from the key escrow property of mediated ID-PKC. One possible goal for future research is to design and analyze mediated selective-ID secure schemes in the standard model, without random oracles. Another aim is to design and investigate the applications of mediated certificateless public key cryptography.

References

1. D. Boneh, X. Ding, G. Tsudik, and C. Wong, A method for fast revocation of public key certificates and security capabilities, In Proceedings of the 10th USENIX Security Symposium, USENIX, 2001.
2. D. Boneh, X. Ding, and G. Tsudik, Fine-grained control of security capabilities, ACM Transactions on Internet Technology (TOIT), Volume 4, Issue 1, February 2004.
3. B. Libert and J.-J. Quisquater, Efficient revocation and threshold pairing based cryptosystems, Symposium on Principles of Distributed Computing (PODC 2003), 2003.
4. J. Baek and Y. Zheng, Identity-Based Threshold Decryption, Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography (PKC 2004), LNCS, vol. 2947, Springer-Verlag, 2004, pp. 262-276.
5. S.S. Al-Riyami and K.G. Paterson, Certificateless public key cryptography, In Advances in Cryptology - ASIACRYPT 2003, volume 2894 of LNCS, pages 452-473, Springer-Verlag, 2003.
6. D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, In Advances in Cryptology - CRYPTO 2001, volume 2139 of LNCS, pages 213-229, Springer-Verlag, 2001.
7. D. Nali, C. Adams, and A. Miri, Using Mediated Identity-Based Cryptography to Support Role-Based Access Control, ISC 2004, 2004.
8. D. Nali, A. Miri, and C. Adams, Efficient Revocation of Dynamic Security Privileges in Hierarchically Structured Communities, Proceedings of the 2nd Annual Conference on Privacy, Security and Trust (PST 2004), Fredericton, New Brunswick, Canada, October 13-15, 2004, pp. 219-223.
9. C. Gentry and A. Silverberg, Hierarchical ID Based Cryptography, In Advances in Cryptology - ASIACRYPT 2002, LNCS, pages 548-566, Springer-Verlag, 2002.
10. F. Hess, Efficient identity based signature schemes based on pairings, In K. Nyberg and H. Heys, editors, Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, volume 2595 of LNCS, pages 310-324, Springer-Verlag, 2003.