Authentication

Authentication is any process through which one proves and verifies certain information. Sometimes one may want to verify the origin of a document, the identity of the sender, the time and date a document was sent and/or signed, the identity of a computer or user, and so on. A digital signature is a cryptographic means through which many of these may be verified. The digital signature of a document is a piece of information based on both the document and the signer's private key. It is typically created through the use of a hash function and a private signing function (encrypting with the signer's private key), but there are other methods.

Identification

Identification is a process through which one ascertains the identity of another person or entity. In our daily lives, we identify our family members, friends, and coworkers by their physical properties, such as voice, face or other characteristics. These characteristics, called biometrics, can only be used on computer networks with special hardware. Entities on a network may also identify one another using cryptographic methods. An identification scheme allows Alice to identify herself to Bob in such a way that someone listening in cannot pose as Alice later.

One example of an identification scheme is a zero-knowledge proof. Zero-knowledge proofs allow a person (or a server, website, etc.) to demonstrate they have a certain piece of information without giving it away to the person (or entity) they are convincing. Suppose Alice knows how to solve the Rubik's cube and wants to convince Bob she can without giving away the solution. They could proceed as follows. Alice gives Bob a Rubik's cube, which he thoroughly messes up and then gives back to Alice. Alice turns away from Bob, solves the puzzle and hands it back to Bob. This works because Bob saw that Alice solved the puzzle, but he did not see the solution.
This idea may be adapted to an identification scheme if each person involved is given a "puzzle" and its answer. The security of the system relies on the difficulty of solving the puzzles. In the case above, if Alice were the only person who could solve a Rubik's cube, then that could be her puzzle. In this scenario Bob is the verifier and is identifying Alice, the prover. The idea is to associate with each person something unique: something only that person can reproduce. This in effect takes the place of a face or a voice, which are unique factors allowing people to identify one another in the physical world.

Authentication and identification are different. Identification requires that the verifier check the information presented against all the entities it knows about, while authentication requires that the information be checked for a single, previously identified, entity. In addition, while identification must, by definition, uniquely identify a given entity, authentication does not necessarily require uniqueness. For instance, someone logging into a shared account is not uniquely identified, but by knowing the shared password, they are authenticated as one of the users of the account. Furthermore, identification does not necessarily authenticate the user for a particular purpose.

What is privacy?

Privacy is perhaps the most obvious application of cryptography. Cryptography can be used to implement privacy simply by encrypting the information intended to remain private. In order for someone to read this private data, one must first decrypt it. Note that sometimes information is not supposed to be accessed by anyone, and in these cases, the information may be stored in such a way that reversing the process is virtually impossible. For instance, on a typical multi-user system, no one is supposed to know the list of passwords of everyone on the system. Often hash values of passwords are stored instead of the passwords themselves.
This allows the users of the system to be confident their private information is actually kept private while still enabling an entered password to be verified (by computing its hash and comparing that result against a stored hash value).

What is public-key cryptography?

In traditional cryptography, the sender and receiver of a message know and use the same secret key: the sender uses the secret key to encrypt the message, and the receiver uses the same secret key to decrypt the message. This method is known as secret-key or symmetric cryptography. The main challenge is getting the sender and receiver to agree on the secret key without anyone else finding out. If they are in separate physical locations, they must trust a courier, a phone system, or some other transmission medium to prevent the disclosure of the secret key. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all messages encrypted or authenticated using that key. The generation, transmission and storage of keys is called key management; all cryptosystems must deal with key management issues. Because all keys in a secret-key cryptosystem must remain secret, secret-key cryptography often has difficulty providing secure key management, especially in open systems with a large number of users.

In order to solve the key management problem, Whitfield Diffie and Martin Hellman [DH76] introduced the concept of public-key cryptography in 1976. Public-key cryptosystems have two primary uses, encryption and digital signatures. In their system, each person gets a pair of keys, one called the public key and the other called the private key. The public key is published, while the private key is kept secret. The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. In this system, it is no longer necessary to trust the security of some means of communications.
The only requirement is that public keys be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by just using public information, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient. Furthermore, public-key cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures) and various other techniques.

In a public-key cryptosystem, the private key is always linked mathematically to the public key. Therefore, it is always possible to attack a public-key system by deriving the private key from the public key. Typically, the defense against this is to make the problem of deriving the private key from the public key as difficult as possible. For instance, some public-key cryptosystems are designed so that deriving the private key from the public key requires the attacker to factor a large number; in this case the derivation is computationally infeasible. This is the idea behind the RSA public-key cryptosystem.

Encryption

When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob, but only Bob can read it (because only Bob knows Bob's private key).

What is secret-key cryptography?

Secret-key cryptography is sometimes referred to as symmetric cryptography. It is the more traditional form of cryptography, in which a single key can be used to encrypt and decrypt a message. Secret-key cryptography not only deals with encryption, but it also deals with authentication. One such technique is called message authentication codes (MACs).
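Returning to the password-storage point made under privacy above: the system keeps a hash value rather than the password and verifies a login attempt by recomputing the hash and comparing. The following Python is an added example, not code from the original page; it goes one step beyond the page's description by adding a per-user random salt and PBKDF2 iterations, which is how the hash-instead-of-password idea is applied in practice. The username and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Iteration count and salt length are assumptions for this example; the page
# itself only describes storing "hash values of passwords".
ITERATIONS = 100_000
SALT_LEN = 16
_DUMMY_SALT = b"\x00" * SALT_LEN   # used to keep timing uniform for unknown users


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value that is stored in place of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Store (salt, hash) for the user; the password itself is never kept."""
    salt = os.urandom(SALT_LEN)
    store[username] = (salt, hash_password(password, salt))


def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash of the entered password and compare with the stored one."""
    salt, stored = store.get(username, (_DUMMY_SALT, None))
    candidate = hash_password(password, salt)   # computed even for unknown users
    if stored is None:
        return False
    # constant-time comparison so response time does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Constructed sample: one registered user, three login attempts."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    return {
        "good": verify(store, "alice", "correct horse battery staple"),
        "wrong": verify(store, "alice", "wrong password"),
        "unknown": verify(store, "bob", "anything"),
        # the stored record reveals nothing recognisable from the password
        "plaintext_absent": b"correct horse" not in store["alice"][1],
    }


if __name__ == "__main__":
    print(demo())
```

Even an administrator who can read the whole store learns only salts and hashes; the only way to check a candidate password is to run the same derivation, which is exactly the property the privacy section describes.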
The main problem with secret-key cryptosystems is getting the sender and receiver to agree on the secret key without anyone else finding out. This requires a method by which the two parties can communicate without fear of eavesdropping. However, the advantage of secret-key cryptography is that it is generally faster than public-key cryptography. The most common techniques in secret-key cryptography are block ciphers, stream ciphers, and message authentication codes.

Blind signature

Blind signature schemes, first introduced by Chaum [Cha83] [Cha85], allow a person to get a message signed by another party without revealing any information about the message to the other party. Chaum demonstrated the implementation of this concept using RSA signatures as follows. Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let (n, e) be Bob's public key and (n, d) be his private key. Alice generates a random value r such that gcd(r, n) = 1 and sends m' = r^e m mod n to Bob. The value m' is "blinded" by the random value r, and hence Bob can derive no useful information from it. Bob returns the signed value s' = (m')^d = (r^e m)^d mod n to Alice. Since s' = r m^d mod n, Alice can obtain the true signature s of m by computing s = s' r^(-1) mod n. Now Alice's message has a signature she could not have obtained on her own.

This signature scheme is secure provided that factoring and root extraction remain difficult. However, regardless of the status of these problems, the signature scheme is unconditionally "blind" since r is random. The random r does not allow the signer to learn about the message even if the signer can solve the underlying hard problems. There are potential problems if Alice can give an arbitrary message to be signed, since this effectively enables her to mount a chosen message attack. One way of thwarting this kind of attack is described in [CFN88].
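The Chaum protocol just described, carried through in Python as an added example (not code from the page or from Chaum). It uses textbook RSA with two small constructed primes, which is far too small for real use but lets every step of the blinding, signing and unblinding be checked; the prime values, the message and the function names are assumptions of this example.

```python
from math import gcd
import secrets

# Bob's toy RSA key: two constructed small primes (real keys are far larger).
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, e*d = 1 mod (p-1)(q-1)


def sign(m_prime: int) -> int:
    """Bob's side: sign whatever value he is handed. He never sees m."""
    return pow(m_prime, D, N)


def verify(m: int, s: int) -> bool:
    """Anyone can check an RSA signature with Bob's public key (n, e)."""
    return pow(s, E, N) == m


def blind(m: int) -> tuple[int, int]:
    """Alice's side: pick random r with gcd(r, n) = 1 and send m' = r^e m mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2   # 2 <= r < N
        if gcd(r, N) == 1:
            break
    m_prime = (pow(r, E, N) * m) % N
    return m_prime, r


def unblind(s_prime: int, r: int) -> int:
    """Alice's side: s' = r m^d mod n, so s = s' r^-1 mod n is the plain signature."""
    return (s_prime * pow(r, -1, N)) % N


def blind_signature_protocol(m: int) -> int:
    """Run the full exchange and return Bob's signature on m."""
    m_prime, r = blind(m)        # Alice
    s_prime = sign(m_prime)      # Bob, sees only m'
    return unblind(s_prime, r)   # Alice


if __name__ == "__main__":
    message = 123456789          # constructed sample message, must be < N
    sig = blind_signature_protocol(message)
    print("signature valid:", verify(message, sig))
```

The unblinded s equals what Bob would have produced had he signed m directly, which is why the verifier cannot tell that the signature was issued blind; and because r is uniformly random and coprime to n, the value m' Bob sees is independent of m.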
Blind signatures have numerous uses including timestamping, anonymous access control, and digital cash. Thus it is not surprising there are now numerous variations on the blind signature theme. Further work on blind signatures has been carried out in recent years [FY94] [SPC95].

Electronic money (digital cash)

Electronic money (also called electronic cash or digital cash) is a term that is still fairly vague and undefined. It refers to transactions carried out electronically with a net result of funds transferred from one party to another. Electronic money may be either debit or credit. Digital cash per se is basically another currency, and digital cash transactions can be visualized as a foreign exchange market. This is because we need to convert an amount of money to digital cash before we can spend it. The conversion process is analogous to purchasing foreign currency. Pioneer work on the theoretical foundations of digital cash was carried out by Chaum [Cha83] [Cha85].

Digital cash in its precise definition may be anonymous or identified. Anonymous schemes do not reveal the identity of the customer and are based on blind signature schemes. Identified spending schemes always reveal the identity of the customer and are based on more general forms of signature schemes. Anonymous schemes are the electronic analog of cash, while identified schemes are the electronic analog of a debit or credit card. There are other approaches: payments can be anonymous with respect to the merchant but not the bank, or anonymous to everyone but traceable (a sequence of purchases can be related, but not linked directly to the spender's identity).

Since digital cash is merely an electronic representation of funds, it is possible to easily duplicate and spend a certain amount of money more than once. Therefore, digital cash schemes have been structured so that it is not possible to spend the same money more than once without getting caught immediately or within a short period of time.
Another approach is to have the digital cash stored in a secure device, which prevents the user from double spending.

Electronic money also encompasses payment systems that are analogous to traditional credit cards and checks. Here, cryptography protects conventional transaction data such as an account number and amount; a digital signature can replace a handwritten signature or a credit-card authorization, and public-key encryption can provide confidentiality. There are a variety of systems for this type of electronic money, ranging from those that are strict analogs of conventional paper transactions with a typical value of several dollars or more, to those (not digital cash per se) that offer a form of "micropayments" where the transaction value may be a few pennies or less. The main difference is that for extremely low-value transactions even the limited overhead of public-key encryption and digital signatures is too much, not to mention the cost of "clearing" the transaction with the bank. As a result, "batching" of transactions is required, with the public-key operations done only occasionally.

Several Web pages surveying payment systems and other forms of electronic money are available, including the following:

http://ganges.cs.tcd.ie/mepeirce/Project/oninternet.html, by Michael Peirce
http://www.w3.org/hypertext/WWW/Payments/roadmap.html, by Phillip Hallam-Baker
http://nii.isi.edu/info/netcheque/related.html, part of the NetCheque project at the Information

What is RSA?

RSA is a public-key cryptosystem that offers both encryption and digital signatures (authentication). Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977 [RSA78]; RSA stands for the first letter in each of its inventors' last names. RSA works as follows: take two large primes, p and q, and compute their product n = pq; n is called the modulus. Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors except 1.
Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q may be kept with the private key, or destroyed.

It is currently difficult to obtain the private key d from the public key (n, e). However, if one could factor n into p and q, then one could obtain the private key d. Thus the security of RSA is based on the assumption that factoring is difficult. The discovery of an easy method of factoring would "break" RSA.

Here is how RSA can be used for encryption and digital signatures (in practice, the actual use is slightly different):

RSA Encryption

Suppose Alice wants to send a message m to Bob. Alice creates the ciphertext c by exponentiating: c = m^e mod n, where e and n are Bob's public key. She sends c to Bob. To decrypt, Bob also exponentiates: m = c^d mod n; the relationship between e and d ensures that Bob correctly recovers m. Since only Bob knows d, only Bob can decrypt this message.

RSA Digital Signature

Suppose Alice wants to send a message m to Bob in such a way that Bob is assured the message is authentic, has not been tampered with, and comes from Alice. Alice creates a digital signature s by exponentiating: s = m^d mod n, where d and n are Alice's private key. She sends m and s to Bob. To verify the signature, Bob exponentiates and checks that the message m is recovered: m = s^e mod n, where e and n are Alice's public key.

Thus encryption and authentication take place without any sharing of private keys: each person uses only another's public key or their own private key. Anyone can send an encrypted message or verify a signed message, but only someone in possession of the correct private key can decrypt or sign a message.
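The RSA key generation, encryption and signature steps above, worked through in Python as an added example (not code from the page or from RSA). It follows the textbook description exactly, including the check that e is relatively prime to (p-1)(q-1) and the recovery of m from s^e, and like the page it omits the padding used in practice. The two small primes, the sample message and the function names are constructed assumptions of this example; such key sizes offer no security.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) from two primes, as described in the text."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # (e*d - 1) is divisible by (p-1)(q-1)
    return (n, e), (n, d)


def encrypt(m: int, public_key: tuple[int, int]) -> int:
    """c = m^e mod n using the recipient's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, private_key: tuple[int, int]) -> int:
    """m = c^d mod n using the recipient's private key."""
    n, d = private_key
    return pow(c, d, n)


def sign(m: int, private_key: tuple[int, int]) -> int:
    """s = m^d mod n using the signer's private key."""
    n, d = private_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, d, n)


def verify(m: int, s: int, public_key: tuple[int, int]) -> bool:
    """Accept only if s^e mod n recovers m; any change to m or s fails."""
    n, e = public_key
    return pow(s, e, n) == m


def text_to_int(text: str) -> int:
    """Encode a short message as the integer the arithmetic operates on."""
    return int.from_bytes(text.encode(), "big")


def int_to_text(x: int) -> str:
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode()


if __name__ == "__main__":
    # Constructed toy key; the message must be shorter than the modulus.
    bob_public, bob_private = make_keypair(1_000_003, 1_000_033)
    m = text_to_int("RSA!")
    c = encrypt(m, bob_public)
    print("recovered:", int_to_text(decrypt(c, bob_private)))
    s = sign(m, bob_private)
    print("signature valid:", verify(m, s, bob_public))
    print("tampered message rejected:", not verify(m + 1, s, bob_public))
```

Note that the same key pair serves both operations: the owner's private exponent decrypts what others encrypted to the public key, and signs what others can verify with it, which is the "no sharing of private keys" property the text ends on.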