Key transport based on public-key encryption

Key transport based on public-key encryption involves one party choosing a symmetric key, and transferring it to a second, using that party’s encryption public key. This provides key authentication to the originator (only the intended recipient has the private key allowing decryption), but the originator itself obtains neither entity authentication nor key confirmation. The second party receives no source authentication. Such additional assurances may be obtained through use of further techniques including: additional messages (§12.5.1); digital signatures (§12.5.2); and symmetric encryption in addition to signatures (§12.5.3).

Authentication assurances can be provided with or without the use of digital signatures, as follows:

  1. entity authentication via public-key decryption (§12.5.1). The intended recipient authenticates itself by returning some time-variant value which it alone may produce or recover. This may allow authentication of both the entity and a transferred key.
  2. data origin authentication via digital signatures (§12.5.2). Public-key encryption is combined with a digital signature, providing key transport with source identity assurances.
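
The following is an added illustration, not taken from the original text and not one of the named protocols: one-pass key transport followed by the recipient returning a time-variant value that only the private-key holder can recover. Toy textbook RSA with constructed Mersenne-prime keys stands in for the public-key scheme; the function names, the 8-byte value r, and the r || k plaintext layout are assumptions.

```python
import hmac
import secrets

# Toy textbook RSA (no padding, small fixed primes): illustration only.
def keygen(p=2**127 - 1, q=2**107 - 1, e=65537):
    """Constructed toy key pair from two Mersenne primes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def originator_send(pub_b):
    """A picks key k and time-variant value r, sends P_B(r || k)."""
    n, e = pub_b
    k, r = secrets.token_bytes(16), secrets.token_bytes(8)
    return k, r, pow(int.from_bytes(r + k, "big"), e, n)

def recipient_recv(priv, c):
    """B decrypts and splits the 24-byte plaintext into (r, k)."""
    n, d = priv
    m = pow(c, d, n).to_bytes(30, "big")[-24:]
    return m[:8], m[8:]

def originator_verify(r_sent, r_returned):
    """A accepts B only if the returned value matches its fresh r."""
    return hmac.compare_digest(r_sent, r_returned)

if __name__ == "__main__":
    pub_b, priv_b = keygen()
    k, r, c = originator_send(pub_b)
    r_b, k_b = recipient_recv(priv_b, c)
    print("B recovered k:", k_b == k, "| A accepts B:", originator_verify(r, r_b))
    # A party holding a different private key cannot recover r.
    _, priv_x = keygen(p=2**89 - 1, q=2**127 - 1)
    r_x, _ = recipient_recv(priv_x, c)
    print("A accepts non-holder:", originator_verify(r, r_x))
```

Note that `recipient_recv` takes no sender identity: B processes the ciphertext identically whoever produced it, which is the missing source authentication described above.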

The distinction between entity authentication and data origin authentication is that the former provides a timeliness assurance, whereas the latter need not. Table 12.3 summarizes the protocols presented.

| Protocol | signatures required‡ | entity authentication | number of messages |
|---|---|---|---|
| basic PK encryption (1-pass) | no | no | 1 |
| Needham-Schroeder PK | no | mutual | 3 |
| encrypting signed keys | yes | data origin only† | 1 |
| separate signing, encrypting | yes | data origin only† | 1 |
| signing encrypted keys | yes | data origin only† | 1 |
| X.509 (2-pass) - timestamps | yes | mutual | 2 |
| X.509 (3-pass) - random #’s | yes | mutual | 3 |
| Beller-Yacobi (4-pass) | yes | mutual | 4 |
| Beller-Yacobi (2-pass) | yes | unilateral | 2 |

Table 12.3: Selected key transport protocols based on public-key encryption.

†Unilateral entity authentication may be achieved if timestamps are included.

‡Schemes using public keys transported by certificates require signatures for verification thereof, but signatures are not required within protocol messages.

 