Voltage - Identity Based Encryption.

Victor.Duchovni at morganstanley.com Victor.Duchovni at morganstanley.com
Wed Jul 9 10:32:34 EDT 2003

On Mon, 7 Jul 2003, Hack Hawk wrote:

> So what they're saying is that your PRIVATE key is stored on a server
> somewhere on the Internet?!?!

No, this (like Kerberos) works best in a federated model. Each
organization (or group of organizations that trust a common third
party and have mechanisms to authenticate their users to said party) runs
a key server.

The recipient's address together with the organization-wide public key of
the recipient's server (s.P) allow the sender to unilaterally construct a
session key that is only recoverable by recipient's private key which is
derived from the recipient's server secret and the recipient's identity.

The recipient needs to (at least once) authenticate to *his* server and
get his private key.

The server secret "s" (like a KDC master key in Kerberos) yields
*everyone's* private key in the organization in question. Unlike a KDC the
database consists only of a single secret! If a user's key is compromised,
the user needs to change "identities" (email addresses). If a server key
is compromised, ...

This obviates the need for key exchange between individual users, but
creates a need for a TTP in each participating organization or consortium.

I look at this as a Kerberos alternative with a public/private master key.
Creating a session key does not involve any calls to the KDC because the
KDC public keys are published.

Interactive user principals can avoid storing their keys in persistent
storage, by authenticating each time (the mail client starts),
disconnected users or server applications store secrets in access
controlled storage (analogous to keytabs).

In an AD environment the authentication to the new key server can use the
"real" Kerberos...

Unlike the real Kerberos this does not require (n^2)/2 keys, but it
does require (n^2)/2 key exchanges of n keys, otherwise one gets back to
Verisign style models for server key signing.

Key management does not ever go away! How does one secure the key
management? (Bilateral diplomatic cases chained to wrists work, but are
difficult on an Internet scale)...

If all server keys are held in write-only tamper-proof hardware, perhaps
server key revocation will be rare and key exchanges might be less

As an online protocol, it resembles Kerberos even more, but perhaps works
better across organizational boundaries. Each organization periodically
obtains via some secure channel the public keys of their business
partners. These are leveraged to create secure channels between users.

The channels are not server mediated so unlike a VPN or SMTP+TLS, the
crypto is end-to-end with the servers at each site holding a secret that
can compromise every user.

I doubt Voltage.com will be able to sell everyone on a single server for
the whole Internet so the bilateral key management problem does not go
away, it just gets factored into clumps...

Please correct my impression if I got this completely wrong...
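The key flow described above (one master secret s, a published s.P, each user's private key derived from s and the e-mail address), as an added toy model that is not part of the original post and is not Voltage's code. The "pairing" is a deliberately insecure stand-in (integers mod q with e(a, b) = g^(a*b)) that keeps the bilinear algebra of Boneh-Franklin and nothing else, so the model shows only who needs which secret: the sender needs the address and s.P, the recipient needs a key handed out by the server, and whoever holds s can derive every key. All parameters and names are constructed for the example.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example; NOT a secure instantiation).
P_MOD = 2**127 - 1          # prime modulus of the "target group" GT
Q = P_MOD - 1               # order of the toy source group (integers mod Q)
G = 3                       # generator of GT used by the toy pairing
P_GEN = 1                   # the public group point "P" from the post

def smul(k, pt):
    """Scalar multiplication k.pt in the toy additive group."""
    return (k * pt) % Q

def pair(a, b):
    """Toy bilinear map e(a, b) = G^(a*b): bilinear, but trivially invertible."""
    return pow(G, (a * b) % Q, P_MOD)

def h1(identity):
    """Hash an identity string (e-mail address) to a toy group element."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q

def h2(gt_elem, n):
    """Derive n key-stream bytes from a GT element."""
    return hashlib.shake_256(gt_elem.to_bytes(16, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Key server: one master secret s; only s.P is published."""
    s = secrets.randbelow(Q - 1) + 1
    return s, smul(s, P_GEN)

def extract(s, identity):
    """Key server: a recipient's private key needs only s and the address."""
    return smul(s, h1(identity))

def encrypt(mpk, identity, msg):
    """Sender: needs only the recipient's address and the server's s.P."""
    r = secrets.randbelow(Q - 1) + 1
    u = smul(r, P_GEN)                                          # U = r.P
    k = h2(pow(pair(h1(identity), mpk), r, P_MOD), len(msg))   # e(H1(id), s.P)^r
    return u, xor(msg, k)

def decrypt(d_id, ct):
    """Recipient: e(d_id, U) = e(s.H1(id), r.P) = e(H1(id), s.P)^r."""
    u, v = ct
    return xor(v, h2(pair(d_id, u), len(v)))
```

Note that `extract` is the whole key escrow: the server database is the single integer s, exactly as the post says, and any holder of s reproduces every user's private key.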


The Cryptography Mailing List