
Key escrow

About: Key escrow is a research topic. Over the lifetime, 1162 publications have been published within this topic receiving 19616 citations.


Papers
Proceedings Article
12 Dec 2008
TL;DR: The proposed scheme is ID-based, but without any assumption of prefixed trust relationship between members, which effectively solves the problem that exists in some existing ID-based key agreement protocols in which a trusted PKG and key escrow is needed.
Abstract: An ID-based authenticated multi-party key agreement scheme without trusted PKG is proposed in this paper. The proposed scheme is ID-based, but without any assumption of prefixed trust relationship between members, which effectively solves the problem that exists in some existing ID-based key agreement protocols in which a trusted PKG and key escrow is needed. The proposed scheme employs shared password evolvement authentication mechanism, which generates a one-time password for every session key agreement. Our scheme can be applied to multimedia application environment more efficiently because of the low computation and communication cost.

3 citations

Book
01 Jan 1997
TL;DR: This work motivates and introduces the concept of a reusable security infrastructure which will be built using a small set of proven security technology primitives and will have a single set of administrative processes, policies, databases and user keys, and describes the Yaksha security system which is an example of such an infrastructure.
Abstract: In this work we first motivate and introduce the concept of a reusable security infrastructure. Such an infrastructure will be built using a small set of proven security technology primitives and will have a single set of administrative processes, policies, databases and user keys. This single infrastructure, once implemented, will provide multiple security functions such as authentication, digital signatures, key exchange and key escrow by protocol variations. We believe that such reusable security infrastructures are the only cost effective way of implementing security on large public networks like the Internet, or within large organizations. Next we describe the Yaksha security system which is an example of such an infrastructure. Built using an RSA variant as a building block, the system can be used for digital signatures, key exchange and key escrow. It can also be used for authentication, and several authentication protocols are feasible within the infrastructure. We choose to describe an authentication protocol which is an extension of Kerberos. Significantly, it appears that breaking the Yaksha system is equivalent to breaking RSA. The Yaksha system achieves more than just reuse, it provides significant improvements over the state of the art. Its method of achieving digital signatures allows for short user private keys, and provides real time revocation of compromised keys. The extension of Kerberos implemented using the infrastructure removes the vulnerability to catastrophic failure and dictionary attacks inherent in the original Kerberos specification. The method of key escrow Yaksha provides does not require an authority to ever learn a user's long term private secrets and can be used for applications ranging from telephony to e-mail to file storage. Passwords are an important part of any security infrastructure, and we overview and point to some of our results on how to build strong password systems. 
Finally, we note that the fundamental primitives in the Yaksha infrastructure are powerful, and consequently a Yaksha infrastructure can be extended and reused in a myriad of ways.

3 citations

Journal Article
TL;DR: This paper constructs the first certificateless signature scheme that can be proven secure against malicious-but-passive KGC attack of super adversaries and is based on the hard lattice problems in the random oracle model.
Abstract: In identity-based signatures, the key generation center KGC always knows user private key, and thus, it can always impersonate the user. Certificateless signatures were introduced by Al-Riyami and Paterson to solve this key escrow problem of identity-based signatures in 2003. In certificateless signatures, the private key is determined by neither the user nor the KGC. In 2007, Huang et al. revisited the security models of certificateless signatures. They divided potential adversaries according to their attack power into normal, strong and super adversaries. On the other hand, Au et al. introduced a new attack called malicious-but-passive KGC attack in the same year. In the new attack, KGC that holds the master secret key is assumed malicious at the very beginning of the setup phase of the system. The previous schemes that can be proven secure against malicious-but-passive KGC attack provided only the security against strong adversaries. In this paper, we construct the first certificateless signature scheme that can be proven secure against malicious-but-passive KGC attack of super adversaries. Moreover, our scheme is still secure when the adversary is allowed to obtain valid signatures on the target identity and message. Our construction is based on the hard lattice problems in the random oracle model. Copyright © 2014 John Wiley & Sons, Ltd.

3 citations

Proceedings Article
01 Dec 2018
TL;DR: Li et al. as mentioned in this paper proposed a fine-grained access control scheme with versatility for cloud storage based on multi-authority CP-ABE, named vFAC, which has the features of large universe, no key escrow problem, online mechanism, hidden policy, verifiability and user revocation.
Abstract: In recent years, cloud storage technology has been widely used in many fields such as education, business, medical and more because of its convenience and low cost. With the widespread applications of cloud storage technology, data access control methods become more and more important in cloud-based network. The ciphertext policy attribute-based encryption (CP-ABE) scheme is very suitable for access control of data in cloud storage. However, in many practical scenarios, all attributes of a user cannot be managed by one authority, so many multi-authority CP-ABE schemes have emerged. Moreover, cloud servers are usually semi-trusted, which may leak user information. Aiming at the above problems, we propose a fine-grained access control scheme with versatility for cloud storage based on multi-authority CP-ABE, named vFAC. The proposed vFAC has the features of large universe, no key escrow problem, online/offline mechanism, hidden policy, verifiability and user revocation. Finally, we demonstrate vFAC is static security under the random oracle model. Through the comparison of several existing schemes in terms of features, computational overhead and storage cost, we can draw a conclusion that vFAC is more comprehensive and scalable.

3 citations

Journal Article
TL;DR: In this paper, the RSW scheme is used to verify the correctness of a timed-release cryptographic key escrow protocol, which is based on the timelock puzzle, and is used in the RSA scheme.
Abstract: Good afternoon. I’ll be sticking to the auditability theme. This is about a protocol which was proposed by Rivest, Shamir and Wagner. It’s a timelock puzzle and to start with I will look at what is a timelock puzzle and what is its use, and then look at the RSW scheme, and then it will be an obvious requirement for auditability, to establish that the puzzle can really be solved within the stated time. Before going into details I look at what the puzzle actually is. It is timed-release cryptography, which takes a very long time, or any specifiable length of time, to solve. Once it’s solved you then know some bits of crypto. It is based on RSA, and now there is argument about how to name RSA, somebody says it’s the alleged trademark of the cryptography used, so somebody else says it’s secret order, like discrete logarithm, address the problem rather than the inventor’s name. Now the applications of time-release cryptography. Obviously there are several, say a bidder wants to seal a bid for a bidding period, another thing is sending messages to the future, a secret to be read in 50 years’ time, and another thing is key escrow architecture. Key escrow is this thing where there is a requirement to escrow some keys so that they can be recovered, and the danger is vast scale intrusion. So with timed-release cryptography it will take some time to produce a key, although we mustn’t waste a tremendous amount of time, but vast scale penetration becomes infeasible, becomes an individual criminal does not have the resources, so this is an example of a real application. Now look at the RSW scheme. It is based on a secret order to an element. Suppose Alice has a secret to encrypt with a timelock puzzle for t units of time to solve. She generates two big primes p, q and multiplies them to obtain n, and then picks a random session key K and encrypts with this the message M using conventional key cryptography to get C_M.
Then she encrypts the session key K using RSA, by adding a^e modulo n to give C_K. Here a is a random element and this exponent e is defined as 2^t mod φ(n) where t is the number of timesteps needed to solve the puzzle. Since Alice generated p and q she can compute this e easily, whereas without knowing the factorization you cannot compute φ(n). Now C_M and a and C_K are published, so this triple becomes the timelock puzzle. So if we analyse it we know that to decrypt message M from C_M you need obviously the correct key, assume this, and to decrypt K from C_K you need to compute a^e mod n. Without knowing the factorization of n it seems that the only known way to compute a^(2^t) is by a repeated squaring of a, so that is t multiplications.

3 citations


Metrics
No. of papers in the topic in previous years
Year    Papers
2024    1
2023    51
2022    89
2021    50
2020    72
2019    58