
10.3 / ELLIPTIC CURVE ARITHMETIC 295

10.3 ELLIPTIC CURVE ARITHMETIC

Most of the products and standards that use public-key cryptography for encryption and digital signatures use RSA. As we have seen, the key length for secure RSA use has increased over recent years, and this has put a heavier processing load on applications using RSA. This burden has ramifications, especially for electronic commerce sites that conduct large numbers of secure transactions. A competing system challenges RSA: elliptic curve cryptography (ECC). ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography.

The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size, thereby reducing processing overhead. On the other hand, although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.

ECC is fundamentally more difficult to explain than either RSA or Diffie-Hellman, and a full mathematical description is beyond the scope of this book. This section and the next give some background on elliptic curves and ECC. We begin with a brief review of the concept of abelian group. Next, we examine the concept of elliptic curves defined over the real numbers. This is followed by a look at elliptic curves defined over finite fields. Finally, we are able to examine elliptic curve ciphers.

The reader may wish to review the material on finite fields in Chapter 4 before proceeding.

Abelian Groups

Recall from Chapter 4 that an abelian group G, sometimes denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that associates to each ordered pair (a, b) of elements in G an element (a · b) in G, such that the following axioms are obeyed. (The operator · is generic and can refer to addition, multiplication, or some other mathematical operation.)

(A1) Closure: If a and b belong to G, then a · b is also in G.
(A2) Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a · e = e · a = a for all a in G.
(A4) Inverse element: For each a in G there is an element a' in G such that a · a' = a' · a = e.
(A5) Commutative: a · b = b · a for all a, b in G.

A number of public-key ciphers are based on the use of an abelian group. For example, Diffie-Hellman key exchange involves multiplying pairs of nonzero integers modulo a prime number q. Keys are generated by exponentiation over the group, with exponentiation defined as repeated multiplication. For example,

$$a^k \bmod q = (\underbrace{a \times a \times \cdots \times a}_{k \text{ times}}) \bmod q$$

To attack Diffie-Hellman, the attacker must determine k given a and a^k; this is the discrete logarithm problem.

For elliptic curve cryptography, an operation over elliptic curves, called addition, is used. Multiplication is defined by repeated addition. For example,

$$a \times k = \underbrace{(a + a + \cdots + a)}_{k \text{ times}}$$

where the addition is performed over an elliptic curve. Cryptanalysis involves determining k given a and (a × k).

An elliptic curve is defined by an equation in two variables with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group. Before looking at this, we first look at elliptic curves in which the variables and coefficients are real numbers. This case is perhaps easier to visualize.

Elliptic Curves over Real Numbers

Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. In general, cubic equations for elliptic curves take the following form, known as a Weierstrass equation:

$$y^2 + axy + by = x^3 + cx^2 + dx + e$$

where a, b, c, d, e are real numbers and x and y take on values in the real numbers. (Note that x and y are true variables, which take on values. This is in contrast to our discussion of polynomial rings and fields in Chapter 4, where x was treated as an indeterminate.) For our purpose, it is sufficient to limit ourselves to equations of the form

$$y^2 = x^3 + ax + b \qquad (10.1)$$

Such equations are said to be cubic, or of degree 3, because the highest exponent they contain is a 3. Also included in the definition of an elliptic curve is a single element denoted O and called the point at infinity or the zero point, which we discuss subsequently. To plot such a curve, we need to compute

$$y = \pm\sqrt{x^3 + ax + b}$$

For given values of a and b, the plot consists of positive and negative values of y for each value of x. Thus, each curve is symmetric about y = 0. Figure 10.4 shows two examples of elliptic curves. As you can see, the formula sometimes produces weird-looking curves.

Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy Equation (10.1) together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b). Using this terminology, the two curves in Figure 10.4 depict the sets E(-1, 0) and E(1, 1), respectively.

[Figure 10.4 Example of Elliptic Curves: (a) y^2 = x^3 - x; (b) y^2 = x^3 + x + 1. Each panel marks two points P and Q, the third intersection -(P + Q) of the line through them, and its reflection P + Q.]

GEOMETRIC DESCRIPTION OF ADDITION It can be shown that a group can be defined based on the set E(a, b) for specific values of a and b in Equation (10.1), provided the following condition is met:

$$4a^3 + 27b^2 \neq 0 \qquad (10.2)$$

To define the group, we must define an operation, called addition and denoted by +, for the set E(a, b), where a and b satisfy Equation (10.2). In geometric terms, the rules for addition can be stated as follows: If three points on an elliptic curve lie on a straight line, their sum is O. From this definition, we can define the rules of addition over an elliptic curve.

1. O serves as the additive identity. Thus O = -O; for any point P on the elliptic curve, P + O = P. In what follows, we assume P ≠ O and Q ≠ O.
2. The negative of a point P is the point with the same x coordinate but the negative of the y coordinate; that is, if P = (x, y), then -P = (x, -y). Note that these two points can be joined by a vertical line. Note that P + (-P) = P - P = O.
3. To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R. It is easily seen that there is a unique point R that is the point of intersection (unless the line is tangent to the curve at either P or Q, in which case we take R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points: P + Q = -R. That is, we define P + Q to be the mirror image (with respect to the x axis) of the third point of intersection. Figure 10.4 illustrates this construction.
4. The geometric interpretation of the preceding item also applies to two points, P and -P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. We therefore have P + (-P) = O, which is consistent with item (2).
5. To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = -S.

With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.

ALGEBRAIC DESCRIPTION OF ADDITION In this subsection, we present some results that enable calculation of additions over elliptic curves. (For derivations of these results, see [KOBL94] or other mathematical treatments of elliptic curves.) For two distinct points, P = (x_P, y_P) and Q = (x_Q, y_Q), that are not negatives of each other, the slope of the line l that joins them is Δ = (y_Q - y_P)/(x_Q - x_P). There is exactly one other point where l intersects the elliptic curve, and that is the negative of the sum of P and Q. After some algebraic manipulation, we can express the sum R = P + Q as

$$x_R = \Delta^2 - x_P - x_Q \qquad (10.3)$$
$$y_R = -y_P + \Delta(x_P - x_R)$$

We also need to be able to add a point to itself: P + P = 2P = R. When y_P ≠ 0, the expressions are

$$x_R = \left(\frac{3x_P^2 + a}{2y_P}\right)^2 - 2x_P \qquad (10.4)$$
$$y_R = \left(\frac{3x_P^2 + a}{2y_P}\right)(x_P - x_R) - y_P$$

Elliptic Curves over Z_p

Elliptic curve cryptography makes use of elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Two families of elliptic curves are used in cryptographic applications: prime curves over Z_p and binary curves over GF(2^m). For a prime curve over Z_p, we use a cubic equation in which the variables and coefficients all take on values in the set of integers from 0 through p - 1 and in which calculations are performed modulo p. For a binary curve defined over GF(2^m), the variables and coefficients all take on values in GF(2^m) and calculations are performed over GF(2^m). [FERN99] points out that prime curves are best for software applications, because the extended bit-fiddling operations needed by binary curves are not required; and that binary curves are best for hardware applications, where it takes remarkably few logic gates to create a powerful, fast cryptosystem. We examine these two families in this section and the next.

There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over real numbers does readily carry over, and this is the approach we take.

For elliptic curves over Z_p, as with real numbers, we limit ourselves to equations of the form of Equation (10.1), but in this case with coefficients and variables limited to Z_p:

$$y^2 \bmod p = (x^3 + ax + b) \bmod p \qquad (10.5)$$

For example, Equation (10.5) is satisfied for a = 1, b = 1, x = 9, y = 7, p = 23:

7^2 mod 23 = (9^3 + 9 + 1) mod 23
49 mod 23 = 739 mod 23
3 = 3

Now consider the set E_p(a, b) consisting of all pairs of integers (x, y) that satisfy Equation (10.5), together with a point at infinity O. The coefficients a and b and the variables x and y are all elements of Z_p.

For example, let p = 23 and consider the elliptic curve y^2 = x^3 + x + 1. In this case, a = b = 1. Note that this equation is the same as that of Figure 10.4b. The figure shows a continuous curve with all of the real points that satisfy the equation. For the set E_23(1, 1), we are only interested in the nonnegative integers in the quadrant from (0, 0) through (p - 1, p - 1) that satisfy the equation mod p. Table 10.1 lists the points (other than O) that are part of E_23(1, 1). Figure 10.5 plots the points of E_23(1, 1); note that the points, with one exception, are symmetric about y = 11.5.

Table 10.1 Points (other than O) on the Elliptic Curve E_23(1, 1)

(0, 1)     (6, 4)      (12, 19)
(0, 22)    (6, 19)     (13, 7)
(1, 7)     (7, 11)     (13, 16)
(1, 16)    (7, 12)     (17, 3)
(3, 10)    (9, 7)      (17, 20)
(3, 13)    (9, 16)     (18, 3)
(4, 0)     (11, 3)     (18, 20)
(5, 4)     (11, 20)    (19, 5)
(5, 19)    (12, 4)     (19, 18)

[Figure 10.5 The Elliptic Curve E_23(1, 1): the 27 points of Table 10.1 plotted on a grid with x and y each running from 0 through 22.]

It can be shown that a finite abelian group can be defined based on the set E_p(a, b) provided that (x^3 + ax + b) mod p has no repeated factors. This is equivalent to the condition

$$(4a^3 + 27b^2) \bmod p \neq 0 \bmod p \qquad (10.6)$$

Note that Equation (10.6) has the same form as Equation (10.2).

The rules for addition over E_p(a, b) correspond to the algebraic technique described for elliptic curves defined over real numbers. For all points P, Q ∈ E_p(a, b):

1. P + O = P.
2. If P = (x_P, y_P), then P + (x_P, -y_P) = O. The point (x_P, -y_P) is the negative of P, denoted as -P. For example, in E_23(1, 1), for P = (13, 7), we have -P = (13, -7). But -7 mod 23 = 16. Therefore, -P = (13, 16), which is also in E_23(1, 1).
3. If P = (x_P, y_P) and Q = (x_Q, y_Q) with P ≠ -Q, then R = P + Q = (x_R, y_R) is determined by the following rules:

$$x_R = (\lambda^2 - x_P - x_Q) \bmod p$$
$$y_R = (\lambda(x_P - x_R) - y_P) \bmod p$$

where

$$\lambda = \begin{cases} \left(\dfrac{y_Q - y_P}{x_Q - x_P}\right) \bmod p & \text{if } P \neq Q \\[2ex] \left(\dfrac{3x_P^2 + a}{2y_P}\right) \bmod p & \text{if } P = Q \end{cases}$$

4. Multiplication is defined as repeated addition; for example, 4P = P + P + P + P.

For example, let P = (3, 10) and Q = (9, 7) in E_23(1, 1). Then

λ = ((7 - 10)/(9 - 3)) mod 23 = (-3/6) mod 23 = (-1/2) mod 23 = 11
x_R = (11^2 - 3 - 9) mod 23 = 109 mod 23 = 17
y_R = (11(3 - 17) - 10) mod 23 = -164 mod 23 = 20

So P + Q = (17, 20). To find 2P,

λ = ((3(3^2) + 1)/(2 × 10)) mod 23 = (28/20) mod 23 = (5/20) mod 23 = (1/4) mod 23 = 6

The last step in the preceding equation involves taking the multiplicative inverse of 4 in Z_23. This can be done using the extended Euclidean algorithm defined in Section 4.4. To confirm, note that (6 × 4) mod 23 = 24 mod 23 = 1.

x_R = (6^2 - 3 - 3) mod 23 = 30 mod 23 = 7
y_R = (6(3 - 7) - 10) mod 23 = (-34) mod 23 = 12

and 2P = (7, 12).

For determining the security of various elliptic curve ciphers, it is of some interest to know the number of points in a finite abelian group defined over an elliptic curve. In the case of the finite group E_p(a, b), the number of points N is bounded by

$$p + 1 - 2\sqrt{p} \le N \le p + 1 + 2\sqrt{p}$$

Note that the number of points in E_p(a, b) is approximately equal to the number of elements in Z_p, namely p elements.

Elliptic Curves over GF(2^m)

Recall from Chapter 4 that a finite field GF(2^m) consists of 2^m elements, together with addition and multiplication operations that can be defined over polynomials. For elliptic curves over GF(2^m), we use a cubic equation in which the variables and coefficients all take on values in GF(2^m) for some number m and in which calculations are performed using the rules of arithmetic in GF(2^m).

It turns out that the form of cubic equation appropriate for cryptographic applications for elliptic curves is somewhat different for GF(2^m) than for Z_p. The form is

$$y^2 + xy = x^3 + ax^2 + b \qquad (10.7)$$

where it is understood that the variables x and y and the coefficients a and b are elements of GF(2^m) and that calculations are performed in GF(2^m).

Now consider the set E_{2^m}(a, b) consisting of all pairs (x, y) of elements of GF(2^m) that satisfy Equation (10.7), together with a point at infinity O.

For example, let us use the finite field GF(2^4) with the irreducible polynomial f(x) = x^4 + x + 1. This yields a generator g that satisfies f(g) = 0 with a value of g^4 = g + 1, or in binary, g = 0010. We can develop the powers of g as follows.

g^0 = 0001    g^4 = 0011    g^8 = 0101     g^12 = 1111
g^1 = 0010    g^5 = 0110    g^9 = 1010     g^13 = 1101
g^2 = 0100    g^6 = 1100    g^10 = 0111    g^14 = 1001
g^3 = 1000    g^7 = 1011    g^11 = 1110    g^15 = 0001

For example, g^5 = (g^4)(g) = (g + 1)(g) = g^2 + g = 0110.

Now consider the elliptic curve y^2 + xy = x^3 + g^4 x^2 + 1. In this case, a = g^4 and b = g^0 = 1. One point that satisfies this equation is (g^5, g^3):

(g^3)^2 + (g^5)(g^3) = (g^5)^3 + (g^4)(g^5)^2 + 1
g^6 + g^8 = g^15 + g^14 + 1
1100 + 0101 = 0001 + 1001 + 0001
1001 = 1001

Table 10.2 lists the points (other than O) that are part of E_{2^4}(g^4, 1). Figure 10.6 plots the points of E_{2^4}(g^4, 1).

Table 10.2 Points (other than O) on the Elliptic Curve E_{2^4}(g^4, 1)

(0, 1)        (g^5, g^3)     (g^9, g^13)
(1, g^6)      (g^5, g^11)    (g^10, g)
(1, g^13)     (g^6, g^8)     (g^10, g^8)
(g^3, g^8)    (g^6, g^14)    (g^12, 0)
(g^3, g^13)   (g^9, g^10)    (g^12, g^12)

[Figure 10.6 The Elliptic Curve E_{2^4}(g^4, 1): the 15 points of Table 10.2 plotted on a grid whose axes are labeled 0, 1, g, g^2, ..., g^14.]

It can be shown that a finite abelian group can be defined based on the set E_{2^m}(a, b), provided that b ≠ 0. The rules for addition can be stated as follows. For all points P, Q ∈ E_{2^m}(a, b):

1. P + O = P.
2. If P = (x_P, y_P), then P + (x_P, x_P + y_P) = O. The point (x_P, x_P + y_P) is the negative of P, which is denoted as -P.
3. If P = (x_P, y_P) and Q = (x_Q, y_Q) with P ≠ -Q and P ≠ Q, then R = P + Q = (x_R, y_R) is determined by the following rules:

$$x_R = \lambda^2 + \lambda + x_P + x_Q + a$$
$$y_R = \lambda(x_P + x_R) + x_R + y_P$$

where

$$\lambda = \frac{y_Q + y_P}{x_Q + x_P}$$

4. If P = (x_P, y_P) with x_P ≠ 0, then R = 2P = (x_R, y_R) is determined by the following rules:

$$x_R = \lambda^2 + \lambda + a$$
$$y_R = x_P^2 + (\lambda + 1)x_R$$

where

$$\lambda = x_P + \frac{y_P}{x_P}$$

(If x_P = 0, then by rule 2 we have P = -P, so 2P = O; such a point has order 2.)
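To make the four rules concrete, here is an added example (not from the text) that implements GF(2^4) arithmetic with f(x) = x^4 + x + 1 and the addition rules of this subsection in Python, regenerates Table 10.2 by exhaustive search, and adds and doubles the point (g^5, g^3). The field, the curve E_{2^4}(g^4, 1) and the table are the text's; the function names (gf_mul, add, mul, order, fmt) and the 4-bit integer representation of field elements are the example's own choices.

```python
# Added example, not from the textbook: arithmetic on the binary curve
# y^2 + xy = x^3 + a x^2 + b over GF(2^4), f(x) = x^4 + x + 1, g = x = 0010.
# Field elements are 4-bit integers (bit i stands for x^i); addition is XOR.

M = 4
POLY = 0b10011                  # f(x) = x^4 + x + 1, irreducible over GF(2)
G = 0b0010                      # the generator g

def gf_mul(u, v):
    """Multiply two field elements: shift-and-add, reducing by f(x)."""
    acc = 0
    while v:
        if v & 1:
            acc ^= u
        v >>= 1
        u <<= 1
        if u & (1 << M):        # degree reached m: subtract (XOR) f(x)
            u ^= POLY
    return acc

def gf_pow(u, e):
    acc = 1
    for _ in range(e):
        acc = gf_mul(acc, u)
    return acc

def gf_inv(u):
    """u^(-1) = u^(2^m - 2): the nonzero elements form a group of order 2^m - 1."""
    assert u != 0, "zero has no inverse"
    return gf_pow(u, (1 << M) - 2)

GPOW = [gf_pow(G, i) for i in range(15)]       # g^0 .. g^14, the table of powers
LOG = {v: i for i, v in enumerate(GPOW)}

def on_curve(P, a, b):
    if P is None:                               # O, the point at infinity
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(a, x2) ^ b

def points(a, b):
    """All finite points of E_{2^m}(a, b): exhaustive search over the 16 x 16 grid."""
    return [(x, y) for x in range(1 << M) for y in range(1 << M) if on_curve((x, y), a, b)]

def neg(P):
    return None if P is None else (P[0], P[0] ^ P[1])    # rule 2: -P = (x_P, x_P + y_P)

def add(P, Q, a):
    """Rules 1-4 of the text; x_P = 0 (P = -P, so 2P = O) is caught by the -P test."""
    if P is None:
        return Q
    if Q is None:
        return P
    if Q == neg(P):
        return None
    xp, yp = P
    xq, yq = Q
    if P == Q:                                  # rule 4: doubling
        lam = xp ^ gf_mul(yp, gf_inv(xp))
        xr = gf_mul(lam, lam) ^ lam ^ a
        yr = gf_mul(xp, xp) ^ gf_mul(lam ^ 1, xr)
    else:                                       # rule 3: chord through P and Q
        lam = gf_mul(yq ^ yp, gf_inv(xq ^ xp))
        xr = gf_mul(lam, lam) ^ lam ^ xp ^ xq ^ a
        yr = gf_mul(lam, xp ^ xr) ^ xr ^ yp
    return (xr, yr)

def mul(k, P, a):
    """k * P by left-to-right double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, a)
        if bit == "1":
            R = add(R, P, a)
    return R

def order(P, a):
    """Smallest n > 0 with nP = O (fine for a 16-element group)."""
    n, R = 1, P
    while R is not None:
        R, n = add(R, P, a), n + 1
    return n

def fmt(P):
    """Render a point in the g^i notation of Table 10.2."""
    if P is None:
        return "O"
    return "(%s, %s)" % tuple("0" if v == 0 else "1" if v == 1 else "g^%d" % LOG[v] for v in P)

if __name__ == "__main__":
    a, b = GPOW[4], 1                           # the curve of the text, E_{2^4}(g^4, 1)
    pts = points(a, b)
    print(len(pts), "finite points:", ", ".join(fmt(P) for P in pts))
    P = (GPOW[5], GPOW[3])
    print("2P =", fmt(add(P, P, a)), "; P + (1, g^6) =", fmt(add(P, (1, GPOW[6]), a)))
    print("order of P:", order(P, a), "; order of (0, 1):", order((0, 1), a))
```

The search finds exactly the 15 finite points of Table 10.2, so the group has 16 elements. Doubling (g^5, g^3) gives (1, g^13), and adding (1, g^6) to it gives (g^5, g^11) = -P, which is consistent: (1, g^6) is -(1, g^13). The only point of order 2 is (0, 1), because P = -P forces x_P = 0.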

10.4 ELLIPTIC CURVE CRYPTOGRAPHY

The addition operation in ECC is the counterpart of modular multiplication in RSA, and multiple addition is the counterpart of modular exponentiation. To form a cryptographic system using elliptic curves, we need to find a "hard problem" corresponding to factoring the product of two primes or taking the discrete logarithm.

Consider the equation Q = kP where Q, P ∈ E_p(a, b) and k < p. It is relatively easy to calculate Q given k and P, but it is hard to determine k given Q and P. This is called the discrete logarithm problem for elliptic curves.

We give an example taken from the Certicom Web site (www.certicom.com). Consider the group E_23(9, 17). This is the group defined by the equation y^2 mod 23 = (x^3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus,

P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10);
6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5)

Because 9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible.

In the remainder of this section, we show two approaches to ECC that give the flavor of this technique.

Analog of Diffie-Hellman Key Exchange

Key exchange using elliptic curves can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve parameters a and b for Equation (10.5) or Equation (10.7). This defines the elliptic group of points E_q(a, b). Next, pick a base point G = (x_1, y_1) in E_q(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. G and E_q(a, b) are parameters of the cryptosystem known to all participants.

A key exchange between users A and B can be accomplished as follows (Figure 10.7).

1. A selects an integer n_A less than n. This is A's private key. A then generates a public key P_A = n_A × G; the public key is a point in E_q(a, b).
2. B similarly selects a private key n_B and computes a public key P_B.
3. A generates the secret key k = n_A × P_B. B generates the secret key k = n_B × P_A.

The two calculations in step 3 produce the same result because

n_A × P_B = n_A × (n_B × G) = n_B × (n_A × G) = n_B × P_A

To break this scheme, an attacker would need to be able to compute k given G and kG, which is assumed to be hard.

As an example (provided by Ed Schaefer of Santa Clara University), take p = 211; E_p(0, -4), which is equivalent to the curve y^2 = x^3 - 4; and G = (2, 2). One can calculate that 241G = O, so G has prime order n = 241. A's private key is n_A = 121, so A's public key is P_A = 121(2, 2) = (115, 48). B's private key is n_B = 203, so B's public key is 203(2, 2) = (130, 203). The shared secret key is 121(130, 203) = 203(115, 48) = (161, 69).

Note that the secret key is a pair of numbers. If this key is to be used as a session key for conventional encryption, then a single number must be generated. We could simply use the x coordinate or some simple function of the x coordinate.

Elliptic Curve Encryption/Decryption

Several approaches to encryption/decryption using elliptic curves have been analyzed in the literature. In this subsection, we look at perhaps the simplest. The first task in this system is to encode the plaintext message m to be sent as an (x, y) point P_m.


Global Public Elements
  E_q(a, b)   elliptic curve with parameters a, b, and q, where q is a prime or an integer of the form 2^m
  G           point on elliptic curve whose order is large value n

User A Key Generation
  Select private n_A      n_A < n
  Calculate public P_A    P_A = n_A × G

User B Key Generation
  Select private n_B      n_B < n
  Calculate public P_B    P_B = n_B × G

Calculation of Secret Key by User A
  K = n_A × P_B

Calculation of Secret Key by User B
  K = n_B × P_A

Figure 10.7 ECC Diffie-Hellman Key Exchange

It is the point P_m that will be encrypted as a ciphertext and subsequently decrypted. Note that we cannot simply encode the message as the x or y coordinate of a point, because not all such coordinates are in E_q(a, b); for example, see Table 10.1. Again, there are several approaches to this encoding, which we will not address here, but suffice it to say that there are relatively straightforward techniques that can be used.

As with the key exchange system, an encryption/decryption system requires a point G and an elliptic group E_q(a, b) as parameters. Each user A selects a private key n_A and generates a public key P_A = n_A × G.

To encrypt and send a message P_m to B, A chooses a random positive integer k and produces the ciphertext C_m consisting of the pair of points:

C_m = {kG, P_m + kP_B}

Note that A has used B's public key P_B. To decrypt the ciphertext, B multiplies the first point in the pair by B's private key and subtracts the result from the second point:

P_m + kP_B - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m

A has masked the message P_m by adding kP_B to it. Nobody but A knows the value of k, so even though P_B is a public key, nobody can remove the mask kP_B. However, A also includes a "clue," which is enough to remove the mask if one knows the private key n_B. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed to be hard. Note that k must be chosen fresh and at random for every message: if the same k is used for two messages P_m and P_m', the mask kP_B is identical in both ciphertexts, and anyone who observes both can compute (P_m + kP_B) - (P_m' + kP_B) = P_m - P_m' without knowing k or n_B.

Let us consider a simple example. The global public elements are q = 257; E_q(a, b) = E_257(0, -4), which is equivalent to the curve y^2 = x^3 - 4; and G = (2, 2). Bob's private key is n_B = 101, and his public key is P_B = n_B G = 101(2, 2) = (197, 167). Alice wishes to send a message to Bob that is encoded in the elliptic point P_m = (112, 26). Alice chooses random integer k = 41 and computes kG = 41(2, 2) = (136, 128), kP_B = 41(197, 167) = (68, 84), and P_m + kP_B = (112, 26) + (68, 84) = (246, 174). Alice sends the ciphertext C_m = (C_1, C_2) = {(136, 128), (246, 174)} to Bob. Bob receives the ciphertext and computes C_2 - n_B C_1 = (246, 174) - 101(136, 128) = (246, 174) - (68, 84) = (112, 26).

Security of Elliptic Curve Cryptography

The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method; for a base point of order n it needs on the order of √n group operations, which is why a curve whose group order is about 2^256 provides roughly 128 bits of security. Table 10.3, from NIST SP 800-57 (Recommendation for Key Management, Part 1: General, July 2012), compares various algorithms by showing comparable key sizes in terms of computational effort for cryptanalysis. As can be seen, a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable [JURI97]. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA.

Table 10.3 Comparable Key Sizes in Terms of Computational Effort for Cryptanalysis (NIST SP 800-57)

Symmetric Key   Diffie-Hellman, Digital     RSA                     ECC
Algorithms      Signature Algorithm         (size of n in bits)     (modulus size in bits)
80              L = 1024,   N = 160         1024                    160-223
112             L = 2048,   N = 224         2048                    224-255
128             L = 3072,   N = 256         3072                    256-383
192             L = 7680,   N = 384         7680                    384-511
256             L = 15,360, N = 512         15,360                  512+

Note: L = size of public key, N = size of private key
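The following added example (not from the text) implements the addition rules for prime curves from Section 10.3 in Python and uses them to reproduce every worked number in Sections 10.3 and 10.4: the 27 finite points of E_23(1, 1) and the sums (3, 10) + (9, 7) = (17, 20) and 2(3, 10) = (7, 12); the brute-force discrete logarithm k = 9 in E_23(9, 17); the Diffie-Hellman exchange over E_211(0, -4), where the code also finds that G = (2, 2) has order 241; and the encryption and decryption of P_m = (112, 26) over E_257(0, -4). The curves, points and keys are the text's; the class and function names (Curve, ecdh, ec_encrypt, ec_decrypt) and the use of None for the point at infinity are the example's own.

```python
# Added example, not from the textbook: arithmetic on prime curves E_p(a, b)
# (rules of Section 10.3), used to reproduce the worked examples of Sections
# 10.3 and 10.4: E_23(1, 1), the discrete logarithm in E_23(9, 17), Diffie-
# Hellman over E_211(0, -4) and encryption over E_257(0, -4).
# Points are (x, y) tuples; None stands for O, the point at infinity.

from math import isqrt

class Curve:
    """y^2 = x^3 + a x + b over Z_p with (4a^3 + 27b^2) mod p != 0."""

    def __init__(self, p, a, b):
        assert (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        if Q == self.neg(P):                # P + (-P) = O; also 2P when y_P = 0
            return None
        xp, yp = P
        xq, yq = Q
        if P == Q:                          # tangent: lambda = (3 x_P^2 + a) / (2 y_P)
            lam = (3 * xp * xp + self.a) * pow(2 * yp, -1, p) % p
        else:                               # chord: lambda = (y_Q - y_P) / (x_Q - x_P)
            lam = (yq - yp) * pow(xq - xp, -1, p) % p
        xr = (lam * lam - xp - xq) % p
        yr = (lam * (xp - xr) - yp) % p
        return (xr, yr)

    def mul(self, k, P):                    # k * P by right-to-left double-and-add
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):                       # all finite points; only sensible for small p
        return [(x, y) for x in range(self.p) for y in range(self.p) if self.contains((x, y))]

    def order(self, P):                     # smallest n > 0 with nP = O
        n, R = 1, P
        while R is not None:
            R, n = self.add(R, P), n + 1
        return n

    def hasse_ok(self, count):              # |N - (p + 1)| <= 2 sqrt(p), N counting O
        return abs(count - (self.p + 1)) <= isqrt(4 * self.p)

    def dlog(self, P, Q, limit):            # brute force: smallest k <= limit with kP = Q
        R = P
        for k in range(1, limit + 1):
            if R == Q:
                return k
            R = self.add(R, P)
        return None

def ecdh(curve, G, n_a, n_b):
    """Both sides of Figure 10.7: returns (P_A, P_B, K as computed by A, K as computed by B)."""
    P_A, P_B = curve.mul(n_a, G), curve.mul(n_b, G)
    return P_A, P_B, curve.mul(n_a, P_B), curve.mul(n_b, P_A)

def ec_encrypt(curve, G, P_B, P_m, k):
    """C_m = {kG, P_m + k P_B}; k must be fresh and random for every message."""
    return curve.mul(k, G), curve.add(P_m, curve.mul(k, P_B))

def ec_decrypt(curve, n_B, C):
    """P_m = C_2 - n_B C_1."""
    C1, C2 = C
    return curve.add(C2, curve.neg(curve.mul(n_B, C1)))

if __name__ == "__main__":
    E = Curve(23, 1, 1)
    pts = E.points()
    print(len(pts), "finite points on E_23(1, 1); Hasse bound holds:", E.hasse_ok(len(pts) + 1))
    print("(3,10) + (9,7) =", E.add((3, 10), (9, 7)), "; 2(3,10) =", E.add((3, 10), (3, 10)))
    print("k with k(16,5) = (4,5) on E_23(9,17):", Curve(23, 9, 17).dlog((16, 5), (4, 5), 50))
    E211 = Curve(211, 0, -4)
    print("order of (2,2) on E_211(0,-4):", E211.order((2, 2)), "; ECDH:", ecdh(E211, (2, 2), 121, 203))
    E257 = Curve(257, 0, -4)
    C = ec_encrypt(E257, (2, 2), E257.mul(101, (2, 2)), (112, 26), 41)
    print("ciphertext", C, "decrypts to", ec_decrypt(E257, 101, C))
```

The exhaustive point search and the brute-force logarithm are only feasible because p is tiny; for real curves only add, mul and the two protocol functions survive, and mul would be replaced by a constant-time ladder. Note that Curve.order reports 241 for G = (2, 2) on E_211(0, -4): 241 is prime, so every point other than O generates the whole group.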

10.5 PSEUDORANDOM NUMBER GENERATION BASED ON AN ASYMMETRIC CIPHER

We noted in Chapter 7 that because a symmetric block cipher produces an apparently random output, it can serve as the basis of a pseudorandom number generator (PRNG). Similarly, an asymmetric encryption algorithm produces apparently random output and can be used to build a PRNG. Because asymmetric algorithms are typically much slower than symmetric algorithms, asymmetric algorithms are not used to generate open-ended PRNG bit streams. Rather, the asymmetric approach is useful for creating a pseudorandom function (PRF) for generating a short pseudorandom bit sequence.

In this section, we examine two PRNG designs based on pseudorandom functions.

PRNG Based on RSA

For a sufficient key length, the RSA algorithm is considered secure and is a good candidate to form the basis of a PRNG. Such a PRNG, known as the Micali-Schnorr PRNG [MICA91], is recommended in the ANSI standard X9.82 (Random Number Generation) and in the ISO standard 18031 (Random Bit Generation).

The PRNG is illustrated in Figure 10.8. As can be seen, this PRNG has much the same structure as the output feedback (OFB) mode used as a PRNG (see Figure 7.4b and the portion of Figure 6.6a enclosed with a dashed box). In this case, the encryption algorithm is RSA rather than a symmetric block cipher. Also, a portion of the output is fed back to the next iteration of the encryption algorithm and the remainder of the output is used as pseudorandom bits. The motivation for this separation of the output into two distinct parts is so that the pseudorandom bits from one stage do not provide input to the next stage. This separation should contribute to forward unpredictability.

We can define the PRNG as follows.

Setup      Select p, q primes; n = pq; φ(n) = (p - 1)(q - 1). Select e such that gcd(e, φ(n)) = 1. These are the standard RSA setup selections (see Figure 9.5). In addition, let N = ⌊log_2 n⌋ + 1 (the bit length of n). Select r, k such that r + k = N.
Seed       Select a random seed x_0 of bit length r.
Generate   Generate a pseudorandom sequence of length k × m using the loop
             for i from 1 to m do
               y_i = x_{i-1}^e mod n
               x_i = r most significant bits of y_i
               z_i = k least significant bits of y_i
Output     The output sequence is z_1 || z_2 || ... || z_m.

[Figure 10.8 Micali-Schnorr Pseudorandom Bit Generator: the seed x_0 enters the first RSA encryption y_1 = x_0^e mod n; at each stage the r most significant bits of y_i become x_i, the input to the next encryption, and the k least significant bits become the output block z_i.]

The parameters n, r, e, and k are selected to satisfy the following six requirements.

1. n = pq                                  n is chosen as the product of two primes to have the cryptographic strength required of RSA.
2. 1 < e < φ(n); gcd(e, φ(n)) = 1          Ensures that the mapping s → s^e mod n is 1 to 1.
3. re ≥ 2N                                 Ensures that the exponentiation requires a full modular reduction.
4. r ≥ 2 × strength                        Protects against cryptographic attacks.
5. k, r are multiples of 8                 An implementation convenience.
6. k ≥ 8; r + k = N                        All bits are used.

The variable strength in requirement 4 is defined in NIST SP 800-90 as follows: A number associated with the amount of work (that is, the number of operations) required to break a cryptographic algorithm or system; a security strength is specified in bits and is a specific value from the set (112, 128, 192, 256) for this Recommendation. The amount of work needed is 2^strength.

There is clearly a tradeoff between r and k. Because RSA is computationally intensive compared to a block cipher, we would like to generate as many pseudorandom bits per iteration as possible and therefore would like a large value of k. However, for cryptographic strength, we would like r to be as large as possible.

For example, if e = 3 and N = 1024, then requirement 3 gives the inequality 3r ≥ 2048, yielding a minimum required size for r of 683 bits. For r set to that size, k = 341 bits are generated for each exponentiation (each RSA encryption). In this case, each exponentiation requires only one modular squaring of a 683-bit number and one modular multiplication. That is, we need only calculate (x_i × (x_i^2 mod n)) mod n.
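The generator and its six requirements are easy to state in code. The following added example (not from the text) implements the Micali-Schnorr loop exactly as defined above, derives r and k from N and e the way requirement 3 and requirement 5 dictate, and reports which requirements a given parameter set fails. The modulus is a toy built from the primes 65519 and 65537 (the example's own choice, both 2 mod 3 so that e = 3 is valid); with N = 32 it necessarily fails requirements 1 and 4 and offers no security at all, which is exactly what the check reports.

```python
# Added example, not from the textbook: a toy Micali-Schnorr generator built as
# the text defines it, plus a check of the six parameter requirements. The
# primes below are far too small for real use; requirements 1 and 4 fail on
# purpose so that the check has something to report.

from math import gcd

def ms_params(p, q, e):
    """Derive n, N = bit length of n, r (feedback bits) and k (output bits) for exponent e."""
    n = p * q
    N = n.bit_length()                         # floor(log2 n) + 1
    r = -(-2 * N // e)                         # smallest r with r*e >= 2N (requirement 3) ...
    r = -(-r // 8) * 8                         # ... rounded up to a multiple of 8 (requirement 5)
    k = N - r                                  # all remaining bits are output (requirement 6)
    return n, N, r, k

def check_requirements(p, q, e, r, k, strength):
    """Return the numbers (1..6, as in the text) of the requirements that FAIL."""
    n, phi = p * q, (p - 1) * (q - 1)
    N = n.bit_length()
    tests = {
        1: N >= 2048,                            # n strong enough for RSA (toy modulus: fails)
        2: 1 < e < phi and gcd(e, phi) == 1,     # s -> s^e mod n is a permutation
        3: r * e >= 2 * N,                       # every step needs a full modular reduction
        4: r >= 2 * strength,                    # feedback state large enough (toy: fails)
        5: r % 8 == 0 and k % 8 == 0,            # byte-aligned split of y_i
        6: k >= 8 and r + k == N,                # all bits of y_i are used
    }
    return [i for i, ok in tests.items() if not ok]

def micali_schnorr(n, e, r, k, seed, m):
    """m iterations of y_i = x_{i-1}^e mod n; x_i = top r bits of y_i, z_i = low k bits."""
    assert 0 < seed < (1 << r), "seed must be an r-bit value"
    x, out = seed, []
    for _ in range(m):
        y = pow(x, e, n)
        x = y >> k                             # r most significant bits of y_i (as an N-bit value)
        out.append(y & ((1 << k) - 1))         # k least significant bits of y_i
    return out

def to_bytes(blocks, k):
    """z_1 || z_2 || ... as a byte string (k is a multiple of 8 by requirement 5)."""
    return b"".join(z.to_bytes(k // 8, "big") for z in blocks)

if __name__ == "__main__":
    p, q, e = 65519, 65537, 3                  # toy primes, both 2 mod 3, so gcd(3, phi(n)) = 1
    n, N, r, k = ms_params(p, q, e)
    print("N =", N, "r =", r, "k =", k, "; failing requirements:", check_requirements(p, q, e, r, k, 128))
    print(to_bytes(micali_schnorr(n, e, r, k, seed=0xABCDEF, m=8), k).hex())
```

With N = 32 and e = 3 the derivation gives r = 24 and k = 8, so each RSA operation yields one output byte; the 1024-bit case of the text gives r = 683 rounded to 688 and k = 336 under the same byte-alignment rule. Requirement 4 is the one that matters in practice: r is the only secret state, and with r = 24 an attacker could simply try all 2^24 seeds.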

PRNG Based on Elliptic Curve Cryptography

In this subsection, we briefly summarize a technique developed by the U.S. National Security Agency (NSA) known as dual elliptic curve PRNG (DEC PRNG). This technique was recommended in NIST SP 800-90, the ANSI standard X9.82, and the ISO standard 18031. There has been some controversy regarding both the security and efficiency of this algorithm compared to other alternatives (e.g., see [SCHO06], [BROW07]).

[SCHO06] summarizes the algorithm as follows: Let P and Q be two known points on a given elliptic curve. The seed of the DEC PRNG is a random integer s_0 ∈ {0, 1, ..., #E(GF(p)) - 1}, where #E(GF(p)) denotes the number of points on the curve. Let x denote a function that gives the x-coordinate of a point of the curve. Let lsb_i(s) denote the i least significant bits of an integer s. The DEC PRNG transforms the seed into the pseudorandom sequence of length 240k, k > 0, as follows.

for i = 1 to k do
  Set s_i = x(s_{i-1} P)
  Set r_i = lsb_240(x(s_i Q))
end for
Return r_1, ..., r_k

The core of the security concern is the relationship between the two fixed points: anyone who knows an integer d with P = dQ can take a single 240-bit output block r_i, recover the point s_i Q from it (only 16 bits of its x-coordinate are missing), multiply by d to obtain s_i P, and thereby learn the next state s_{i+1} and every subsequent output. NIST withdrew the algorithm from SP 800-90A in 2015.

Given the security concerns expressed for this PRNG, the only motivation for its use would be that it is used in a system that already implements ECC but does not implement any other symmetric, asymmetric, or hash cryptographic algorithm that could be used to build a PRNG.

10.6 RECOMMENDED READING

A quite readable treatment of elliptic curve cryptography is [ROSI99]; the emphasis is on software implementation. Another readable, but rigorous, book is [HANK04]. There are also good but more concise descriptions in [KUMA98], [STIN06], and [KOBL94]. Two interesting survey treatments are [FERN99] and [JURI97].

FERN99 Fernandes, A. "Elliptic Curve Cryptography." Dr. Dobb's Journal, December 1999.
HANK04 Hankerson, D.; Menezes, A.; and Vanstone, S. Guide to Elliptic Curve Cryptography. New York: Springer, 2004.
JURI97 Jurisic, A., and Menezes, A. "Elliptic Curves and Cryptography." Dr. Dobb's Journal, April 1997.
KOBL94 Koblitz, N. A Course in Number Theory and Cryptography. New York: Springer-Verlag, 1994.
KUMA98 Kumanduri, R., and Romero, C. Number Theory with Computer Applications. Upper Saddle River, NJ: Prentice Hall, 1998.
ROSI99 Rosing, M. Implementing Elliptic Curve Cryptography. Greenwich, CT: Manning Publications, 1999.
STIN06 Stinson, D. Cryptography: Theory and Practice. Boca Raton, FL: CRC Press, 2006.

10.7 KEY TERMS, REVIEW QUESTIONS, AND PROBLEMS

Key Terms

abelian group
binary curve
cubic equation
Diffie-Hellman key exchange
discrete logarithm
elliptic curve
elliptic curve arithmetic
elliptic curve cryptography
finite field
man-in-the-middle attack
Micali-Schnorr
prime curve
primitive root
zero point


Review Questions
10.1 Briefly explain Diffie-Hellman key exchange.
10.2 What is an elliptic curve?
10.3 What is the zero point of an elliptic curve?
10.4 What is the sum of three points on an elliptic curve that lie on a straight line?

Problems
10.1 Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 11 and a primitive root α = 7.
a. If user A has private key XA = 5, what is A's public key YA?
b. If user B has private key XB = 12, what is B's public key YB?
c. What is the shared secret key?
10.2 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root α = 2.
a. Show that 2 is a primitive root of 11.
b. If user A has public key YA = 9, what is A's private key XA?
c. If user B has public key YB = 3, what is the secret key K shared with A?
10.3 In the Diffie-Hellman protocol, each participant selects a secret number x and sends the other participant α^x mod q for some public number α. What would happen if the participants sent each other x^α for some public number α instead? Give at least one method Alice and Bob could use to agree on a key. Can Eve break your system without finding the secret numbers? Can Eve find the secret numbers?
10.4 This problem illustrates the point that the Diffie-Hellman protocol is not secure without the step where you take the modulus; i.e., the "Indiscrete Log Problem" is not a hard problem! You are Eve and have captured Alice and Bob and imprisoned them. You overhear the following dialog.

Bob: Oh, let's not bother with the prime in the Diffie-Hellman protocol, it will make things easier.
Alice: Okay, but we still need a base α to raise things to. How about α = 3?
Bob: All right, then my result is 27.
Alice: And mine is 243.

What is Bob's private key XB and Alice's private key XA? What is their secret combined key? (Don't forget to show your work.)
10.5 Section 10.1 describes a man-in-the-middle attack on the Diffie-Hellman key exchange protocol in which the adversary generates two public-private key pairs for the attack. Could the same attack be accomplished with one pair? Explain.
10.6 Consider an Elgamal scheme with a common prime q = 11 and a primitive root α = 7.
a. If B has public key YB = 3 and A chooses the random integer k = 2, what is the ciphertext of M = 30?
b. If A now chooses a different value of k so that the encoding of M = 30 is C = (59, C2), what is the integer C2?
10.7 Rule (5) for doing arithmetic in elliptic curves over real numbers states that to double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = -S. If the tangent line is not vertical, there will be exactly one point of intersection. However, suppose the tangent line is vertical? In that case, what is the value 2Q? What is the value 3Q?
CHAPTER 14 / KEY MANAGEMENT AND DISTRIBUTION

No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman he would fear that some devil might take advantage of his weak state to slip into his body.
- The Golden Bough, Sir James George Frazer

"Suppose that Cadogan West wished to make his way into the building after hours; he would need three keys, would he not, before he could reach the papers?"
"Yes, he would. The key of the outer door, the key of the office, and the key of the
- The Adventure of the Bruce-Partington Plans, Sir Arthur Conan Doyle

LEARNING OBJECTIVES
After studying this chapter, you should be able to:
• Discuss the concept of a key hierarchy.
• Understand the issues involved in using asymmetric encryption to distribute symmetric keys.
• Present an overview of approaches to public-key distribution and analyze the risks involved in various approaches.
• List and explain the elements in an X.509 certificate.
• Present an overview of public-key infrastructure concepts.

The topics of cryptographic key management and cryptographic key distribution are complex, involving cryptographic, protocol, and management considerations. The purpose of this chapter is to give the reader a feel for the issues involved and a broad survey of the various aspects of key management and distribution. For more information, the place to start is the three-volume NIST SP 800-57, followed by the recommended readings listed at the end of this chapter.

14.1 SYMMETRIC KEY DISTRIBUTION USING SYMMETRIC ENCRYPTION

For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the key distribution technique, a term that refers to the means of delivering a key to two parties who wish to exchange data without allowing others to see the key.


For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a key. For link encryption, this is a reasonable requirement, because each link encryption device is going to be exchanging data only with its partner on the other end of the link. However, for end-to-end encryption over a network, manual delivery is awkward. In a distributed system, any given host or terminal may need to engage in exchanges with many other hosts and terminals over time. Thus, each device needs a number of keys supplied dynamically. The problem is especially difficult in a wide-area distributed system.
The scale of the problem depends on the number of communicating pairs that must be supported. If end-to-end encryption is done at a network or IP level, then a key is needed for each pair of hosts on the network that wish to communicate. Thus, if there are N hosts, the number of required keys is [N(N - 1)]/2. If encryption is done at the application level, then a key is needed for every pair of users or processes that require communication. Thus, a network may have hundreds of hosts but thousands of users and processes. Figure 14.1 illustrates the magnitude of the key distribution task for end-to-end encryption.1 A network using node-level encryption with 1000 nodes would conceivably need to distribute as many as half a million keys. If that same network supported 10,000 applications, then as many as 50 million keys may be required for application-level encryption.
Returning to our list, option 3 is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys will be revealed. Furthermore, the initial distribution of potentially millions of keys still must be made.
For end-to-end encryption, some variation on option 4 has been widely adopted. In this scheme, a key distribution center is responsible for distributing keys to pairs of users (hosts, processes, applications) as needed. Each user must share a unique key with the key distribution center for purposes of key distribution.
The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used (Figure 14.2). Communication between end systems is encrypted using a temporary key, often referred to as a session key. Typically, the session key is used for the duration of a logical connection, such as a frame relay connection or transport connection, and then discarded. Each session key is obtained from the key distribution center over the same networking facilities

1 Note that this figure uses a log-log scale, so that a linear graph indicates exponential growth. A basic review of log scales is in the math refresher document at the Computer Science Student Resource Site at WilliamStallings.com/StudentSupport.html

Figure 14.1 Number of Keys Required to Support Arbitrary Connections between Endpoints (x-axis: Number of endpoints; log-log scale)

Figure 14.2 The Use of a Key Hierarchy (Data; Session keys; Master keys; cryptographic protection; non-cryptographic protection)


used for end-user communication. Accordingly, session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user.
For each end system or user, there is a unique master key that it shares with the key distribution center. Of course, these master keys must be distributed in some fashion. However, the scale of the problem is vastly reduced. If there are N entities that wish to communicate in pairs, then, as was mentioned, as many as [N(N - 1)]/2 session keys are needed at any one time. However, only N master keys are required, one for each entity. Thus, master keys can be distributed in some non-cryptographic way, such as physical delivery.

A Key Distribution Scenario


The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in Figure 14.3, which is based on a figure in [POPE79]. The scenario assumes that each user shares a unique master key with the key distribution center (KDC).
Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur.
1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may be a

Figure 14.3 Key Distribution Scenario (Key Distribution Center (KDC), Initiator A, Responder B)

timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC. The message includes two items intended for A:
• The one-time session key, Ks, to be used for the session
• The original request message, including the nonce, to enable A to match this response with the appropriate request
Thus, A can verify that its original request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of some previous request.
In addition, the message includes two items intended for B:
• The one-time session key, Ks, to be used for the session
• An identifier of A (e.g., its network address), IDA
These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb).
At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:
4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.
5. Also, using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one).
These steps assure B that the original message it received (step 3) was not a replay.
Note that the actual key distribution involves only steps 1 through 3, but that steps 4 and 5, as well as step 3, perform an authentication function.
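The five-step scenario simulated with all three parties, as an added example that is not code from the textbook or from [POPE79]: the symmetric cipher is a stand-in (SHA-256 keystream plus an HMAC tag, so the script needs only the standard library, and it is not a production cipher), identifiers are 8-byte labels, nonces are 16 random bytes, and f(N2) = N2 + 1; the message layout is chosen here and is not specified by the text.

```python
import hashlib
import hmac
import os
import struct

KEY_LEN, ID_LEN, NONCE_LEN = 32, 8, 16     # byte lengths of keys, identifiers, nonces

def _keystream(key, iv, n):
    """SHA-256 counter-mode keystream (stand-in for a real block cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]

def enc(key, msg):
    """E(key, msg): random IV || msg XOR keystream || HMAC-SHA256 tag."""
    iv = os.urandom(16)
    body = bytes(m ^ s for m, s in zip(msg, _keystream(key, iv, len(msg))))
    return iv + body + hmac.new(key, iv + body, hashlib.sha256).digest()

def dec(key, blob):
    """D(key, blob); raises ValueError unless blob was produced under key."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("authentication tag check failed")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, iv, len(body))))

def f(nonce):
    """Step-5 transformation of N2: add one (mod 2^128)."""
    return ((int.from_bytes(nonce, "big") + 1) % (1 << 128)).to_bytes(NONCE_LEN, "big")

class KDC:
    def __init__(self, master_keys):
        self.master_keys = master_keys                 # {identifier: master key}

    def step2(self, request):
        """(2) E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ida, idb = request[:ID_LEN], request[ID_LEN:2 * ID_LEN]
        ks = os.urandom(KEY_LEN)
        ticket = enc(self.master_keys[idb], ks + ida)  # the part meant for B
        return enc(self.master_keys[ida], ks + request + ticket)

class Party:
    def __init__(self, ident, master_key):
        self.id, self.master_key = ident, master_key
        self.ks = self.pending = self.peer = self.n2 = None

    def step1(self, peer_id):                          # A: (1) IDA || IDB || N1
        self.pending = self.id + peer_id + os.urandom(NONCE_LEN)
        return self.pending

    def step3(self, reply):                            # A: check echo, keep Ks
        plain = dec(self.master_key, reply)
        split = KEY_LEN + len(self.pending)
        if plain[KEY_LEN:split] != self.pending:       # wrong N1: stale or altered
            raise ValueError("request/nonce mismatch in KDC reply")
        self.ks = plain[:KEY_LEN]
        return plain[split:]                           # ticket to forward to B

    def step5(self, challenge):                        # A: (5) E(Ks, f(N2))
        return enc(self.ks, f(dec(self.ks, challenge)))

    def accept_ticket(self, ticket):                   # B: (3) D(Kb, [Ks || IDA])
        plain = dec(self.master_key, ticket)
        self.ks, self.peer = plain[:KEY_LEN], plain[KEY_LEN:]

    def step4(self):                                   # B: (4) E(Ks, N2)
        self.n2 = os.urandom(NONCE_LEN)
        return enc(self.ks, self.n2)

    def verify(self, response):                        # B: response == f(N2)?
        return dec(self.ks, response) == f(self.n2)

def run_scenario():
    """Run steps 1-5; returns (Ks at A, Ks at B, IDA as seen by B, B's check)."""
    ka, kb = os.urandom(KEY_LEN), os.urandom(KEY_LEN)  # master keys shared with KDC
    ida, idb = b"A".ljust(ID_LEN), b"B".ljust(ID_LEN)
    kdc, a, b = KDC({ida: ka, idb: kb}), Party(ida, ka), Party(idb, kb)
    reply = kdc.step2(a.step1(idb))                    # (1) A -> KDC, (2) KDC -> A
    b.accept_ticket(a.step3(reply))                    # (3) A -> B
    response = a.step5(b.step4())                      # (4) B -> A, (5) A -> B
    return a.ks, b.ks, b.peer, b.verify(response)

def replay_is_rejected():
    """An old KDC reply replayed against a new request fails A's nonce check."""
    ka, kb = bytes(KEY_LEN), bytes(range(KEY_LEN))     # constructed master keys
    ida, idb = b"A".ljust(ID_LEN), b"B".ljust(ID_LEN)
    kdc, a = KDC({ida: ka, idb: kb}), Party(ida, ka)
    old_reply = kdc.step2(a.step1(idb))
    a.step1(idb)                                       # new request, fresh N1
    try:
        a.step3(old_reply)
    except ValueError:
        return True
    return False
```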

Hierarchical Key Control


It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established. For example, there can be local KDCs, each responsible for a small domain of the overall internetwork, such as a single LAN or a single building. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC. In this case, any one of the three KDCs involved can actually select the key. The hierarchical concept can be extended to three or even more layers, depending on the size of the user population and the geographic scope of the internetwork.
A hierarchical scheme minimizes the effort involved in master key distribution, because most master keys are those shared by a local KDC with its local entities. Furthermore, such a scheme limits the damage of a faulty or subverted KDC to its local area only.

Session Key Lifetime


The more frequently session keys are exchanged, the more secure they are, because the opponent has less ciphertext to work with for any given session key. On the other hand, the distribution of session keys delays the start of any exchange and places a burden on network capacity. A security manager must try to balance these competing considerations in determining the lifetime of a particular session key.
For connection-oriented protocols, one obvious choice is to use the same session key for the length of time that the connection is open, using a new session key for each new session. If a logical connection has a very long lifetime, then it would be prudent to change the session key periodically, perhaps every time the PDU (protocol data unit) sequence number cycles.
For a connectionless protocol, such as a transaction-oriented protocol, there is no explicit connection initiation or termination. Thus, it is not obvious how often one needs to change the session key. The most secure approach is to use a new session key for each exchange. However, this negates one of the principal benefits of connectionless protocols, which is minimum overhead and delay for each transaction. A better strategy is to use a given session key for a certain fixed period only or for a certain number of transactions.

A Transparent Key Control Scheme


The approach suggested in Figure 14.3 has many variations, one of which is described in this subsection. The scheme (Figure 14.4) is useful for providing end-to-end encryption at a network or transport level in a way that is transparent to the end users. The approach assumes that communication makes use of a connection-oriented end-to-end protocol, such as TCP. The noteworthy element of this approach is a session security module (SSM), which may consist of functionality at one protocol layer, that performs end-to-end encryption and obtains session keys on behalf of its host or terminal.
The steps involved in establishing a connection are shown in Figure 14.4. When one host wishes to set up a connection to another host, it transmits a connection-request packet (step 1). The SSM saves that packet and applies to the KDC for permission to establish the connection (step 2). The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using a unique permanent key for each SSM (step 3). The requesting SSM can now release the connection request packet, and a connection is set up between the two end systems (step 4). All user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key.
Figure 14.4 Automatic Key Distribution for Connection-Oriented Protocol (Key distribution center; Host; Application; Network. 1. Host sends packet requesting connection. 2. Security service buffers packet; asks KDC for session key. 3. KDC distributes session key to both hosts. 4. Buffered packet transmitted.)

The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.

Decentralized Key Control


The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from subversion. This requirement can be avoided if key distribution is fully decentralized. Although full decentralization is not practical for larger networks using symmetric encryption only, it may be useful within a local context.
A decentralized approach requires that each end system be able to communicate in a secure manner with all potential partner end systems for purposes of session key distribution. Thus, there may need to be as many as [n(n - 1)]/2 master keys for a configuration with n end systems.

Figure 14.5 Decentralized Key Distribution (Initiator A, Responder B; (1) Request || N1; (2) message encrypted under the shared master key Km; (3) E(Ks, f(N2)))

A session key may be established with the following sequence of steps (Figure 14.5).
1. A issues a request to B for a session key and includes a nonce, N1.
2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2.
3. Using the new session key, A returns f(N2) to B.
Thus, although each node must maintain at most (n - 1) master keys, as many session keys as required may be generated and used. Because the messages transferred using the master key are short, cryptanalysis is difficult. As before, session keys are used for only a limited time to protect them.

Controlling Key Usage


The concept of a key hierarchy and the use of automated key distribution techniques greatly reduce the number of keys that must be manually managed and distributed. It also may be desirable to impose some control on the way in which automatically distributed keys are used. For example, in addition to separating master keys from session keys, we may wish to define different types of session keys on the basis of use, such as
• Data-encrypting key, for general communication across a network
• PIN-encrypting key, for personal identification numbers (PINs) used in electronic funds transfer and point-of-sale applications
• File-encrypting key, for encrypting files stored in publicly accessible locations
To illustrate the value of separating keys by type, consider the risk that a master key is imported as a data-encrypting key into a device. Normally, the master key is physically secured within the cryptographic hardware of the key distribution center and of the end systems. Session keys encrypted with this master key are available to application programs, as are the data encrypted with such session keys. However, if a master key is treated as a session key, it may be possible for an unauthorized application to obtain plaintext of session keys encrypted with that master key.

Thus, it may be desirable to institute controls in systems that limit the ways in which keys are used, based on characteristics associated with those keys. One simple plan is to associate a tag with each key ([JONE82]; see also [DAVI89]). The proposed technique is for use with DES and makes use of the extra 8 bits in each 64-bit DES key. That is, the eight non-key bits ordinarily reserved for parity checking form the key tag. The bits have the following interpretation:
• One bit indicates whether the key is a session key or a master key.
• One bit indicates whether the key can be used for encryption.
• One bit indicates whether the key can be used for decryption.
• The remaining bits are spares for future use.
Because the tag is embedded in the key, it is encrypted along with the key when that key is distributed, thus providing protection. The drawbacks of this scheme are
1. The tag length is limited to 8 bits, limiting its flexibility and functionality.
2. Because the tag is not transmitted in clear form, it can be used only at the point of decryption, limiting the ways in which key use can be controlled.
A more flexible scheme, referred to as the control vector, is described in [MATY91a and b]. In this scheme, each session key has an associated control vector consisting of a number of fields that specify the uses and restrictions for that session key. The length of the control vector may vary.
The control vector is cryptographically coupled with the key at the time of key generation at the KDC. The coupling and decoupling processes are illustrated in Figure 14.6. As a first step, the control vector is passed through a hash function that produces a value whose length is equal to the encryption key length. Hash functions are discussed in detail in Chapter 11. In essence, a hash function maps values from a larger range into a smaller range with a reasonably uniform spread. Thus, for example, if numbers in the range 1 to 100 are hashed into numbers in the range 1 to 10, approximately 10% of the source values should map into each of the target values.
The hash value is then XORed with the master key to produce an output that is used as the key input for encrypting the session key. Thus,
Hash value = H = h(CV)
Key input = Km ⊕ H
Ciphertext = E([Km ⊕ H], Ks)

where Km is the master key and Ks is the session key. The session key is recovered in plaintext by the reverse operation:

D([Km ⊕ H], E([Km ⊕ H], Ks))

When a session key is delivered to a user from the KDC, it is accompanied by the control vector in clear form. The session key can be recovered only by using both the master key that the user shares with the KDC and the control vector. Thus, the linkage between the session key and its control vector is maintained.

Figure 14.6 Control Vector Encryption and Decryption. (a) Control vector encryption: Control vector, Master key, Session key; hash function; encryption function; Encrypted session key. (b) Control vector decryption: Control vector, Master key, Encrypted session key; hash function; decryption function; Session key.

Use of the control vector has two advantages over use of an 8-bit tag. First, there is no restriction on length of the control vector, which enables arbitrarily complex controls to be imposed on key use. Second, the control vector is available in clear form at all stages of operation. Thus, control of key use can be exercised in multiple locations.
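The control-vector coupling of the preceding pages and the 8-bit DES key tag it improves on, as an added example that is not code from the textbook, [JONE82] or [MATY91a and b]: h() is SHA-256, E()/D() is a stand-in keystream XOR so the script needs only the standard library, the control-vector field names are constructed, and the assignment of the three tag flags to particular parity-bit positions is an assumption made here (the text fixes only their meanings).

```python
import hashlib

KEY_LEN = 32        # bytes; Km and Ks are both this long for the toy cipher

def h(cv: bytes) -> bytes:
    """Hash the variable-length control vector down to the key length."""
    return hashlib.sha256(cv).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in cipher: XOR the 32-byte block with a key-derived keystream."""
    return xor(block, hashlib.sha256(b"stand-in keystream|" + key).digest())

D = E   # a keystream XOR is its own inverse

def couple(km: bytes, cv: bytes, ks: bytes) -> bytes:
    """KDC side: Ciphertext = E([Km XOR h(CV)], Ks)."""
    return E(xor(km, h(cv)), ks)

def decouple(km: bytes, cv: bytes, ciphertext: bytes) -> bytes:
    """User side: Ks = D([Km XOR h(CV)], Ciphertext); needs Km AND the clear CV."""
    return D(xor(km, h(cv)), ciphertext)

def control_vector_demo():
    """Recover Ks with the right CV; a CV edited in transit yields a different key."""
    km = bytes(range(KEY_LEN))                          # constructed master key
    ks = hashlib.sha256(b"constructed session key").digest()
    cv = b"type=session;encrypt=1;decrypt=0;expires=2025-01-01"   # constructed fields
    ct = couple(km, cv, ks)
    with_right_cv = decouple(km, cv, ct)
    with_edited_cv = decouple(km, cv.replace(b"decrypt=0", b"decrypt=1"), ct)
    return with_right_cv == ks, with_edited_cv == ks     # (True, False)

# The older 8-bit key tag: one flag per parity-bit position (least significant
# bit of each byte) of a 64-bit DES key. Which byte carries which flag is an
# assumption made here: byte 0 master, byte 1 encrypt, byte 2 decrypt, rest spare.
def tag_des_key(key8: bytes, is_master: bool, can_encrypt: bool, can_decrypt: bool) -> bytes:
    flags = [is_master, can_encrypt, can_decrypt] + [False] * 5
    return bytes((b & 0xFE) | int(flag) for b, flag in zip(key8, flags))

def read_des_tag(key8: bytes) -> dict:
    return {"master": key8[0] & 1, "encrypt": key8[1] & 1, "decrypt": key8[2] & 1}
```

Editing one field of the clear control vector changes h(CV), so the user's key input Km ⊕ H no longer matches the one the KDC used and the recovered "session key" is garbage; that is how the clear-text vector stays bound to the key it travels with.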

14.2 SYMMETRIC KEY DISTRIBUTION USING ASYMMETRIC ENCRYPTION

Because of the inefficiency of public-key cryptosystems, they are almost never used for the direct encryption of sizable blocks of data, but are limited to relatively small blocks. One of the most important uses of a public-key cryptosystem is to encrypt secret keys for distribution. We see many specific examples of this in Part Five. Here, we discuss general principles and typical approaches.

Simple Secret Key Distribution


An extremely simple scheme was put forward by Merkle [MERK79], as illustrated in Figure 14.7. If A wishes to communicate with B, the following procedure is employed:
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, which is encrypted with A's public key.

Figure 14.7 Simple Use of Public-Key Encryption to Establish a Session Key ((1) PUa || IDA; (2) E(PUa, Ks))

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.
A and B can now securely communicate using conventional encryption and the session key Ks. At the completion of the exchange, both A and B discard Ks. Despite its simplicity, this is an attractive protocol. No keys exist before the start of the communication and none exist after the completion of communication. Thus, the risk of compromise of the keys is minimal. At the same time, the communication is secure from eavesdropping.
The protocol depicted in Figure 14.7 is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message (see Figure 1.3c). Such an attack is known as a man-in-the-middle attack [RIVE84]. We saw this type of attack in Chapter 10 (Figure 10.2). In the present case, if an adversary, D, has control of the intervening communication channel, then D can compromise the communication in the following fashion without being detected (Figure 14.8).
1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2. D intercepts the message, creates its own public/private key pair {PUd, PRd} and transmits PUd || IDA to B.
3. B generates a secret key, Ks, and transmits E(PUd, Ks).
4. D intercepts the message and learns Ks by computing D(PRd, E(PUd, Ks)).
5. D transmits E(PUa, Ks) to A.
The result is that both A and B know Ks and are unaware that Ks has also been revealed to D. A and B can now exchange messages using Ks. D no longer actively interferes with the communications channel but simply eavesdrops. Knowing Ks, D can decrypt all messages, and both A and B are unaware of the problem. Thus, this simple protocol is only useful in an environment where the only threat is eavesdropping.

Secret Key Distribution with Confidentiality and Authentication
Figure 14.9, based on an approach suggested in [NEED78], provides protection against both active and passive attacks. We begin at a point when it is assumed that A and B have exchanged public keys by one of the schemes described subsequently in this chapter. Then the following ste ps occur.

Figure 14.8 Another Man-in-the-Middle Attack (Alice, Darth, Bob. Alice: private key PRa, public key PUa; sends PUa, IDA. Darth: private key PRd, public key PUd; sends PUd, IDA. Bob: private key PRb, public key PUb, secret key Ks. Ks = D(PRd, E(PUd, Ks)). Alice, Bob, and Darth share Ks.)

Figure 14.9 Public-Key Distribution of Secret Keys (Initiator A, Responder B. (1) E(PUb, [N1 || IDA]); (2) E(PUa, [N1 || N2]); (3) E(PUb, N2); (4) E(PUb, E(PRa, Ks)))

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
The result is that this scheme ensures both confidentiality and authentication in the exchange of a secret key.

A Hybrid Scheme
Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public-key scheme is used to distribute the master keys. The following rationale is provided for using this three-level approach:
• Performance: There are many applications, especially transaction-oriented applications, in which the session keys change frequently. Distribution of session keys by public-key encryption could degrade overall system performance because of the relatively high computational load of public-key encryption and decryption. With a three-level hierarchy, public-key encryption is used only occasionally to update the master key between a user and the KDC.
• Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC scheme with minimal disruption or software changes.
The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is an advantage in a configuration in which a single KDC serves a widely distributed set of users.

14.3 DISTRIBUTION OF PUBLIC KEYS

Several techniques have been proposed for the distribution of public keys. Virtually all these proposals can be grouped into the following general schemes:
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates

Figure 14.10 Uncontrolled Public-Key Distribution

Public Announcement of Public Keys


On the face of it, the point of public-key encryption is that the public key is public. Thus, if there is some broadly accepted public-key algorithm, such as RSA, any participant can send his or her public key to any other participant or broadcast the key to the community at large (Figure 14.10). For example, because of the growing popularity of PGP (pretty good privacy, discussed in Chapter 19), which makes use of RSA, many PGP users have adopted the practice of appending their public key to messages that they send to public forums, such as USENET newsgroups and Internet mailing lists.
Although this approach is convenient, it has a major weakness. Anyone can forge such a public announcement. That is, some user could pretend to be user A and send a public key to another participant or broadcast such a public key. Until such time as user A discovers the forgery and alerts other participants, the forger is able to read all encrypted messages intended for A and can use the forged keys for authentication (see Figure 9.3).

Publicly Available Directory


A greater degree of security can be achieved by maintaining a publicly available
dynamic directory of public keys. Maintenance and distribution of the public
directory would have to be the responsibility of some trusted entity or organization
(Figure 14.11). Such a scheme would include the following elements:
1. The authority maintains a directory with a {name, public key} entry for each
participant.
2. Each participant registers a public key with the directory authority.
Registration would have to be in person or by some form of secure authenticated
communication.
3. A participant may replace the existing key with a new one at any time, either
because of the desire to replace a public key that has already been used for a
large amount of data, or because the corresponding private key has been
compromised in some way.
4. Participants could also access the directory electronically. For this purpose,
secure, authenticated communication from the authority to the participant is
mandatory.

Figure 14.11 Public-Key Publication

This scheme is clearly more secure than individual public announcements
but still has vulnerabilities. If an adversary succeeds in obtaining or computing the
private key of the directory authority, the adversary could authoritatively pass out
counterfeit public keys and subsequently impersonate any participant and
eavesdrop on messages sent to any participant. Another way to achieve the same end is
for the adversary to tamper with the records kept by the authority.

Public-Key Authority
Stronger security for public-key distribution can be achieved by providing
tighter control over the distribution of public keys from the directory. A typical
scenario is illustrated in Figure 14.12, which is based on a figure in [POPE79].
As before, the scenario assumes that a central authority maintains a dynamic
directory of public keys of all participants. In addition, each participant reliably
knows a public key for the authority, with only the authority knowing the
corresponding private key. The following steps (matched by number to Figure 14.12)
occur.
1. A sends a timestamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the
authority's private key, PR_auth. Thus, A is able to decrypt the message using the
authority's public key. Therefore, A is assured that the message originated
with the authority. The message includes the following:
• B's public key, PU_b, which A can use to encrypt messages destined for B
• The original request, used to enable A to match this response with the
corresponding earlier request and to verify that the original request was not
altered before reception by the authority
• The original timestamp, given so A can determine that this is not an old
message from the authority containing a key other than B's current
public key


Figure 14.12 Public-Key Distribution Scenario (Initiator A, Public-Key Authority, Responder B):
(1) A to Authority: Request || T1
(2) Authority to A: E(PR_auth, [PU_b || Request || T1])
(3) A to B: E(PU_b, [ID_A || N1])
(4) B to Authority: Request || T2
(5) Authority to B: E(PR_auth, [PU_a || Request || T2])

3. A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A (ID_A) and a nonce (N1), which is used to identify this
transaction uniquely.
4, 5. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are desirable:
6. B sends a message to A encrypted with PU_a and containing A's nonce (N1)
as well as a new nonce generated by B (N2). Because only B could have
decrypted message (3), the presence of N1 in message (6) assures A that the
correspondent is B.
7. A returns N2, which is encrypted using B's public key, to assure B that its
correspondent is A.
Thus, a total of seven messages are required. However, the initial five
messages need be used only infrequently because both A and B can save the other's
public key for future use, a technique known as caching. Periodically, a user should
request fresh copies of the public keys of its correspondents to ensure currency.

Public-Key Certificates
The scenario of Figure 14.12 is attractive, yet it has some drawbacks. The public-key
authority could be somewhat of a bottleneck in the system, for a user must appeal
to the authority for a public key for every other user that it wishes to contact. As
before, the directory of names and public keys maintained by the authority is
vulnerable to tampering.

An alternative approach, first suggested by Kohnfelder [KOHN78], is to use
certificates that can be used by participants to exchange keys without contacting a
public-key authority, in a way that is as reliable as if the keys were obtained directly
from a public-key authority. In essence, a certificate consists of a public key, an
identifier of the key owner, and the whole block signed by a trusted third party.
Typically, the third party is a certificate authority, such as a government agency or a
financial institution, that is trusted by the user community. A user can present his or
her public key to the authority in a secure manner and obtain a certificate. The user
can then publish the certificate. Anyone needing this user's public key can obtain
the certificate and verify that it is valid by way of the attached trusted signature.
A participant can also convey its key information to another by transmitting its
certificate. Other participants can verify that the certificate was created by the
authority. We can place the following requirements on this scheme:


1. Any participant can read a certificate to determine the name and public key of
the certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.
These requirements are satisfied by the original proposal in [KOHN78]. Denning
[DENN83] added the following additional requirement:
4. Any participant can verify the currency of the certificate.
A certificate scheme is illustrated in Figure 14.13. Each participant applies
to the certificate authority, supplying a public key and requesting a certificate.
Application must be in person or by some form of secure authenticated
communication. For participant A, the authority provides a certificate of the form
C_A = E(PR_auth, [T || ID_A || PU_a])
where PR_auth is the private key used by the authority and T is a timestamp. A may
then pass this certificate on to any other participant, who reads and verifies the
certificate as follows:
D(PU_auth, C_A) = D(PU_auth, E(PR_auth, [T || ID_A || PU_a])) = (T || ID_A || PU_a)
The recipient uses the authority's public key, PU_auth, to decrypt the certificate.
Because the certificate is readable only using the authority's public key, this verifies
that the certificate came from the certificate authority. The elements ID_A and PU_a
provide the recipient with the name and public key of the certificate's holder. The
timestamp T validates the currency of the certificate. The timestamp counters the
following scenario. A's private key is learned by an adversary. A generates a new
private/public key pair and applies to the certificate authority for a new certificate.
Meanwhile, the adversary replays the old certificate to B. If B then encrypts
messages using the compromised old public key, the adversary can read those messages.
In this context, the compromise of a private key is comparable to the loss of a
credit card. The owner cancels the credit card number but is at risk until all possible
communicants are aware that the old credit card is obsolete. Thus, the timestamp
serves as something like an expiration date. If a certificate is sufficiently old, it is
assumed to be expired.

Figure 14.13 Exchange of Public-Key Certificates: (a) Obtaining certificates from CA; (b) Exchanging certificates

One scheme has become universally accepted for formatting public-key
certificates: the X.509 standard. X.509 certificates are used in most network security
applications, including IP security, transport layer security (TLS), and S/MIME, all
of which are discussed in Part Five. X.509 is examined in detail in the next section.
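The public-key authority exchange of Figure 14.12 (messages 1 to 7, with the echoed request and timestamp checks of step 2) and the certificate C_A of Figure 14.13 (authority signature plus timestamp currency, including the replayed-old-certificate scenario) are modelled together in the following added Python example. It is not the textbook's code and not a real implementation: E(PR_auth, [...]) is stood in for by a toy textbook-RSA signature over a SHA-256 digest with no padding, the key pairs are built from fixed, well-known Mersenne primes so the script runs offline, and the '|'-separated message layout, the names Authority, check_authority_reply, verify_certificate, run_exchange and certificate_demo, and the max_age windows are all this example's own assumptions.

```python
"""Toy model of the public-key authority exchange (Figure 14.12) and of the
certificate C_A of Figure 14.13. Added example, not the textbook's code. It
uses textbook RSA (hash-then-sign, no padding) purely so that the message flow
and the freshness checks are concrete; it is not usable cryptography."""
import hashlib
import secrets
import time

# Fixed Mersenne primes so the example runs offline and deterministically;
# a real system generates fresh random primes for every key pair.
MERSENNE = {"auth": (127, 521), "A": (607, 1279), "B": (2203, 2281)}
E = 65537

def keypair(who):
    p, q = (2**k - 1 for k in MERSENNE[who])
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def h(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def sign(priv, msg):       # the text's E(PR_auth, [...]): sign the whole block
    n, d = priv
    return pow(h(msg), d, n)

def verify(pub, msg, sig): # the text's D(PU_auth, ...): recover and compare
    n, e = pub
    return pow(sig, e, n) == h(msg)

def encrypt(pub, msg):
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "toy RSA: message must be shorter than the modulus"
    return pow(m, e, n)

def decrypt(priv, c):
    m = pow(c, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

class Authority:
    """Keeps the {name: public key} directory; signs replies and certificates."""
    def __init__(self):
        self.pub, self._priv = keypair("auth")
        self.directory = {}   # filled in person / over an authenticated channel
    def lookup(self, request):        # (2): E(PR_auth, [PU_b || Request || T1])
        n, e = self.directory[request.split(b"|")[1].decode()]
        body = b"%d|%d|%s" % (n, e, request)
        return body, sign(self._priv, body)
    def certify(self, name, pub, t):  # C_A = E(PR_auth, [T || ID_A || PU_a])
        body = b"%d|%s|%d|%d" % (t, name.encode(), pub[0], pub[1])
        return body, sign(self._priv, body)

def check_authority_reply(auth_pub, request, reply, max_age=60):
    """The checks A performs on message (2) before trusting the key inside."""
    body, sig = reply
    n, e, echoed = body.split(b"|", 2)
    if not verify(auth_pub, body, sig):
        raise ValueError("reply was not signed by the authority")
    if echoed != request:             # our request, echoed back unaltered
        raise ValueError("echoed request does not match the one we sent")
    if abs(time.time() - int(request.rsplit(b"|", 1)[1])) > max_age:
        raise ValueError("stale reply: timestamp too old")
    return int(n), int(e)

def verify_certificate(auth_pub, cert, now, max_age):
    """Recipient's check of C_A: authority signature, then currency of T."""
    body, sig = cert
    if not verify(auth_pub, body, sig):
        raise ValueError("certificate was not issued by the authority")
    t, name, n, e = body.split(b"|")
    if now - int(t) > max_age:        # the timestamp acts as an expiration date
        raise ValueError("certificate has expired")
    return name.decode(), (int(n), int(e))

def run_exchange():
    """Messages (1)-(7) of Figure 14.12; returns (A trusts B, B trusts A)."""
    auth, (pub_a, priv_a), (pub_b, priv_b) = Authority(), keypair("A"), keypair("B")
    auth.directory.update({"A": pub_a, "B": pub_b})
    req1 = b"REQ|B|%d" % int(time.time())                                     # (1)
    pub_b_seen = check_authority_reply(auth.pub, req1, auth.lookup(req1))      # (2)
    n1 = secrets.token_hex(8).encode()
    ident, n1_seen = decrypt(priv_b, encrypt(pub_b_seen, b"A|" + n1)).split(b"|")  # (3)
    req4 = b"REQ|%s|%d" % (ident, int(time.time()))                           # (4)
    pub_a_seen = check_authority_reply(auth.pub, req4, auth.lookup(req4))      # (5)
    n2 = secrets.token_hex(8).encode()
    n1_back, n2_seen = decrypt(priv_a, encrypt(pub_a_seen, n1_seen + b"|" + n2)).split(b"|")  # (6)
    n2_back = decrypt(priv_b, encrypt(pub_b_seen, n2_seen))                    # (7)
    return n1_back == n1, n2_back == n2

def certificate_demo(max_age=3600):
    """Issue and verify C_A, then reject a replayed certificate that is too old."""
    auth, (pub_a, _) = Authority(), keypair("A")
    now = int(time.time())
    name, pub_seen = verify_certificate(auth.pub, auth.certify("A", pub_a, now), now, max_age)
    old_cert = auth.certify("A", pub_a, now - 10 * max_age)  # issued before A re-keyed
    try:
        verify_certificate(auth.pub, old_cert, now, max_age)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return name == "A" and pub_seen == pub_a, stale_rejected
```

run_exchange() returns (True, True) when both nonce checks of steps 6 and 7 succeed, and certificate_demo() returns (True, True) when a fresh C_A verifies and a replay of an older certificate for A is refused on the timestamp alone. The two points the text stresses are visible in check_authority_reply: the reply is trusted only if it carries the authority's signature and echoes A's own timestamped request unaltered, and in verify_certificate the timestamp T is what turns a valid signature into a still-current key.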

14.4 X.509 CERTIFICATES

ITU-T recommendation X.509 is part of the X.500 series of recommendations that
define a directory service. The directory is, in effect, a server or distributed set
of servers that maintains a database of information about users. The information
includes a mapping from user name to network address, as well as other attributes
and information about the users.
X.509 defines a framework for the provision of authentication services by the
X.500 directory to its users. The directory may serve as a repository of public-key
certificates of the type discussed in Section 14.3. Each certificate contains the public
key of a user and is signed with the private key of a trusted certification authority.
In addition, X.509 defines alternative authentication protocols based on the use of
public-key certificates.
