Documente Academic
Documente Profesional
Documente Cultură
key or to sign a message which can then be responsible for ensuring that the correct key
verified with the public key. is bound to the certificate, as well as
ensuring the certificate content.
The main difference between the two
Registration authority (RA): The RA is
variants of asymmetric cryptography that
responsible for ensuring that the user who
we focus on here is in the generation of the
receives the certificate is a legitimate user
keys. In traditional asymmetric
within the system. The functionality of the
mechanisms, which underpin most PKI
CA and RA is sometimes carried out by a
products on the market today, the key pair
single entity.
is generated from random information that
Certificate storage: In most systems,
is unrelated to the method identifying that
certificates (as well as update information
key pair within the system. As such, there is
such as certificate revocation lists) are
a requirement for a certificate to bind the
stored in a CA-managed database.
public key to its particular use.
Software: For the certificates to be of
In contrast, the key pair in an ID-PKC use, the software that is going to use the
environment is generated explicitly from certificates needs to be aware of what the
data that is of relevance to the usage of the certificate content represents within the
key. For example, a user’s encryption and scope of the system security policy.
decryption keys may be derived from their Policies and procedures: Although the
identity within the system in which they are core of a PKI is mainly technical, there is,
to be used. by necessity, a strong requirement for
We expand our review of PKI and ID- ensuring that the mechanisms are used
PKC in Subsections 2.1 and 2.2, respectively. correctly. The certificate policy (CP) and
We conclude our technological overview in certification practice statements (CPS)
Subsection 2.3 with a discussion of how the define the how the certificates are generated
security policies that make use of these keys and managed. They also define the role of
can reflect the underlying technology. the certificates within the broader security
architecture.
2.1. Public key infrastructures In a traditional PKI, one can choose
Public key infrastructures (PKIs) are where the key pair is generated. The keys
currently the primary means of deploying can either be generated by the CA for the
asymmetric cryptography. In this paper, client or the client can generate the keys for
when discussing PKIs we are referring to itself and provide a copy of the public key
infrastructures that support the deployment to the CA to certify. The choice of
of traditional asymmetric cryptographic mechanism will largely be dictated by the
algorithms, such as RSA [2]. Because of the security policy of the system. It will also be
inherent public nature of the encryption or influenced by the key usage. If a signature
verification keys, the integrity of the public key is likely to be used to support non-
keys is usually protected with a certificate. repudiation, then it is better that the key is
The PKI is the infrastructure that supports generated by the client. In the case of a
the management of keys and certificates.
decryption key that is used to keep
As well as the keys and certificates, the company information confidential, it might
core components of a PKI are: be prudent to have the CA generate (or have
Certificate authority (CA): The CA is the access to) the key so that there is always a
entity that generates the certificates. It is means of recovering encrypted information.
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
the key pair prior to the public key’s use. 3 Architectural issues
For example, A might use information it ID-PKC was introduced as a means of
thinks is valid to generate a public key for circumventing the difficulties associated
B, but the information A uses could either with certificate management within PKIs.
relate to the wrong B or be completely This has led to a difference in the way the
invalid in the eyes of the TA. two proposed mechanisms are architected.
In this section we briefly look at the way in
2.3. Policy interaction which this might affect the choices that are
In closing the discussion in this section made when deciding between the two as a
we will outline what we see as one of the security architecture.
main questions to be answered when
deciding whether a system should use PKI In the following list, we outline the
or ID-PKC as its cryptographic mechanism. architectural issues as we see them:
This is: how do the security policies of the • On first inspection, there appears to be
communicating parties interact with those a potential for ID-PKC to develop more
of either the CA or the TA? lightweight implementations at the client
end. This is due to the lack of a
As mentioned previously, because the requirement for storing separate
TA is explicitly in charge of the generation certification, identification and keying
of the private keys in an ID-PKC system, it information. Provided that the authenticity
can verify its security policy each time it of such information could be verified, this
hands out a new private key to a client. In could be useful for scenarios such as mobile
the case of the CA in a PKI, the policy is systems, where knowing the identity of the
verified at the time of certification, but it other contact point in an interaction could
is generally left up to the client encrypting be enough to generate keying information
the information to verify the certificate on the fly.
content in the light of its own security • It would appear that a PKI would be
policy. the implementation of choice in a widely
distributed system. The ability of clients to
While neither of these design principles
generate their own key pairs to be certified
is strict — we could, for example, mimic
by a CA that need not be directly in their
the requirement to always fetch a new key
security domains could provide benefits in
from a TA within a PKI — the way in which
some scenarios. For example, the use of
the information flows through the system is
third-party CAs to certify SSL server keys
an important consideration when deciding
would be difficult to replace using ID-PKC.
which mechanism to use.
The key escrow facility inherent in ID-PKC
Expanding on the example given above, it would probably not sit well with a
would seem more natural to implement an corporation that wishes to secure its
ID-PKC for short-term keys where the Internet gateway using an SSL-enabled
policy at the TA might change regularly. server.
Conversely, it would seem sensible to use a • Within systems where the security is
PKI either in a widely distributed heavily centralised (i.e. where all users must
environment or in an environment where trust the CA/TA explicitly anyway), there
the individual policy of each client plays a doesn’t seem to be a great deal of difference
significant role in the policy of the system between PKI and ID-PKC. The choice of
as a whole. which mechanism to implement is likely to
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
come down to how the protocols that use way in which they manage keys. We
those mechanisms fit in the wider separate our discussion into three topics:
architecture of the system. This is similar to generation of public keys, generation of
the situation where there is often little to private keys, and revocation of keys.
choose between a symmetric and an
When discussing the generation of keys
asymmetric system in applications where
we concentrate on the following four
non-repudiation is not a concern.
questions: Who generates the keys? When
• In distributed systems where it is
are the keys generated? Where are the keys
difficult to manage a revocation mechanism
generated? and How are the keys generated?
(e.g. mobile systems), one way in which
PKIs aim to deal with the problem is to use
4.1. Generation of public keys
short-lived certificates. This might be
In this section we look at the generation
addressed more efficiently using ID-PKC, as
of the public halves of the key pairs and
the system would only require partial
how that might affect the design of a
synchrony for the sender to generate a
security service built on top of them.
currently valid key for the recipient.
• One of the proposed benefits of PKIs is In terms of the questions that we ask
that they can be organised into hierarchies with regard to key generation, here are the
that reflect the internal structure of a large differences between public key generation in
organisation or group of organisations. the two schemes:
While this might seem to provide an • Within a PKI, the public key is
advantage for PKIs, recent work by Gentry generated at the same time as the private
and Silverberg [5] develops mechanisms for key. This limits the creation of the public
implementing similar hierarchies in an ID- key to either the CA or the client. Within an
PKC context. ID-PKC, the public key can be generated by
• An area where PKI seems to have a any client within the system. Moreover, the
distinct advantage over ID-PKC is in the public key can be chosen by any client in
consequences of the compromise of the the system. It is then incumbent on the
CA/TA. While the compromise of a CA is other party to obtain the matching private
disastrous to the future secure running of the key from the TA; this is the essence of
system, if the system has been designed identifier-based PKC.
carefully then all past encrypted traffic is still • Within a PKI, the keys are generated
secure. If the TA within an ID-PKC system is prior to the issuance of a certificate. The
compromised and the master secret revealed, validity of the binding between the public
by the very fact that the attacker now knows and private keys should be checked by the
the secret from which all keys are derived, CA before issuing the certificate. Within an
the attacker can now decrypt all previously ID-PKC, because of the separation between
encrypted information. The same would be generation of private and public keys, a
true of signature keys. As a result, any public key can be generated at a different
signature on a document that had not been time to the private key, and hence also at a
independently time-stamped could be called different time to the validation of the
into question. issuance of the private key.
• Within a PKI, the public key is either
4 Key management generated at the CA or by a process which
In this section, we analyse the differences the client deems to be trustworthy. In an ID-
between PKI and ID-PKC by examining the PKC, the public key is generated at the site
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
implementation for digital signatures that also be used. If a long-term key is used,
might want to offer non-repudiation. Boneh there seems to be little difference between
and Franklin [4] have proposed a means of the two schemes. The main difference
circumventing the escrow problem by using comes to light when we consider the
multiple TAs and threshold cryptography. creation of session-oriented private keys
Collusion between independent TAs would whose release is managed by the TA, as in
then be required for a copy of the private the work of Chen et al [6].
key to be generated.
Signature
While the notion of who generates and
For ID-PKC, the private key is generated
controls the key is of interest to those in the
by the TA and given to the client. Because
academic community, it is also becoming an
signature schemes should normally uniquely
important issue for those running signature
identify the creator of the signature, the
applications. The EU Directive on
inherent key escrow in ID-PKC makes it a
Electronic Signatures [7] states that a key
less attractive choice. For PKI, the key is
that is used as an Advanced Electronic
generated by either the CA or the client.
Signature should be under the sole control
This ability to choose who generates the
of the individual named in the qualified
private key offers PKI an advantage in terms
certificate.
of flexibility over ID-PKC. A proposed
Before entering further into the benefit of ID-PKC over PKI — the
discussion of the relative merits between separation between the public and private
PKI and ID-PKC in this area, we note that key generation — does not immediately
our discussion in Section 6 outlines recent appear to be of use here, as we discussed in
research that could potentially be used to Subsection 4.1.
overcome the drawbacks of private key
We now discuss some of the issues raised
generation in ID-PKC schemes.
when analysing the differences between the
We now analyse the differences in private management of keys in ID-PKC and PKI:
key generation for ID-PKC and PKI. We do • It would appear that, in an ID-PKC
this by separately considering encryption implementation, the TA needs to retain a
and signatures. database of every ID to which a key has
been issued under the current system
Encryption parameters. Otherwise, there is potential
For ID-PKC, the private key needs to be for the following scenario to arise. A key
provided to the decrypting party by the TA. could be generated, used, and either
Whether this key will be fresh for this revoked or removed at the end of its natural
particular session/message depends on life-cycle. At some point in the future,
whether the client generating the ciphertext another client could request a key with the
used a long-term or a short-term public key. same ID, perhaps with a legitimate reason
This is a policy decision that is influenced (e.g. the users share a common name). The
by the system security policy in conjunction two users will now share the same
with the policy of the client carrying out public/private key pair. At first glance it
the encryption. For PKI, the public would appear that a similar problem was
encryption key that is used is usually the inherent in PKI, in that the same ID could
client’s long-term key bound to their be certified, but there is a difference. In ID-
certificate, although a short-term key could PKC, because of the inherent link between
ID and public key, the keys will actually be an identity for which the TA will not release
the same. In a PKI implementation, the keys the corresponding private key. This could
are generated separately and usually using leave the intended recipient unable to read
some client-controlled randomness. This vital information, or result in the need for
means that the keys will almost certainly be manual intervention and override. Such
different, even if the identities are the same. intervention may not be convenient if, say,
• A related issue is raised if we consider the private key generation is done in a
the standard ID-PKC solution to the above hardware security module.
problem. This is to include, as part of the
4.3. Revocation
identity, additional detail such as date of
Revocation is one of the main difficulties
birth, position in the organisation etc. The
faced by implementers of PKIs. While ID-
more worried one is about duplication
PKC does not have a certificate per se, the
within the system, the more the content of
issue of how to manage the
the identity starts to mirror the content of
identity/identifier relevant to a particular
the certificate in a PKI. Where does this
public key has so far received very little
leave us? The client must now contend
attention. This problem is analogous to the
with two issues when generating another
problem of certificate management in a
client’s public key. What is the correct form
PKI. In this section we will argue that
in which the identity should be created?
revocation could potentially become as
What is the content of each field type, such
great a concern for ID-PKC as it currently is
that the TA will give the corresponding
for PKI.
private key to the correct recipient? By
going down this path, we end up with a Here are the three main issues that we
similar set of standards problems that are see for revocation in ID-PKC:
faced by the implementors of PKIs. How • As mentioned in the previous section,
does a client know what each field in an keeping track of identities that have been
identifier is meant to represent? There issued within the system is a potential
must be agreement between problem for key management. Because of
communicating parties and the TA. Thus, the strong link between keys and identities
we note that removing the certificate from in ID-PKC, revoking a public key requires
the system does not solve all the problems the revocation of the associated identifier.
that are of relevance to certificate This problem is acute if the identifier is one
management. that could be inconvenient to change (such
• Both previous points are specific as an e-mail address). But these are precisely
problems that are encountered when we the identifiers that are easily predicted by
realise that, in ID-PKC, the public keys and the entity that is attempting to
the identity are inexorably linked. In a PKI independently generate a valid key for an
the separation is clear. Whether this is intended recipient. This suggests that less
considered a benefit or a drawback can only predictable identifiers would need to be
be resolved when it is considered in the light employed. For example, the inclusion of
of a particular application. issue numbers in identifiers is conceptually
• There is a potential safety issue when simple, but leads to identifiers that are
considering the generation of public keys in difficult to predict. So, in actual
an ID-PKC scheme. Because it is the client implementations, it is likely that more
that chooses the identity to be used to complex identifiers, built on top of a
generate the public key, they could choose client’s identity, will provide the input to the
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
key generation function. This means that Boneh and Franklin’s model of revocation is
there is likely to be a higher degree of that it requires an independent secure
complexity in the part of the system that channel between the channel and the TA for
manages those identifiers than might appear the transportation of the fresh keying
at first sight. This is related to the issue material. In a traditional PKI, the
about form and content of identifiers that registration, key generation and
was noted in Subsection 4.2. certification procedures should be among
• Because of the inherent binding the most heavily guarded. Applying this
between identifier and key in ID-PKC, there same level of security daily in an ID-PKC
is a potential drawback in terms of re- could make the process inherently difficult
certification. At a recent PKI workshop, we to manage.
saw a demonstration for a product that To put it more succinctly, revocation in a
separated the storage of private key and PKI requires reliable and timely distribution
certificate. The private key was stored on a of authenticated information. Revocation in
smart-card, while the certificate was stored an ID-PKC, using the methods discussed
on the hard drive. This allowed the here, requires the reliable and timely
organisation to change the certificate distribution of confidential information.
content through re-certification without
needing to go through the more expensive
procedure of issuing the clients with a new
5 Rights management
In this section we analyse the differences
private key. An exact replica would be
in the manner in which rights are handled
impossible to achieve in an ID-PKC system.
in PKIs and ID-PKC systems. The term
• When considering the issue of
rights in this discussion encompasses
revocation, Boneh and Franklin [4]
anything that the possession of a key
proposed merging the date with the client’s
and/or related certificate/identifier allows
identity to provide the identifier for the key
the client to do. For example, a right could
(e.g. the string ‘Alice,12MAR2003’ could
be ‘The right to view confidential report
provide the input for the key generation
X’ or ‘A, being a purchase manager, can
function). The argument provided is that
sign orders up to a value of $10 000’. As
the re-issuance of keys on a per time basis
such, we use the term in as neutral a form
obviates the need for a revocation
as possible, to highlight the fact that rights
mechanism. This mechanism raises a few
represent any extension of the services that
problems. If we force all legitimate users to
encryption and signature algorithms
request fresh keys every day (or even every
provide.
hour, if a finer degree of control is needed),
then it forces the TA to be on-line for a We separate our discussion here into the
greater proportion of the time and may issues surrounding the generation and
significantly increase the TA workload. The verification of these rights.
ability to remove the need for an on-line
server is one of the benefits of using 5.1. Rights generation
asymmetric cryptography in the first place. In this subsection we introduce the basic
It could be argued that having an OCSP or means by which rights are represented in
CRL server in a PKI has the same each approach and how these
drawback. This is not necessarily true: a representations are generated. We split our
CRL can be distributed by a server that is discussion into two parts: one concerning
not the root CA. Another problem with rights implemented using signatures; the
other concerning rights implemented using decrypt can be either implicit or explicit.
encryption. For example, Alice may know Bob
personally and thus be willing to use the
Signature encryption key in Bob’s certificate — this
PKI may be the case when using e-mail security
In PKI, the signing key is usually bound software. Alternatively, Alice might want to
to an identity. Depending on the system see Bob’s credentials as a line-manager
policy, the right to sign is either implicit in before passing on an encrypted version of
the verifier knowing who the signing party the payroll file. In both cases, the right to
is, or it is explicit through a binding to an decrypt is generated when the identity
authorisation mechanism. The certificate or authorisation token is
authorisation mechanism could be a more generated.
traditional access control list, a separate ID-PKC
privilege management infrastructure (PMI),
As with PKIs, the right to decrypt can be
or contained in the client’s identity
generated at the same time as the private key,
certificate. The right to sign for a particular
in advance of the decryption. One of the
purpose is assessed either by the CA when
proposed benefits of using ID-PKC is that
generating the identity certificate or by the
the public encryption key can be generated
authority in charge of the separate
by the party that is encrypting the data in
authorisation infrastructure.
advance of the corresponding private key
ID-PKC having been generated. If used in this
In an ID-based scheme, it would appear manner, the right to decrypt is effectively
that the same principles apply. The popular generated when the client that is encrypting
choice for a signature creation key is likely the message generates the public key. But the
to be some variant of the signing party’s subsequent verification of that right does not
identity. The right to sign is likely to be happen until the TA generates the
either implicitly recognised between signer corresponding private key, which may
and verifier or more explicitly contained in happen at some point in the future.
an additional mechanism, similar to those
discussed above for PKIs. Again, the right to 5.2. Rights verification
sign will be assessed at the time of the We now turn our attention to how the
signature key’s creation or when the identity verification of rights might take place. Our
is bound to the associated authentication goal in this section is to understand how the
mechanism. means by which these rights are verified
affects the design of the system. To achieve
Encryption this, we keep our discussion at a generic
PKI level and develop our argument by the
Traditionally, PKIs have primarily been analysis of the following three factors for
associated with authentication rather than signatures and encryption:
authorisation (SPKI [8] being the notable Who: Who is capable of carrying out the
exception). In most commercial PKI verification?
systems, the identity certificate is used to When: When is the verification carried
authenticate the client to a separate out in relation to the right generation?
authorisation infrastructure. As in the above Where: Is there a physical or logical
discussion on signatures, the right to relationship between generation and
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
verification that might affect the security Where: Because of the nature of a
policy? traditional public key and its associated
certificate, the verification could be
We note that, in an attempt to keep our
conducted at a logically or physically
analysis as broad as possible, we describe
remote site to the signature. This is
the most logical means of implementing the
considered to be one of the great strengths
rights verification functions.
of public key cryptography.
Signature ID-PKC
We separate the analysis of PKI and ID- Who: In a similar manner to PKI, anyone
PKC systems. with access to the public key corresponding
PKI to the private key can verify the signature. As
Who: In the case of signature mentioned previously, this does not
verification, anyone who can use the public necessarily imply that they can accurately
key associated with the signature key can verify the right associated with that
verify the signature. This does not signature. This will depend on the security
necessarily mean that they will be able to policy of the system and the parties involved.
accurately verify the associated rights that If the right is implicit, then it is the security
may be bound to the public key through a policy of the relying party that governs the
certificate. One of the influencing factors right. If the right is explicit, then the relying
would be whether the verification of the party needs to be able to process the
right to sign was implicit, in the sense that associated authorisation structure.
A knows B, or explicit, through some other When: The timing of the verification is
mechanism. likely to be similar to a PKI. The
When: The verification occurs when the verification of the right to sign will happen
client verifying the signature carries out the when the signature is checked by the relying
signature validation. In terms of time, this party.
could potentially be far removed from the Where: Once again, there is the potential
time that the signature was created. This for the signature to be verified somewhere
flexibility in separation is potentially both a that is logically and physically remote from
benefit and a drawback. If the signature is the signing party.
created on a document that may need to be
verified multiple times by multiple parties, Encryption
then this is a benefit. If, on the other hand, Again, we analyse potential PKI and ID-
the signing party’s right to sign may be PKC systems separately.
brought into question in the future, then
PKI
there is an argument for re-validating the
right to sign as close as possible to the time Who: Who verifies the right to decrypt
at which the signature is created. An will depend on how the system is built. If
example where this might present a problem the PKI is set up with an encryption key in
would be a signature system that provided the certificate, then it is likely to be the
non-repudiation. If a signature on a client encrypting the data. If the PKI is only
particular document was generated at used as an authentication front-end to a
roughly the same time that a revocation was separate authorisation mechanism, then it is
issued, then determining the true order of likely to be the policy monitor for the
events could be difficult. authorisation mechanism.
When: If the verification is carried out by would happen at the TA, who is a trusted
the client encrypting the message, then right server within the security domain.
is likely to be verified when the encrypted
We now discusses some of the main
message is being generated. This might
issues raised by our analysis in this and the
happen at a time that could realistically be
previous sections.
far ahead of when the recipient decrypts the
• There is a relationship between the
message. There is a danger here that the
management of rights and the revocation
original right may have expired or have been
issues as discussed in subsection 4.3. When
revoked in the meantime. If there is a
you use a right (e.g. to verify a signature,
monitor controlling access to the data, then
encrypt a document to a colleague), then
the right should be checked as the data is
you need to know at that point whether the
being released to the recipient.
right has been revoked or not. It is this
Where: If the right is being checked —
verification of the right to carry out a task
implicitly or explicitly — by the encrypting
that poses one of the problems in
party, then this happens in a place that is
implementing a PKI. With ID-PKC, the act
potentially logically remote from the
of rights verification can be bound closely
recipient. In the case of an access monitor,
(both in terms of time and space) to point
then the location is likely to be carefully
at which the verification is carried out. This
chosen to be within the same logical or
is carried out through the use of client-
physical security domain as the recipient.
chosen short-term keys with the recipient
ID-PKC having to retrieve the associated private keys
Who: In a similar manner to PKI, who from the TA. While discussing the future of
does the verification will depend on how PKI, Gutmann [9] recommends a similar
the system is implemented. If the binding when implementing a PKI. At first
encryption key is generated from the user’s glance, it would appear that such strong
long-term secret key, then it is likely to be binding between verification and CA/TA, if
the client encrypting the message. If the required, can be carried out more cleanly in
client is allowed to control the generation of an ID-PKC implementation.
the public key according to their security • There are scenarios where the right to
policy — as proposed by Chen et al [6] — decrypt, in a PKI system, is only generated
then the verification of the right to decrypt and assessed immediately prior to
is carried out by the TA that generates the decryption, rather than when encryption
private key for the recipient. takes place. This results in a mechanism
When: If the client encrypting the that is very similar to one that proponents
message uses a long-term key, then the right of ID-PKC claim to be a benefit of their
approach. An example of such a system
to decrypt is verified at the point of
might be an encrypted file store on a server.
encryption. If the key is a sender-chosen key
A client wishing to access the encrypted
generated specifically for that encryption,
material asks a monitor for read rights. The
then the rights verification should happen at
right might then be generated on-the-fly as
the point at which the TA hands out the
part of the rights verification process.
decryption key to the recipient.
Where: As in the case of the PKI, if the These two points highlight the fact that
encrypting party carries out the verification, both PKI and ID-PKC systems ultimately
this could potentially be anywhere. If the work in a similar manner. It would appear
key is chosen by the sending client, then this that ID-PKC lends itself naturally to
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
Kenneth G. Paterson & Geraint Price A comparison between traditional PKIs and identity-based cryptography
separates ID-PKC from PKI. Our initial [4] D Boneh and M Franklin, 2001. Identity-based
judgement, admittedly made in the context encryption from the Weil pairing, Advances in
of little or no commercial deployment of Cryptology – CRYPTO 2001 (ed J Kilian), volume 2139
ID-PKC systems, is that there is very little to of LNCS, pages 213-229. Springer-Verlag.
separate the two. Perhaps the important [5] C Gentry and A Silverberg, 2002. Hierarchical ID-
input when deciding whether to adopt PKI based cryptography, Advances in Cryptology –
or ID-PKC is the different way in which the ASIACRYPT 2002 (ed Y Zheng), volume 2501 of LNCS,
two technologies naturally generate and pages 548-566. Springer-Verlag.
verify rights and keys. [6] L Chen, K Harrison, D Soldera and N P Smart, 2002.
Applications of multiple trust authorities in pairing based
As with symmetric and asymmetric cryptosystems, Infrastructure Security, International
cryptography, the deciding factors when Conference, InfraSec, (ed G I Davida, Y Frankel and O
choosing between PKI and ID-PKC are Rees), volume 2437 of LNCS, pages 260-275. Springer-
likely to be environmental. This influence of Verlag.
the constraints surrounding the [7] EU Directive 1999/93/EC of the European Parliament
implementations are likely to be greater, and of the Council on a Community framework for
given that there doesn’t seem to be such a electronic signatures, December 1999:
strong separating factor such as the ability http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_013/
l_01320000119en00%120020.pdf
to provide non-repudiation is between
symmetric and asymmetric cryptography. [8] C Ellison, September 1999. SPKI requirements, IETF
RFC 2692: http://www.ietf.org/rfc/rfc2692.txt
References [9] P Gutmann, 2002. PKI: It’s not dead, just resting. IEEE
[1] W Diffie and M Hellman, 1976. New directions in Computer 35(8):41-49.
cryptography, IEEE Transactions on Information Theory,
[10] C Gentry, 2003. Certificate-based
IT-22(6):644-654.
encryption and the certificate revocation problem,
[2] R L Rivest, A Shamir and L Adleman, February 1978. Advances in Cryptology – EUROCRYPT 2003 (ed E
A method for obtaining digital signatures and public-key Biham), volume 2656 of LNCS, pages 272-293.
cryptosystems, Communications of the A.C.M., Springer-Verlag.
21(2):120-126.
[11] S S Al-Riyami and K G Paterson, 2003.
[3] A Shamir, 1984. Identity-based cryptosystems and Certificateless public key cryptography, Proceedings of
signature schemes. Advances in Cryptology – CRYPTO Asiacrypt 2003, Lecture Notes in Computer Science (to
’84, volume 196 of LNCS, pages 47-53. Springer-Verlag. appear).