Thesis 88522034: Detailed Record

Author: 張明聖 (Ming-Shen Chang)
Department: Graduate Institute of Computer Science and Information Engineering
Thesis title: 商業性金鑰恢復與金鑰託管機制之研究
(The Research on Commercial Key Recovery and Key Escrow Mechanisms)
Related theses
★ 多種數位代理簽章之設計 (Design of Various Digital Proxy Signatures)
★ 小額電子支付系統之研究 (A Study of Micropayment Systems)
★ 實體密碼攻擊法之研究 (A Study of Physical Cryptanalytic Attacks)
★ AES資料加密標準之實體密碼分析研究 (Physical Cryptanalysis of the AES Data Encryption Standard)
★ 電子競標系統之研究 (A Study of Electronic Auction Systems)
★ 針對堆疊滿溢攻擊之動態程式區段保護機制 (A Dynamic Code-Segment Protection Mechanism against Stack Overflow Attacks)
★ 通用型數域篩選因數分解法之參數探討 (A Parameter Study of the General Number Field Sieve Factoring Method)
★ 於8051單晶片上實作可防禦DPA攻擊之AES加密器 (Implementation of a DPA-Resistant AES Encryptor on an 8051 Microcontroller)
★ 以非確定式軟體與遮罩分割對策 防禦能量攻擊之研究 (A Study of Defending against Power Attacks with Nondeterministic Software and Mask-Splitting Countermeasures)
★ 遮罩保護機制防禦差分能量攻擊之研究 (A Study of Masking Countermeasures against Differential Power Attacks)
★ AES資料加密標準之能量密碼分析研究 (Power Analysis of the AES Data Encryption Standard)
★ 小額電子付費系統之設計與密碼分析 (Design and Cryptanalysis of Micropayment Systems)
★ 公平電子現金系統之研究 (A Study of Fair Electronic Cash Systems)
★ RSA公開金鑰系統之實體密碼分析研究 (Physical Cryptanalysis of the RSA Public-Key Cryptosystem)
★ 保護行動代理人所收集資料之研究 (A Study of Protecting Data Collected by Mobile Agents)
★ 選擇密文攻擊法之研究與實作 (A Study and Implementation of Chosen-Ciphertext Attacks)

Abstract (Chinese) In recent years, key recovery has gradually become a hotly discussed topic in cryptographic research. The topic originated with the "fair public key cryptosystem" proposed by Micali in 1992, but it drew broad attention and investigation only in the following year (1993), when the U.S. government planned to develop an Escrowed Encryption Standard and a key escrow system. This thesis proposes a new type of commercial key recovery mechanism and a key escrow system with limited time span.
The main purpose of using cryptography is to protect the confidentiality of data and the privacy of individuals: with a cipher, a user can transform data into secure ciphertext. The key plays a critical role throughout the encryption/decryption process. Safeguarding keys properly and ensuring their availability is therefore absolutely necessary, and this is the goal that key recovery mechanisms aim to achieve. To date, many key recovery mechanisms have been published in the literature; Chapter 2 of the thesis reviews several well-known key recovery systems from the literature.
Chapter 3 proposes an entirely new commercial key recovery mechanism. What distinguishes it from the other key recovery systems in the literature is mainly that the Key Recovery Agent is not allowed to learn the key the user wishes to recover. In addition, an efficient key recovery service and high feasibility (practicality) are two further important properties of this mechanism. The chapter also introduces some cryptographic applications of practical value from the literature and integrates them with the proposed key recovery mechanism to provide an efficient key recovery service.
The second topic of this thesis is the development of a key escrow system with limited time span. "Limited time span" means that a government agency's authority for lawful interception is restricted to a specific time period. The Law Enforcement Agent (LEA) cannot use a lawfully obtained user secret key to infer the user's keys for other periods and thereby conduct unlawful interception. Chapter 4 proposes a key escrow system that satisfies this definition of limited time span.
Abstract (English) Recently, key recovery has become a popular topic in cryptographic research. The problem of key recovery was first considered in 1992 by Micali. Subsequently, key recovery received much attention and was widely discussed because of the notions of the Escrowed Encryption Standard and Key Escrow System developed by the U.S. government. In this thesis, a new type of commercial key recovery scheme and a key escrow scheme with limited time span are developed.
A major motivation for using cryptography comes from the requirement of protecting confidentiality and privacy. The keys employed in a cryptosystem play the most important role in meeting this requirement. Hence, they should be protected carefully and their availability should be ensured. Key recovery mechanisms can achieve this goal. Up to now, a lot of related work can be found in the literature. In Chapter 2, a brief review of these schemes is given.
In Chapter 3, a new type of commercial key recovery mechanism is developed in which it is emphasized that a key recovery agent is not permitted to learn any sensitive keys. Efficiency and practicability are two of the most important features of the proposed key recovery system. We also illustrate some possible cryptographic applications based on this commercial key recovery environment.
Another topic considered in this thesis is a key escrow system with limited time span. The concept of limited time span is to restrict the authority of wiretapping to a specific time period. It should prevent a LEA from recovering any previous or subsequent private keys of a user. In Chapter 4, a genuine key escrow scheme with limited time span is proposed.
Keywords (Chinese) ★ 商業性金鑰恢復 (Commercial key recovery)
★ 機密性 (Confidentiality)
★ 金鑰託管 (Key escrow)
★ 隱私權 (Privacy)
Keywords (English) ★ Commercial key recovery
★  Confidentiality
★  Key escrow
★  Privacy
Table of Contents
1 Introduction 1
1.1 Motivation of Research ................................1
1.2 Overview of the Thesis ................................4
2 Review of Commercial Key Recovery and Key Escrow Mechanisms 6
2.1 Key Recovery Techniques ...............................6
2.1.1 Key escrow technique ..............................7
2.1.2 Key encapsulation technique .......................8
2.2 Key Recovery Model ....................................9
2.2.1 A general model for key recovery systems ..........9
2.2.2 Some possible configurations of key recovery model .11
2.3 Famous Key Recovery Schemes ..........................13
2.3.1 Bellare-Goldwasser verifiable partial key escrow ...13
2.3.2 Bell Labs key recovery ...........................15
2.3.3 IBM secure key recovery ..........................16
2.3.4 Burmester-Desmedt-Seberry equitable key escrow .....17
2.3.5 Viswanathan-Boyd-Dawson publicly verifiable equitable key escrow .....19
2.3.6 Viswanathan-Boyd-Dawson strong binding for software key escrow .......20
2.3.7 Nieto-Viswanathan-Boyd-Dawson key recovery system for commercial environment .......21
3 A New Commercial Key Recovery Scheme 25
3.1 Brief Review of the Bell Labs Key Recovery Scheme ....26
3.1.1 The protocol .....................................26
3.1.2 Some remarks on the Bell Labs protocol ...........27
3.2 The Model of Practical Key Recovery ..................27
3.3 The Proposed Key Recovery Scheme - KRS-1 .............29
3.3.1 The protocol of KRS-1 ............................29
3.3.2 Security analysis of the KRS-1 protocol ..........30
3.4 The Proposed Key Recovery Scheme - KRS-2 .............31
3.4.1 The protocol of KRS-2 ............................32
3.4.2 Security analysis of the KRS-2 protocol ..........33
3.5 Related Application ..................................34
3.5.1 Boneh-Lipton revocable backup system .............34
3.6 Summary ..............................................35
4 Improved Key Escrow Scheme with Limited Time Span 38
4.1 Brief Review and Research Motivation .................38
4.2 Proposed Scheme ......................................39
4.2.1 Set-up phase .....................................39
4.2.2 Registration and escrow phase ....................39
4.2.3 Key update phase .................................40
4.2.4 Key recovery phase ...............................41
4.3 Security Analysis ....................................42
4.4 Summary ..............................................44
5 Conclusions 47
5.1 Brief Review of Main Contributions ...................47
5.2 Further Research Topics and Directions ...............48
A Proof of Equality of Discrete Logarithms with a Composite Modulus 50
A.0.1 The protocol .......................................50
Advisor: 顏嵩銘 (Sung-Ming Yen)
Approval date: 2001-7-1