DE102006009725A1 - Public code authenticating method, involves producing signature from combination of public code and generated authentication characteristic, and publishing public code, authentication characteristic and produced signature - Google Patents

Abstract

The method involves providing a private code of a certificate authority, and providing a public code and a personal data of a user. An authentication characteristic is generated from the personal data using a hash-algorithm. A signature is produced from a combination of the public code and the generated authentication characteristic, and the private code of the certificate authority is used in the combination. The public code, the authentication characteristic and the produced signature are published. An independent claim is also included for a device for authenticating a public code.

Description

method and apparatus for authenticating a public key

The The present invention relates to a method for authentication a public key and a device for carrying out this method.

A cryptographically secure communication between two jobs - below short referred to as secure communication - can by encrypting the to the transferring Message can be reached. A well-known encryption method is that PGP methods, where PGP stands for "pretty good privacy". The invention, as well as her underlying problem, is described below using a cryptographic secure communication with PGP encryption, but without to limit the invention to it.

at the PGP encryption the message will be first with a key encrypted and to generate a ciphered message. The encrypted message can now over transmits a potentially unsafe communication channel to the addressee become. So that the addressee can decrypt the encrypted message, the encryption key must also be sent to him become. The PGP procedure provides for this, the encryption key as well to encrypt and the encrypted encryption key to the To send addressees. For this purpose, both the addressee and the sender form two communicating with each other Communication participants, each a couple from a private and a public one key to generate. The addressee transmits his public key to the sender or represents the public key in another suitable way to the sender. The sender encoded the encryption key with the public key of the addressee. Thereafter, the transmission of the encrypted encryption key to the addressee together with the public key of the sender. The addressee can now use the encrypted encryption key his private key decrypt.

One potential attacker, d. H. an unauthorized communication participant, can now without too much Difficulties in the possession of the public key of Sender and the public key of the Addressees arrive. However needed he to decrypt the private key of the addressee. In the encryption process It is assumed that the two communication participants Make sure that a third party, eg. As the attacker, no access to her private keys receives. The public key is indeed by means of a function (operator) or an algorithm from the private key generated, the corresponding inverting functional or the associated inverting algorithm to determine the private key from the public Key required but an unmanageable Computational effort. Therefore, it is assumed that the ciphered Message and the encrypted encryption from a third party almost not or at least only with exorbitant high expenditure decoded or can be deciphered.

however exists for the attacker also the possibility to pretend to be a legitimate addressee (man-in-the-middle attack). For this purpose, he himself generates a pair of public and private Key. The public Key transmitted he tells the addressee and suggests to the sender that this public key originated by the authorized addressee. In this case, the Sender in unwanted Way his encrypted message and the associated encrypted encryption to the attacker. The latter would be easily able to decipher the text.

Therefore have been called Certification Authorities, also called Authentication Authorities or Certification Authority (CA), created. These sign a public key of a person together with his personal Data, e.g. The name, the e-mail address, etc. Essentially The certification body calculates a checksum of the Combination of the public key a person and their personal data. This checksum is by a private key the certification authority, the so-called root key, encrypted. There the public key of the Certification Body freely accessible is made possible, it is possible for anyone to read out the checksum. As the private key However, the certification authority is not public, no one can data so encrypt, that with the public key the certification authority could be decrypted again. Should Now someone z. B. the name associated to a public key to change a person, this results in a different checksum. A change the by the private key of the Certification Authority encrypted Checksum is however, for the reasons mentioned above not possible.

For a public key A person only issues a certificate to a certification authority if she knows this person well enough or this Person can identify himself in a suitable manner, eg. B. with a Identity card or similar.

The public key of a person, de personal data and the signature of the certification body are published together. This can be done in generally accessible systems, such. As the Internet, or in intra-corporate networks.

Before a sender sends a message to an addressee, he can by looking up at check the certification authority whether the public known to him key really public key of the desired Addressees corresponds. To do this the personal ones Data for the Senders are freely legible. However, this also allows others the name, the e-mail address and the others personal View data. In particular, you can undesirable Way commercial address collectors read the personal information. Around such an undesirable Collect the data in large scale to prevent was the search possibility in the databases of public key limited. However, such a restriction also proves to be user-unfriendly for those Persons interested in secure communication with each other are.

In front In this background, the present invention has the object underlying public keys together with unique personal information to publish authenticated, being an access to the personal Data not for everyone in public accessible should be.

According to the invention, at least one of these tasks through an authentication process with the Features of claim 1 and / or by a device to run the authentication method with the features of the claim 9 solved.

• – Bereitstellen eines privaten Schlüssels einer Zertifizierungsstelle;
• – Bereitstellen des öffentlichen Schlüssels und persönlicher Daten eines Anwenders;
• – Generieren eines Authentifizierungskennzeichens aus den persönlichen Daten unter Verwendung eines Hash-Algorithmus;
• – Erzeugen einer Signatur durch Bilden einer Kombination aus dem öffentlichen Schlüssel und dem generierten Authentifizierungskennzeichen und Anwenden des privaten Schlüssels der Zertifizierungsstelle auf die Kombination und
• – Veröffentlichen des öffentlichen Schlüssels, des generierten Authentifizierungskennzeichens und der erzeugten Signatur.

Accordingly, a method for authenticating a public key is provided with the following steps, which are not necessarily executable in the order listed:

• - Providing a private key of a certification authority;
• Providing the public key and personal data of a user;
• Generating an authentication tag from the personal data using a hashing algorithm;
• Generating a signature by forming a combination of the public key and the generated authentication tag and applying the private key of the certification authority to the combination and
• Publish the public key, the generated authentication tag and the generated signature.

The Certification authority may, in the context of the method according to the invention a public one Certification Authority, z. A country, an authority or a public be private provider. Likewise, the certification authority may however also be an internal or internal committee.

Of the private keys does not necessarily have to be provided by the certification authority itself but can also be provided by intermediaries which are authorized by the certification body.

The Provide the public Key can by the user himself, by his private and public key self-generated and public key makes known. This is likely usually the most common be encountered case. However, it is also possible that the public key for the User generated by a central point. This can be z. B. in companies and organizations. This may be necessary be when shared private keys are needed.

One Hash algorithm in the sense of the present invention forms the Data on the authentication indicator such that the personal Data is no longer readable in plain text. Furthermore, changes are expected at the personal Data about a noticeable change of the authentication mark. Usually, the data length of the Authentication flag shorter as the length the personal Be data. Preferably, the data length of the authentication mark is through the selected one Hash algorithm set, e.g. Eg 160 bits. In addition, from the authentication mark only at very high cost the personal data can be determined.

The Apply the private key The certification authority on the combination can be up immediately the combination is done. However, it is also possible the combination before to compress, from her a checksum to form or apply a hash algorithm to it and first then the private key apply to the certification body. To a sender usually the contact details such as name, address etc. or in addition the public key an addressee known. He can now use the authentication indicator using the hash algorithm and the generated by him Authentication tag with the published authentication tag compare and thus assure themselves of the public key.

From the published generated authentication marks, however, the personal data can be determined only with considerable effort. An address collector thus makes access to the personal data considerably more difficult.

advantageous Further developments and embodiments of the invention are in the other dependent claims indicated or result from the description in the light of the figures the drawings.

Of the Hash algorithm can be cryptographically secure in one embodiment be. Furthermore, a or several random numbers are attached to the personal data, before the hash algorithm is applied to the data. The random data makes it difficult additionally the reconstruction of the personal Data from the authentication indicator. So a sender the public Verify key but he must also be in possession of this random data. these can him z. B. over a any communication channel supplied by the addressee become.

In an embodiment is provided that the personal Data have at least a single record and at least one of the individual records separated using the hash algorithm into one Signature section is converted. To create the signature the signature sections thus created are hung together. It can but also the personal data as a whole using the hash algorithm in the signature being transformed.

In a particularly preferred embodiment is in the personal Data includes the e-mail address. Furthermore, the name, the postal Address, phone number and / or account number. In particular, it is of interest to use the e-mail address through the hashing algorithm to change, above all, the e-mail address of address collectors searched for and at Spam distributor is resold.

In a training will be a variety of different compilations personal data provided, each of the compilations of an application is assigned and for Each compilation generates an authentication flag is for each authentication tag or the entirety of the authentication tags a signature is generated and each of the authentication marks and the signature is published becomes. this makes possible an addressee for different applications differ a public key to provide. So can for one simple e-mail exchange sufficiently characterizing the e-mail address be while for that called "instant Messaging "the" IM alias "," IM number "and the e-mail address needed become. The corresponding applications are familiar with the respective compilation and have access to the personal Data and can thus the key to verify.

In One embodiment becomes the length the generated signature by the hash algorithm. This has the big advantage especially in the management of databases, that fixed data lengths for the Search algorithms can be used. This speeds up and improves their efficiency.

following the invention is based on an embodiment and the figures in detail explained. In the figures show:

1 a block diagram of an embodiment of the present invention;

2 a flowchart for explaining an embodiment of the method according to the invention; and

3 a flowchart for illustrating a communication between two participants who follow the method 1 and the device according to 1 serve.

In 1 For example, an exemplary topology of a network according to one embodiment of the present invention is shown. A user station A is via a data line 100 connected to a plurality of other user sites B, C. The data line 100 can be provided through an internal network or an external network, such as the Internet. The data transmission can be wired, wireless or optical. Each of the user interfaces A has an input device E. This can be executed in many different ways and is used for creating messages, entering personal data etc .. In the in 1 In the illustrated embodiment, each user interface A, B, C is connected to an individual key generator G. This key generator can be realized by software on a computer unit or by a hardware-based key generator. Furthermore, instead of the illustrated embodiment, a central key generator G for a plurality of user interfaces A, B, C can be provided.

Of the key generator G creates a private key PSA individually for a user interface A and stores it locally in the User interface A in a first memory M1 from. Additionally created the key generator G a public key OSA based on the private key PSA. The public Key OSA is stored in a second memory M2 of the user interface A.

User Interface A now prompts the operator to provide personal information. These include z. As the first name, the last name, a name, the e-mail address, a postal address, a telephone number, an account number or other personal characteristics of the user. In the flowchart of 2 For example, only the name N of the user is asked. This hot Frank Mustermann (S2).

The User interface or a data processing device located therein D applies a predetermined hash function h to the name N (S3). The hash function h is in a protocol for network communication established. For example, this may be the Message Digest Algorithm 5 (MD5). This applied to the name Frank Mustermann results 639d 0c04 06d1 f526 59c2 509b 8c6e 6550 in hexadecimal notation. The application of the MD5 hash function similar to one sounding name, z. B. Bernd Mustermann gives a completely different Hash value H, namely 7df4 c6fc 3e3c 4a61 Odfa 687a 40b7 2711. One of the essential features the hash function h is that with minor changes in the input value, in this case of the name N, a distinctly different hash value H is determined. Another essential feature of the hash function h is that they are only under relatively high Effort is reversible. Other well-known hash function are the SHA-1 Algorithm (secure hash algorithm) and the SHA-256 algorithm.

The User interface A transmitted the hash value H together with the public key of the User's OSA to a central certification authority CS (S4). The Certification Authority CS already has its public key OSCS and her private key PSCS created (S5). First, the certification authority adds CS the transmitted hash value H and the transmitted public key OSA to a date KA together (S6). Afterwards she signs the date KA or the combination KA with their private key PSCS (S7) to get the signature Generate ZA. Usually the signing is done only when the user is facing the Certification Body CS clearly identify, for. B. by personal presence in combination with an identity card. To conclude the hash value H, the public key OSA of the user and the signature of the certification body CS (S8). This can be done, among other things, by providing this data transmit a central database DB become.

The Database DB can be a simple large file or a database system with the possibility of inquiries to ask, for. A SQL database. Although a variety of individuals can access the database DB, they can personal Data, such as For example, do not read the name N in plain text. With a not inconsiderable expense would be a data collector possible, by simply guessing and suitable name databases the name to identify a person. However, this so-called dictionary attack continues assume that the name or other personal information is not unusual Have letter combinations. Such a dictionary attack is likely to be named Frank Mustermann Succeed, as both names are not uncommon. However, with high Probability of a data collector a variety of name combinations test until he guesses the name for the the hash value matches the stored and published hash value. The dictionary attack can be complicated by random character combinations attached to the name become.

One Certificate according to the standard X.509 is composed

• - Version of the certificate
• - Serial number
• - Surname the certification body
• - Validity
• - Certificate holder
• - public key
• - additional information, z. B. Limitations the usability of the key
• - Signature

The personal Data of the user or certificate holder contains among other things the previously executed Records. The personal Data can be combined with each other on a single date and on it the hash function h are applied. It can also be anonymous Certificate, the hash function is disconnected to each individual records applied. In a further variant, different data sets are attached to each other, eg. B. Index, first name, last name, e-mail address, etc., to a new combined Create record. On this combined record is then the Hash value applied.

A single combined record can be included in a certificate. This is sufficient if z. B. verification alone based on the name of the user is sufficient. Since, however, there is usually no unambiguity or can be assumed, it is interesting for many applications, additional personal data to verify the public key to use. However, because these different applications typically have access to different personal information, it may be advantageous to put together a different combination for each of these applications and their respective ones To include combinations in the certificate. For example, for a correspondence with a bank, the account number, bank code and name can be recorded, and the IM alias, the IM name and the e-mail address can be recorded for instant messaging. By using the hash function h, however, the respective personal data are not visible to other applications or users. The individual different combinations can be identified by an anticipated flag, which is given in plain text. However, this is not strictly necessary, but can be anonymously identified solely by specifying an index that a public key owner communicates to the application program.

Referring to the flowchart in FIG 3 Hereinafter, a transmission of a message T from a user B to the previous user A will be described. First, the user B generates his private and public keys PSB, OSB and writes the message T. Subsequently, he encrypts the message T with a cipher key C and one of the many known encryption methods (S10-S12).

Of the User B knows the name N of user A and now wants with him over an encrypted one Channel communicate. He needs it first the public key OSA of user A and must also subsequently ensure that the public he received Key OSA really assigned to user A. In a first step (S13, S14) the user A obtains the public key OSA, a signature ZA and an associated one Hash value H, which the certification authority CS or the database DB provides. additionally the user B obtains the public key OSCS the certification body CS (S15, S16).

Out the signature ZA is using the public key OSCS the certification authority CS the combination KA determined (S17). The combination value KA becomes for one stored following comparison step. In a following, parallel or previously executed Step is from the known name N using the known Hash function h the hash value Ht to be tested is determined (S18). This one can with the compared with the hash value H obtained by the certification authority. If the two hash values H and Ht match, then this is the certificate ZA of the desired person, d. H. the user A, assigned. The following is the hash value Ht with the related public key OSA combined to a test combination Kt. This to be tested Combination Kt becomes with the combination determined in step S17 compared (S20). With agreement of the two combinations KA, Kt is the public key OSA as a key of the user A verified (S21). Below is the user B the encryption key with the public Key OSA of the user A and to an encrypted cipher key Cg encode (S22). Finally a transfer takes place the encrypted message Tg and the encrypted cipher key Cg (S23) to the user A.

Even though the present invention based on a preferred embodiment It will be apparent to those skilled in the art that various changes have been made can be done which are nevertheless within the scope of the invention according to the claims.

Especially can rather than a centrally located database of distributed databases be used. It is also possible instead of a central certification authority, a plurality of authorized ones Bodies to set up by the certification authority CS for signing are authorized. Correspondingly these authorized bodies generate the signatures.

Various process steps can be performed in a different order than they are shown in the embodiment carried out. This applies in particular in 3 the steps S17, S18. These may readily be performed at any other location prior to comparison in step S20. It is also possible to search the database using the current hash value Ht and to obtain the corresponding public key OSA and the signature Z. This is necessary in particular if the public key OSA of the user A is not known to the user B.

Claims (9)

Method for authenticating a public key with the steps: - Provide a private key a certification authority; - Provide the public key and more personal Data of a user; - To generate an authentication mark from the personal Data using a hash algorithm; - Generate a signature Form a combination of the public key and the generated authentication tag and apply the private key the certification authority on the combination and - Publish of public key, of the generated authentication tag and the generated Signature. A method according to claim 1, characterized gekenn records that the hash algorithm is cryptographically secure. Method according to at least one of claims 1 or 2, characterized in that the personal data at least one have individual record and separated at least one of the individual records using the hash algorithm in each case a signature section is converted and created to create the signature Signature sections are hung together. Method according to at least one of claims 1 or 2, characterized in that the personal data as a whole be converted to the signature using the hashing algorithm. Method according to at least one of the preceding Claims, characterized in that the personal data is the e-mail address contain. Method according to at least one of the preceding Claims, characterized in that the personal data is the name, the postal address, telephone number and / or bank account number contain. Method according to at least one of the preceding Claims, characterized in that a plurality of different compilations of personal Data are provided, each of the compilations of a Application is assigned and for each compilation generates an authentication flag, for each Authentication tag or the whole of the authentication tags generates a signature and each of the authentication marks and the signature is published becomes. Method according to at least one of the preceding Claims, characterized in that the length of the generated signature through the hash algorithm is determined. Device for authenticating a public key With at least one user station (A, B, C), a transmitting device and a certification authority (CS), where the user site (A, B, C) for Generating and Providing the Public Key (PSA, OSA) of a user and for entering and providing the personal Data of the user is set up, the transmitting device for transmitting of public key (OSA) and personal information to the certification authority (CS) and the certification authority (CS) for Providing a Private Key (PSCS) to the Certification Authority (CS) and for generating an authentication mark from the transmitted personal data using a hash algorithm, for Generate a signature (ZA) and publish the public key (OSA), the authentication mark (KA) and the signature (ZA) is set up.