
to the contents of the standard TLS protocol messages: (i) inclusion of the client's identity in session_id; and (ii) replacement of a signed temporary RSA or a Diffie-Hellman ephemeral key with an encrypted random string in ServerKeyExchange. These modifications only require small adjustments to data fields of the current TLS protocol specification. Hence, the advantages that changes (i) and (ii) could bring seem to outweigh any implementation issues that they may cause.

One limitation of our proposed protocol is the need for pre-distribution of the server's system parameters. Otherwise, a man-in-the-middle attack similar to Patel's attack on Protocol 7 is possible. In this attack, the attacker impersonates S to A by inserting his own set of system parameters and substituting $\{ST_A\}_{PW_A}$ with a random string $R_A$. A then uses her password to recover a value $ST'_A$ from $R_A$ and replies with her chosen pre-master secret encrypted under the identifier $ID'_A = A \| S \| PW_A \| ST'_A$. For each candidate password $PW'_A$, the attacker now decrypts $R_A$ using $PW'_A$ to obtain a value $ST'_A$, and then uses $ST'_A$ to derive a private key corresponding to the identifier $ID'_A = A \| S \| PW'_A \| ST'_A$; he can do this because the system parameters are his own, so he holds the master secret needed to extract private keys. Subsequently, the attacker, acting as S, recovers a pre-master secret and computes a ClientFinished value. The guessed password can then be verified by comparing the ClientFinished value that the attacker computed with the ClientFinished value that A sent to S. If they match, then the guessed password is the correct one.
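The attack just described, as an added example that is not part of the thesis: a Python simulation of the exchange with both sides' computations, ending with the attacker's off-line dictionary search over ClientFinished. The identity-based encryption is a toy stand-in (hashed ElGamal in which the private key for an identity is the master secret multiplied by a hash of the identity string); it is chosen only because it has the two properties the attack needs, namely that the encryptor needs nothing but the public parameters and the identity string, while whoever holds the master secret can extract the private key for any identity. It is not the thesis's IBE scheme and it is not secure. The password encryption of $ST_A$ (XOR with a password-derived pad), the ClientFinished computation (an HMAC over the transcript keyed by the pre-master secret), the group, and all names are assumptions made for this example. The last function also shows the countermeasure the text names: when A holds pre-distributed parameters and aborts on a mismatch, the attacker's parameters are never used and the search never starts.

```python
"""Patel-style off-line password guessing against the secret-public-key TLS variant
when the server's system parameters are not pre-distributed.  Constructed example."""
import hashlib
import hmac
import secrets

# Toy identity-based encryption (assumption, NOT the thesis's scheme, NOT secure):
# public parameters g^s, per-identity public key (g^s)^H(ID), private key s*H(ID).
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1, small enough to stay fast
G = 3

def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def ibe_setup():
    s = secrets.randbelow(P - 2) + 1            # master secret held by the parameter owner
    return s, pow(G, s, P)                      # (master secret, public parameters)

def ibe_public_key(params: int, identity: bytes) -> int:
    return pow(params, h_int(identity), P)      # computable from params and ID alone

def ibe_extract(s: int, identity: bytes) -> int:
    return (s * h_int(identity)) % (P - 1)      # needs the master secret

def ibe_encrypt(params: int, identity: bytes, msg: bytes):
    r = secrets.randbelow(P - 2) + 1
    shared = pow(ibe_public_key(params, identity), r, P)
    pad = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return pow(G, r, P), bytes(a ^ b for a, b in zip(msg, pad))

def ibe_decrypt(priv: int, ct) -> bytes:
    c1, c2 = ct
    shared = pow(c1, priv, P)
    pad = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(c2, pad))

def pw_decrypt(password: bytes, blob: bytes) -> bytes:
    """{ST_A}_{PW_A} is modelled as XOR with a password-derived pad (assumption)."""
    pad = hashlib.sha256(b"pw-pad|" + password).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))

def client_finished(pms: bytes, transcript: bytes) -> bytes:
    """ClientFinished modelled as HMAC over the transcript keyed by the pre-master secret."""
    return hmac.new(pms, transcript, hashlib.sha256).digest()

def client_respond(password, params, A, S, r_a, transcript):
    """A's side: recover ST'_A from what she takes to be {ST_A}_{PW_A}, build
    ID'_A = A||S||PW_A||ST'_A, encrypt a fresh pre-master secret to it, send ClientFinished."""
    st_a = pw_decrypt(password, r_a)
    id_a = b"|".join([A, S, password, st_a])
    pms = secrets.token_bytes(32)
    return ibe_encrypt(params, id_a, pms), client_finished(pms, transcript)

def offline_guess(dictionary, s, A, S, r_a, ct, finished, transcript):
    """Attacker impersonating S with master secret s of his own parameters: for each
    candidate password derive ST'_A, ID'_A and its private key, recover a pre-master
    secret, recompute ClientFinished and compare with what A sent."""
    for guess in dictionary:
        st_guess = pw_decrypt(guess, r_a)
        id_guess = b"|".join([A, S, guess, st_guess])
        pms_guess = ibe_decrypt(ibe_extract(s, id_guess), ct)
        if hmac.compare_digest(client_finished(pms_guess, transcript), finished):
            return guess                        # wrong guesses yield garbage pms, no match
    return None

def run_attack(password, dictionary, client_pins_params=False):
    """Returns the recovered password, None if it is not in the dictionary, or
    "aborted" when A checks the received parameters against pre-distributed ones."""
    _, honest_params = ibe_setup()              # S's real parameters
    atk_s, atk_params = ibe_setup()             # attacker's substituted parameters
    r_a = secrets.token_bytes(32)               # random string in place of {ST_A}_{PW_A}
    A, S, transcript = b"alice", b"myproxy", b"ClientHello|ServerHello|ServerKeyExchange"
    if client_pins_params and atk_params != honest_params:
        return "aborted"                        # the countermeasure: parameters must match
    ct, fin = client_respond(password, atk_params, A, S, r_a, transcript)
    return offline_guess(dictionary, atk_s, A, S, r_a, ct, fin, transcript)

if __name__ == "__main__":
    print(run_attack(b"hunter2", [b"123456", b"password", b"hunter2"]))
    print(run_attack(b"hunter2", [b"hunter2"], client_pins_params=True))
```

The search needs no interaction with A beyond the single captured exchange, which is what makes it an off-line attack; every candidate is checked locally against ClientFinished.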

6.7

Application in MyProxy

It is not uncommon for users within the grid community to fail to take the necessary precautions to protect their machines, such as installing the latest vulnerability patches and updating the virus definition lists on their machines. This may lead to partial or complete control of the machines by a remote attacker who exploits vulnerabilities found on the machines. Even if the users do care about patching vulnerabilities, it may not be difficult for the attacker to install trojan horses on the users' computers. This may well explain why many grid implementations have incorporated the MyProxy system to securely store and protect users' long-term credentials.


identity-based cryptographic primitives will already be in place. A user can access the MyProxy server to retrieve her long-term credential by using a password-based TLS protocol. We note that there also exist trojans and keystroke loggers that can track and steal user passwords. Fortunately, there are also countermeasures against this kind of attack, such as the use of one-time passwords and virtual keyboards (footnote 4).

From a more general perspective, our ID-SPK/TLS protocol seems to be a good candidate for a password-based, authenticated key agreement protocol used in identity-based cryptographic schemes for delivering private keys. The protocol aligns nicely with the certificate-free property of the schemes, unlike the common proposal of using the certificate-based TLS protocol for private key distribution, such as in [164].

6.8

Summary

We studied the history of secret public key protocols and discussed some known problems with these protocols. We explored some interesting properties of identity-based cryptography which form the basis of our proposed identity-based secret public key protocols. These properties also allow us to convert a conventional identity-based encryption scheme and a standard identity-based signature scheme (with message recovery) into their secret public key equivalents.

We presented three-party and two-party identity-based secret public key protocols for key exchange. Our heuristic security analyses show that the protocols appear to be secure against off-line password guessing attacks and undetectable on-line password guessing attacks, and provide forward secrecy. Then we combined the new properties from identity-based secret public keys and the techniques used in constructing the identity-based secret public key protocols, and showed that secret public keys can support the use of passwords in the TLS handshake protocol in a very natural way.

Footnote 4: A virtual keyboard is one of the latest technologies used to combat the stealing of passwords through keystroke loggers. It is a keyboard displayed as a pop-up window on the user's desktop. The user must use his mouse to input his password. The order of the characters on the virtual keyboard is normally unpredictable.

Chapter 7

Conclusions

Contents

7.1 Concluding Remarks . . . 165
7.2 Suggestions for Future Work . . . 168

This chapter summarises the thesis and gives some concluding remarks which reflect the problems that we have studied and the results that we have achieved. We also give suggestions for future work in this area.

7.1

Concluding Remarks

The development of grid computing and identity-based cryptography are amongst today’s most important technical innovations in the field of computer science and cryptology. As we have described in Chapter 2, security issues in grid applications are numerous due to complex grid properties such as heterogeneity, scalability and adaptability. One of the unique security requirements for grid applications is the use of short-term or proxy credentials to achieve single sign-on, delegation and other security services. These are made possible through the combined use of standard X.509 and proxy certificates, supported by PKI.

In this thesis, we studied the application of some identity-based cryptographic schemes presented in Chapter 3 in designing security infrastructures for grid applications. The main focus has been on simplifying current PKI-based security architectures, which make extensive use of certificates for supporting grid security services. We addressed issues related to certificate and public key management, such


as certification and verification of public keys, and distribution of certificates, which cause extra overheads to and potentially limit the scalability of grid applications. It is natural to consider the application of IBC to grid security because of its attractive properties, such as being certificate-free and using small key sizes, which may well match the requirements of grid computing. The properties of IBC, in turn, are likely to result in a more lightweight security architecture than the certificate-based PKI approach. We presented our findings that pertain to the use of IBC for constructing IKIG in Chapter 4. Our results show that even though the PKI-based GSI is workable, it is still far from lightweight in terms of the network bandwidth requirement. On the other hand, IKIG, which makes use of identity-based techniques, consumes minimal communication bandwidth. The significant saving in message sizes in IKIG augurs well for the on-going transition from transport-level to message-level security based on web services. In addition, we observed that identity-based public keys can be used in a very natural way to support various grid security services, such as mutual authentication and delegation. However, one limitation is that IKIG inherits the key escrow property that plagues identity-based cryptographic schemes. Despite that, the drawback may not pose a major problem, since the use of the MyProxy system technically also introduces a key escrow facility. Both IKIG and GSI with the MyProxy plug-in require strong trust relationships to be in place between users and the relevant trusted third parties.

There may be circumstances where key escrow is not desirable for grid applications. In Chapter 5, we proposed DKIG as a solution that not only removes key escrow, but that also eliminates the requirement for short-term private key distribution from a PKG/TA to its users. In our DKIG proposal, each user publishes a fixed IBC parameter set through a standard X.509 certificate. The parameter set can be used by the user to manage his proxy credentials by acting as his own PKG. This simple technique appears to be cleaner than the use of threshold cryptographic or secret sharing techniques that we highlighted in Chapter 5. Our research findings show that, even though the communication costs in DKIG are higher than in IKIG, they are still relatively low compared to those of the GSI. We have also shown that the computational overhead in DKIG is increased as compared to IKIG, due to the increased number of pairing computations. We foresee that further improvements in the speed of pairing computations are likely to be made with the discovery of new algorithmic techniques. This is especially so, considering that pairing-based


cryptography is still at a relatively young age. On the other hand, we remark that since certificates are used for users’ long-term credentials in DKIG, identity-based techniques are applicable only to the users’ proxy credentials. The benefits that the identity-based techniques could offer are therefore limited to the user level.

In Chapter 6, we extended our study of the application aspects of IBC to secret public keys. The concept of secret public keys has historically been employed in password-based authentication protocols. However, the use of more conventional secret public keys such as RSA and Diffie-Hellman keys can allow various number theoretic attacks and this concept was thus thought to be unworkable. In this thesis, we explored and introduced new properties of identity-based secret public keys. In the IBC setting, a secret public key can be computed based on a random string. This technique appears to offer a clean and natural way of removing any predictable structure in the secret public key. By using identity-based techniques, we designed a TLS-like identity-based secret public key protocol. This protocol allows passwords to be tied directly to the establishment of secure TLS channels. Furthermore, our protocol requires only relatively small changes to the message contents of the current TLS handshake protocol, and is only based on the use of easy-to-remember user passwords. These advantages seem to make our approach a sensible and practical improvement over the design of the current authentication protocol that MyProxy employs.

We have highlighted some of the fundamental issues in the PKI-based GSI. Some identity-based solutions aimed at resolving these issues have been proposed. In conclusion, we believe that a security infrastructure designed using identity-based techniques has more advantages than disadvantages as compared to the PKI-based GSI. Our identity-based approach offers more flexibility in terms of key usage and management than the more conventional PKI approach. There are some useful security features that seem to be provided only by identity-based cryptographic schemes, for example, generation of public keys on-the-fly and binding of a policy or password to a public key. More importantly, identity-based techniques offer a more natural and clean way of delivering various grid security services. We expect that the identity-based concepts and techniques presented in this thesis may well be useful in other applications. These may include, for example, P2P systems, ad hoc network environments, and distributed systems in which it is desirable to use and