
  • Number of slides: 28

Optimal Mail Certificates in Mail Payment Applications
Leon Pintsov, Pitney Bowes
2nd CACR Information Security Workshop, 31 March 1999

Talk outline
  • Mail pre-payment application and Digital Postage Marks
  • DPM requirements / optimality criteria
  • Choices
  • Elliptic Curves Signatures and Certificates
  • Optimal Mail Certificates
  • DPM generation and Verification
  • Comparisons and conclusion
Pitney Bowes LAP 2

Mail Communication System
[Figure: Sender, postal sorting and delivery system, Receiver]

Mail Item - Information-Based Payment Evidence - Digital Postage Mark (DPM)
[Figure: sample mail item showing the addresses "Pitney Bowes, 35 Waterview Dr, Shelton CT 06484" and "MasterCard International, 2000 Purchase Street, Purchase, NY 10577-2509"]

Mail Item - DPM Generation
[Figure: the sample mail item with a computer, a printer and a link labelled "to network"]

Mail Item - DPM Verification
[Figure: the sample mail item with a scanner]

DPM Content and Data Representation
  • Plaintext
    – Protected Data
    – Other Data
  • Ciphertext (Cryptographic Integrity Validation Code or CIVC)
  • Error Correction Code
  • Data Representation
    – Machine Readable
    – Human readable

DPM Security
[Figure: Plain Text Data followed by the CIVC; the Cryptographic Integrity Validation Code is a signature with appendix]

DPM generation
  • Obtain Protected Data (PD)
    – Postage Amount
    – Mail Item ID
    – Date
    – Other
  • Compute $M = h(PD)$ [hash of Protected Data]
  • Obtain mailer's Private Key $K$
  • Compute $CIVC = \mathrm{Cryptotransformation}_K(M)$
  • Format and print PD and CIVC

DPM verification
  • Scan and interpret DPM
  • Obtain plain text Protected Data $PD_1$
  • Compute $M_1 = h(PD_1)$
  • Obtain mailer's Public Key $PK$
  • Compute $M = \mathrm{Cryptotransformation}_{PK}(CIVC)$
  • Accept DPM if $M = M_1$

Requirements / optimization criteria
  • CIVC cryptanalytic strength (e.g. $> 2^{80}$)
  • Size (CIVC) should be minimal
  • CIVC generation and verification algorithms performance should match performance of fastest mail generation and processing equipment
    – generation at least 10 CIVC per second
    – verification at least 20 CIVC per second
  • DPM should contain all information required for verification including verification key

Requirements / optimization criteria (2)
  • Verifier should be able to verify several possible restrictions based on DPM information (e.g. restricted privilege to print value above certain threshold)
  • CIVC size inflation due to improvements in computing power should be minimal (i.e. cryptanalytic strength per bit of CIVC should be maximal)
  • Combined cost of generating and processing mail should be minimal (including the cost of maintaining required infrastructure)

Design Choices
  • Asymmetric key schemes for CIVC
    – with or without certificate in the DPM
    – signature schemes
      • with appendix
      • with message recovery
  • Symmetric key schemes for CIVC
    – MAC
    – Truncation
  • Data representation
    – 2-D Barcode (DataMatrix, PDF417)
  • Verification and key management infrastructure

Elliptic Curve Cryptographic Scheme
  • Elliptic curves can be defined over any finite field $F_q$ where $q$ is a prime number or a power of a prime number.
  • When elliptic curves are applied to cryptography, standards bodies (e.g. IEEE, ANSI, ISO) have restricted $q$ to a prime or a power of 2.

Point Addition
[Figure: curve points $(x_1, y_1)$, $(x_2, y_2)$ and $(x_3, y_3)$]

Point Doubling
[Figure: curve points $(x_1, y_1)$ and $(x_3, y_3) = 2(x_1, y_1)$]

Point Multiplication
  • Point multiplication is a fundamental operation performed on an elliptic curve during execution of a cryptographic protocol
    $kP = P + P + \dots + P$ ($k$ summands)

Elliptic Logarithm Problem
  • Given $E(F_q)$, a point $P$ and a point $Q = kP$, determine $k$
  • Systemwide Parameters:
    – $E(F_q)$ is an elliptic curve with total number of points $N$
    – $P$ is a point on $E$ of order $n$ ($n$ divides $N$)
    – $n > 2^{160}$

Optimal Mail Certificates Set Up
  • Postal CA has a private key $c$, $c$ is a positive integer such that $c < n$ and a public key $b = cP$
  • Mailer A with identity $I_A$ ($I_A$ generated by Postal CA) computes its private and public key:
    – A generates random integer $k_A$, computes $k_A P$ and sends point $k_A P$ to Postal CA
  • Postal CA does the following:
    – generates a random integer $c_A$, $0 < c_A < n$, and computes $A = k_A P + c_A P$.
    – computes $f = H(A \,\|\, I_A)$, where $H$ is a hash function such as SHA-1
    – computes $m_A = cf + c_A \bmod n$.
    – sends $A$, $m_A$, and $I_A$ to mailer A

Optimal Mail Certificates Set Up
  • Mailer A computes his private key $a$:
    $a = m_A + k_A \bmod n = cf + k_A + c_A \bmod n$
    and his public key $Q_A$:
    $Q_A = aP = cfP + A$
Note:
  1. $a$ is a function of $I_A$, $A$, $c$, $k_A$ and $c_A$
  2. $Q_A$ is a function of public parameters only

Optimal Mail Certificate
  • Quantity $A$ is called Optimal Mail Certificate (or OMC) and is a function of two random numbers independently generated by mailer (mailing system) and Postal certification authority.
  • $A$ is imprinted within DPM and serves as an input to computation of the CIVC verification key $Q_A$ (together with the public key $b$ of Postal CA, mailer's identity $I_A$ and hash value $H(A \,\|\, I_A)$).

EC ElGamal signature with message recovery: Generation
  • Mailer A wants to generate DPM with CIVC and send it to Post P:
    – Format Protected Data into message $m$
    – Generate random positive integer $k < n$ and compute $K = kP$
    – Format $K$ into key $L$ suitable to be a key for a good symmetric encryption algorithm SKE
    – Compute $e = \mathrm{SKE}_L(m)$
    – Compute $d = H(e \,\|\, I_A)$
    – Compute $s = ad + k \pmod{n}$
    – $(s, e)$ is the signature. $(s, e) = CIVC$

EC ElGamal signature with message recovery: Verification
  • Postal DPM verification operations:
    – Scan DPM and obtain $I_A$, $(s, e)$, $A$
    – Compute verification key $Q_A$
    – Compute $d = H(e \,\|\, I_A)$
    – Compute $R = sP - dQ_A$ and format $R$ into symmetric key $X$
    – Compute $M = \mathrm{SKE}^{-1}_X(e)$
    – Check redundancy of $M$ and accept DPM if $M$ has required redundancy
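The set-up, key derivation, CIVC generation and verification steps from the slides above, carried through end to end as an added Python example (not code from the talk or from Pitney Bowes). Assumptions: secp256k1 stands in for the unspecified curve, SHA-256 for H, a SHAKE-256 XOR keystream for SKE, and the 8-byte prefix `TAG` for the message redundancy; the identity and Protected Data values are constructed.

```python
import hashlib, secrets
# Stand-in curve secp256k1 (y^2 = x^3 + 7 over F_p); the slides only require n > 2^160.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TAG = b"DPM-PD1:"  # assumed redundancy: Protected Data always starts with this prefix
def add(S, T):  # affine point addition; None is the point at infinity
    if S is None or T is None: return S or T
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if S == T
           else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, S):  # double-and-add scalar multiplication kS
    R = None
    while k:
        if k & 1: R = add(R, S)
        S, k = add(S, S), k >> 1
    return R

def enc(S): return S[0].to_bytes(32, "big") + S[1].to_bytes(32, "big")
def H(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % n
def rand(): return secrets.randbelow(n - 1) + 1
def ske(K, data):  # stand-in SKE: XOR with a SHAKE-256 keystream keyed by point K
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(enc(K)).digest(len(data))))

def ca_issue(c, kA_P, I_A):  # Postal CA: certificate (the slides' A) and m_A
    cA = rand()
    omc = add(kA_P, mul(cA, P))
    return omc, (c * H(enc(omc), I_A) + cA) % n
def verification_key(b, omc, I_A):  # Q_A = f*b + A, from public values only
    return add(mul(H(enc(omc), I_A), b), omc)
def sign(a, I_A, m):  # CIVC = (s, e)
    k = rand()
    e = ske(mul(k, P), m)
    return (a * H(e, I_A) + k) % n, e
def recover(b, omc, I_A, s, e):  # Protected Data, or None when the DPM is rejected
    dQ = mul(H(e, I_A), verification_key(b, omc, I_A))
    R = add(mul(s, P), (dQ[0], -dQ[1] % p))  # R = sP - d*Q_A
    m = ske(R, e) if R else b""
    return m if m.startswith(TAG) else None

def demo():  # constructed identity and Protected Data
    c, kA, I_A = rand(), rand(), b"MAILER-0001"
    omc, mA = ca_issue(c, mul(kA, P), I_A)
    s, e = sign((mA + kA) % n, I_A, TAG + b"postage=0.33;item=42")  # a = m_A + k_A
    return recover(mul(c, P), omc, I_A, s, e)
```

The verifier never sees a separate certificate signature: a wrong identity, a wrong certificate point or a modified (s, e) yields a different R, so the recovered bytes fail the redundancy check.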

Comments on OMC
  • OMC public key authentication can be integrated with ECC ElGamal or ECDSA signature generation to achieve computational efficiencies
  • Size of OMC is the size of the point on the curve that is [OMC] = 20 bytes

Comparison (DPM size)

[Figure panels: IBIP DPM without certificate; IBIP DPM with certificate; Symmetric key OCR DPM]

Comparison (Computational Efficiency)
t is time to generate ECDSA, u is time to verify ECDSA, T is time to retrieve and verify traditional certificate

Conclusion
  • Optimal Mail Certificates deliver very significant advantages for verification process and infrastructure compared to other known methods
  • Optimal Mail Certificates can be particularly effective in combination with ECC ElGamal signature with message recovery
  • OMC in combination with ECC ElGamal with message recovery deliver the best known combination of critical system parameters