(1) Field of the Invention
The present invention relates to the use of cryptographic systems for authentication, and, more particularly, to methods and systems using the Naccache-Stern Cryptosystem for group authentication in accordance with a prescribed rule or policy (“rule/policy”) statement formulated as a Boolean Expression that authorizes access to a protected resource or performance of a restricted operation governed by the prescribed rule/policy statement by authenticated groups.
(2) Description of Related Art
The use of cryptographic systems to protect the security of information is well known in the art. These cryptographic systems involve an encryption algorithm and key to convert cleartext/plaintext into ciphertext (encryption), which can then be transmitted over any secure or insecure communications links, and a decryption algorithm and key for reconverting received ciphertext to cleartext/plaintext. Such cryptographic systems can either be symmetric, i.e., each entity has a copy of a common secret key, or asymmetric, i.e., only one entity possesses a private key, but the associated public key is made readily accessible to others, e.g., the public at large.
Traditional cryptographic systems have typically relied upon the common secret key system (symmetric cryptography) for the encryption and decryption of information transmitted over non-secure communications networks. There are distinct drawbacks to the use of symmetric cryptographic systems—perhaps the largest of which is the secure distribution of the common secret key(s) to intended recipient(s), particularly where the recipient audience is large. Another drawback is that if any copy of the common secret key is discovered or intercepted by an unintended entity, the confidentiality and authentication capability of the symmetric cryptographic system is effectively compromised, and new common secret keys would need to be generated and copies distributed to users.
In asymmetric or public key cryptography, the public and private keys are created simultaneously using the same algorithm. The private key is securely held by the entity that needs to decrypt data and/or authenticate its identity while the public key is made generally accessible to the public, e.g., as part of a digital certificate posted on a web site. Any entity can encrypt a message or document using the entity's public key so that only the entity possessing the private key can decrypt the message or document. The public key cryptographic system can also be used for entity authentication, i.e., the positive identification of one entity by another. For this scenario, the entity holding the private key uses it to transmit an encrypted signature, which is decrypted by the receiving entity using the corresponding public key. Successful decryption using the public key demonstrates the possession of the associated private key by the sender of the signature, and, therefore, the identity of the sender.
In a similar manner, public key cryptographic systems such as the Rivest-Shamir-Adleman (RSA) public key cryptographic system can be used for group authentication. There are many contexts in which a prescribed rule/policy defines one or more groups, wherein each group can be made up of one or more entities, that are authorized access to a protected resource and/or to perform a particular restricted function, task, action, transaction, or operation (collectively “operation”). For example, supervisory control and security concerns may dictate a prescribed rule/policy in connection with access to and use of any restricted facility and/or resources, e.g., a computer center's resources (the operation), that dictates that there must always be at least two employees, at least one of whom must be a manager, before access to and use of the computer center's resources is authorized. This rule/policy can be formulated as a Boolean Expression as follows (wherein MEi designates a managerial employee and NMEj designates a non-managerial employee):
(ME1 AND ME2) OR ((ME1 OR ME2) AND (NME3 OR NME4))
An inherent condition of the foregoing rule/policy is that non-managerial employees alone are not authorized to access and use the computer center's resources.
By way of further example, three applications {A1, A2, A3} resident on an integrated circuit card, e.g., a smart card, may be subject to a prescribed security rule/policy that states that only A1 and A2 in combination, or A1 and A3 in combination, can be used for transactions. This rule/policy is formulated as a Boolean Expression as follows:
(A1 AND A2) OR (A1 AND A3)
Conditions inherent in the foregoing rule are that A2 and A3 cannot be used in combination for transactions, nor can A1, A2, or A3 be used for transactions singly (or for that matter in combination with any other applications resident on the integrated circuit card).
Prior to any group being authorized to perform an operation in accordance with a prescribed rule/policy, the entity or entities comprising any group established in accordance with the prescribed rule/policy must be individually authenticated to confirm the identity of such entity or entities. To do otherwise would render the prescribed rule/policy a non sequitur. Group authentication, therefore, entails authenticating individual entities using a public key cryptographic system to confirm the identity of such individual entities, determining whether authenticated individual entities alone or in combination comprise a group or groups defined by a prescribed rule/policy, and authorizing any authenticated group satisfying the rule/policy to perform or implement the operation governed by the prescribed rule or policy. Thus, a Group Authentication protocol not only involves “authentication”, but concomitantly “authorizes” the implementation of a specific operation in the context of a prescribed rule/policy.
As disclosed above, it is known in the art to authenticate individual entities using a cryptographic system such as RSA. In accordance with such use, a verification entity would issue a random challenge as cleartext to such individual entities. Each individual entity would encrypt the random challenge as ciphertext using the individual entity's private key and provide such ciphertext to the verification entity. The verification entity would decrypt the ciphertext response of the individual entities using the corresponding public keys, thereby individually authenticating such entities. The verification entity would then correlate such authenticated entities against a prescribed rule or policy document, e.g., a look-up table, that establishes the one or more groups that are authorized to perform a specific operation in accordance with the prescribed rule/policy to determine whether the authenticated entities as a group comprise such an established group or groups, and, if so, authorizes such group or groups to perform the operation. This approach is disadvantageous inasmuch as the individual identities of the entities comprising the one or more groups are revealed to the verification entity such that a record exists of the specific entities comprising the one or more groups that are authorized to perform a specific operation. Further, the verification entity is in possession of the prescribed rule/policy document, which increases the likelihood that prescribed rule/policy will be compromised since the verification entity is presumed not to be a trusted entity. In addition, this scenario requires public-private key pairs for each entity, which significantly increases the computational workload and storage requirements imposed on the cryptographic system.
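The Boolean Expression rule/policy statements given above and the prior-art RSA challenge-response group authentication just described, as an added Python example that is not part of the patent text: the key pairs are constructed textbook-sized RSA values (toy, not secure), and the roster, policy strings and function names are assumptions. It shows why this approach reveals the individual identities to the verification entity and requires the verification entity to hold the rule/policy.

```python
import ast
import re
import secrets

PUBLIC_E = 17  # constructed toy public exponent shared by every key pair

def toy_keypair(p, q):
    """Textbook RSA from two small primes (constructed toy values, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, PUBLIC_E), pow(PUBLIC_E, -1, phi)  # ((n, e), d)

def authenticate(challenge, responses, public_keys):
    """Verifier step: each response is checked against that entity's public key.
    The returned set of identities is exactly the record the prior art leaks."""
    authenticated = set()
    for name, sig in responses.items():
        n, e = public_keys[name]
        if pow(sig, e, n) == challenge % n:
            authenticated.add(name)
    return authenticated

def policy_satisfied(policy, authenticated):
    """Evaluate a rule/policy Boolean Expression (AND, OR, parentheses over entity
    names) against the authenticated set; only BoolOp and Name nodes are walked."""
    expr = re.sub(r"\bAND\b", "and", re.sub(r"\bOR\b", "or", policy))
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):
            return node.id in authenticated
        if isinstance(node, ast.BoolOp):
            results = [walk(v) for v in node.values]
            return all(results) if isinstance(node.op, ast.And) else any(results)
        raise ValueError(f"unsupported policy syntax: {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval"))

def prior_art_group_auth(policy, present, roster):
    """Whole prior-art flow: random challenge, private-key responses, verification,
    then look-up against the verifier-held policy. Returns (authorized?, identities)."""
    public_keys = {name: pub for name, (pub, _) in roster.items()}
    challenge = secrets.randbelow(3000) + 2  # kept below every toy modulus
    responses = {name: pow(challenge, roster[name][1], roster[name][0][0]) for name in present}
    authenticated = authenticate(challenge, responses, public_keys)
    return policy_satisfied(policy, authenticated), authenticated

# Constructed roster: four employees, each with its own toy key pair.
ROSTER = {name: toy_keypair(p, q) for name, (p, q) in
          {"ME1": (61, 53), "ME2": (67, 71), "NME3": (73, 79), "NME4": (83, 89)}.items()}
COMPUTER_CENTER_POLICY = "(ME1 AND ME2) OR ((ME1 OR ME2) AND (NME3 OR NME4))"
```

The second element returned by prior_art_group_auth is the identity record the verification entity ends up holding, and the policy string must be given to the verifier for the look-up step to work at all.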
It is also known in the art to split a private key among the entities comprising one or more groups established in accordance with a prescribed rule/policy statement that is authorized to perform the specific operation governed by such prescribed rule/policy statement. The entities comprising such groups reconstruct the private key during the authentication process and the reconstructed private key is used by the verification entity to authorize entities comprising any authenticated group satisfying the rule/policy to perform an operation governed by the prescribed rule/policy statement. While this private key splitting technique is advantageous in that entities comprising any particular group are never individually identified during the authentication process, this technique is disadvantageous in that the private key is reconstructed during the authentication process such that the reconstructed private key is subject to compromise. As a general rule, any verification entity should be considered a non-trusted party in the context of an authentication process. Therefore, another disadvantage to the private key splitting technique is that the verification entity has access to the reconstructed private key during the authentication process, which increases the possibility that the reconstructed private key will be compromised.
A need exists to provide methods and systems for group authentication using public key cryptography in conjunction with a prescribed rule/policy statement that authorizes implementation or performance of an operation governed by the prescribed rule/policy by any authenticated group without identifying any entity comprising any such authenticated group, without revealing prescribed rules and policy statements, and without exposing private key material.