1. Field of the Invention
The present invention relates to a security method using an electronic signature, and more particularly, to a security method using an electronic signature, which effectively authenticates a signature through a mediator and guarantees a forward security.
2. Description of the Related Art
A security system is typically composed of an authentication system and a data encryption system. Although other systems exist, encryption systems are generally classified into a secret key (referred to as ‘symmetric key’) system and a public key (referred to as ‘asymmetric key’) system. The secret key system, namely the symmetric key system, uses the same key for encryption and decryption. In the secret key system, the secrecy of the key must be maintained so that only authorized persons know and possess the common secret key.
In general, a public key based encryption scheme is widely used to perform an electronic signature. Such a scheme uses a pair of keys: one is made public so that anyone may use it, whereas the other is kept secret by its owner. The former is referred to as the ‘public key’, whereas the latter is referred to as the ‘secret key’.
The secret key is the key with which its owner signs, and it should be held in a storage medium that protects its secrecy. In contrast, the public key is the key a verifier uses to verify a signature.
Here, a problem arises in judging whether or not the public key used for verification is valid. To solve the problem, a certificate authority (CA) issues a public key certificate attesting to its validity.
The public key certificate contains the public key, a valid period and the signature of the CA. The CA attests to the validity of the public key during the prescribed valid period.
However, even a certificate normally issued by the CA may be revoked. To detect this case, a signature verifier must always confirm whether or not the corresponding certificate has been revoked, which means the verifier must check the certificate revocation list (CRL) every time a signature is verified. This is costly: in mobile communication, for example, the verifier consumes bandwidth to transmit data, so transmitting the CRL is expensive.
Moreover, although a public key certificate may be revoked at any moment during its valid period, it is registered on the CRL only at the system's update time, so a gap arises between the actual revocation time and the time at which the revocation becomes visible.
A mediated Rivest, Shamir, and Adleman (mRSA) digital signature scheme was suggested to solve this cost problem and the problem of confirming certificate revocation.
FIG. 1 is a view that illustrates a conventional security method in an mRSA scheme. With reference to FIG. 1, the mRSA scheme adopts a semi-trusted party (SEM) 30 as a mediator for the authentication of a public key, even though the SEM 30 is less trustworthy than a CA 10.
In the mRSA scheme, the authority party 10 generates a secret key d and a public key e. The secret key d is divided into a user key du, used in the user terminal device 20, and a computation key ds, used in the semi-trusted party 30. That is, d, du and ds satisfy the relation d = du + ds. Only when both secret key pieces are present can the secret key of the original signature take effect. When the user terminal device 20 wants to generate a signature, it calculates a message hash value h and transmits it to the SEM 30. Assuming that H is an appropriate hash function, h = H(m).
Next, the SEM 30 confirms whether or not the certificate used by the user terminal device 20 has been revoked. Only when the certificate has not been revoked does the SEM 30 perform its calculation: it signs the transmitted hash value h of m using ds, calculates the SEM-side signature value PSs ≡ h^ds mod n, and transmits it to the user terminal device 20.
The user terminal device 20 calculates the user-side signature value PSu ≡ h^du mod n using du, generates the signature from PSu and the PSs received from the SEM 30, and confirms the validity of the generated signature.
That is, the user terminal device 20 calculates h′ ≡ PS^e ≡ (PSs*PSu)^e mod n. When h′ is identical to h, the user terminal device 20 accepts and uses PS (= PSs*PSu mod n) as a valid signature.
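The mRSA exchange described above, as an added worked example that is not code from the patent: the CA splits d into du and ds, the SEM refuses to produce PSs when the user's certificate is on the revocation list, and the user combines PSs with PSu and checks h′ = PS^e mod n before accepting the signature. The primes, certificate identifiers and revocation list are constructed for illustration and are not from the original.

```python
# Toy mediated RSA (mRSA) signing/verification: added worked example, not the patent's code.
# Assumptions: the two primes are small constructed values for illustration only
# (real deployments use 2048-bit moduli); certificate ids and the revoked set are placeholders.
import hashlib
import secrets
from typing import Optional, Set, Tuple

P, Q = 1000000007, 998244353        # constructed toy primes, NOT production size
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                           # public key e
D = pow(E, -1, PHI)                 # full secret key d, generated by the CA

def split_key(d: int, phi: int) -> Tuple[int, int]:
    """CA step: split d into the user key du and the SEM computation key ds,
    with d = du + ds (mod phi), so that neither piece alone can sign."""
    du = secrets.randbelow(phi - 2) + 1
    ds = (d - du) % phi
    return du, ds

def hash_message(m: bytes) -> int:
    """h = H(m): SHA-256 reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sem_partial_sign(h: int, ds: int, cert_id: str, revoked: Set[str]) -> Optional[int]:
    """SEM step: check the user's certificate against the revocation list;
    refuse if revoked, otherwise return PSs = h^ds mod n."""
    if cert_id in revoked:
        return None                 # revoked: no partial signature, hence no valid signature
    return pow(h, ds, N)

def user_sign(m: bytes, du: int, ps_s: int) -> Optional[int]:
    """User step: compute PSu = h^du mod n, combine it with PSs from the SEM,
    and self-verify with h' = PS^e mod n before accepting the signature."""
    h = hash_message(m)
    ps_u = pow(h, du, N)
    ps = (ps_s * ps_u) % N
    h_prime = pow(ps, E, N)
    return ps if h_prime == h else None

def verify(m: bytes, signature: int) -> bool:
    """Any verifier: the signature is valid when signature^e mod n equals H(m)."""
    return pow(signature, E, N) == hash_message(m)
```

Because d = du + ds mod φ(n), h^du · h^ds ≡ h^d mod n, so the combined value verifies with the ordinary public key e while a single piece does not.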
On the other hand, apart from the aforementioned mRSA scheme, forward security is an issue in general electronic signature generation and verification schemes. For example, if a certificate was revoked in 2000 and a user wants to forge a document dated 1999, the public key certificate is recognized as valid for dates prior to the revocation, so a verifier cannot judge the validity of the document. Forward security can prevent such a problem.
In the aforementioned mRSA scheme, there is no way to prevent the secret key pieces ds and du from being exposed. To solve this problem, a weak forward secure mRSA scheme has been suggested. Here, ‘weak’ means that the forward security problem is solved only when just one of the two pieces ds and du making up the secret key is exposed.
However, since the SEM is not perfectly reliable, ds is a key that may be exposed. If an attacker of the system acquires ds during a period i and conspires with a malicious user, they can easily obtain any signature they need.
As a result, once ds is exposed, a needed signature can be obtained through the conspiracy of the attacker and the user, leaving the system in a defenseless state in which the forward security is not effective.