It is known from the state of the art to provide an access to specific resources via a network only upon messages on which a secret key operation was performed. Such a secret key operation can be in particular signing the message digitally with a secret key or decrypting a received encrypted message based on a secret key. For example, bank account payment transactions or the purchase of rights for a piece of digital content may be enabled on-line with digitally signed messages.
Methods for generating digital signatures on messages in a distributed manner are proposed for example in the document “Networked cryptographic devices resilient to capture” in Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 12-25, May 2001, by P. MacKenzie and M. K. Reiter. The presented methods are aimed at minimizing the impact of stolen devices by using a network server. They are based more specifically on function sharing between a device and a network server, e.g. on sharing a secret RSA signing key. For sharing a secret RSA (Rivest, Shamir and Adelman encryption) signing key d available at a device, the device provides a half-key d2 to an untrusted server. Whenever needed, the device can recover the complementary half-key d1 by asking the user to enter a password. The half-keys d1 and d2 satisfy the relation d=d1+d2(mod (N)), where N=pq is the RSA modulus, where p and q are different secret prime numbers available at the device, and where (N)=(p−1)(q−1). After the initialization process, the secret values d, p and q will be deleted at the device. The user can then generate a signature on a message m by requesting a partial signature md2(mod N) from the server. Thereafter, the device can compute the entire signature based on the generated second half-key d1 according to the equation md=md1*md2(mod N).
It is an underlying assumption of this method that there is only one device that uses the authorizations granted with a key pair d1, d2.
In some situations it might be desirable, however, to be able to use specific resources from several devices and/or by several users. An owner of a bank account which can be accessed on-line might wish to be able to access the account via several devices, for instance via a small mobile phone and a larger PDA (personal digital assistant). An owner of such a bank account might further wish to allow another person to access the account for a limited time at least to a limited extent.
A general approach for enabling a sharing of authorization is to define an authorization domain consisting of several personal devices. The authorization for a service is then granted to the domain, rather than to a specific device. A device is allowed access to the service if its membership in the authorization domain can be verified.
A more specific approach for enabling the use of resources from several devices has been proposed by the IETF sacred working group in “http://www.ietf.org/html.charters/sacred-charter.html”.
The IETF proposal aims at allowing users to utilize different user devices from which their authorizations can be used. To this end, two approaches are presented.
In the first approach, a user is enabled to create his/her credentials on one device and to securely upload them to a credential server. Thereafter, the user may download these credentials from the credential server to any device and use them there. The download process is controlled by an authentication of the user to the credential server. The authentication can be based in particular on passwords, since the user is not required to possess any personal device.
This first approach has the disadvantage that the credential server is an attractive point for attack. Further, depending on the details of the protocol, the credential server itself may have to be trusted to a high degree. For example, if the credentials are stored on the server encrypted with the user's password, the server will be able to mount a dictionary attack to recover the credentials. Moreover, in order to share the same resources among different users, the user to whom the credentials belong has either to enter his/her password personally to the device of another user, which is usually not possible, or to impart the password, which is usually not desired, since the password might be used also for other applications.
In the second approach presented by IETF, credentials are transferred directly from one user device to another user device. This approach has the disadvantage that it implies that a complete transfer of the credentials from one device to another is performed. That is, after the transfer, the credentials will not be usable in the original device any more. This prevents concurrent sharing of authorizations.
In both approaches, the devices receiving the credentials also have to be trusted to a large extent, since they receive the credentials in plain text. There is no transparent way to control what a client could do with the credentials, and it is not possible to revoke the authorizations granted to a client device. Thus, a partial sharing of authorization is not possible.