Abstract
This paper makes a simple observation on the security of the networked cryptographic device resilient to capture, a scheme developed to protect a user's private key by software-only techniques. That scheme provides valuable features for the secure generation of digital signatures or the decryption of messages while retaining a password-protected private key on a user-controlled device. Its key idea is to exploit network connectivity, rather than tamper-resistance of the device, to secure the private key in software. However, we have found a few weak points that are not negligible: protecting the private key in software remains difficult even with provable security. We describe these difficulties and propose possible solutions in this paper, and augment the networked cryptographic device accordingly.
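The following is an added illustration of the problem the abstract refers to; it is not code from the paper or from the MacKenzie-Reiter scheme. It contrasts the software-only approach (a private exponent wrapped under a password-derived key on the device, which an attacker who captures the device can attack by offline dictionary search against the public key) with a simplified additive two-party RSA split in which the device keeps only public data and a network server holds the second share, so that every password guess costs a server round trip the server can count and refuse. The 60-bit RSA modulus, the salt, the password dictionary and the probe messages are constructed for the demonstration; the XOR wrapping and the unauthenticated server are simplifications, not the protocol in the paper.

```python
"""Added illustration (not the paper's or MacKenzie-Reiter's code): a
password-protected RSA private key held only in software falls to an offline
dictionary attack once the device is captured, whereas an additive two-party
split that leaves one share on a network server forces every guess online,
where the server can count and refuse them.  The 60-bit RSA modulus, salt,
password dictionary and probe message are constructed for the demo."""
import hashlib
import hmac

# --- toy RSA key pair (constructed; far too small for real use) ------------
P, Q = 1000000007, 998244353          # two primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                   # private exponent (Python 3.8+)

# Constructed inputs for the demonstration.
SALT = b"device-salt"
DICTIONARY = ["123456", "password", "letmein", "correct horse", "qwerty"]
REAL_PASSWORD = "correct horse"       # index 3 of DICTIONARY


def prf(password: str, salt: bytes, label: bytes) -> int:
    """Password-derived 256-bit integer: PBKDF2 (PKCS #5) then HMAC with a label.
    The iteration count is kept low so the demo attack finishes instantly."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000, dklen=32)
    return int.from_bytes(hmac.new(k, label, "sha256").digest(), "big")


# --- (a) software-only: private exponent stored under the password ----------
def wrap_key(password: str) -> dict:
    """Everything a captured device holds: public key, salt, and d masked by a
    password-derived pad (a simplified stand-in for PKCS #5 password encryption)."""
    return {"n": N, "e": E, "salt": SALT, "wrapped_d": D ^ prf(password, SALT, b"wrap")}


def offline_attack(captured: dict, dictionary: list) -> str:
    """Attacker verifies each guess locally against the public key: no server,
    no rate limit, so the search is bounded only by the password's entropy."""
    n, e = captured["n"], captured["e"]
    probe, target = 12345, pow(12345, e, n)
    for guess in dictionary:
        d_guess = captured["wrapped_d"] ^ prf(guess, captured["salt"], b"wrap")
        if pow(target, d_guess, n) == probe:     # the right d inverts the public operation
            return guess
    return ""


# --- (b) networked: d = d1 + d2 mod phi, with d2 kept on the server ----------
class Server:
    """Holds the second share and refuses to cooperate after too many requests."""
    def __init__(self, d2: int, max_requests: int):
        self.d2, self.max_requests, self.requests = d2, max_requests, 0

    def partial_sign(self, m: int) -> int:
        self.requests += 1
        if self.requests > self.max_requests:
            raise PermissionError("server locked: too many signing requests")
        return pow(m, self.d2, N)


def split_key(password: str, max_requests: int):
    """Device keeps only public data; d1 is recomputed from the password each time."""
    d1 = prf(password, SALT, b"share") % PHI
    d2 = (D - d1) % PHI
    return {"n": N, "e": E, "salt": SALT}, Server(d2, max_requests)


def sign(device: dict, server: Server, password: str, m: int) -> int:
    """m^(d1+d2) = m^d mod n: neither party alone holds d."""
    d1 = prf(password, device["salt"], b"share") % PHI
    return (pow(m, d1, device["n"]) * server.partial_sign(m)) % device["n"]


def verify(device: dict, m: int, sig: int) -> bool:
    return pow(sig, device["e"], device["n"]) == m % device["n"]


def online_attack(device: dict, server: Server, dictionary: list) -> str:
    """With the split, a captured device carries nothing password-dependent to
    test offline; each guess costs a server round trip that the server counts."""
    probe = 12345
    for guess in dictionary:
        try:
            if verify(device, probe, sign(device, server, guess, probe)):
                return guess
        except PermissionError:
            break                                 # server locked the account
    return ""


if __name__ == "__main__":
    print("offline attack on wrapped key finds:", offline_attack(wrap_key(REAL_PASSWORD), DICTIONARY))
    dev, srv = split_key(REAL_PASSWORD, max_requests=3)
    print("online attack on split key finds:", repr(online_attack(dev, srv, DICTIONARY)))
```

The split alone does not make the server able to tell a legitimate request from an attacker's guess, which is why the real protocols add proofs and revocation; the point shown here is only that the captured device no longer contains anything an attacker can test against the public key without talking to the server.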
References
M. Bellare and R. Sandhu, “The security of practical two-party RSA signature schemes,” Manuscript, 2001.
S. Bellovin and M. Merritt, "Encrypted key exchange: Password-based protocols secure against dictionary attacks," In Proceedings of the IEEE Symposium on Security and Privacy, pp.72–84, 1992.
S. Brands, Rethinking public key infrastructures and digital certificates, The MIT Press, p.11 and pp.219–224, 2000.
W. Ford and B. Kaliski, "Server-assisted generation of a strong secret from a password," In Proceedings of the International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, IEEE, June 2000.
R. Ganesan, “Yaksha: Augmenting Kerberos with public key cryptography,” In Proceedings of the ISOC Network and Distributed System Security Symposium, February 1995.
L. Gong, M. Lomas, R. Needham, and J. Saltzer, “Protecting poorly chosen secrets from guessing attacks,” IEEE Journal on Selected Areas in Communications, vol.11, no.5, pp.648–656, June 1993.
D. Hoover and B. Kausik, "Software smart cards via cryptographic camouflage," In Proceedings of the IEEE Symposium on Security and Privacy, 1999, http://www.arcot.com.
D. Jablon, “Password authentication using multiple servers,” LNCS 2020: Topics in Cryptology-CT-RSA 2001, Springer Verlag, pp.344–360, 2001.
T. Kwon, “Impersonation attacks on software-only two-factor authentication schemes,” IEEE Communications Letters, Vol.6, Iss.8, August 2002.
P. MacKenzie and M. Reiter, “Networked cryptographic devices resilient to capture,” In Proceedings of the IEEE Symposium on Security and Privacy, 2001, a full and updated version is DIMACS Technical Report 2001-19, May 2001.
R. Morris and K. Thompson, “Password security: a case history,” Communications of the ACM, vol.22, no.11, pp.584–597, 1979.
R. Perlman and C. Kaufman, “Secure password-based protocol for downloading a private key,” In Proceedings of the ISOC Network and Distributed System Security Symposium, February 1999.
PKCS #1, “RSA cryptography standard,” RSA Laboratories Technical Note, Version 2.0, 1998.
PKCS #5, “Password-based encryption standard,” RSA Laboratories Technical Note, Version 2.0, 1999.
R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol.21, pp.120–126, 1978.
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kwon, T. (2002). On the Difficulty of Protecting Private Keys in Software. In: Chan, A.H., Gligor, V. (eds) Information Security. ISC 2002. Lecture Notes in Computer Science, vol 2433. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45811-5_2
DOI: https://doi.org/10.1007/3-540-45811-5_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44270-7
Online ISBN: 978-3-540-45811-1