
On the Difficulty of Protecting Private Keys in Software

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2433))

Abstract

This paper makes a simple observation on the security of the "networked cryptographic devices resilient to capture" scheme, which was developed to protect a user's private key by software-only techniques. That scheme provides valuable features for the secure generation of digital signatures and the decryption of messages while keeping a password-protected private key on a user-controlled device. Its key idea is to rely on network connectivity, rather than on tamper resistance of the device, to secure the private key in software. However, we have found a few weak points that are not negligible. Protecting a private key in software turns out to be difficult even for a scheme with provable security. In this paper we describe these difficulties and propose possible solutions, and we augment the networked cryptographic devices accordingly.
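To make the idea summarized in the abstract concrete, the following is an added toy example (not code from the paper, and not the MacKenzie-Reiter construction itself) of a network-assisted, password-protected RSA signing key. The specific design here is an assumption chosen for illustration: the private exponent is split additively as d = d1 + d2 (mod lambda(n)), where d1 is re-derived from the password on the device and d2 is held by a server that only contributes its half after checking a password-derived verifier and that disables the key after a few failed attempts. The RSA parameters, salt, and messages are constructed and far too small for real use.

```python
import hashlib
import hmac
from math import gcd

# Toy RSA parameters (constructed for this example; much too small for real use).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael lambda(N)
D = pow(E, -1, LAM)                            # full private exponent; never stored anywhere


def _h(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 over the concatenated parts."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


def password_share(password: str, salt: bytes) -> int:
    """d1: the share the device re-derives from the password on every use.

    Nothing stored on the device depends on the password, so a captured device
    gives an attacker no way to test password guesses offline.
    """
    return int.from_bytes(_h(b"share", salt, password.encode()), "big") % LAM


def password_verifier(password: str, salt: bytes) -> bytes:
    """Token the server checks before contributing its share."""
    return _h(b"verify", salt, password.encode())


class Server:
    """Holds d2 = d - d1 and the verifier; the key is disabled after MAX_FAILS."""
    MAX_FAILS = 3   # assumed policy: every password guess is an online, countable event

    def __init__(self, d2: int, verifier: bytes):
        self._d2, self._verifier = d2, verifier
        self.fails, self.disabled = 0, False

    def partial_sign(self, verifier: bytes, h: int):
        if self.disabled:
            return None
        if not hmac.compare_digest(verifier, self._verifier):
            self.fails += 1
            if self.fails >= self.MAX_FAILS:
                self.disabled = True      # key disabling: the attacker's guesses are cut off
            return None
        return pow(h, self._d2, N)       # server's half of the signature


def enroll(password: str, salt: bytes) -> Server:
    """Split d between the device (via the password) and the server."""
    d1 = password_share(password, salt)
    d2 = (D - d1) % LAM
    return Server(d2, password_verifier(password, salt))


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(server: Server, password: str, salt: bytes, msg: bytes):
    """Device side: combine its password-derived half with the server's half."""
    h = _digest(msg)
    s2 = server.partial_sign(password_verifier(password, salt), h)
    if s2 is None:
        return None
    s1 = pow(h, password_share(password, salt), N)
    return (s1 * s2) % N                 # h^(d1+d2) = h^d  (mod N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(msg)


if __name__ == "__main__":
    salt = b"constructed-salt"
    srv = enroll("correct horse", salt)
    sig = sign(srv, "correct horse", salt, b"hello")
    print("valid signature:", verify(b"hello", sig))
    for guess in ("a", "b", "c"):
        sign(srv, guess, salt, b"hello")
    print("key disabled after guesses:", srv.disabled)
```

The point the example makes is the one the abstract attributes to the scheme: the device stores only the salt and public values, so capturing it yields nothing to attack offline, and the password can only be tested by querying the server, which can count and cut off attempts. The weaknesses the paper goes on to discuss concern exactly this trust placed in the server and the network path rather than in the device.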




© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kwon, T. (2002). On the Difficulty of Protecting Private Keys in Software. In: Chan, A.H., Gligor, V. (eds) Information Security. ISC 2002. Lecture Notes in Computer Science, vol 2433. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45811-5_2


  • DOI: https://doi.org/10.1007/3-540-45811-5_2


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-44270-7

  • Online ISBN: 978-3-540-45811-1

  • eBook Packages: Springer Book Archive
