1 optimal mail certificates in mail payment applications leon pintsov pitney bowes 2nd cacr...
TRANSCRIPT
1
Optimal Mail Certificates in
Mail Payment Applications
Leon Pintsov
Pitney Bowes2nd CACR Information Security Workshop
31 March 1999
2Pitney Bowes LAP
Talk outline Mail pre-payment application and Digital
Postage Marks DPM requirements /optimality criteria Choices Elliptic Curves Signatures and Certificates Optimal Mail Certificates DPM generation and Verification Comparisons and conclusion
3Pitney Bowes LAP
Mail Communication System
Postal sorting and delivery system
Sender
Receiver
Pitney Bowes LAP 4
Mail Item - Information-Based Payment Evidence-Digital Postage Mark (DPM)
MasterCard International 2000 Purchase StreetPurchase, NY 10577-2509
Pitney Bowes35 Waterview DrShelton CT 06484
Pitney Bowes LAP 5
Mail Item - DPM Generation
MasterCard International 2000 Purchase StreetPurchase, NY 10577-2509
Pitney Bowes35 Waterview DrShelton CT 06484
Computer Printer
to network
Pitney Bowes LAP 6
Mail Item - DPM Verification
MasterCard International
Pitney Bowes35 Waterview DrShelton CT 06484
Scanner
MasterCard International
Pitney Bowes35 Waterview DrShelton CT 06484
7Pitney Bowes LAP
DPM Content and Data Representation Plaintext
– Protected Data– Other Data
Ciphertext (Cryptographic Integrity Validation Code or CIVC)
Error Correction Code Data Representation
– Machine Readable– Human readable
Pitney Bowes LAP 8
DPM Security Cryptographic Integrity Validation Code
(signature with appendix)
Plain Text Data CIVC
9Pitney Bowes LAP
DPM generation Obtain Protected Data (PD)
– Postage Amount– Mail Item ID– Date– Other
Compute M = h(PD) [hash of Protected Data] Obtain mailer’s Private Key K Compute CIVC = CryptotransformationK (M) Format and print PD and CIVC
10Pitney Bowes LAP
DPM verification
Scan and interpret DPM Obtain plain text Protected Data PD1
Compute M1 = h(PD1) Obtain mailer’s Public Key PK Compute
M = CryptotransformationPK (CIVC)
Accept DPM if M = M1
11Pitney Bowes LAP
Requirements /optimization criteria CIVC cryptanalytic strength (e.g. > 280) Size (CIVC) should be minimal CIVC generation and verification algorithms
performance should match performance of fastest mail generation and processing equipment– generation at least 10 CIVC per second– verification at least 20 CIVC per second
DPM should contain all information required for verification including verification key
12Pitney Bowes LAP
Requirements /optimization criteria (2) Verifier should be able to verify several
possible restrictions based on DPM information (e.g. restricted privilege to print value above certain threshold)
CIVC size inflation due to improvements in computing power should be minimal (i.e. cryptanalytic strength per bit of CIVC should be maximal)
Combined cost of generating and processing mail should be minimal (including the cost of maintaining required infrastructure)
13Pitney Bowes LAP
Design Choices Asymmetric key schemes for CIVC
– with or without certificate in the DPM– signatures schemes
• with appendix• with message recovery
Symmetric key schemes for CIVC– MAC– Truncation
Data representation – 2-D Barcode (DataMatrix, PDF417)
Verification and key management infrastructure
14Pitney Bowes LAP
Elliptic Curve Cryptographic Scheme Elliptic curves can be defined over any
finite field Fq where q is a prime number or a power of a prime number.
When elliptic curves are applied to cryptography, standards bodies (e.g. IEEE, ANSI, ISO) have restricted q to a prime or a power of 2.
15Pitney Bowes LAP
Point Addition
(x2,
y2)
(x3, y
3)
(x1,
y1)
16Pitney Bowes LAP
Point Doubling
(x1, y
1)
(x3,y
3) = 2 (x
1,
y1)
17Pitney Bowes LAP
Point Multiplication
Point multiplication is a fundamental operation performed on an elliptic curve during execution of a cryptographic protocol
kP = P +P + …+ P k summands
18Pitney Bowes LAP
Elliptic Logarithm Problem
Given E(Fq), a point P and a point Q=kP, determine k
Systemwide Parameters:– E(Fq) is an elliptic curve with total number
of points N– P is a point on E of order n (n divides N)– n > 2160
19Pitney Bowes LAP
Optimal Mail Certificates Set Up Postal CA has a private key c, c is a positive integer
such that c < n and a public key b = cP Mailer A with identity IA (IA generated by Postal CA)
computes its private and public key:– A generates random integer kA, computes kAP and sends
point kAP to Postal CA
Postal CA does the following:– generates a random integer cA, 0 < cA < n, and
computes A = kAP + cAP.
– computes f = H (A || IA), where H is a hash function such as SHA-1
– computes mA = cf + cA mod n.
– sends A, mA, and IA to mailer A
20Pitney Bowes LAP
Optimal Mail Certificates Set Up
Mailer A computes his private key a:a = mA + kA mod n = cf + kA + cA mod n
and his public key QA:QA =aP = cfP + A
Note: 1. a is a function of IA, A , c , kA and cA
2. QA is a function of public parameters only
21Pitney Bowes LAP
Optimal Mail Certificate Quantity A is called Optimal Mail Certificate
(or OMC) and is a function of two random numbers independently generated by mailer (mailing system) and Postal certification authority.
A is imprinted within DPM and serves as an input to computation of the CIVC verification key QA
(together with the public key b of Postal CA,
mailer’s identity IA and hash value H (A || IA)).
22Pitney Bowes LAP
EC ElGamal signature with message recoveryGeneration Mailer A wants to generate DPM with
CIVC and send it to Post P:– Format Protected Data into message m– Generate random positive integer k < n and
compute K = kP– Format K into key L suitable to be a key for a good
symmetric encryption algorithm SKE
– Compute e = SKEL (m)
– Compute d = H(e || IA)
– Compute s = ad +k (mod n), – (s, e) is the signature. (s, e) = CIVC
23Pitney Bowes LAP
EC ElGamal signature with message recoveryVerification
Postal DPM verification operations:– Scan DPM and obtain IA, (s, e), A
– Compute verification key QA
– Compute d = H (e || IA)
– Compute R = sP - d QA and format R into symmetric key X
– Compute M = SKE-1X (e)
– Check redundancy of M and accept DPM if M has required redundancy
24Pitney Bowes LAP
Comments on OMC
OMC public key authentication can be integrated with ECC ElGamal or ECDSA signature generation to achieve computational efficiencies
Size of OMC is the size of the point on the curve that is [OMC] = 20 bytes
25Pitney Bowes LAP
Comparison (DPM size)
Bytes IBIP withRSA
IBIP withECDSA
EC withMR
EC w MRand OMC
PlainText
49 49 49 49
CIVC 128 40 20 20
OMC _ _ _ 20
Total 177 89 69 89
26Pitney Bowes LAP
IBIP DPM with certificate
IBIP DPM without certificate
Symmetric key OCR DPM
27Pitney Bowes LAP
Comparison (Computational Efficiency)
IBIP EC w MRand OMC
ECDSAwith OMC
DPMgeneration
t t t
DPMverification
T+u>2u u u
t is time to generate ECDSA, u is time to verify ECDSA,T is time to retrieve and verify traditional certificate
28Pitney Bowes LAP
Conclusion Optimal Mail Certificates deliver very
significant advantages for verification process and infrastructure compared to other known methods
Optimal Mail Certificates can be particularly effective in combination with ECC ElGamal signature with message recovery
OMC in combination with ECC ElGamal with message recovery deliver the best known combination of critical system parameters