Jerzy Pejaś
West Pomeranian University of Technology
Publication
Featured research published by Jerzy Pejaś.
computer information systems and industrial management applications | 2014
Tomasz Hyla; Witold Maćków; Jerzy Pejaś
Certificate-based encryption (CBE) combines traditional public-key encryption and certificateless encryption. However, it suffers from the Denial of Decryption (DoD) attack, so named by Liu and Au. To capture this attack, they introduced a new paradigm called self-generated-certificate public key cryptography. In this paper we show that the problem of the DoD attack can be solved with a new implicit and explicit certificate-based public key cryptography paradigm. More importantly, we propose a concrete implicit and explicit certificate-based encryption (IE-CBE) scheme that defends against the DoD attack. This new scheme is an enhanced version of the CBE scheme and preserves all its advantages, i.e., every user is given an implicit certificate by the trusted authority as a part of a private key and generates his own secret key and corresponding public key. In addition, in the IE-CBE scheme the trusted authority has to generate an explicit certificate for a user with some identity and a public key. We prove that our scheme is IND-CCA2- and DoD-Free secure in the random oracle model, assuming the p-BDHI and k-CCA problems are hard to solve.
computer information systems and industrial management applications | 2013
Tomasz Hyla; Jerzy Pejaś
Group encryption schemes based on general access structures can be used to build advanced IT systems, which store and manage confidential documents. The paper proposes a reference architecture of public key cryptography infrastructure required to implement CIBE-GAS scheme. The CIBE-GAS scheme is a certificate-based group-oriented encryption scheme with an effective secret sharing scheme based on general access structure and bilinear pairings. The security architecture required to implement the scheme must be compliant with common standards and technical specifications, e.g. X.509 certificate format and XML-encryption standard for messages. In order to encrypt arbitrary-length messages, we also suggest a new CIBE-GAS-H scheme with a key encapsulation mechanism based on the techniques of Bentahar et al., and combined with one-time symmetric-key encryption.
Handbook of Information and Communication Security | 2010
Jerzy Pejaś; Adrian Skrobek
This chapter presents new possibilities for a design of chaotic cryptosystems on the basis of paradigms of continuous and discrete chaotic maps. The most promising are discrete chaotic maps that enable one to design stream ciphers and block ciphers similar to conventional ones. This is the result of the fact that discrete-time dynamic chaotic systems naturally enable one to hide relations between final and initial states. These properties are very similar to the requirements for stream ciphers and block ciphers; therefore, they enable one to design complete ciphers or their components.
Enhanced methods in computer security, biometric and artificial intelligence systems | 2005
Włodzimierz Chocianowicz; Jerzy Pejaś; Andrzej Ruciński
Electronic signatures are introduced by more and more countries as legally binding means for signing electronic documents with the primary hope of boosting e-commerce and e-government. The security of an electronic signature creation process is the crucial issue, especially in a distributed environment where the frameworks (forms) of finally signed documents are delivered by an entity other than the Signing Entity (SE). Usually, after the completion of such a form with the data specific for the SE, the final acceptance is performed via the encryption of the completed data hash value with the SE's private key. It is important to ensure the conditions under which the whole document, including the form (template) delivered by the Application Provider (AP), could be trusted. This is quite a different situation from the case of a stand-alone Secure Signature Creation Device (SSCD) separated from telecommunication channels during the signing procedure. The trust assigned to various APs can be limited, so the participation of a commonly accepted Trusted Party (TP) operating on-line can be the solution to that problem. The proposed cryptographic protocol is designed to fulfil the security requirements. It combines asymmetric and symmetric cryptographic means. The SE, after the completion of the form delivered by the AP, sends it back to the AP for examination of the formal correctness of the Data to Be Signed. The next steps of the protocol require the Signature Service Provider (SSP) confirmation of those data. That confirmation is transmitted directly to the SE, and after the mutual authentication of the SSP and the SE the secure channel is established and the secure electronic signature is created with the usage of the technical component (TC) being at the SE's disposal. The final transfer of the signed document to the AP depends on an individual SE's decision preceded by the verification of an obtained signature.
International Conference on Cryptography and Security Systems | 2014
Imed El Fray; Tomasz Hyla; Mirosław Kurkowski; Witold Maćków; Jerzy Pejaś
Mobility of users and information is an important feature of IT systems that must be considered during the design of sensitive information protection mechanisms. This paper describes an architecture of the MobInfoSec system for sharing documents with sensitive information using fine-grained access rules described by general access structures. However, the proper usage of general access structures requires trusted components and strong authentication protocols. They allow secure communication channels to be established between different system components. In the paper we propose a conference protocol based on Boyd’s ideas with key transport and key establishment mechanisms. We show that the protocol achieves three goals: (a) the key and participants’ mutual authentication, (b) the common secure communication channel, and (c) the personal secure communication channels between the protocol initializer and other protocol participants.
Artificial intelligence and security in computing systems | 2003
Jerzy Pejaś
The paper contains a proposal of an access control policy description language to support security and management of distributed systems. This policy language is based on the declarative, object-oriented Ponder language presented in Damianou [DDL00]. The language is flexible, expressive and extensible to cover the wide range of requirements implied by the current distributed systems paradigms. The additional extensions included in Ponder allow us to implement a certificate-based access control system, which has been formally specified by Kurkowski et al. [KUP02].
Artificial intelligence and security in computing systems | 2003
Mirosław Kurkowski; Jerzy Pejaś
The goal of this paper is to pursue a proposal of the logic-based model for interpreting the basic events and properties of the distributed access control systems. We provide a convenient formal language, an axiomatic inference system, a model of computation, and semantics. We prove some important properties of this logic and show how our logical language can express some access control policies proposed so far.
International Multi-Conference on Advanced Computer Systems | 2016
Tomasz Hyla; Jerzy Pejaś
In the traditional Public Key Infrastructure (PKI), a Certificate Authority (CA) issues a digitally signed explicit certificate binding a user’s identity and public key to achieve this goal. The main goal of introducing an identity-based cryptosystem and certificateless cryptosystem was avoiding certificates’ management costs. In turn, the goal of introducing an implicit certificate-based cryptosystem was to solve the certificate revocation problem. Certificate and pairing based cryptography is a new technology, and at present that technology mainly exists in theory and is being tested in practice. This is in contrast to PKI-based cryptography, which is an established and widespread technology. New types of cryptographic schemes require new non-standard certification models supporting different methods of public key management, including their generation, certification, distribution and revocation. This paper takes a closer look at the most prominent and widely known non-standard certification models and discusses their properties and related issues. Also, we survey and classify the existing non-standard certification models proposed for digital signature schemes that use bilinear pairings. Then we discuss and compare them with respect to some relevant criteria.
Przegląd Elektrotechniczny | 2015
Tomasz Hyla; I. El Fray; Witold Maćków; Jerzy Pejaś
Current trends in information system design show that users should have access to services provided by information systems on their mobile devices. Because many information systems store sensitive information, appropriate protection mechanisms must be deployed. This paper presents the software libraries (APIs) that can be used to implement pairing-based systems on mobile devices. The variety of mobile devices makes it necessary to design a generic trust infrastructure that allows a system that uses pairings to be implemented efficiently. There are two basic paradigms that can be used: client-server or cloud-based. The analysis of the pros and cons of the architectures showed that it is faster and easier to implement a pairing application using the cloud-based approach, mainly because of the lower number of components required to implement, e.g., the library containing pairing calculations must be prepared for only one operating system instead of many that use different technologies. The tests conducted using a cloud-based demonstrator showed that, in the case of document signing and verification with an auxiliary server instead of the mobile device, the pairing calculation time is marginally short in relation to the time required to retrieve documents from a remote location. Summary. Current trends in information system design show that the user should have access to IT system services via mobile devices. Where sensitive information is stored in information systems, appropriate security mechanisms must be deployed. The article presents software libraries (APIs) that make it possible to implement systems using bilinear pairings on mobile devices. The variety of mobile devices makes it necessary to design a general trust infrastructure, in particular when bilinear pairings are assumed to be used.
The article analyses two basic approaches, based on the client-server model and on a cloud-based model. Tests based on a demonstrator using the cloud model showed that the pairing computation time when signing and verifying a digital signature is very small in relation to the time needed to download files from remote servers. (Implementation of a cryptographic trust infrastructure based on bilinear pairings in a mobile environment).
Archive | 2005
Stefan Berczyński; Yury A. Kravtsov; Jerzy Pejaś; Adrian Skrobek
This paper discusses mixing of some non-linear chaotic maps, e.g. a logistic equation and a tent mapping, as a simplified method for information encryption and decryption. A ciphertext is obtained by the iteration of defined mixing chaotic maps from an initial state. Because the secure control parameters of these chaotic mappings are modulated according to the currently encrypted plaintext, the proposed cipher algorithm can be treated as a homophonic substitution cipher with an encryption key defined by the initial state of the built-in chaotic maps and some additional parameters. The resulting cipher algorithm is investigated against typical attacks on classical encryption schemes. The objective of these attacks is to recover plaintext from ciphertext or to deduce the decryption key. In this paper we study the exhaustive key search attack and find that this attack is not efficient as a practical attack on the proposed cipher. A similar conclusion applies to some classical attacks, e.g. ciphertext-only attacks and known-plaintext attacks.