Domain-Based Administration of Identity-Based Cryptosystems for Secure Email and IPSEC

 

Summary

 

In this paper the authors note that while cryptographic technologies for securing email and IP traffic exist (and have been around for some time e.g. PGP, S/MIME, and IPSec) these technologies are not widely deployed. The reason for this is the difficulty and inefficiency of establishing a large-scale PKI. The paper proposes the use of Identity-Based Cryptography (IBC) along with DNSSec to overcome some of the problems in deploying wide-scale PKIs. In IBC, there is no need to obtain the other party’s public key or certificate, instead the public key is based on the party’s name (hostname, or email address), and thus, it is known to all interested parties. However, IBC requires a trusted server (PKG) that securely stores a “Master Secret” and requires all endpoints to agree on some system parameters. Existing approaches for deploying IBC suffer from poor scalability, particularly for inter-domain scenarios. The paper proposes a solution where different administrative domains can deploy IBC with their own PKG, domain-parameters, and “salt values” (used for revoking identities). The paper extends DNSSec to support the publication of the domain parameters and salts. The authors implement an email client that uses their proposed system, and extend IPSec’s IKE to support IBC-based key exchange protocols, in order to enable IPSec with IBC.

 

 

 

Voting

Accept: 1

Weak Accept: 4

Weak Reject: 3

Reject: 0