I recently ran across the notion of Identity Based Encryption (IBE) which seems like a novel idea. However, I haven't noticed many in the cryptography community attempting to find ways to break it. Am I wrong?
我最近遇到了基于身份的加密(IBE)的概念,这似乎是一个新颖的想法。但是,我没有注意到密码学界的许多人试图找到打破它的方法。我错了吗?
Likewise, I am of the belief that unless you can actually distribute open source implementations where the blackhat crowd can attack it, that it may not have merit?
同样,我相信除非你真的可以分发开源实现,黑帽人群可以攻击它,它可能没有价值?
I guess I would like to understand the experiences of the community-at-large in using this approach and how easy it is to incorporate into your application and distribute?
我想我想了解整个社区使用这种方法的经验,以及将它合并到您的应用程序和分发中是多么容易?
(Edit: here's a Wikipedia article on ID based encryption.)
(编辑:这是关于基于身份的加密的*文章。)
5 个解决方案
#1
I'm not clear what you're trying to ask, so I'm going to make up a couple things, and answer them. Let me know if I'm getting warm
我不清楚你要问的是什么,所以我要做几件事,并回答它们。如果我变暖,请告诉我
First, "identity based encryption" isn't really an encryption scheme so much as a key management scheme. In any public/private — or, technically, "asymmetric" — encryption, there are two keys. One of them is used to encrypt, one to decrypt, and they have the special property that if you know one of them, it's still exponentially hard (or thought to be exponentially hard) to construct the other one. So, I can for example encrypt a letter to you using my private key; I publish my public key. If you can decrypt the letter using the public key, you have assurance that I was the one who really sent it. This is the core idea of digital signing schemes.
首先,“基于身份的加密”实际上并不是一种加密方案,而是一种密钥管理方案。在任何公共/私人 - 或技术上,“非对称” - 加密中,有两个密钥。其中一个用于加密,一个用于解密,并且它们具有特殊属性,如果您知道其中之一,则构建另一个仍然是指数级硬(或被认为是指数级难)。所以,我可以使用我的私钥加密给你的一封信;我发布了我的公钥。如果您可以使用公钥解密该字母,您可以确保我是真正发送它的人。这是数字签名方案的核心思想。
The problem is that you have to have a way of generating and managing those keys, and that turns out to be hard, because the scheme is only as good as the protection you have on your private key. There are a number of methods for doing this.
问题是你必须有一种生成和管理这些密钥的方法,结果很难,因为这个方案只有你私钥上的保护。有很多方法可以做到这一点。
ID based encryption attempts to simplify this key management problem by proposing special algorithms that construct private keys from a known public piece of information: say an email address. To do this in a way that still makes it hard to figure out the private side, you need to have a trusted entity who constructs the private key based on some other secret they know. So, to establish your communications with someone who knows your email address. you go to the trusted provider and ask for the private key to be generated. The person you want to communicate with knows what provider you use, and gets a master public key from that provider.
基于ID的加密试图通过提出从已知公共信息构造私钥的特殊算法来简化此密钥管理问题:例如电子邮件地址。要以一种仍然难以找出私有方面的方式执行此操作,您需要拥有一个可信实体,该实体根据他们所知道的其他秘密构建私钥。因此,与知道您的电子邮件地址的人建立通信。您转到可信提供商并要求生成私钥。您要与之通信的人知道您使用的提供商,并从该提供商处获取主公钥。
Now, the person you want to send to can then generate the public side from your ID without knowing anything except some master key information from the provider; the key is never transmitted direction.
现在,您要发送给的人可以从您的ID生成公共端,除了来自提供商的一些主密钥信息之外不知道任何事情;关键是永远不会传播方向。
In other words, it looks like this: Alice wants to send email to Bob that's encrypted. They both trust a provider, Tom.
换句话说,它看起来像这样:Alice希望向加密的Bob发送电子邮件。他们都信任提供者,汤姆。
- Alice sends a request to Tom with her email address "alice@example.com", and gets back a private key P. There is a corresponding public key p, but Tom doesn't send that to anyone.
- Bob sends a request to Tom and gets Tom's master public key m.
- Alice encrypts her message "x" with her private key, giving {"x"}P. (That notation is just "message "x" "wrapped" or encryption with key P.) Alice then sends that message to Bob.
- Bon uses his knowledge of Alice's email address and Tom's master key m, and computes. p=f("alice@example.com", m). Now he applies the decryption decrypt({"x")P, p) and poof, out comes Alice's message.
Alice用她的电子邮件地址“alice@example.com”向Tom发送请求,并获回私钥P.有一个相应的公钥p,但Tom不会将其发送给任何人。
Bob向Tom发送请求并获取Tom的主公钥m。
Alice用她的私钥加密她的消息“x”,给出{“x”} P. (该符号只是“消息”x“”包裹“或用密钥P加密。)然后,Alice将该消息发送给Bob。
Bon使用他对Alice的电子邮件地址和Tom的主密钥m的知识,并进行计算。 p = f(“alice@example.com”,m)。现在他应用解密解密({“x”)P,p)和poof,out来自Alice的消息。
The thing about these schemes is that it simplifies some key management issues, but only somewhat. You still need to generate the keys, and what's worse, you have to really trust Tom, because he knows everything: he can generate your private key, and encrypt with it, making any message look like it came from you. What this means is that it creates an inherent key escrow scheme; your private key can be found out.
关于这些方案的问题在于它简化了一些关键的管理问题,但只是在某种程度上。你仍然需要生成密钥,更糟糕的是,你必须真正信任Tom,因为他知道一切:他可以生成你的私钥,并用它加密,使任何消息看起来像是来自你。这意味着它创造了一个固有的密钥托管方案;你的私钥可以找到。
Some ways this is good; it handles the problem of lost keys. But for most reasons people want to use encryption, it's bad. Now someone can subpoena Tom, or just beat him up, and get at your private data.
有些方面这很好;它处理丢失密钥的问题。但由于大多数原因,人们想要使用加密,这很糟糕。现在有人可以传唤汤姆,或者只是打败他,并获取你的私人数据。
The result is that ID based encryption alone is a nifty idea, but hasn't got a lot of a market.
结果是,仅基于ID的加密是一个很好的想法,但没有很多市场。
#2
Charlie is on the right track, but I want to emphasize some other points. (My comments were written based on an earlier, shorter version of Charlie's answer.) IBE is more a key-management scheme than an approach to encryption, and its approach to key management sweeps the important issues under the rug. Trying to use identity as the foundation is fraught with problems, because no one has a really good solution to verifying identity in electronic applications, whether on the net or in the physical world. Without a good solution to identity, these IBE schemes fall on their face once you stress the identities they rely on.
查理走在正确的轨道上,但我想强调其他一些观点。 (我的评论是基于较早版本的查理答案而编写的。)IBE更像是一种密钥管理方案,而不是一种加密方法,其密钥管理方法扫除了地毯下的重要问题。尝试使用身份作为基础充满了问题,因为没有人能够在电子应用程序中验证身份,无论是在网络上还是在物理世界中都有一个非常好的解决方案。如果没有一个良好的身份解决方案,一旦你强调他们所依赖的身份,这些IBE计划就会落在他们的脸上。
Most of the IBE systems I've seen any technical detail about really devolve to "trust the provider", which doesn't scale and doesn't provide real security when you really care about it. The provider endeavors to to establish identity over the network, and then acts as a trusted third party, holding the encryption keys for everyone. Relying on a trusted third party has many known weaknesses.
大多数IBE系统我已经看到任何关于真正转向“信任提供者”的技术细节,当你真正关心它时,它不会扩展并且不能提供真正的安全性。提供商努力通过网络建立身份,然后充当受信任的第三方,为每个人保留加密密钥。依赖可信赖的第三方有许多已知的弱点。
Modern cryptography is all about searching for ways to not have to rely on the third party. Web of trust is one approach, the main drawback is that it leaves key management to the end users and key management is expensive. Relying on certificate issuers is another approach, but there it's clear that the issuers are the trusted third parties. A few years ago, one of the major issues that all the browsers trusted went bust and was bought out of bankruptcy by a player who wasn't obviously trustworthy, making it clear that the weakness in that scheme is at the root of the certificate chains.
现代密码学就是在寻找不必依赖第三方的方法。信任网是一种方法,主要缺点是它将密钥管理留给最终用户并且密钥管理是昂贵的。依靠证书发行人是另一种方法,但很明显发行人是受信任的第三方。几年前,所有浏览器都信任的一个主要问题破产并被一个显然不值得信赖的玩家从破产中收购,明确表明该方案的弱点是证书链的根源。
#3
Identity based encryption would be difficult to pull off in an open source project, especially the kind that's not just free as in freedom, but free as in beer. As has been mentioned, the whole system relies on a trusted third party to issue keys. This takes infrastructure, for both hard and software, that is expensive to purchase and maintain. Additionally, it puts a lot of responsibility on the party that's doing the key issuing. People who use the system will expect the issuer to take responsibility when things go wrong (and they will); this kind of responsibility is not cheap, and is often infeasible for a open source project to take on.
在开源项目中,基于身份的加密很难实现,尤其是那种不仅像*一样免费,而且像啤酒一样免费的类型。如前所述,整个系统依赖于受信任的第三方来发布密钥。这需要硬件和软件的基础设施,购买和维护成本高昂。此外,它对正在进行密钥发布的一方承担了很多责任。使用该系统的人会期望发行人在出现问题时承担责任(他们会这样做);这种责任并不便宜,而且开源项目通常也是不可行的。
#4
Is there a particular scheme you have in mind? "Identity-Based Encryption" is quite a broad term.
你有什么特别的计划吗? “基于身份的加密”是一个相当广泛的术语。
But in any case, possibly you haven't seen so much attention because it's not cryptographically that special per se. General principles of cryptography will still apply, such as how many bits of entropy are there in the encryption key? what are the risks of collision attacks and other attacks based on having large volumes of plaintext/ciphertext if the same key is going to be used for an essentially indefinite period of time..?
但无论如何,可能你没有看到如此多的关注,因为它本身并不是加密的。密码学的一般原则仍然适用,例如加密密钥中有多少位熵?如果相同的密钥将在一个基本上无限期的时间内使用,那么基于具有大量明文/密文的冲突攻击和其他攻击的风险是什么?
#1
I'm not clear what you're trying to ask, so I'm going to make up a couple things, and answer them. Let me know if I'm getting warm
我不清楚你要问的是什么,所以我要做几件事,并回答它们。如果我变暖,请告诉我
First, "identity based encryption" isn't really an encryption scheme so much as a key management scheme. In any public/private — or, technically, "asymmetric" — encryption, there are two keys. One of them is used to encrypt, one to decrypt, and they have the special property that if you know one of them, it's still exponentially hard (or thought to be exponentially hard) to construct the other one. So, I can for example encrypt a letter to you using my private key; I publish my public key. If you can decrypt the letter using the public key, you have assurance that I was the one who really sent it. This is the core idea of digital signing schemes.
首先,“基于身份的加密”实际上并不是一种加密方案,而是一种密钥管理方案。在任何公共/私人 - 或技术上,“非对称” - 加密中,有两个密钥。其中一个用于加密,一个用于解密,并且它们具有特殊属性,如果您知道其中之一,则构建另一个仍然是指数级硬(或被认为是指数级难)。所以,我可以使用我的私钥加密给你的一封信;我发布了我的公钥。如果您可以使用公钥解密该字母,您可以确保我是真正发送它的人。这是数字签名方案的核心思想。
The problem is that you have to have a way of generating and managing those keys, and that turns out to be hard, because the scheme is only as good as the protection you have on your private key. There are a number of methods for doing this.
问题是你必须有一种生成和管理这些密钥的方法,结果很难,因为这个方案只有你私钥上的保护。有很多方法可以做到这一点。
ID based encryption attempts to simplify this key management problem by proposing special algorithms that construct private keys from a known public piece of information: say an email address. To do this in a way that still makes it hard to figure out the private side, you need to have a trusted entity who constructs the private key based on some other secret they know. So, to establish your communications with someone who knows your email address. you go to the trusted provider and ask for the private key to be generated. The person you want to communicate with knows what provider you use, and gets a master public key from that provider.
基于ID的加密试图通过提出从已知公共信息构造私钥的特殊算法来简化此密钥管理问题:例如电子邮件地址。要以一种仍然难以找出私有方面的方式执行此操作,您需要拥有一个可信实体,该实体根据他们所知道的其他秘密构建私钥。因此,与知道您的电子邮件地址的人建立通信。您转到可信提供商并要求生成私钥。您要与之通信的人知道您使用的提供商,并从该提供商处获取主公钥。
Now, the person you want to send to can then generate the public side from your ID without knowing anything except some master key information from the provider; the key is never transmitted direction.
现在,您要发送给的人可以从您的ID生成公共端,除了来自提供商的一些主密钥信息之外不知道任何事情;关键是永远不会传播方向。
In other words, it looks like this: Alice wants to send email to Bob that's encrypted. They both trust a provider, Tom.
换句话说,它看起来像这样:Alice希望向加密的Bob发送电子邮件。他们都信任提供者,汤姆。
- Alice sends a request to Tom with her email address "alice@example.com", and gets back a private key P. There is a corresponding public key p, but Tom doesn't send that to anyone.
- Bob sends a request to Tom and gets Tom's master public key m.
- Alice encrypts her message "x" with her private key, giving {"x"}P. (That notation is just "message "x" "wrapped" or encryption with key P.) Alice then sends that message to Bob.
- Bon uses his knowledge of Alice's email address and Tom's master key m, and computes. p=f("alice@example.com", m). Now he applies the decryption decrypt({"x")P, p) and poof, out comes Alice's message.
Alice用她的电子邮件地址“alice@example.com”向Tom发送请求,并获回私钥P.有一个相应的公钥p,但Tom不会将其发送给任何人。
Bob向Tom发送请求并获取Tom的主公钥m。
Alice用她的私钥加密她的消息“x”,给出{“x”} P. (该符号只是“消息”x“”包裹“或用密钥P加密。)然后,Alice将该消息发送给Bob。
Bon使用他对Alice的电子邮件地址和Tom的主密钥m的知识,并进行计算。 p = f(“alice@example.com”,m)。现在他应用解密解密({“x”)P,p)和poof,out来自Alice的消息。
The thing about these schemes is that it simplifies some key management issues, but only somewhat. You still need to generate the keys, and what's worse, you have to really trust Tom, because he knows everything: he can generate your private key, and encrypt with it, making any message look like it came from you. What this means is that it creates an inherent key escrow scheme; your private key can be found out.
关于这些方案的问题在于它简化了一些关键的管理问题,但只是在某种程度上。你仍然需要生成密钥,更糟糕的是,你必须真正信任Tom,因为他知道一切:他可以生成你的私钥,并用它加密,使任何消息看起来像是来自你。这意味着它创造了一个固有的密钥托管方案;你的私钥可以找到。
Some ways this is good; it handles the problem of lost keys. But for most reasons people want to use encryption, it's bad. Now someone can subpoena Tom, or just beat him up, and get at your private data.
有些方面这很好;它处理丢失密钥的问题。但由于大多数原因,人们想要使用加密,这很糟糕。现在有人可以传唤汤姆,或者只是打败他,并获取你的私人数据。
The result is that ID based encryption alone is a nifty idea, but hasn't got a lot of a market.
结果是,仅基于ID的加密是一个很好的想法,但没有很多市场。
#2
Charlie is on the right track, but I want to emphasize some other points. (My comments were written based on an earlier, shorter version of Charlie's answer.) IBE is more a key-management scheme than an approach to encryption, and its approach to key management sweeps the important issues under the rug. Trying to use identity as the foundation is fraught with problems, because no one has a really good solution to verifying identity in electronic applications, whether on the net or in the physical world. Without a good solution to identity, these IBE schemes fall on their face once you stress the identities they rely on.
查理走在正确的轨道上,但我想强调其他一些观点。 (我的评论是基于较早版本的查理答案而编写的。)IBE更像是一种密钥管理方案,而不是一种加密方法,其密钥管理方法扫除了地毯下的重要问题。尝试使用身份作为基础充满了问题,因为没有人能够在电子应用程序中验证身份,无论是在网络上还是在物理世界中都有一个非常好的解决方案。如果没有一个良好的身份解决方案,一旦你强调他们所依赖的身份,这些IBE计划就会落在他们的脸上。
Most of the IBE systems I've seen any technical detail about really devolve to "trust the provider", which doesn't scale and doesn't provide real security when you really care about it. The provider endeavors to to establish identity over the network, and then acts as a trusted third party, holding the encryption keys for everyone. Relying on a trusted third party has many known weaknesses.
大多数IBE系统我已经看到任何关于真正转向“信任提供者”的技术细节,当你真正关心它时,它不会扩展并且不能提供真正的安全性。提供商努力通过网络建立身份,然后充当受信任的第三方,为每个人保留加密密钥。依赖可信赖的第三方有许多已知的弱点。
Modern cryptography is all about searching for ways to not have to rely on the third party. Web of trust is one approach, the main drawback is that it leaves key management to the end users and key management is expensive. Relying on certificate issuers is another approach, but there it's clear that the issuers are the trusted third parties. A few years ago, one of the major issues that all the browsers trusted went bust and was bought out of bankruptcy by a player who wasn't obviously trustworthy, making it clear that the weakness in that scheme is at the root of the certificate chains.
现代密码学就是在寻找不必依赖第三方的方法。信任网是一种方法,主要缺点是它将密钥管理留给最终用户并且密钥管理是昂贵的。依靠证书发行人是另一种方法,但很明显发行人是受信任的第三方。几年前,所有浏览器都信任的一个主要问题破产并被一个显然不值得信赖的玩家从破产中收购,明确表明该方案的弱点是证书链的根源。
#3
Identity based encryption would be difficult to pull off in an open source project, especially the kind that's not just free as in freedom, but free as in beer. As has been mentioned, the whole system relies on a trusted third party to issue keys. This takes infrastructure, for both hard and software, that is expensive to purchase and maintain. Additionally, it puts a lot of responsibility on the party that's doing the key issuing. People who use the system will expect the issuer to take responsibility when things go wrong (and they will); this kind of responsibility is not cheap, and is often infeasible for a open source project to take on.
在开源项目中,基于身份的加密很难实现,尤其是那种不仅像*一样免费,而且像啤酒一样免费的类型。如前所述,整个系统依赖于受信任的第三方来发布密钥。这需要硬件和软件的基础设施,购买和维护成本高昂。此外,它对正在进行密钥发布的一方承担了很多责任。使用该系统的人会期望发行人在出现问题时承担责任(他们会这样做);这种责任并不便宜,而且开源项目通常也是不可行的。
#4
Is there a particular scheme you have in mind? "Identity-Based Encryption" is quite a broad term.
你有什么特别的计划吗? “基于身份的加密”是一个相当广泛的术语。
But in any case, possibly you haven't seen so much attention because it's not cryptographically that special per se. General principles of cryptography will still apply, such as how many bits of entropy are there in the encryption key? what are the risks of collision attacks and other attacks based on having large volumes of plaintext/ciphertext if the same key is going to be used for an essentially indefinite period of time..?
但无论如何,可能你没有看到如此多的关注,因为它本身并不是加密的。密码学的一般原则仍然适用,例如加密密钥中有多少位熵?如果相同的密钥将在一个基本上无限期的时间内使用,那么基于具有大量明文/密文的冲突攻击和其他攻击的风险是什么?
#5
Try it. Good and simple solution.
试试吧。好而简单的解决方案。