Artifact 7132edf8cec073d704d1829507fe90c36bc85d47:
- File wiki/key-revocation.md — part of check-in [df70ba92ea] at 2019-03-09 22:50:25 on branch trunk — Use html parser to convert wiki files to md files (user: bernd size: 2916)
# Key Revocation #

Key revocation (for PKIs without certification authorities) is usually done
with a signature of the lost key, i.e. both the owner and the adversary can
revoke a compromised key.  However, the important function in case of a
revocation is declaring the successor key, which reestablishes trust.  To do
that, you must actually prove that you are the legitimate owner of the exposed
secret key, so how do you do that?  After all, the adversary has stolen
it!

Therefore, the requirements are as follows:

* Only the creator of the secret key can revoke it
* A thief of the secret key can't (i.e. further information is necessary)
* Revocation must present a trustworthy replacement key
* Third parties must trust both the revocation and the replacement key
  without another trustworthy instance, i.e. trusting only their communication
  partner

## Key Creation ##

I create two random numbers s1 and s2.  Using these numbers, I create
pubkeys p1=\[s1]base and p2=\[s2]base.  Points can be compressed to a
32-byte number using the compress() function, and then can be treated
as scalar values like \[s].  I compute \[s]=\[s1×compress(p2)] as "work
secret" (i.e. the secret key that is proving my identity), and
p=\[s]base, my pubkey.  I publish p and p1, which together are stored
as identity.  The assumption is that p1 can't be reversed to get s1,
and p won't reveal s.  An attacker who stole s can't guess s1, because
he doesn't have p2, and so it's even more difficult to get s2.  An
attacker who stole s can generate a new pair of p1, p2, but that would
give him a different identity (a suspicious identity, though).  After
generating the key, s1 is destroyed; it is no longer needed, though it
can be recomputed using s and p2 and the extended Euclidean algorithm.

## Proof of Creation ##

I keep s2 as an offline copy (it's just 64 hex digits or 40 base85
characters), and s as a protected online copy in my device; s is subject
to attacks and backdoors, and therefore at risk.  To revoke a key, I
publish p2, which the recipient can validate by \[compress(p2)]p1==p.

To sign a new key, I use s2 as signature key, i.e. the recipient can
use the just published p2 to verify the transition to the replacement
key.  Of course, the new key also has a signature with s, the old key.
The format of the revocation attribute is actually ‹new pubkeys: pnew,
p1new› ‹p2, sig using s2› ‹sig using snew› ‹date:never› ‹sig using s›.

Both signatures must have the same signing date, and a never expiration
date (a revocation doesn't expire).  The revocation is in the form of an
address, so if you look up the address of your contact in the DHT, and there's
a revocation, you'll find it.

An alternative way would be to create a signature key (which would be s2),
and use that to sign the working key.  Cross-signing would still prevent
identity theft if just the signature key is stolen.
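
The key creation and the recipient's revocation check described above, as an added example that is not part of the original file or the project's own code. It assumes the plain Ed25519 group with unclamped scalars and reads compress() as the standard 32-byte point encoding taken as a little-endian integer; all function names are illustrative.

```python
import secrets

# Assumption: standard Ed25519 group, no clamping (added example code).
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime group order
D = -121665 * pow(121666, -1, P) % P
BY = 4 * pow(5, -1, P) % P                            # base point y = 4/5
_xx = (BY * BY - 1) * pow(D * BY * BY + 1, -1, P) % P
BX = pow(_xx, (P + 3) // 8, P)
if (BX * BX - _xx) % P:
    BX = BX * pow(2, (P - 1) // 4, P) % P
if BX & 1:
    BX = P - BX
BASE = (BX, BY)

def add(a, b):
    """Complete twisted-Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """[k]pt by double-and-add (illustrative, not constant time)."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def compress(pt):
    """32-byte encoding (y plus sign bit of x), read as an integer."""
    return pt[1] | ((pt[0] & 1) << 255)

def create_identity():
    """Returns (s, s2, p, p1, p2); s1 is discarded, p2 stays unpublished."""
    s1, s2 = (secrets.randbelow(L - 1) + 1 for _ in range(2))
    p1, p2 = mul(s1, BASE), mul(s2, BASE)
    s = s1 * compress(p2) % L
    return s, s2, mul(s, BASE), p1, p2

def valid_revocation(p, p1, p2):
    """Recipient's check on a published p2: [compress(p2)]p1 == p."""
    return mul(compress(p2), p1) == p

def recover_s1(s, p2):
    """s1 = s / compress(p2) mod L (modular inverse, extended Euclid)."""
    return s * pow(compress(p2), -1, L) % L
```

The check only proves creation because recipients already hold the published pair (p, p1); a p2 that does not match that stored identity is rejected.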