Non-transferable signatures with PGP June 1998 Ian Brown Adam Back

Introduction To be sure e-mail messages have not been forged or tampered with, they should be signed . But do you want a message recipient to be able to prove to anyone what you have written?

To be sure e-mail messages have not been forged or tampered with, they should be signed .

But do you want a message recipient to be able to prove to anyone what you have written?

Secret key signatures You can sign a message by encrypting it with a key only you and its recipient know. If the message is changed in transit, it will not decrypt correctly.

You can sign a message by encrypting it with a key only you and its recipient know.

If the message is changed in transit, it will not decrypt correctly.

Public-key signatures Everyone has a pair of keys: A public key: published on home pages, etc. A private key: kept secret. Data signed with a private key can be verified with the associated public key. You cannot later deny signing the message. Only you possess the private key that could have made the signature.

Everyone has a pair of keys:

A public key: published on home pages, etc.

A private key: kept secret.

Data signed with a private key can be verified with the associated public key.

You cannot later deny signing the message. Only you possess the private key that could have made the signature.

Non-transferable signatures Non-transferable signatures can only be checked by people you designate. They use public-key techniques to share a secret key with the recipient, which is used to sign the message.

Non-transferable signatures can only be checked by people you designate.

They use public-key techniques to share a secret key with the recipient, which is used to sign the message.

Example Alice wants to send Bob a signed message. She chooses a random number to encrypt the message. She signs this number with her private key, then encrypts it with Bob’s public key. The result is sent to Bob along with the encrypted message.

Alice wants to send Bob a signed message. She chooses a random number to encrypt the message. She signs this number with her private key, then encrypts it with Bob’s public key. The result is sent to Bob along with the encrypted message.

Example Bob decrypts the signature with his private key, then verifies it with Alice’s public key. He can now be sure this random number came from Alice. If the message decrypts successfully with the random number, Bob knows it came from Alice.

Bob decrypts the signature with his private key, then verifies it with Alice’s public key. He can now be sure this random number came from Alice.

If the message decrypts successfully with the random number, Bob knows it came from Alice.

PGP Pretty Good Privacy is a widely-used standard for encrypting and signing data. A signed and encrypted PGP message: # Signed hash Session key Message data PK encrypted Session key encrypted

Pretty Good Privacy is a widely-used standard for encrypting and signing data.

A signed and encrypted PGP message:

PGP By signing a hash of the session key and the recipient’s public key instead, we have a non-transferable PGP signature. Session key Message data PK encrypted Session key encrypted Signed key

By signing a hash of the session key and the recipient’s public key instead, we have a non-transferable PGP signature.

Implementation Myself and Adam Back at Exeter University are busy implementing this in Java. Our design allows for other types of non-transferable signatures.

Myself and Adam Back at Exeter University are busy implementing this in Java.

Our design allows for other types of non-transferable signatures.

Conclusion Non-transferable signatures give the benefits of data authentication without compromising privacy. We hope to propose their inclusion in the next version of the IETF openpgp standard. http://www.cs.ucl.ac.uk/staff/I.Brown/sigs/

Non-transferable signatures give the benefits of data authentication without compromising privacy.

We hope to propose their inclusion in the next version of the IETF openpgp standard.

http://www.cs.ucl.ac.uk/staff/I.Brown/sigs/