Unfortunately, distributing the CA among multiple physical entities is easier said than done. Realize that the CA is characterized by the possession of the system secret, KiCA. In our distributed-CA model, who would possess this system secret? A trivial solution is to have each of the S nodes which form the virtual CA possess the system secret.
However, this approach has several problems. By having each of the S nodes possess the system secret, we have effectively created multiple instances of the same CA and not a distributed CA as we had intended. This approach also weakens the protection of the system secret, since it is available on multiple nodes and is therefore more exposed to compromise.
[Figure 8.2: Bluetooth Networks]
To achieve a virtual CA, we turn to threshold cryptography, also
known as threshold secret sharing, which works by distributing trust
among multiple nodes. In this approach, the system secret is divided
into Q parts such that any S (< Q) of these parts are enough to
carry out a cryptographic operation that would have been possible with
the system secret. (There are various
approaches to achieve this division but we do not go into the details
for reasons of brevity.)
Note that to carry out a cryptographic operation at least S parts of the system secret are required. A system employing threshold cryptography is therefore defined by the use of two parameters: Q and S. Q nodes possess shares of the system secret, and any S of these nodes can work in coalition as a CA.
This means that the system can tolerate a compromise of up to S-1 nodes without the security of the whole system being compromised. We now describe how threshold cryptography is extended to build a virtual CA in an ad hoc environment. We first divide the system secret, KiCA (the private key of the CA), into Q secret shares (k1, k2, ..., kQ).
A single share of the system secret by itself cannot be used to
provide any CA service. However, if S (< Q) such shares are
combined, they can be used to provide CA services. Each of these shares
is assigned or distributed to a server. (There is an interesting initialization
problem here which will be discussed later in this series.)
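As an added illustration (not code from the original text), the following Python sketch uses Shamir's polynomial secret sharing, one of the division approaches the text leaves out, to split a constructed stand-in for KiCA into Q = 5 shares with threshold S = 3, and then confirms that any 3 shares recover it while any 2 do not. The prime P and the names split_secret, reconstruct and threshold_demo are the example's own.

```python
import secrets
from itertools import combinations

# Prime modulus for the finite field; all arithmetic is done mod P.
# 2**127 - 1 is a Mersenne prime, large enough for this demonstration.
P = 2**127 - 1

def split_secret(secret: int, s: int, q: int):
    """Split `secret` into q shares of which any s reconstruct it.

    Shamir's scheme: pick a random polynomial f of degree s-1 with
    f(0) = secret, and hand server i the point (i, f(i)) as its share k_i.
    """
    if not 1 < s <= q < P:
        raise ValueError("need 1 < S <= Q < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(s - 1)]
    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, q + 1)]

def reconstruct(shares) -> int:
    """Recover f(0) by Lagrange interpolation over the given shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def threshold_demo(secret: int, s: int, q: int) -> dict:
    """Check that every S-subset rebuilds the secret and no (S-1)-subset does."""
    shares = split_secret(secret, s, q)
    enough = all(reconstruct(list(c)) == secret % P for c in combinations(shares, s))
    too_few = any(reconstruct(list(c)) == secret % P for c in combinations(shares, s - 1))
    return {"all_s_subsets_recover": enough, "any_s_minus_1_subset_recovers": too_few}

if __name__ == "__main__":
    # Constructed stand-in for the CA private key KiCA; Q = 5 servers, S = 3 threshold.
    KiCA = 0xC0FFEE1234567890ABCDEF
    print(threshold_demo(KiCA, s=3, q=5))
```

In a deployed threshold CA the shares are never reassembled on one node: each of the S servers computes a partial result on its own share and the partial results are combined, so no single server ever holds KiCA.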
The term server is used to refer to a node which will participate in forming the virtual CA. Servers in an ad hoc data network have the following special properties:
1. A server can be initialized securely with its share of the system secret, which allows it to act as a server.
2. A server knows the public keys of all nodes which can join the ad hoc network.
Now, consider an ad hoc network where node A wishes to communicate with node B securely. To do so, A needs to authenticate B. A could simply use a challenge-response system with PKC as follows:
1. A sends a challenge (a random number) to B.
2. B encrypts the challenge with its private key (KiB) to generate a response and sends it back to A.
3. A decrypts the response with B's public key (KwB) and compares the decrypted value with the challenge; if the two match, A concludes that it is communicating with B.