[2842] in Kerberos
Re: non-repudiation
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Oct 6 22:48:42 1993
Date: Wed, 6 Oct 93 22:34:26 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: kerberos@MIT.EDU
In-Reply-To: Donald T. Davis's message of Wed, 6 Oct 93 00:36:26 EDT,

One can argue about the true reasons why no one has pursued private-key
signature schemes. At some level, this isn't important.

What is important is to recognize some of the tradeoffs inherent in
private-key signature schemes versus public-key schemes. The most
important one, in my opinion, is that in order for a signature to be
verifiable ten years after it has been signed, the authentication server
must keep at least one secret secure for that time period. (Note that
this is not true for electronic funds transfer applications.)

Now, it is true that there are all sorts of games one can play involving
some sort of time-notarization over the application message archive ---
but this only protects you against compromise of the authentication
server secret *IF* the time/date of the compromise is well known. It
still remains the fact that the assertion of non-repudiation is weakened
by the possibility that the KDC could have been compromised in a
non-detectable fashion.

However, there is a further problem which I hadn't thought of last
night. The time notarization only protects you against *compromise* of
the authentication server secrets; however, it does not protect you
against the *destruction* of the authentication server secrets. After
all, if the secret key of the authentication server is destroyed, it
will no longer be possible to verify the private-key signature, since
you won't be able to decrypt the private-key certificate.

Imagine the scenario that Alice sends to Bob a digitally signed
contract; five years later, Alice's computer center gets blown up
because it was in the computer room of the World Trade Center at just
the wrong time. Bob's digitally signed contract is now useless, because
it can't be verified anymore. It becomes even worse; if Alice does want
to repudiate her contract, she can just arrange for "accidents" to take
out the master and slave Kerberos servers in her realm, which are under
her control. (Sure, it's suspicious.... but proving what actually
happened may be difficult....)

For this reason alone, it seems fairly clear that you would not want to
run the non-repudiation service on Alice's Kerberos servers, but on a
third-party run authentication server, run by Charlie, that both Alice
and Bob trust to keep secure. But this becomes yet another trust
dependency weighing down on the non-repudiation claim of the private-key
signature system.

- Ted
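
The two failure modes argued in the message above, as an added sketch that is not part of the original message or of any Kerberos code: a simplified model in which an HMAC under the server's secret stands in for the encrypted private-key certificate. The `Arbiter` class, its methods, the timestamp and the sample contracts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


class Arbiter:
    """Simplified authentication server for a private-key signature
    scheme: one long-lived secret seals every certificate it issues."""

    def __init__(self, key=None):
        self._key = key if key is not None else os.urandom(32)

    @staticmethod
    def _seal(key, signer, message, signed_at):
        digest = hashlib.sha256(message).hexdigest()
        record = f"{signer}|{signed_at}|{digest}".encode()
        return hmac.new(key, record, hashlib.sha256).digest()

    def certify(self, signer, message, signed_at):
        """Bind signer, time and message digest under the server secret."""
        seal = self._seal(self._key, signer, message, signed_at)
        return {"signer": signer, "signed_at": signed_at, "seal": seal}

    def verify(self, cert, message):
        """Return 'valid', 'invalid', or 'unverifiable' (secret is gone)."""
        if self._key is None:
            return "unverifiable"
        expected = self._seal(self._key, cert["signer"], message,
                              cert["signed_at"])
        ok = hmac.compare_digest(expected, cert["seal"])
        return "valid" if ok else "invalid"

    def destroy_secret(self):
        self._key = None


def demo():
    contract = b"Alice agrees to pay Bob 100 units."  # constructed sample
    never_signed = b"Alice agrees to pay Bob 900 units."  # constructed sample
    server = Arbiter()
    cert = server.certify("alice", contract, 750000000)
    results = {"intact": server.verify(cert, contract),
               "tampered": server.verify(cert, never_signed)}
    # Undetected compromise: whoever holds a copy of the secret can seal a
    # contract Alice never signed, and it verifies exactly like a real one.
    copy_holder = Arbiter(key=server._key)
    forged = copy_holder.certify("alice", never_signed, 750000000)
    results["forged"] = server.verify(forged, never_signed)
    # Destruction: the genuine, unmodified certificate can no longer be checked.
    server.destroy_secret()
    results["after_destruction"] = server.verify(cert, contract)
    return results
```

Verification here always needs the live secret, which is why both its exposure and its loss bear on the non-repudiation claim.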