ࡱ > q z bjbjt+t+ 2 A A p " ] t t t t P P P d d d d d D L d R+ c : * * * * * * * $ , - * i P A " c * =" t t y =" =" =" t V P * d d t t t t * =" =" ' r M* h P * Pud d i * A novel flexible approach to document encryption using a MathML extension to the W3C XML Digital Certificate Standard
Carsten Maple
University of Luton
Park Square, Luton
Bedfordshire. UK
carsten.maple@luton.ac.uk
Marc Conrad
University of Luton
Park Square, Luton
Bedfordshire. UK
marc.conrad@luton.ac.uk
Tim French
University of Luton
Park Square, Luton
Bedfordshire. UK
tim.french@luton.ac.uk
ABSTRACT
The growth of electronic communication between governmental offices highlights the need for sensitive information to be transmitted securely. The constant evolution of cryptographic techniques and standards has lead to a need for a flexible approach to encryption. This paper describes a framework that allows such a flexible approach and places it in the context of eGovernment.
KEYWORDS
Security, XML, MathML, Public-key Cryptosystems, eHealth, eGovernment
INTRODUCTION
The continuing global expansion of various e-mediated forms of human-computer discourse and trading as exemplified by B2C (Business to Consumer) and B2B (Business to Business) e-commerce and the advancement of eGovernment, has raised issues of trust and security for provider bodies as well as for on-line users and consumers of on-line products and services. Indeed one of the authors of this work has reported on trust issues as they specifically relate to the human computer interface component (French and Vile 2001). Others have recently attempted to extend this work through the construction of novel conceptual models of trust and security from a users viewpoint (Egger, 2002) or examined trust and security issues from a cross-cultural perspective (Jarnenpaa and Tractinsky, 1999). Aside from the user interface, where surface level content often engenders (or even perhaps seeks to manipulate) user trust and site credibility (Fogg et al, 2001), there is a need for e-mediated site-user discourse to be built on secure and tangible security platforms which encapsulate known security standards and protocols.
Users undoubtedly have rights in an eSociety to expect trustworthy, credible and accessible site content but also to trust that their own privacy is not compromised and that in general, that site content is managed and data exchanged in a secure manner. Tangible security measures help to ensure for example, that on-line purchases as well as real time messaging and data exchange is secure, hence trustworthy, across heterogeneous platforms. Most recently, W3C has sought to create a number of XML (Extensible Markup Language) led initiatives designed to support tangible security measures that are also inherently interoperable. Indeed, both the US Government and UK Governments have recently explicitly identified XML middleware delivery systems as being the mandatory architecture to be used to implement their ambitious eGovernment and eGIF (Government Interoperability Framework) initiatives; albeit that XML is still seen to be somewhat immature at present (GAO, 2002).
The increasing pervasive and wide influence of XML is clearly evident both within industry and academia in relation to core areas such as data/content management for e-commerce (Cagle, 2000) as well as leading edge areas such as the semantic-web initiative (Veltmann, 2002). Developing areas include, but are not restricted to: meta-data initiatives of various kinds (www.w3.org/TR/rdf-primer), RDBMS interoperability, XHTML for web-authoring, XML security and SET standards (Secure Electronic Transactions) as well as web-services and electronic data-exchanges of all kinds supported by the SOAP (Simple Objects Applications Protocol). Thus XMLs role as a common lingua franca for Computing as a discipline area cannot now be seriously ignored or questioned. This success story is due in part to the structural and syntactic simplicity of XML (comprising a hierarchical tree of container and elementary tagged elements) as well as the ease with which new variant dialects can be defined and established by the user community via schema definitions and namespaces. As Cagle (ibid) says the technology I am writing about today [XML] will be the plumbing for the world tomorrow. XML, together with associated helper technologies make for an ideal form of plumbing for security applications, where cross-platform support is essential, and where developers are free to self-select optimal transformational methods that are not constrained by specific languages or proprietary system considerations. Indeed, Java, JavaScript, C++, XSLT and DOM (Document Object Model) helper applications are commonly mixed and matched as required to implement XML enabled systems. It is perhaps no exaggeration to suggest that XML plumbing is now central to a vision of a secure and interoperable eSociety.
This paper goes on to present a novel extension to existing XML based security standards and in so doing seeks in a small way to support a trustworthy eSociety as e-mediated forms of discourse become an increasingly ubiquitous and pervasive part of users everyday lives in the 21st century. The kind of trust discussed here centres around tangible and secure cryptosystems designed to offer high levels of intrinsic security (hence trust) for on-line activities of all kinds for which XML is seen to be appropriate. The proposed framework offers greater flexibility in the choice of decryption technique but without requiring a wholesale revision of the entire security standard itself. XML markup is to be used not only (as at present) to specify the 'envelope', message, and digital signature, but also (via MathML) the choice of one-way function, hence decryption method. We go on to suggest and explicate the use of elliptic and hyper-elliptic curves and present a short worked exemplar MathML one way function by means of illustration. In principle, it is clear that any one way function may be defined and sent to the recipient of an encrypted message in this manner. However, it is suggested below that elliptic curves may well provide initial fertile territory for those seeking to use newer approaches. This is due to the intrinsically more complex function inversion and multidimensional input fields and solution spaces that elliptic curves offer.
Context of use : XML SET Digital Certificates in the NHS
One typical application area now being explored in the UK is eHealth, ( HYPERLINK http://www.nhsia.nhs.uk/erdip/pages/default.asp http://www.nhsia.nhs.uk/erdip/pages/default.asp) where it is self-evident that the privacy and security of electronic and web-mediated patient records is paramount, but where equally, timely and efficient access is needed for key stakeholder groups. These groups typically comprise key healthcare professionals (i.e. General Practitioner Surgeries, NHS Direct and Hospital Trusts) who all need to share this sensitive information across heterogeneous hardware and software environments. Various pilot ERDIP (Electronic Record and Development and Implementation Programme) related projects are now underway in the UK, with the intention for a full national roll at a later date. Similarly, other EU countries have built pilot systems to support eHealth using XML as their core (Blobel, 2001). Furthermore, the latest version of the H7 International Healthcare communications standard is currently being implemented using XML as a core component ( HYPERLINK http://www.hl7.org http://www.hl7.org).
Using eHealth as an instance, it can be seen that XML based solutions are increasingly likely to form the basis of many eGovernment and indeed commercial e-mediated systems. It is therefore perhaps both prudent and timely to re-examine the security of existing approaches in the context of our earlier discussion of trust issues within an eSociety. Our paper goes on to suggest ways in which current XML standards could be usefully made more flexible. We stress though that our paper suggests no more than a tentative add-on to the existing W3C XML standard for secure XML data exchange, rather than a wholesale revision. We now proceed to outline the technical basis and rationale for our suggested improvement to current methods.
Public-Key Cryptosystems
Cryptosystems fall into one of two categories: Private-Key Cryptosystems and Public-Key Cryptosystems. The former is the traditional method that has been in existence for a number of years and is also known as secret-key or symmetric-key, due to the fact that a single key is used for both encryption and decryption. It is vital that this key is kept private as anyone with the key can decrypt any encryption. A major problem, known as the key distribution problem, arises in such cryptosystems. The recipient must have a copy of the key to decrypt and issues arise concerning transmitting the key from the sender to the recipient without interception. A simple analogue of the situation can illustrate the problem. Consider Alice, who wishes to send a private parcel to Bob. She decides to put the parcel in a case locked using the key, for security which she now sends to Bob. In order for Bob to retrieve the parcel from the case he needs the key. Alice now has the problem of how to send Bob the key safely. Public-key cryptography overcomes this problem. Two keys are used in a public-key cryptosystem. One is used to lock the data and a different key used to unlock the data. Returning to Alice and Bob, Bob creates a padlock and matching key. Bob makes a number of padlocks available publicly but keeps the key to himself. Anyone wishing to send Bob a private parcel simply puts the parcel in a case using a copy of this padlock. When Bob receives a parcel, he can unlock it using the key that he has kept. The system relies on the assumption that although anybody can have a copy of the padlock, it would be very difficult for them to make a key for it.
In their seminal work of 1976, Whitfield Diffie and Martin Hellman (Diffie and Hellman, 1976) introduced the concept of public-key cryptography to the academic community. The concept is the same as explained in the case of Alice and Bob, only there is no physical padlock nor key. Rather there is a mathematical function that acts as a padlock. A number of systems have been developed that build upon this work. Any system relies on establishing an appropriate one-way function, a function easy to perform but difficult to invert. These public-key cryptosystems are generally only used to transmit secret keys for a private-key cryptosystem. That is, they provide a secure medium for key distribution.
Advances in hardware and algorithms will lead eventually to the reduction in the level of confidence in the security of algorithms for encryption. Many changes in government policy and acceptance of protocols have occurred over the last three decades. In the US, for example, the National Institute for Standards and Technology has in 2000 approved the use of certain elliptic curves for use with the Digital Signature Standard (NIST, 2000), a standard based upon the Diffie-Hellman protocol (see section 3 for more details of this protocol). In all there are 15 elliptic curves approved for use by NIST (Cipra, 2002).
There are essentially two bases for public-key cryptography. There is a class of one-way functions that rely on the discrete logarithm problem for the security of the private key and a class that relies on the difficulty in factoring large primes. We discuss three major cryptosystems before establishing common features and presenting the proposed framework in the next section.
3.1 The Diffie-Hellman Exchange Protocol
Diffie and Hellman presented a two way exchange that results in both parties having a secret key without risk of the message being read by an eavesdropper. The method utilises two public parameters a prime number p and a so-called generator g < p such that for all i, i = 1, ..., p-1 there exists k such that gk = i mod p. If Alice and Bob wish to exchange a message using the Diffie-Hellman method, they each need a public key. Alice and Bob generate a random private values a and b in {1, ..., p-2} respectively, and public values eA = ga mod p and eB = gb mod p respectively. Then Bob can receive a message m = gab without Alice ever sending a (she merely sends eA) and therefore protecting the message from being interpreted by anyone without either a or b. All that is known to any eavesdropper is ga mod p and gb mod p but not gab mod p. The security of the system is based upon the assumption that when the prime p is sufficiently large, it is difficult to find the secret key k = gab mod p from only ga mod p and gb mod p. This is a variation on the discrete logarithm problem (DLP) and provides Diffie-Hellman with its one-way function. The DLP can be expressed as given an element g in a finite group G and another element k in G, it is hard to find an integer x such that gx = k.
3.2 The RSA Algorithm
Rivest, Shamir and Adelman (Rivest et al, 1978) developed the RSA algorithm using an effective so-called one-way function, a function easy to perform but difficult to invert. It should be noted that recently British Intelligence revealed that the function had been found 5 years earlier by Clifford Cocks (Cocks, 1973) at GCHQ and indeed that his senior, Ellis, thought of the concept in 1970, some 6 years earlier than Diffie and Hellman (Ellis, 1970).
The RSA algorithm requires a modulus, n = pq, the product of two primes p and q. A public exponent, e, that is less than n and has no factors in common with (p - 1)(q - 1) other than 1. The private exponent, d, is a number such that (ed - 1) is divisible by (p - 1)(q - 1). The public key is then the pair (n, e) and the pair (n, d) is the private key. As required by Alice and Bob, it is currently difficult to obtain the private key from the public key. If one could factor n into p and q, then obtaining the private key would be a very simple matter and hence the assumption that factoring large primes is difficult is central to RSA. Much research has been undertaken in this field and "number sieves" have been found (see for example, Buhler et al, 1994, or Buchmann et al, 1994) that make the task easier but no significant breakthrough has considerably weakened RSA.
If Alice wants to communicate a plaintext message, m, to Bob, she creates ciphertext, c, by performing the operation c = me mod n, where (n, e) is Bob's public key, and sends that to Bob. Bob retrieves m by performing the operation m = cd mod n.
3.3 The ElGamal Algorithm
In 1985 an algorithm was proposed by ElGamal (ElGamal, 1985). It, like Diffie-Hellman, is based upon the discrete logarithm problem. The (public) parameters required for the ElGamal cryptosystem are a prime p and an integer g. The powers of g modulo p should generate a large number of elements (though not necessary all). Alice has a private key a and a public key e, where e = ga mod p, which is where we see the assumption that the private key is difficult to obtain from the public key.
If Bob wants to send a plaintext message, m, to Alice he must first generate a random number k < p. He then computes c1 = gk mod p and c2 = ekm mod p, and sends the pair (c1, c2) to Alice. To decrypt the message, Alice computes c1-a c2 mod p. This is equal to m, since c1-a c2 = g-akek m = e-k ek m = m mod p.
The Proposed Framework
We have highlighted three different public-key cryptosystems: Diffie-Hellman, RSA and ElGamal. We notice that each of these as presented are based on modular exponentiation in a ring. Each is well established and used widely used in this form. There has been lately a move away from exponentiation in a ring to multiplication on an elliptic curve. Elliptic curve cryptosystems were first proposed by Victor Miller (Miller, 1986) and (independently) by Neal Koblitz a year later (Koblitz, 1987). Instead of calculating gx, as in the three systems mentioned, the operation here is xg = g + g + + g where the addition is performed on a curve (see Menezes, 1995 or Blake et al.,1999). This addition is not as simple as modular exponentiation, but using this group gives the same security for a much shorter key-length. That is, it is even harder to invert modular exponentiation (at present anyhow). There exist implementations of analogues of each of the three cryptosystems of the previous section using elliptic curves instead of the modular ring.
Many cases are being made to advance the use of genus 2 hyperelliptic curves for the underlying group of computation (AREHCC, 2001). If this becomes the next standard to be used we can see that we will have three (major) systems, each with implementations using any of three different groups. Currently we might expect to see RSA encryption and ECRSA encryption, in time one can expect HECRSA, and then what is beyond this? We see that we can represent cryptosystems as a protocol (RSA, DH, etc.) along with some appropriate operation in a suitable finite abelian group (such as multiplication on an elliptic curve).
MathML is a XML specification for describing mathematics for machine to machine communication. The current version, MathML 2.0, to which we refer has been adopted by W3C in February 2001 (2nd edition December 2002). The MathML specification defines two types of elements (tags). Presentation elements are used for encoding mathematical notation and content elements used for encoding structural information. For the application in cryptography described here we use content elements as the aim is to express formulas which are evaluated by the encryption/decryption software.
Example 4.1: The semantics of the formula y = x - 2 using MathML content elements is as follows:
y
x
2
2
Note that the MathML expression is human-readable, however it is recommended by the authors of MathML that equation editors etc. should be used for generating this output. Several tools do exist or are under development (MathML, 2002).
The proposed framework links together the arithmetic of cryptosystems with the ability of MathML to express mathematical content. Figure 4.1 shows how cryptosystems are composed, and the levels which we use to represent encryption.
Our framework involves using XML with MathML to fully and flexibly describe the cryptosystem used for encryption (and thus to be used for decryption). The current standard of MathML allows specification of mathematical content by using special tags for content markup (as opposed to tags for presentation markup). It should be noted here that using content markup tags in our case allows a wide range of basic mathematical expressions to be encoded into XML, which we can use to define the group and the operation. In the context of cryptography the group elements are vectors over a suitable ring. For instance in RSA the vector is 1-dimensional, for (elliptic and hyperelliptic) curves it is 2-dimensional. Hence we transmit the decryption process such as m = cd mod n for RSA encryption, rather than sending a tag with value "RSA". We see here that transmitting the equation allows a more meaningful communication and also greater flexibility: we explicitly state that c is "operated on" d times. We would then send the operation and the group over which the operation is performed. For example, we might transmit an elliptic curve along with the set of equations (1) and (2) from section 5 to show how the operation is performed in that group. Essentially the framework uses MathML within an XML envelope to transmit:
The encryption/decryption process
The finite abelian group
The operation in that group
From Example 4.1 it is obvious that we can encode the necessary formulas for modular exponentiation and elliptic curve point addition (Blake, et al. 1 9 9 9 ) , s a y f o r t h e e l l i p t i c c u r v e y = x + 2 x + 3 :
= ( y 2 y 1 ) / ( x 2 x 1 )
x 3 = - x 1 x 2 f o r y 1 `" y 2
y 3 = ( x 1 x 3 ) x 3 y 1 ( 1 )
= ( 3 x 1 + 2 ) / 2 y 1
x 3 = - 2 x 1 f o r y 1 = y 2
y 3 = ( x 1 x 3 ) x 3 y 1 ( 2 )
S i m i l a r y w e c a n e x p r e s s t h e r u l e s f o r h y p e r e l l i p t i c c u r v e s u s i n g t h e e x p l i c i t f o r m u l a e i n ( L a n g e , 2 0 0 2 ) .
W h i l e M a t h M L i s s u i t a b l e f o r e x p r e s s i n g f o r m u l a e i t h a s l i m i t a t i o n s i n e x p r e s s i n g t h e s e m a n t i c s o f d o m a i n s . Especially the construction of a polynomial ring is not supported. However we show that the addition of one single tag, is sufficient to express the underlying group where the formulas can be evaluated.
Example 4.2: If we wish to use the elliptic curve y = x + 2x + 3 over the fini t e f i e l d F 1 2 1 w i t h 1 2 1 e l e m e n t s , t h e m a t h e m a t i c a l r e p r e s e n t a t i o n i s { ( x , y ) F 1 2 1 ; y = x + 2 x + 3 } . W e d i s c u s s f i r s t h o w t o d e c l a r e t h e s y m b o l F 1 2 1 . F o r t h i s p u r p o s e , w e u s e a s p e c i a l e l e m e n t <