Ellipse-based Email Encryption

madlinguist writes: "Researchers connected with Stanford's Applied Crypto Group have developed a new method of identity-based encryption from spending too much time with ellipses. Named after two of the researchers, the Boneh-Franklin project was presented at Crypto 2001, where these researchers encouraged the crypto community to crack their open-source system. Best of all, the project's homepage allows you to try it on your own email address."

when are people going to learn?

[Anonymous Coward]

Identity-based PKI doesn't solve the problems it is purported to. IBE has a handful of really specialized applications, and is quite useless for the kind of widespread PKI that most of us are interested in.

IBE keeps being pushed as a way to solve the key distribution problem - the problem of determining someone's public key so that one can encrypt a message for them. Really the problem is not with finding someone's key, of course, but with making sure that one has the right key, and not a fake one. IBE solves this by making the public key a function of the identity. But it does this at the expense of requiring a central CA to generate everyone's private keys. Everyone has to trust this CA - it can decrypt everyone's messages, and in signature applications it can forge anyone's signature.

If everyone trusts a single CA, then there's an easier answer to the key distribution problem - the single CA just certifies everyone's public keys. This means everyone has to go to the CA to get anyone's public key, but the advantage is that the CA doesn't know anyone's private keys, and so doesn't have to be quite as trusted.

In addition to the trust issue, IBE introduces its own, much more serious, key distribution problem. The CA has to give all the private keys to their respective owners, without anyone else being able to eavesdrop, and it must be very sure that it gave each key to the right person and not to an imposter. In some specialized applications this is easy, but in most cases IBE is just replacing one key distribution problem with a more difficult one.

The system that these researchers provided the source for, for example, doesn't properly solve this problem. It needs to authenticate the user requesting a private key as being the actual owner of the email address they specified. It does this by emailing the private key to that email address - essentially, ability to read email sent to the address is what authenticates a user as the owner of that email address. This mechanism assumes that the email containing the private key can't be eavesdropped - an eavesdropper, who can receive email sent to the email address in question, passes the authentication. But if email can't be eavesdropped, then why did we want to encrypt our email in the first place?

One must also consider the increased damage that occurs if an IBE CA is compromised - all private keys ever used are compromised in one go. There's also a huge problem of replacing a compromised key.

Taken all together, IBEs just shouldn't be considered as a general-purpose PKI. I'm sure the researchers working on them understand this, but we keep getting organs such as Slashdot presenting IBE inappropriately, as something to solve all our PKI woes. Slashdot, and everyone else, please learn: IBE just isn't useful to your crypto-geek audience.

It has nothing to do with ellipses

[SIGFPE]

It uses elliptic curve crypto. It has nothing to do with ellipses. Elliptic curves are not ellipses and have absolutely nothing to do with ellipses. OK - they do have a historical connection with ellipses because elliptic curves arise out of the study of elliptic functions and elliptic functions can be used to find the arc-length of an ellipse. But really the use of the word 'elliptic' is just a historical accident.