Intrusion-resilient digital signature key security in mobile/wireless networks

Posted on: 2004-04-13
Degree: Ph.D
Type: Thesis
University: Auburn University
Candidate: Zhang, Quanxing
GTID: 2458390011457040
Subject: Engineering

Abstract/Summary:

Digital signature schemes are fundamental cryptographic primitives. Digital signatures provide the foundation for many other information services such as non-repudiation, data origin authentication, and identification, to name a few. Knowledge of the private key of a signature scheme enables an adversary to forge valid signatures and thus break the scheme.

Mobile networks are more vulnerable to intrusion than fixed wired networks because the connection path is formed dynamically during communication. To protect dynamically formed mobile networks against intrusion, a coalition key-evolving scheme is proposed in this thesis. The proposed scheme treats the 3 entities in a dynamic path, foreign agents (FA), home agents (HA) and mobile agents (MA), as a coalition formed by each individual agent. Each agent has a pair of private and public keys. The private key evolves over time and the public key is signed by a certificate authority (CA). All private keys of the 3 agents of the coalition are needed to produce a signature, and all messages must be signed and verified. A signature is verified against a public key that is the product of the public keys of all the agents, which is readily generated when a new dynamic path is formed. This helps prevent an adversary from impersonation using a fake FA or MA. Furthermore, the key-evolving scheme prevents an adversary from forging past signatures under any circumstances. In order to forge future signatures, an adversary must compromise all of MA, FA and HA simultaneously due to a proactive refresh scheme.

An interactive proactive synchronization scheme among the agents is proposed for use when a new dynamic path is formed or private keys evolve to new states. Thus the loss of a mobile device or its information causes minimal information damage.

The proposed digital signature scheme is implemented within the realm of current public key infrastructure (PKI). An implementation that contains a certificate authority (CA), a registration authority (RA) and other components of a PKI is presented in the last part of the thesis. The implementation handles the generation of security keys and certificates for all the members of the PKI, and it is combined with LDAP (Lightweight Directory Access Protocol) to provide certificate and CRL (certificate revocation list) distribution services.

Keywords/Search Tags: Signature, Key, Scheme, Mobile, Networks