
Given a PKI infrastructure with a root node that signs CSRs for nodes Alice, Bob, and Carol. Is it possible for Alice to encrypt some information, store it publicly somewhere, and then later have Bob or Carol decrypt that information, without Alice, Bob, or Carol directly communicating?

The only thing they have in common is their PKI (each has their own private key, their own public key, and the root's public key), and the one-way transfer of ciphertext from Alice to the public storage, then on to Bob or Carol.

Neither Bob's nor Carol's public key is available to Alice (in the real problem, Bob and Carol don't yet exist but will in the future, after Alice has generated the ciphertext).

The root CA cannot participate in this other than as a typical signer; that is, we cannot ask the root to do the encryption/decryption for us.

Mike Edward Moras
Uncle Spook

2 Answers


This sounds like the scenario of identity-based encryption, or IBE.

In IBE, the ‘root CA’, called the private key generator or PKG in this scenario, doesn't handle encrypting or decrypting messages directly, but does have to furnish Bob and Carol with their respective private keys. As long as Alice knows the names Bob and Carol, and the long-term master public key of the PKG, Alice can send encrypted messages to Bob and Carol—even offline, without contact with the PKG. Then whoever can convince the PKG that they are named Bob or Carol will get a private key to decrypt those messages.

Of course, the PKG is a central point of failure: anyone who can compromise the PKG can decrypt all messages.

Squeamish Ossifrage

Sorry for the delay in responding. We've been busy with our Houston datacenters due to the hurricane. Anyway, here's the direction we're taking, FWIW:

  • I gave up on the idea of deriving some magical asymmetric key-pair from the PKI parameters, 'cuz, as you indicated, it's not possible. :-(
  • For the first pass we're just going with a trusted key store.
  • On the back burner I'm investigating threshold schemes, such as Shamir's secret sharing algorithm. When future Bobs and Carols "join" and get a certain level of trust, we recompute the shards for all. I'll probably come back here for your opinions at that time!

Thanx again!

Uncle Spook