Key Validation has been a neglected aspect of providing cryptographic security. Key Validation is the process whereby a claimed cryptographic key has arithmetic tests run against its components to ensure that the key is plausible, that is, that it conforms to the requirements specified during key generation. Use of bogus keys should be expected to produce bogus results, including loss of intended security by the owner and/or user.
Available as: RTF file (opens in Microsoft Word, among others) (82K); PostScript file (461K); zipped PostScript file (109K).
The following presentation--a simplified overview of why one cares about key validation--was given by Don Johnson at the ANSI X9F1 meeting in July of 1998.
Available as: RTF file (opens in Microsoft Word, among others) (10K); PostScript file (54K).
This presentation--a summary of advances and advantages of MQV and UM protocols--was given by Don Johnson at the ANSI X9F1 meeting in July of 1998.
Available as: RTF file (opens in Microsoft Word, among others) (4K); PostScript file (19K).
This presentation was given by Simon Blake-Wilson at the ANSI X9F1 meeting in July of 1998.
Available as: PostScript file (312K); zipped PostScript file (61K).
Public Key Validation (PKV) consists of arithmetic tests that help ensure that the components of a candidate public key conform to the key generation requirements of a standard. If an invalid public key is used, any intended security may be void. Each user in the Public Key Infrastructure (PKI) is responsible for deciding whether to seek assurance regarding the validity of a candidate public key or to accept the risks of using a possibly invalid public key. A CA may provide this assurance to its clients as part of its public key certification process.
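As an added illustration of the arithmetic tests the abstract above refers to (this is example code, not part of the page or of any P1363 document), the following checks a candidate finite-field Diffie-Hellman public key against its domain parameters: the range test rejects the trivial elements 0, 1 and p-1, and the subgroup test y^q mod p = 1 rejects elements outside the intended order-q subgroup, which is what stops a peer from learning bits of the private exponent through a small-subgroup key. The parameters p = 23, q = 11, g = 2 are constructed toy values, chosen only so that the arithmetic is easy to follow.

```python
# Added example: public key validation for a finite-field DH style key.
# Domain parameters below are constructed toys, not standard parameters.


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the small toy values used here."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13):  # enough for n < 3.4e12
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True


def validate_domain_params(p: int, q: int, g: int) -> bool:
    """p and q prime, q divides p-1, and g generates an order-q subgroup."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 2 <= g <= p - 2 and pow(g, q, p) == 1)


def validate_public_key(y: int, p: int, q: int) -> tuple[bool, str]:
    """Full public key validation: returns (ok, reason)."""
    if not isinstance(y, int):
        return False, "not an integer"
    # 0, 1 and p-1 have orders 1, 1 and 2: a shared secret computed from
    # them is predictable regardless of the private exponent.
    if y < 2 or y > p - 2:
        return False, "out of range [2, p-2]"
    # Membership in the order-q subgroup rules out small-subgroup keys.
    if pow(y, q, p) != 1:
        return False, "not in the order-q subgroup"
    return True, "valid"


if __name__ == "__main__":
    P, Q, G = 23, 11, 2  # constructed toy parameters: 22 = 2 * 11, 2^11 = 1 mod 23
    assert validate_domain_params(P, Q, G)
    for candidate in (0, 1, 22, 5, 4):
        print(candidate, validate_public_key(candidate, P, Q))
```

In the toy group, 4 = 2^2 passes both tests, while 5 is in the range but has 5^11 = -1 mod 23 and is rejected as a subgroup outsider.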
Available as: MS Word file (56K); PostScript file (138K); zipped PostScript file (35K); Adobe Acrobat (.pdf) file (44K).
The security of a signature scheme based on a hash function depends not only on the strength of the hash function, but also on the verifier's assurance that the correct hash function is applied during signature verification. In several schemes, this assurance is provided by a hash function "firewall", where a hash function identifier is included along with the hash value in the input to the signature primitive. The identifier is intended to prevent an opponent from causing a verifier to process an existing signature with a weak hash function, in an attempt to obtain a signature forgery. Despite this protection for existing signatures, we show that in several schemes it is possible for an opponent to exploit a weak hash function to forge new signatures. In particular, we show how to break the hash function firewalls in the ISO/IEC 9796-2 signature scheme, the ISO/IEC 14888-2 scheme based on Guillou-Quisquater signatures, a variant of DSA with a hash function identifier, and a version of the Bellare-Rogaway Probabilistic Signature Scheme (PSS). We also show how the version of PSS in the current draft of IEEE P1363a resists this kind of attack, without having an explicit hash function identifier.
Available as: MS PowerPoint file (145K); zipped PostScript file (221K); Adobe Acrobat (.pdf) file (297K).
A slide presentation on the potential to obtain a DSA secret key given only a bias in the high bit of the one-time keys uj.
Available as: TIF file (238K).