123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 |
- <!-- HTML header for doxygen 1.8.10-->
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
- <meta http-equiv="X-UA-Compatible" content="IE=9"/>
- <meta name="generator" content="Doxygen 1.8.11"/>
- <title>Intel® Enhanced Privacy ID SDK: Introduction to the Intel® EPID Scheme</title>
- <link href="tabs.css" rel="stylesheet" type="text/css"/>
- <script type="text/javascript" src="jquery.js"></script>
- <script type="text/javascript" src="dynsections.js"></script>
- <link href="navtree.css" rel="stylesheet" type="text/css"/>
- <script type="text/javascript" src="resize.js"></script>
- <script type="text/javascript" src="navtreedata.js"></script>
- <script type="text/javascript" src="navtree.js"></script>
- <script type="text/javascript">
- $(document).ready(initResizable);
- $(window).load(resizeHeight);
- </script>
- <link href="doxygen.css" rel="stylesheet" type="text/css" />
- <link href="epidstyle.css" rel="stylesheet" type="text/css"/>
- </head>
- <body>
- <div id="top"><!-- do not remove this div, it is closed by doxygen! -->
- <div id="titlearea">
- <table cellspacing="0" cellpadding="0">
- <tbody>
- <tr style="height: 56px;">
- <td id="projectalign" style="padding-left: 0.5em;">
- <div id="projectname"><a
- onclick="storeLink('index.html')"
- id="projectlink"
- class="index.html"
- href="index.html">Intel® Enhanced Privacy ID SDK</a>
-  <span id="projectnumber">2.0.0</span>
- </div>
- </td>
- </tr>
- </tbody>
- </table>
- </div>
- <!-- end header part -->
- <!-- Generated by Doxygen 1.8.11 -->
- </div><!-- top -->
- <div id="side-nav" class="ui-resizable side-nav-resizable">
- <div id="nav-tree">
- <div id="nav-tree-contents">
- <div id="nav-sync" class="sync"></div>
- </div>
- </div>
- <div id="splitbar" style="-moz-user-select:none;"
- class="ui-resizable-handle">
- </div>
- </div>
- <script type="text/javascript">
- $(document).ready(function(){initNavTree('EpidOverview.html','');});
- </script>
- <div id="doc-content">
- <div class="header">
- <div class="headertitle">
- <div class="title">Introduction to the Intel® EPID Scheme </div> </div>
- </div><!--header-->
- <div class="contents">
- <div class="toc"><h3>Table of Contents</h3>
- <ul><li class="level1"><a href="#EpidOverview_Roles">Roles</a><ul><li class="level2"><a href="#EpidOverview_Issuers">Issuers</a></li>
- <li class="level2"><a href="#EpidOverview_Members">Members</a></li>
- <li class="level2"><a href="#EpidOverview_Verifiers">Verifiers</a></li>
- </ul>
- </li>
- <li class="level1"><a href="#EpidOverview_Groups">Groups</a></li>
- <li class="level1"><a href="#EpidOverview_Keys">Keys</a><ul><li class="level2"><a href="#EpidOverview_Group_public_key">Group Public Key</a></li>
- <li class="level2"><a href="#EpidOverview_Issuing_private_key">Issuing Private Key</a></li>
- <li class="level2"><a href="#EpidOverview_Member_private_key">Member Private Key</a></li>
- </ul>
- </li>
- <li class="level1"><a href="#EpidOverview_Entity_interaction">Member and Verifier Interaction</a></li>
- </ul>
- </div>
- <div class="textblock"><p>Intel® EPID is a cryptographic protocol which enables the remote authentication of a trusted platform whilst preserving the user's privacy.</p>
- <h1><a class="anchor" id="EpidOverview_Roles"></a>
- Roles</h1>
- <p>In the Intel® EPID scheme, there are three roles: issuers, members, and verifiers.</p>
- <p>The entities in these roles interact with each other in such a way that a member can prove to a verifier that it is a trusted member of a group without disclosing the identity of the member. Groups are created and managed by the issuer.</p>
- <div class="image">
- <img src="epid_diagram_high_level_use_case.png" alt="epid_diagram_high_level_use_case.png"/>
- </div>
- <h2><a class="anchor" id="EpidOverview_Issuers"></a>
- Issuers</h2>
- <p>The issuer is responsible for managing group membership.</p>
- <p>The issuer manages groups by doing the following:</p>
- <ul>
- <li>Creates groups by generating one issuing private key and one group certificate for each group. The group certificate contains the group public key.</li>
- <li>Creates group members by generating unique Intel® EPID member private keys through bulk provisioning. Member private keys are created from the issuing private key for the group.</li>
- <li>Manages requests from prospective members to join existing groups by using the join protocol.</li>
- <li>Creates and maintains signature based revocation lists and private key based revocation lists. These lists of members no longer in good standing allow members to be dropped from a group.</li>
- <li>Creates and maintains group revocation lists.</li>
- <li>Makes group public keys and revocation lists available to verifiers.</li>
- </ul>
- <div class="image">
- <img src="epid_diagram_issuer_high_level.png" alt="epid_diagram_issuer_high_level.png"/>
- </div>
- <h2><a class="anchor" id="EpidOverview_Members"></a>
- Members</h2>
- <p>The member is the entity that attempts to anonymously prove its group membership to the verifier.</p>
- <ul>
- <li>Members are authorized by the issuer as part of a group.</li>
- <li>Each group member has a unique Intel® EPID private key, which corresponds to the group.</li>
- <li>The member uses its member private key to sign a message to prove group membership to the verifier without revealing the identity of the member.</li>
- </ul>
- <div class="image">
- <img src="epid_diagram_member_high_level.png" alt="epid_diagram_member_high_level.png"/>
- </div>
- <h2><a class="anchor" id="EpidOverview_Verifiers"></a>
- Verifiers</h2>
- <p>The verifier checks an Intel(R) EPID signature to establish whether it was signed by an entity or device that is a member in good standing.</p>
- <p>The verifier acts on behalf of a party that needs to know it is communicating with a trusted device. Verifiers obtain group certificates and revocation lists from issuers and negotiate details of signature protocol with members.</p>
- <p>A verifier can do the following:</p>
- <ul>
- <li>Confirm a member is in fact a member of a given group in good standing.</li>
- <li>Obtain group certificates and revocation lists from issuers.</li>
- <li>Negotiate details of signature protocol with members.</li>
- </ul>
- <div class="image">
- <img src="epid_diagram_verifier_high_level.png" alt="epid_diagram_verifier_high_level.png"/>
- </div>
- <h1><a class="anchor" id="EpidOverview_Groups"></a>
- Groups</h1>
- <p>An Intel® EPID group represents a set of trusted entities called members. Issuers create groups and manage group membership. For each group, the issuer creates a group public key simultaneously with the corresponding issuing private key. The issuer uses the issuing private key to create unique member private keys for each group member, and makes the group public key available to verifiers.</p>
- <p>All groups have the following:</p>
- <ul>
- <li>Group public key, which corresponds to the issuing private key kept by the issuer</li>
- <li>Signature based revocation list</li>
- <li>Private key based revocation list</li>
- <li>Member private keys, generated from the issuing private key</li>
- </ul>
- <p>If a signature based revocation list or private key based revocation list does not exist, it is assumed to be empty.</p>
- <h1><a class="anchor" id="EpidOverview_Keys"></a>
- Keys</h1>
- <p>The Intel® EPID scheme works with three types of keys: the group public key, the issuing private key, and the member private key. A group public key corresponds to the unique member private keys that are part of the group. Member private keys are generated from the issuing private key.</p>
- <p>Additionally, in the Intel® EPID scheme, a private key can be revoked given a signature created by that key, even if the key itself is still unknown. Group membership can be revoked and entire groups can be revoked. For more information on revocation, refer to <a class="el" href="SignVerifyTutorial.html#SignVerifyTutorial_Revocation_Group">Revocation</a>.</p>
- <h2><a class="anchor" id="EpidOverview_Group_public_key"></a>
- Group Public Key</h2>
- <p>The group public key is the key used by the verifier to confirm that a member belongs to a group in good standing. Each member private key in a group is associated with the group's public key.</p>
- <p>When a group is created, the group public key and the issuing private key are simultaneously generated by the issuer. The verifier obtains the group public key from the issuer.</p>
- <h2><a class="anchor" id="EpidOverview_Issuing_private_key"></a>
- Issuing Private Key</h2>
- <p>The issuing private key is the key used by the issuer to generate unique private keys for each member of a given group. For every group public key, there is a corresponding issuing private key. The issuing private key remains with the issuer and is kept private.</p>
- <h2><a class="anchor" id="EpidOverview_Member_private_key"></a>
- Member Private Key</h2>
- <p>The member private key is the key used by the member to digitally sign a message when attempting to prove to the verifier that the member belongs to the group and is in good standing.</p>
- <p>Unique member private keys are generated by the issuer for each member of a given group. The same group public key corresponds to each member private key in the group.</p>
- <h1><a class="anchor" id="EpidOverview_Entity_interaction"></a>
- Member and Verifier Interaction</h1>
- <p>Each Intel® EPID member uses its Intel® EPID private key to digitally sign a message. The resulting signature is called an Intel® EPID signature.</p>
- <p>The Intel® EPID verifier uses the group public key to verify the correctness of an Intel® EPID signature, i.e., to verify that the signature was indeed created by a member with a valid Intel® EPID private key.</p>
- <p>However, the Intel® EPID signature does not convey any information about which unique private key was used to create the signature.</p>
- <div class="image">
- <img src="epid_diagram_high_level_interaction.png" alt="epid_diagram_high_level_interaction.png"/>
- </div>
- </div></div><!-- contents -->
- </div><!-- doc-content -->
- <!-- HTML footer for doxygen 1.8.10-->
- <!-- start footer part -->
- <div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
- <ul>
- <li class="footer">
- © 2016 Intel Corporation
- </li>
- </ul>
- </div>
- </body>
- </html>
|