|After authentication, certificates may be created by the Monitor. That
is, the monitor shall be used as an identity certification authority.
This results in the addition of three new commands to the protocol.
The GET_MONITOR_KEY command may be used to retrieve the
Monitor's public key modulus for signature verification purposes as
where n is the public modulus of the monitor's RSA key. The other portion, e is the exponent and is the number 65537, or 0x10001. The monitor also has a hidden private key, d. The monitor signs some value m using x = md mod n, where m < n. A system may subsequently decipher this value and check it using m = xe mod n. The value m must be sufficiently small to "fit" in n, and therefore typically represents the SHA-1 hash of a larger dataset.
The monitor also provides a method for anyone to get the certificate for any
system using the GET_CERTIFICATE command as follows:
where x is the requested participant's certificate signed by the Monitor. The Monitor has a certificate which may be obtained by issuing:
A system may certify itself with one key at any time to the Monitor, this is done by completing the normal authentication steps and then providing the Monitor with its public key information v and n using the MAKE_CERTIFICATE command as follows:
The certificate c is the SHA-1 hash of the concatenation of
v, then n (md.update(v);
md.update(n)) and x = cd mod n, or the
hash signed with the Monitor's RSA private key. The monitor saves
x. This value is returned by the Monitor after the
GET_CERTIFICATE command is executed.
|For desperados: ZKPTest.java|