<!-- HTML header for doxygen 1.8.10--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/> <meta http-equiv="X-UA-Compatible" content="IE=9"/> <meta name="generator" content="Doxygen 1.8.14"/> <title>Intel® Enhanced Privacy ID SDK: Glossary</title> <link href="tabs.css" rel="stylesheet" type="text/css"/> <script type="text/javascript" src="jquery.js"></script> <script type="text/javascript" src="dynsections.js"></script> <link href="navtree.css" rel="stylesheet" type="text/css"/> <script type="text/javascript" src="resize.js"></script> <script type="text/javascript" src="navtreedata.js"></script> <script type="text/javascript" src="navtree.js"></script> <script type="text/javascript"> /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ $(document).ready(initResizable); /* @license-end */</script> <link href="doxygen.css" rel="stylesheet" type="text/css" /> <link href="epidstyle.css" rel="stylesheet" type="text/css"/> </head> <body> <div id="top"><!-- do not remove this div, it is closed by doxygen! --> <div id="titlearea"> <table cellspacing="0" cellpadding="0"> <tbody> <tr style="height: 56px;"> <td id="projectalign" style="padding-left: 0.5em;"> <div id="projectname"><a onclick="storeLink('index.html')" id="projectlink" class="index.html" href="index.html">Intel® Enhanced Privacy ID SDK</a>  <span id="projectnumber">6.0.1</span> </div> </td> </tr> </tbody> </table> </div> <!-- end header part --> <!-- Generated by Doxygen 1.8.14 --> </div><!-- top --> <div id="side-nav" class="ui-resizable side-nav-resizable"> <div id="nav-tree"> <div id="nav-tree-contents"> <div id="nav-sync" class="sync"></div> </div> </div> <div id="splitbar" style="-moz-user-select:none;" class="ui-resizable-handle"> </div> </div> <script type="text/javascript"> /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ $(document).ready(function(){initNavTree('_glossary.html','');}); /* @license-end */ </script> <div id="doc-content"> <div class="header"> <div class="headertitle"> <div class="title">Glossary </div> </div> </div><!--header--> <div class="contents"> <div class="toc"><h3>Table of Contents</h3> <ul><li class="level1"><a href="#Issuing_CA">CA public key</a></li> <li class="level1"><a href="#Glossary_Daa">DAA</a></li> <li class="level1"><a href="#Glossary_EllipticCurve">Elliptic curve</a></li> <li class="level1"><a href="#Glossary_EllipticCurvePoint">Elliptic curve point</a></li> <li class="level1"><a href="#Glossary_Group">Group</a></li> <li class="level1"><a href="#Glossary_Group_certificate">Group certificate</a></li> <li class="level1"><a href="#Glossary_GroupPublicKey">Group public key</a></li> <li class="level1"><a href="#Glossary_Epid">Intel® EPID</a></li> <li class="level1"><a href="#Glossary_EpidSignature">Intel® EPID signature</a></li> <li class="level1"><a href="#Glossary_Issuer">Issuer</a></li> <li class="level1"><a href="#Glossary_IssuingPrivateKey">Issuing private key</a></li> <li class="level1"><a href="#Glossary_Member">Member</a></li> <li class="level1"><a href="#Glossary_NameBasedSignature">Name-based signature</a></li> <li class="level1"><a href="#Glossary_MemberPrivateKey">Member private key</a></li> <li class="level1"><a href="#Glossary_NonRevokedProof">Non-revoked proof</a></li> <li class="level1"><a href="#Glossary_Pairing">Pairing</a></li> <li class="level1"><a href="#Glossary_Revocation">Revocation, revocation lists</a></li> <li class="level1"><a href="#Glossary_Verifier">Verifier</a></li> </ul> </div> <div class="textblock"><h1><a class="anchor" id="Issuing_CA"></a> CA public key</h1> <p>The CA (Certificate Authority) public key contains the ECDSA public key of the issuing CA. The verifier uses this key to authenticate that information provided by the issuer is genuine.</p> <h1><a class="anchor" id="Glossary_Daa"></a> DAA</h1> <p>Direct Anonymous Attestation (DAA) is a digital signature algorithm that supports anonymity by providing a group public verification key associated with many unique private signing keys. Intel® EPID enhances DAA by enabling a private key to be revoked given a signature created by that key, even if the key itself is still unknown.</p> <h1><a class="anchor" id="Glossary_EllipticCurve"></a> Elliptic curve</h1> <p>In elliptic curve cryptography, an elliptic curve is an algebraic structure used to create a function whose output is easy to compute, but whose input is difficult to compute given the output. Elliptic curve cryptography requires smaller keys compared to non-elliptic curve cryptography (based on Galois fields) to provide equivalent security.</p> <h1><a class="anchor" id="Glossary_EllipticCurvePoint"></a> Elliptic curve point</h1> <p>An elliptic curve point is a point along an elliptic curve. The security of elliptic curve cryptography depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points.</p> <h1><a class="anchor" id="Glossary_Group"></a> Group</h1> <p>An Intel® EPID group represents a set of trusted entities called members.</p> <p>Issuers create groups and manage group membership. For each group, the issuer creates a group public key simultaneously with the corresponding issuing private key. The issuer uses the issuing private key to create unique member private keys for each group member, and makes the group public key available to verifiers.</p> <p>All groups have the following:</p> <ul> <li>Group public key, which corresponds to the issuing private key kept by the issuer</li> <li>Signature based revocation list</li> <li>Private key based revocation list</li> <li>Member private keys, generated from the issuing private key</li> </ul> <p>If a signature based revocation list or private key based revocation list does not exist, it is assumed to be empty.</p> <h1><a class="anchor" id="Glossary_Group_certificate"></a> Group certificate</h1> <p>The group certificate contains the group public key. The group certificate is created by the issuer and obtained by the verifier. When the issuer creates groups, it generates one issuing private key and one group certificate for each group.</p> <h1><a class="anchor" id="Glossary_GroupPublicKey"></a> Group public key</h1> <p>The group public key is the key used by the verifier to confirm that a member belongs to a group in good standing. Each member private key in a group is associated with the group's public key.</p> <p>When a group is created, the group public key and the issuing private key are simultaneously generated by the issuer. The verifier obtains the group public key from the issuer.</p> <h1><a class="anchor" id="Glossary_Epid"></a> Intel® EPID</h1> <p>Enhanced Privacy ID (Intel® EPID) is a cryptographic protocol for attestation of a trusted platform while preserving the user's privacy. Intel® EPID can be used as a foundational building block for a multitude of security solutions.</p> <h1><a class="anchor" id="Glossary_EpidSignature"></a> Intel® EPID signature</h1> <p>An Intel® EPID signature is a type of digital signature that preserves anonymity of the signer, while still proving the signer is a member of a trusted group.</p> <h1><a class="anchor" id="Glossary_Issuer"></a> Issuer</h1> <p>The issuer is the entity in the Intel® EPID scheme that is responsible for managing group membership. Issuer APIs are not included in the SDK. An example of an issuer is the Intel Key Generation Facility. For sample issuer material, refer to <a class="el" href="_provisioning.html">Preparing a Device</a>. For tools that can help you if you choose to use iKGF as your issuer, refer to <a class="el" href="_issuer_material.html">Test Data</a>.</p> <p>The issuer manages groups by doing the following:</p> <ul> <li>Creates groups by generating one issuing private key and one group certificate for each group. The group certificate contains the group public key.</li> <li>Creates group members by generating unique Intel® EPID member private keys through bulk provisioning. Member private keys are created from the issuing private key for the group.</li> <li>Manages requests from prospective members to join existing groups.</li> <li>Creates and maintains signature based revocation lists and private key based revocation lists. These lists of members no longer in good standing allow members to be dropped from a group.</li> <li>Creates and maintains group revocation lists.</li> <li>Makes group public keys and revocation lists available to verifiers.</li> </ul> <h1><a class="anchor" id="Glossary_IssuingPrivateKey"></a> Issuing private key</h1> <p>The issuing private key is the key used by the issuer to generate unique private keys for each member of a given group. For every group public key, there is a corresponding issuing private key. The issuing private key remains with the issuer and is kept private.</p> <h1><a class="anchor" id="Glossary_Member"></a> Member</h1> <p>The member is the entity that attempts to prove its group membership to the verifier. Members are authorized by the issuer as part of a group and each group member has a unique Intel® EPID private key. The member uses its member private key to sign a message to prove group membership without revealing its identity. An example of a member is a PC with an embedded Intel® EPID member private key.</p> <h1><a class="anchor" id="Glossary_NameBasedSignature"></a> Name-based signature</h1> <p>A name-based signature is a type of signature that gives the verifier the ability to link Intel® EPID signatures from the same member, reducing the member's privacy.</p> <p>A name-based signature is created using the additional parameter of a basename. If a basename is not specified, a random number is chosen as the basename. If the member uses the same basename, the verifier can mathematically link signatures generated by the member, showing that the signatures are from the same member.</p> <h1><a class="anchor" id="Glossary_MemberPrivateKey"></a> Member private key</h1> <p>The member private key is the key used by the member to digitally sign a message when attempting to prove to the verifier that the member belongs to the group and is in good standing.</p> <p>Unique member private keys are generated by the issuer for each member of a given group. The same group public key corresponds to each member private key in the group.</p> <h1><a class="anchor" id="Glossary_NonRevokedProof"></a> Non-revoked proof</h1> <p>A non-revoked proof is part of an Intel® EPID signature that proves that the member is not a specific revoked entity in the signature based revocation list. The member provides the signature with a number of non-revoked proofs, one per revocation list entry, to prove to the verifier that the member does not correspond to any entry in the revocation list.</p> <h1><a class="anchor" id="Glossary_Pairing"></a> Pairing</h1> <p>Pairing is a mathematical operation that maps two elliptic curve groups to a third multiplicative group.</p> <h1><a class="anchor" id="Glossary_Revocation"></a> Revocation, revocation lists</h1> <p>Revocation lists are data structures used by the verifier to identify members that are no longer approved members of the group.</p> <p>The verifier obtains the member private key based revocation list (PrivRL), signature based revocation list (SigRL), and group based revocation list (GroupRL) from the issuer. The verifier can also maintain its own verifier blacklist (VerifierRL). Verifier blacklist revocation only works with name based signatures.</p> <h1><a class="anchor" id="Glossary_Verifier"></a> Verifier</h1> <p>The verifier is the entity that checks an Intel® EPID signature to establish whether it was signed by an entity or device that is a member in good standing.</p> <p>The verifier acts on behalf of a party that needs to know it is communicating with a trusted device. Verifiers obtain group certificates and revocation lists from issuers and negotiate details of signature protocol with members. </p> </div></div><!-- contents --> </div><!-- doc-content --> <!-- HTML footer for doxygen 1.8.10--> <!-- start footer part --> <div id="nav-path" class="navpath"><!-- id is needed for treeview function! --> <ul> <li class="footer"> © 2016-2017 Intel Corporation </li> </ul> </div> </body> </html>