Re: Forward secrecy from two RNGs
From: Henrick Hellström (henrick.hellstrm_at_telia.com)
Date: 06/06/04
- Next message: Phil Carmody: "Re: Entropy Loss in Hashing"
- Previous message: pixelwit: "re:I encrypted it, can you decrypt it?"
- In reply to: Henrick Hellström: "Re: Forward secrecy from two RNGs"
- Next in thread: Henrick Hellström: "Re: Forward secrecy from two RNGs"
- Reply: Henrick Hellström: "Re: Forward secrecy from two RNGs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 05 Jun 2004 22:35:30 GMT
> Michael Amling wrote:
>
>> I'd worry less if
>> compromise of Carol's data didn't depend on a single point of failure,
>> namely Carol's RNG. (The prospect of Sue's long-term private key and
>> Sue's RNG both being compromised doesn't really worry me, and Sue's
>> data is not as valuable as Carol's.)
I don't think you can (or should try to) get around Carol's need for a
high quality RNG. If Carol has neither a long-term private key nor a
CSPRNG, Carol will be a deterministic system with no unknowns and you are
toast.
You can however create a protocol that remains secure if either but not
both of Sue's long-term private key or Sue's (underlying) RNG is
compromised. The solution that comes to mind is to use long-term RSA
keys, and SHA-1 hash the concatenation of the RSA signature (with
application specific padding if the RSA key is used for other purposes
as well) of the other party's protocol messages so far together with
output from the (underlying) RNG and use that as the ephemeral private key.
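A toy model of the construction sketched above, added here as an illustration and not part of the original message: Sue's ephemeral private key is SHA-1 over the concatenation of a deterministic RSA signature of the transcript so far and fresh RNG output, and the key can only be reproduced by someone holding both the signing key and the RNG output. The RSA key is built from two Mersenne primes and is far too small for real use, `PADDING_LABEL` stands in for the application-specific padding the post mentions, and the transcript and RNG bytes in the usage are constructed; everything here is an assumption of the example, not the post's own code.

```python
"""Toy model of "ephemeral key = SHA-1(RSA_sign(transcript) || RNG output)".

Constructed example. The RSA key below is a toy (two Mersenne primes,
textbook RSA, ~216-bit modulus) and must never be used for anything real.
"""
import hashlib

# --- toy long-term RSA key (constructed, NOT secure) -------------------------
P = 2**127 - 1                      # Mersenne prime M127
Q = 2**89 - 1                       # Mersenne prime M89
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi) == 1 for these primes
N_LEN = (N.bit_length() + 7) // 8   # signature length in bytes

# Stand-in for the "application specific padding" the post mentions: a domain
# separator so signatures made for key derivation can never be confused with
# signatures the same key produces for other purposes. Constructed label.
PADDING_LABEL = b"ephemeral-key-derivation-v1:"


def rsa_sign(transcript: bytes, d: int = D, n: int = N) -> bytes:
    """Deterministic textbook RSA signature over SHA-1(label || transcript).

    The digest is 160 bits and n is ~216 bits, so m < n and no further
    encoding is needed in this toy.
    """
    m = int.from_bytes(hashlib.sha1(PADDING_LABEL + transcript).digest(), "big")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(transcript: bytes, sig: bytes, e: int = E, n: int = N) -> bool:
    """Check that sig is the signature of this transcript under the public key."""
    m = int.from_bytes(hashlib.sha1(PADDING_LABEL + transcript).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == m


def derive_ephemeral_private(sig: bytes, rng_output: bytes) -> int:
    """x = SHA-1(signature || RNG output); x is the ephemeral DH/ECDH exponent."""
    return int.from_bytes(hashlib.sha1(sig + rng_output).digest(), "big")


def sue_ephemeral_private(transcript: bytes, rng_output: bytes) -> int:
    """What Sue computes: she holds both the signing key and her RNG output."""
    return derive_ephemeral_private(rsa_sign(transcript), rng_output)


def attacker_recovers(transcript: bytes, rng_output: bytes,
                      knows_key: bool, knows_rng: bool, guess: bytes) -> bool:
    """Can an attacker with the given knowledge reproduce Sue's ephemeral key?

    Whatever the attacker lacks is replaced by `guess`: without d they cannot
    compute the signature (RSA assumption), without the RNG output they can
    only guess it. The transcript itself is public in either case.
    """
    sig = rsa_sign(transcript) if knows_key else guess
    rng = rng_output if knows_rng else guess
    return derive_ephemeral_private(sig, rng) == sue_ephemeral_private(transcript, rng_output)


if __name__ == "__main__":
    # Constructed sample inputs: a protocol transcript and 32 bytes of "RNG output".
    transcript = b"Carol->Sue: ClientHello | Sue->Carol: ServerHello"
    rng_output = bytes(range(32))
    guess = bytes(N_LEN)

    sig = rsa_sign(transcript)
    assert rsa_verify(transcript, sig)
    print("signature deterministic:", sig == rsa_sign(transcript))
    print("key-only compromise recovers x:", attacker_recovers(transcript, rng_output, True, False, guess))
    print("RNG-only compromise recovers x:", attacker_recovers(transcript, rng_output, False, True, guess))
    print("both compromised recovers x:   ", attacker_recovers(transcript, rng_output, True, True, guess))
    # Because the signature is deterministic, a stuck RNG plus a stolen key
    # means the same ephemeral key for every session with this transcript.
    print("fresh RNG output gives a fresh key:",
          sue_ephemeral_private(transcript, rng_output) != sue_ephemeral_private(transcript, bytes(32)))
```

The signature over the transcript also binds the ephemeral key to what the other party actually sent, so the RNG output alone never determines the key; the flip side, visible in the last print, is that the signature is deterministic, so forward secrecy still rests on the RNG producing fresh output per session.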