Re: DH Question

From: Peter Fairbrother (zenadsl6186_at_zen.co.uk)
Date: 06/29/04 

Date: Tue, 29 Jun 2004 12:12:50 +0100

David Oxley wrote:
 
[The answers you wanted are: No. No benefit. Sign the whole.]

> It's not too difficult to see how a key exchange protocol like SKEME*
> works in order to securely negotiate a session key with PFS
> properties, but that relies on the ability to interact with the other
> party everytime you need a new session key. But in times where the
> latency of a given communication channel is extremely high, you want
> the ability to come up with a key without having to talk to the other
> party, and whilst remaining resistant to man-in-the-middle.
>
> * - http://www.research.ibm.com/security/skeme.ps

Non-interactive MITM resistance and FS? Tricky. The problem is getting Bob
to delete a secret - after all Alice and Bob have to share a secret for
there to be secure comms, and Bob has to know the secret.

Bob can provide a list of disposable keys, signed with a long-term key, and
delete the secret keyparts when he gets a message. You then have to arrange
for Alice and other users to get the keys, and not use a key for which Bob
has deleted his part.

Bob can delete keyparts using a time-based schedule, giving FS after the key
is deleted on a schedule, or he can deposit single-use keys on a server
which allocates them as requested, giving FS after receipt.

m-o-o-t does both btw, in order to prevent a DoS due to single-use key
exhaustion at the key server. It also uses preshared secrets and dummy
traffic to give deniable-based-FS in the inbetween times. Only for your best
friends :)

Nit: DH and SPEKE do not give perfect forward security. They do give forward
security, but if ana attacker can calculate discreet logs they are broke, so
the forward security is not perfect. The only thing I know of that will give
PFS is an otp. 

-- 
Peter Fairbrother

Relevant Pages

  • Re: Variation on prisoners dilemma
    ... the digital domain --- where Alice and Bob have two secrets they want ... They each have two coins, a heavy '1' coin and a light '0' coin, ... their secret bit down a tube into the same pan of a balance. ... learns Alice's secret, but Alice learns only the value of Bob's random ...
    (rec.puzzles)
  • [OT] 11/10
    ... we celebrate Bob "Tiger Bob" Bush's birthday. ... Walt Disney begins serving as a secret informer for the Los Angeles ... Said one of the two hijackers later, ...
    (alt.smokers.cigars)
  • Re: [OT] 11/10
    ... we celebrate Bob "Tiger Bob" Bush's birthday. ... Walt Disney begins serving as a secret informer for the Los Angeles ... Said one of the two hijackers later, ...
    (alt.smokers.cigars)
  • Re: QC-proof cipher?
    ... What has keeping a secret to do with authentication? ... In this case Bob gives Alice a secret - in order to authenticate herself to ... Bob at a later time, Alice proves that she knows the secret. ...
    (sci.crypt)
  • What is insecure in this Authentication Protocol
    ... Use R as session key ... K_Ais TimeStamp encrypted using Alice's private key ... Alice decrypts this using Bob's public key and verifies Bob's identity ... later impersonate as one to the other of Alice and Bob? ...
    (sci.crypt)