Re: New Method for Authenticated Public Key Exchange without Digital Certificates

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 08/06/04

Next message: Bill Unruh: "Re: Which is more secure: Mixmaster or Steganography? How the FBI crac"
Previous message: jack frusciante: "Re: classic crypto challenge"
In reply to: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Next in thread: Anne & Lynn Wheeler: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Reply: Anne & Lynn Wheeler: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Reply: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 06 Aug 2004 15:01:46 -0600

Mok-Kong Shen <mok-kong.shen@t-online.de> writes:
> I am very sorry for my poor knowledge and hence having many dumb
> questions. I continue to surmise that without CAs there would be
> stuff that wouldn't go as fine. For CAs are by definition what
> common people can trust (whether that's inherently reasonable or not
> is irrelevant for the current discussion). Now without CAs how are
> the parties who don't know one another personally going to establish
> trust between them at all for doing electronic transactions? In
> particular, how does one know that a public key claimed to be one of
> a specific firm is really genuine? I don't yet see a good way for
> that. Note as analogy that even some number of normal
> (non-electronic) transactions may (under circumstances) need a third
> party that enjoys the trust of the ones doing the transactions as
> mediator. (Cf. notary for contracts, civil registry office for
> marriage, etc.)

ok ... try SSL domain name server certificates and associated
infrastructure for something called electronic commerce ... minor
reference:
http://www.garlic.com/~lynn/subtopic.html#asrn2
http://www.garlic.com/~lynn/subtopic.html#asrn3

one of the motivating factors for the SSL domain name server
certificates were issues with the integrity of the domain name
infrastructure and things like ip-address take-over ... and/or how do
i know that the server that i think i'm talking to is really the
server that i'm talking to.

so somebody applies to a certification authority for an SSL domain
name server certificate. in many cases the certification authority
isn't the authoritative agency as to the owner of the domain name.
therefor the certification authority has to contact the authoritative
agency for domain name ownership ... which is the domain name
infrastructure (the very operation that there are concerns with
regarding integrity ... giving rise to much of the motivation for SSL
domain name server certificates).

so somewhat motivated by the certification authority industry, there
is a proposal that when somebody registers a domain name with the
domain name infrastructure, they also register a public key. then when
the entity applies to a certification authority for a SSL domain name
server certificate, they digitally sign the request. Then the
certification authority just has to retrieve the naked public key on
file with the domain name infrastructure to validate the digital
signature on the SSL domain name server certificate request.

currently, there is identification information on file with the domain
name infrastructure as to the owner of the domain name. in the
existing SSL domain name server certificate application scenario, the
applicate would supply identification information and the
certification authority then would have to execute a complex,
time-consuming, expensive error prone process that attempts to match
the identification information supplied with the SSL domain name
server certificate application to the identification information on
file with the domain name infrastructure.

in the proposal to have naked public keys on file with the domain name
infrastructure, the certification authority would just have to
retrieve the naked public key from the domain name infrastructure to
validate the digital signature on the SSL domain name server certificate
application. this replaces a time-consuming, expensive, complex, and
error-prone identification process with an simple, inexpensive,
straight-forward, strong authentication process.

the catch22 for the certification authority industry are:

1) if communication related to correct domain name can be
authenticated with (naked) public keys on file with the domain name
infrastructure, it improves the integrity of the domain name
infrastructure, which mitigates the motivation for needing SSL domain
name server certificates

2) if there are public keys on file with the domain name
infrastructure which can be retrieved by certification authories for
validating digital signatures on SSL domain name server certificate
applications, then it would be possible for other people to retrieve
on-file public keys also to validate digital signature on other kinds
of communication. The ability to distribute on-file public keys
related to domain name issues then totally subsumes the need for
distributing public keys via SSL domain name server certificates.

some past threads mentioning notary infrastructures:
http://www.garlic.com/~lynn/aadsm5.htm#ocrp Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aadsm5.htm#ocrp2 Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aadsm5.htm#ocrp3 Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aadsm5.htm#ocrp4 Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aadsm18.htm#4 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/2002o.html#10 Are ssl certificates all equally secure?

actually some of the notary issues ... don't so much come up with
respect to valid certifices ... but come up with respect to real-time
proof of intention related to signatures for demonstrating intent,
approval, and/or agreement with what has being digitally signed. This
is different that using digital signatures for strictly authentication
purposes demonstrating origin. In fact, I've made the assertion that
there may be comprimises where there is dual-use of the same key-pair
for both authentication and demonstrating intent, approval, and/or
agreement ... specifically some authentication protocols may send
random challenges which the receiver digitally signs (w/o reading) and
returns. An attack on digital signatures in the sense of intent, agreement,
and/or approval ... is send valid information in place of random challenge
as part of an authentication prototol. misc pieces of the dual-use
thread:
http://www.garlic.com/~lynn/aadsm17.htm#25 Single Identity. Was: PKI International Consortium
http://www.garlic.com/~lynn/aadsm17.htm#55 Using crypto against Phishing, Spoofing and Spamming
http://www.garlic.com/~lynn/aadsm17.htm#57 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm17.htm#59 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#0 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#1 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#2 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#3 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#4 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#6 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#12 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#13 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#17 should you trust CAs? (Re: dual-use digital signature vulnerability)

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

Next message: Bill Unruh: "Re: Which is more secure: Mixmaster or Steganography? How the FBI crac"
Previous message: jack frusciante: "Re: classic crypto challenge"
In reply to: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Next in thread: Anne & Lynn Wheeler: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Reply: Anne & Lynn Wheeler: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Reply: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Proposal for a new PKI model (At least I hope its new)
... > Then the world would have no problem trusting your domain level PKI ... coined the term "certificate manufacturing" to distinquish from actual ... it turns out that one of the reasons for the SSL server domain name ...
(sci.crypt)
Re: IPSEC wireless router ?
... My guessis that SSL ... amounts for a server certificate. ... the market and priced their PKI services accordingly, ... certificate as valid" without the slightest authentication, ...
(alt.internet.wireless)
Re: Is that secure :

... for that URL (via checking for a valid domain name certificate and the ... when they discovered that using SSL cut their thruput/performance ... The scenario about the website that you thought you were ... "payment" URL (for some website that the attackers were able to obtain ...
(comp.security.misc)
Re: MOD_SSL and MOD_AUTH_OPENVMS
... ## for proper server startup. ... ## SSL Support ... # List the ciphers that the client is permitted to negotiate. ... # Point SSLCertificateFile at a PEM encoded certificate. ...
(comp.os.vms)
Re: X.509 and ssh
... SSL establishes sessions, where in the cert / keys are exchanged only at the beginning of the session. ... supposedly one of the big drivers for certificate business in the mid-90s was in conjunction with financial transactions. ... that the typical financial transaction was 60-80 bytes and the payload overhead of having redundant and superfluous certificates was on the order of 4k-12k bytes. ... verified with the onfile public key. ...
(comp.security.ssh)