Re: bootstrapping a secure channel
From: Allen Pulsifer (amicrypt_at_amishare.com)
Date: 08/10/04
- Next message: Paul Rubin: "Re: bootstrapping a secure channel"
- Previous message: PeerSec Networks: "Re: ASN.1 "INTEGER"?"
- In reply to: Michael Scott: "Re: bootstrapping a secure channel"
- Next in thread: Paul Rubin: "Re: bootstrapping a secure channel"
- Reply: Paul Rubin: "Re: bootstrapping a secure channel"
- Reply: Michael Scott: "Re: bootstrapping a secure channel"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 09 Aug 2004 21:04:34 -0400
Michael Scott wrote:
> 2. Using any PK method they behave as if their public keys were in fact
> authenticated, and do a key exchange to agree a random 128-bit key K
>
> 3. One phones the other (via an "authenticated channel") and they swap short
> one-way hashes of their mutually agreed secret key K - the one they are
> going to bootstrap into. These should be the same. Say the hash is in hex
> AC78 098B1 CD15 EF98.
>
> 4. Now Alice is satisfied that the secret key she has is the same as the one
> Bob has, and vice versa.
An attacker might be able to first do a key exchange with Alice, then do
a key exchange with Bob, and in the process, force the mutually agreed
secrets, or the hashes of the mutually agreed secrets, to be the same.
Without specifying how the secret is negotiated, it's not possible to
tell what probability this attack would have of succeeding.
This also has the effect of reducing the security of the channel to the
security of the hash, and opens up the 128-bit key to an offline brute
force attack. These are two things we wanted to avoid.
Are you aware of a paper that analyzes the security of this method?
> BTW I thought in your original protocol that Bob and Alice would make up
> different public keys for themselves every time.. why use the same ones over
> again? They are unauthenticated anyway...
Alice and Bob can use a new public key pair every time, or they can
reuse the same key pair. It makes no difference to the security of the
authentication. (I can't find where it says anything different in the
paper, but if it does that's not correct. Please let me know where it
is and I'll fix it.)
On the other hand, if they computed a new key pair every time someone
tried to execute the protocol with them, they would be vulnerable to a
denial of service attack. This is why in practice it makes sense to use
the same key pair for at least some period of time, so they don't have
to repeatedly do the work of deriving a new key pair.
> I think the reason that you have not come across protocols like these before
> is that you have been looking in the wrong place. Check out the literature
> on secure phones.
That's possible. We haven't looked at any literature on secure phones.
Thank you for the pointer.
Best Regards,
Allen Pulsifer
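The first objection above can be made measurable. The following is an added example, not code from this thread or from either poster: it models the quoted steps 2 and 3 in a constructed toy Diffie-Hellman group (P, G are far too small for real use), derives the 128-bit key K and the short fingerprint with SHA-256 (both my assumptions, the thread names no algorithms), and counts how many tries a party sitting between Alice and Bob needs before the two short hashes they read out over the phone agree. The count is governed by the fingerprint length, which is exactly the "security of the hash" reduction the reply points at.

```python
import hashlib
import secrets

# Constructed toy parameters for the demo only: a tiny DH group, not for real use.
P = 2**61 - 1   # modulus
G = 3           # base

def dh_pair():
    """Fresh (private, public) share for the unauthenticated step 2 exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(their_pub, my_priv):
    """Step 2 result: the agreed secret, hashed down to a 128-bit key K (assumed KDF)."""
    secret = pow(their_pub, my_priv, P).to_bytes(8, "big")
    return hashlib.sha256(secret).digest()[:16]

def fingerprint(key, bits):
    """Step 3 value: a short one-way hash of K (its first `bits` bits) read out by phone."""
    digest = int.from_bytes(hashlib.sha256(key).digest(), "big")
    return digest >> (256 - bits)

def honest_run(bits):
    """Alice and Bob talk directly: their fingerprints always agree."""
    a, ga = dh_pair()
    b, gb = dh_pair()
    return fingerprint(shared_key(gb, a), bits) == fingerprint(shared_key(ga, b), bits)

def interposed_run(bits, max_attempts):
    """The objection in the reply: a party in the middle runs one exchange with Alice
    and another with Bob, re-picking its own share toward Bob until the two short
    hashes agree. Returns the number of attempts used, or None if the budget ran out."""
    a, ga = dh_pair()
    b, gb = dh_pair()
    m1, _ = dh_pair()
    target = fingerprint(shared_key(ga, m1), bits)   # what Alice will read out
    for attempt in range(1, max_attempts + 1):
        m2, _ = dh_pair()
        if fingerprint(shared_key(gb, m2), bits) == target:
            return attempt                            # Bob now reads out the same value
    return None

def success_probability(bits, attempts):
    """Chance that `attempts` independent tries match a `bits`-bit fingerprint."""
    return 1 - (1 - 2.0 ** -bits) ** attempts

if __name__ == "__main__":
    print("honest fingerprints agree:", honest_run(16))
    print("attempts needed against a 12-bit fingerprint:", interposed_run(12, 1 << 16))
    print("P(match) with 2^12 attempts at 12 bits: %.3f" % success_probability(12, 1 << 12))
```

The 128-bit key K never enters the bound; only the fingerprint length does, so a 16-hex-digit (64-bit) fingerprint like the one quoted bounds an interposer at about 2^64 exchanges, while the hash-commitment step used by ZRTP (RFC 6189), where a party commits to its share before the other share is revealed, limits it to a single attempt per call.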