Re: Safely proving device identity?
- From: "xmath" <xmath.news@xxxxxxxxx>
- Date: 8 Sep 2006 06:28:43 -0700
Also, if you do use the RSA-only scheme, be sure there's some evidence
of liveness before the device takes any action, to avoid replay
attacks. For example, the device could send a nonce to the client
which it expects to see again in the first (encrypted/MAC'd) message
from the client. Alternatively, you can include the device nonce into
the key agreement:
Client:
1. r = random floor(log2(n))-bit number
2. send s = r^e mod n to device
Device:
3. receive s
4. send c = random 256-bit nonce
5. Hash(s^d mod n || c) is the session key
Client:
6. Hash(r || c) is the session key
The device can pick and send the nonce as soon as it notices a client
wishes to establish a session (in some cases that may be sooner than
upon receiving s).
- xmath
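The nonce-in-the-key-agreement exchange above (steps 1 to 6), as an added runnable model; this is not code from the original post. It assumes a toy RSA keypair generated inline (Miller-Rabin primes), SHA-256 as Hash, and a fixed-width big-endian encoding of the RSA value before it is concatenated with c so both sides hash byte-for-byte identical input (the post does not specify an encoding). The `replay` function also shows why the device nonce defeats replay of a captured s: the device derives a key under a fresh c, and only a party holding r can follow it.

```python
"""Device-nonce key agreement, modelled after steps 1-6 of the post.

Added example, not the poster's code. Assumptions (not in the post):
  - toy RSA keypair generated inline (Miller-Rabin primes, 256-bit each),
  - Hash = SHA-256, r/s^d encoded in ceil(log256 n) big-endian bytes.
"""
import hashlib
import secrets

NONCE_BYTES = 32  # the post's 256-bit device nonce


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo keypair, not a production keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Toy sizes; e = 65537 is prime, so gcd check is phi % e."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def session_key(x, c, n):
    """Hash(x || c) with x in a fixed width derived from n (assumed encoding)."""
    xb = x.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(xb + c).digest()


class Client:
    def __init__(self, pub):
        self.n, self.e = pub
        self.r = None

    def steps_1_2(self):
        # r has floor(log2 n) bits, so r < n; s = r^e mod n (textbook RSA, as in the post)
        self.r = secrets.randbits(self.n.bit_length() - 1)
        return pow(self.r, self.e, self.n)

    def step_6(self, c):
        return session_key(self.r, c, self.n)


class Device:
    def __init__(self, priv):
        self.n, self.d = priv
        self.c = None

    def step_4(self):
        # Independent of s: may be sent as soon as a client shows up, as the post notes.
        self.c = secrets.token_bytes(NONCE_BYTES)
        return self.c

    def step_5(self, s):
        if not 1 < s < self.n - 1:  # reject trivially malformed values
            raise ValueError("s out of range")
        return session_key(pow(s, self.d, self.n), self.c, self.n)


def run_handshake(pub, priv):
    """Full exchange; returns (s on the wire, device key, client key)."""
    client, device = Client(pub), Device(priv)
    s = client.steps_1_2()
    c = device.step_4()
    return s, device.step_5(s), client.step_6(c)


def replay_is_detected(priv, s_captured, key_captured):
    """An attacker replays a captured s; the fresh nonce yields a different key,
    and without r the attacker cannot compute it. True means the old key is useless."""
    device = Device(priv)
    device.step_4()
    return device.step_5(s_captured) != key_captured


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    s, k_dev, k_cli = run_handshake(pub, priv)
    print("keys agree:", k_dev == k_cli, "| replay defeated:", replay_is_detected(priv, s, k_dev))
```

The device-side check that matters is that the first protected message from the client is keyed under a c the device chose for this session; that is what gives the device evidence of liveness before it acts. It does not by itself tell the device who the client is, which is the separate authentication question the thread is about.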
- References:
- Safely proving device identity?
- From: skillzero@xxxxxxxxx
- Re: Safely proving device identity?
- From: xmath
- Re: Safely proving device identity?
- From: skillzero@xxxxxxxxx
- Re: Safely proving device identity?
- From: xmath