Re: Questions about DH and MQVs
- From: fabrice.gautier@xxxxxxxxx
- Date: 27 Oct 2006 11:17:04 -0700
Kristian Gjøsteen wrote:
<fabrice.gautier@xxxxxxxxx> wrote:
I'm trying to understand what problem DH has that MQV is supposed to
solve. I can't figure it out.
Authenticated key exchange with forward security.
So: I have Alice and Bob. Private key 'a' and 'b'. Public keys 'g^a'
and 'g^b'. Alice and Bob verified each others public key out of band.
1) If Alice wants to encrypt a message to Bob, she can use the shared
secret:
S=(g^b)^a and derive a key, encrypt the message with this key and send
to Bob.
Nobody but Bob and Alice can decrypt.
2) If Alice wants to authenticate the message to Bob, she can use the
shared secret:
S=(g^b)^a, derive a key, compute a MAC and send it to Bob. Nobody but
Bob and Alice can verify the MAC.
So what problems do I have now with DH that MQV solves? Or what
assumption am I making that I don't need with MQV?
Which of the two goals of MQV did you lose by switching from DH ephemeral
keys to DH static keys?
Okay, trying to think real hard.... I just lost Forward Security?
(still thinking real hard....)
What is Forward Security?
In MQV (if I'm not mistaken) you have a pair of Static Keys and a pair
of Ephemeral Keys, and the ephemeral key is authenticated by the Static
Keys. If Alice loses her static key, then anybody can fake her.
In my example, it is the same: if Alice loses her static key, anybody
can fake her identity...
Also if Bob loses his private key, whoever has it can fake anybody's
identity... Would that happen in MQV as well? This would not happen
if authentication is done with RSA....
(Thinking real hard again...)
But, with MQV, if I lose my static key, then all the encrypted
messages I encrypted before cannot be decrypted. Is that Forward
Security?
Going a little bit further, we can use ephemeral keys (but I'm not sure
if it makes any sense):
1) Alice generates ephemeral x, computes S=(g^b)^x, and sends g^x to Bob
along with the encrypted message. Sure, Bob cannot verify that this is
really Alice encrypting this, but who cares? Alice doesn't, as long as
only Bob can decrypt. Does Bob care? Not really, if he is not trying to
authenticate the message.
Hint: Compare this to ElGamal...
This is pretty much ElGamal, right? Semi-ephemeral DH? Is there
something else in ElGamal?
2) Alice generates ephemeral y, computes S=(g^y)^a, and sends y to Bob
along with the MAC. Anybody can actually verify the signature, but is
that a problem? As long as at least Bob can verify. That's even better,
no? Alice only has to sign once for everybody?
This is insecure. Hint: Take a long, hard look at the secret S. Then
fake it.
Oh yeah... that was dumb...
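The schemes argued over in this thread, worked through in code. This is an added example and not code from either poster: it uses a toy DH group (p = 2**127 - 1, g = 3, far too small for real use), SHA-256 as the KDF and HMAC-SHA256 as the MAC, and all function names are my own. It shows the static-static shared secret of schemes 1) and 2), the ElGamal-shaped semi-ephemeral variant and why a leaked static key recovers every recorded session (no forward security for Bob), the forgery against the "send y with the MAC" variant (S = (g^a)^y needs no secret), and, for contrast, an ephemeral-ephemeral session that neither static key reveals, which is the forward-security property MQV keeps while adding authentication.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2**127 - 1 is prime, so pow(., ., P) behaves as DH arithmetic.
# These parameters are far too small for real use and are chosen only to keep
# the example self-contained; a deployment would use a standard 2048-bit+ group.
P = 2**127 - 1
G = 3


def keygen():
    """Return a (private, public) pair: random exponent x and g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared):
    """Derive a 32-byte key from the DH shared value (SHA-256 of its encoding)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def mac(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


# Static-static DH, as in the poster's schemes 1) and 2): both sides use
# only their long-term keys, so S is the same for every message.
def static_shared(my_priv, peer_pub):
    return pow(peer_pub, my_priv, P)


# Semi-ephemeral DH (the poster's ephemeral variant of scheme 1, the
# ElGamal shape): Alice picks a fresh x and sends g^x with the ciphertext.
def semi_ephemeral_send(bob_pub):
    x, gx = keygen()
    return gx, kdf(pow(bob_pub, x, P))


def semi_ephemeral_recv(bob_priv, gx):
    return kdf(pow(gx, bob_priv, P))


def recover_after_static_leak(bob_priv_leaked, recorded_gx):
    """Eve recorded g^x from the wire and later obtains Bob's static key:
    the session key is recomputable, i.e. no forward security for Bob."""
    return kdf(pow(recorded_gx, bob_priv_leaked, P))


# The poster's ephemeral variant of scheme 2: MAC under S = (g^y)^a, with
# y itself sent along. Since g^a is public, S = (g^a)^y needs no secret.
def scheme2_sign(alice_priv, message):
    y = secrets.randbelow(P - 2) + 1
    key = kdf(pow(pow(G, y, P), alice_priv, P))
    return y, mac(key, message)


def scheme2_verify(alice_pub, message, y, tag):
    key = kdf(pow(alice_pub, y, P))
    return hmac.compare_digest(mac(key, message), tag)


def scheme2_forge(alice_pub, message):
    """Forgery: anyone picks their own y and derives exactly the key the
    verifier will derive. Alice's private key a is never involved."""
    y = secrets.randbelow(P - 2) + 1
    key = kdf(pow(alice_pub, y, P))
    return y, mac(key, message)


# Ephemeral-ephemeral DH: both sides contribute a fresh exponent. Eve gets
# the transcript (g^x, g^y) plus both static keys and still lacks g^(xy).
def ephemeral_session():
    x, gx = keygen()
    y, gy = keygen()
    session_key = kdf(pow(gy, x, P))
    assert session_key == kdf(pow(gx, y, P))  # both sides agree
    return session_key, (gx, gy)


def eve_guesses_from_statics(transcript, a, b):
    """Every value Eve can combine from the transcript and the leaked static
    keys a, b: g^(xb), g^(ya), g^(ab). None of them is g^(xy)."""
    gx, gy = transcript
    return {kdf(pow(gx, b, P)), kdf(pow(gy, a, P)), kdf(pow(G, a * b, P))}
```

The forgery in scheme2_forge is the whole attack Kristian hints at: the verifier derives the key from public data (g^a) and the transmitted y, so anyone can run the same derivation with a y of their choosing. Adding ephemeral keys on Alice's side buys nothing unless the ephemeral value is bound to her static key in a way that requires the static private key to compute, which is what MQV's combining step does.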