Re: comments on Photuris
Ashar Aziz says:
> I think you misunderstood my intent. What I was trying to say was that
> these special cases were the symptom of a larger problem. The larger
> problem is that if an adversary can steal one single signature
> over a quantity whose discrete log it knows or can compute, (in
> the format that the protocol expects) then this is catastrophic to
> the protocol, because it allows unlimited impersonation thereafter.
I think I've solved this problem. Here is my strawman:
In Phil's algorithm, instead of signing the D-H components g^x'es
directly, all that is needed is to sign a hash of the g^x concatenated
with the "name" (to be defined in a moment) of the entity that I
intend to authenticate with.
The "name" should be a unique identifier of the party I anticipate
communicating with. By hashing the two together, I prevent the replay
of the signed g^x with another counterparty -- at most I can
impersonate the signer in communicating with myself, which is useless.
Perry
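The strawman above, worked through as an added example that is not code from the original message or from Photuris. The message does not say which signature algorithm Photuris uses, so a Lamport one-time signature over SHA-256 stands in for it here (any signature scheme would do; the point is what gets signed). The Diffie-Hellman group parameters and the party names "alice", "bob" and "carol" are constructed for the illustration and are far too small to be secure.

```python
import hashlib
import secrets

# Constructed toy D-H group, only so that a g^x value exists to sign.
# P = 2*Q + 1 is a safe prime and G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def digest(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (g^x, name) cannot be
    re-split into a different (g^x, name) pair with the same hash."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def lamport_keygen():
    """One-time signing key: 256 pairs of random preimages; the public key
    is their hashes.  Each key must sign exactly one message."""
    priv = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pub = [[hashlib.sha256(s).digest() for s in pair] for pair in priv]
    return priv, pub


def lamport_sign(priv, d: bytes):
    """Reveal, for each bit of the digest, the preimage for that bit value."""
    bits = int.from_bytes(d, "big")
    return [priv[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub, sig, d: bytes) -> bool:
    bits = int.from_bytes(d, "big")
    return all(
        hashlib.sha256(sig[i]).digest() == pub[i][(bits >> (255 - i)) & 1]
        for i in range(256)
    )


def dh_component() -> int:
    """Fresh ephemeral exponent x and the public component g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P)


def sign_dh_bare(priv, gx: int):
    """Original form discussed in the thread: sign g^x by itself.  The
    resulting signature says nothing about whom the signer meant to talk to."""
    return lamport_sign(priv, digest(gx.to_bytes(2, "big")))


def sign_dh_bound(priv, gx: int, peer_name: bytes):
    """Strawman form: sign the hash of g^x concatenated with the unique
    name of the intended counterparty."""
    return lamport_sign(priv, digest(gx.to_bytes(2, "big"), peer_name))


def verify_dh_bound(pub, sig, gx: int, my_name: bytes) -> bool:
    """The verifier hashes g^x with its OWN name; a signature produced for
    some other counterparty therefore fails to verify here."""
    return lamport_verify(pub, sig, digest(gx.to_bytes(2, "big"), my_name))


def demo() -> dict:
    gx = dh_component()                      # alice's ephemeral g^x
    priv1, pub1 = lamport_keygen()           # fresh one-time key per signature
    priv2, pub2 = lamport_keygen()
    bare = sign_dh_bare(priv1, gx)
    bound = sign_dh_bound(priv2, gx, b"bob") # alice intends to talk to bob
    return {
        # Whoever holds the bare signature can present it to any verifier.
        "bare_verifies_for_anyone": lamport_verify(pub1, bare, digest(gx.to_bytes(2, "big"))),
        # The bound signature only checks out at the party it was made for.
        "bound_verifies_for_bob": verify_dh_bound(pub2, bound, gx, b"bob"),
        "bound_verifies_for_carol": verify_dh_bound(pub2, bound, gx, b"carol"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The length-prefixed hash matters: hashing a plain concatenation `g^x || name` would let a boundary between the two fields move, so the verifier should always hash the fields as it parsed them, not as one undelimited string. With a one-time scheme like Lamport, reusing a key for a second message leaks preimages, which is why the demo draws a fresh key for each signature.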