
comments on Photuris



Ref:  Your note of Wed, 15 Feb 1995 01:23:25 -0800 (attached)


 >
 > But I see an addition to the protocol to at least limit the damage if
 > this were to happen. Simply append an expiration time to the
 > precomputed DH public part before you sign it.
 >

Well, that's already significantly better!
I still prefer the option of signing nonces chosen by the other party.
It is more secure (time sync considerations, granularity of freshness, etc.)
Clearly, using nonces is less efficient with respect to pre-computation.
However, for parties that periodically refresh their keys there is no reason
not to maintain a nonce sent in the previous refreshment round; in that case
the signature can be performed at the convenience of the signer
at any time between the two refreshment rounds.

 > 	Then there is also the scenario that Hugo mentioned about
 > 	the intruder simply stealing the fatal triple {x,g^x,Sig(g^x)}
 > 	from the precompute table. This is also fatal, even if the
 > 	triple was never used and the private key is perfectly protected.
 >
 > This is just a superset of the previous attack. It's not really fair
 > to posit that x is compromised since DH has always assumed it to be
 > secret. But the timestamp feature could again limit the duration of
 > the breach if it were to occur.

What does "not fair" mean?? Is being attacked ever fair?
Isn't your own proposal defending against
possible stealing of x (by intrusion) by destroying pairs (x,g^x) some
time after its creation? See your draft sections 1.3 and 4.5.

Even if your concerns are motivated by secrecy and not authentication,
the fact of a possible intrusion does not change.
(And, needless to say, strong secrecy also requires strong authentication.
 In the words of the famous Decryptes: "impersonatum ergo eavesdropum").

Hugo
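Added example, not part of Hugo's message or of the Photuris draft: a stdlib-only simulation of the three signing policies argued about above (bare Sig(g^x), Sig(g^x || expiration), and Sig(g^x || peer nonce)), showing what a triple lifted from the precompute table is still good for under each. The group size, the key, and the use of HMAC under a long-term key as a stand-in for the public-key signature are assumptions of the demo, not Photuris.

```python
import hmac, hashlib, secrets

# Toy DH group (constructed for the demo, far too small for real use).
P = (1 << 127) - 1
G = 3
# HMAC under a long-term key stands in for the signer's public-key
# signature Sig(.) so that the example runs on the standard library alone.
SIGNING_KEY = b"constructed-long-term-key"

def sign(msg: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()

def signed_message(gx: int, mode: str, expires: int, nonce: bytes) -> bytes:
    """What actually goes under the signature for each policy."""
    body = f"{mode}|{gx:x}|".encode()
    if mode == "expiry":              # Sig(g^x || expiration time)
        body += str(expires).encode()
    elif mode == "nonce":             # Sig(g^x || nonce chosen by the peer)
        body += nonce
    return body                       # "bare": Sig(g^x) only

def precompute_triple(mode, expires=0, peer_nonce=b""):
    """Signer's table entry {x, g^x, Sig(...)}, built ahead of time."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    return x, gx, sign(signed_message(gx, mode, expires, peer_nonce))

def verifier_accepts(gx, sig, mode, expires=0, my_nonce=b"", now=0) -> bool:
    """Peer's check: clock against expiry (expiry mode), then the signature."""
    if mode == "expiry" and now >= expires:
        return False
    expected = sign(signed_message(gx, mode, expires, my_nonce))
    return hmac.compare_digest(sig, expected)

def honest_exchange(mode, now=1_000) -> bool:
    """Peer issued its nonce in the previous refresh round; the signer
    signs at leisure and the value is used before it expires."""
    nonce = secrets.token_bytes(16)
    _x, gx, sig = precompute_triple(mode, expires=now + 3600, peer_nonce=nonce)
    return verifier_accepts(gx, sig, mode, now + 3600, nonce, now)

def stolen_triple_accepted(mode, delay) -> bool:
    """Intruder lifts a triple from the table and presents its public part
    and signature to a fresh session `delay` seconds after it was made."""
    created = 1_000
    _x, gx, sig = precompute_triple(mode, expires=created + 3600,
                                    peer_nonce=secrets.token_bytes(16))
    fresh_nonce = secrets.token_bytes(16)     # new session, new nonce
    return verifier_accepts(gx, sig, mode, created + 3600,
                            fresh_nonce, created + delay)
```

With a bare signature the stolen entry is accepted indefinitely; with an expiration it is accepted until the deadline; with a peer-chosen nonce it is rejected by any session other than the one that issued that nonce.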

