[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
A Photuris variant

To: bsimpson@morningstar.com, IPSEC@ans.net
Subject: A Photuris variant
From: hugo@watson.ibm.com
Date: Sat, 4 Mar 95 19:35:55 EST
Ref:  Your note of Sat, 4 Mar 95 08:05:26 GMT


OK Bill. I will answer to your specific concerns.

   I find it amusing that the same folks who beat on Photuris for possible
   compromise of a mere signature (with a time frame of only minutes)

Who are the folkS? My note was sent by one person.
As for Photuris signature, when done off-line and without expiration
(as proposed in the original draft) it indeed creates an opportunity
for the attacker to steal ONE signature and use it "FOREVER" (i.e,
for the duration of the public/private key pair). What is the "frame
of minutes" you refer to?

   propose weakening the key structure to allow compromise of the traffic
   (with a time frame of forever)!

The idea is to let the user or implementation to choose the right
tradeoff between computation and security without exposing it
to hidden vulnerabilities.

   Perfect Forward Secrecy of the traffic is _the_ important security
   requirement.

Here we agree. PFS is an important requirement for the protocol to
provide. Both plain Photuris and the variant I propose provide it!

However, can you explain to me, as an author of the IPv4-AH draft,
how perfect forward SECRECY works with NO SECRECY as is the case
of parties using only AH (and there will be such parties, e.g.,
when retrieving publicly available information that has no
confidentiality but requires integrity protection)?

Don't you think that some of these parties may prefer to save
the four DH exponentiations (two each) and still get great
security? The variant provides that (optionally, of course!).

   And then, there is "anonymity".  Not as the rest of us use the term,
   which means protection from identification by third parties, but
   instead, protection from identification by EACH OTHER.

Read the note again (including the detailed description).
I use anonymity exactly as "the rest of us".
There is no protection from each other.
When I encrypt my name under your public key, I am protecting
my name from third parties not from you. You decrypt it and find
my name.

   This is _not_ a requirement.

Indeed, not a requirement and not a feature of the scheme. It just
does not make sense in our scenario
to keep anonymity from your communication partner (since he needs
to know your public key). You just misunderstood the scheme (or
I explained it wrong).

On the other hand, I was raising the issue of misuse of the protocol by
your interlocutor in case you *sign* the fact that you are talking
to him/her.
That is one of the advantages of not using signatures. For example,
nobody will be able to blackmail you saying that he/she can prove
you were talking to him/her. This kind of privacy protection makes
a lot of sense,  but it does not imply or require that you keep your
identity secret from the guy you're talking to. Just do not provide
a signed certificate that you did talk to him/her.

   And the variant won't allow precomputation, so it is slower to setup.  A
   fine new feature....

The variant does allow for precomputation. You can precompute g^x exactly
as before. As for precomputation of signatures, that is a trade-off
existing in plain Photuris that represents a security weakness.

Most importantly, precomputation is NOT a requirement.
The requirement, or desirable feature, is to provide clear computation/
secuirty trade-offs. This is very cleanly provided by the variant.

   Why would anyone want to go to the trouble of sending protected data,
   using techniques that don't protect the data very well, to a party they
   can't positively identify?

I hope this problem with anonymity is now clear.
As for not protecting data very well, my proposal protects data
as good as Photuris does. I did not hear any complain like this
of you on plain Photuris.

I believe the flexibility this variant introduces, just provides
"best value in town" for computation/secuirty trade-off for whoever
wants it. (It even supports a "Kerberos with PFS" option, remember
you said Kerberos does not provide PFS... well, now you have it.
Read my original note).

   Sounds like Communist Plot to me....

Whatever that means I hope it sounds better to you now.

   Bill.Simpson@um.cc.umich.edu

Hugo
Prev by Date: Re: A Photuris variant
Next by Date: Re: A Photuris variant
Prev by thread: Re: A Photuris variant
Next by thread: Re: A Photuris variant
Index(es):
- Main
- Thread