
Signing only your own public component




    It seems to me that there are some serious drawbacks to an authenticated
key exchange in which you sign only your own public component and not the
one you receive.

	If an intruder can get your signature on a public component
	for which he knows the secret component, he can impersonate
	you.  This means you have to audit the implications of each
	use of signature to be sure you don't create a path to this
	end.

	It has the same unaesthetic quality as DSS in creating a secret
	whose intended use is ephemeral, but whose compromise has long
	term consequences.  If, for whatever reason, the secret
	component is compromised, the recipient acquires the power to
	impersonate.  There is an architecture with many attractive
	features that this would make hazardous --- doing the
	Diffie-Hellman part in a workstation and only having the
	signature done by a smart card.

						Whit



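The two concerns in the message above can be made concrete in a few lines. The following is an added example, not code from the original post or from any protocol the author worked on: it uses a constructed toy group (p = 2039, a safe prime, with g = 4 generating the order-1019 subgroup), a textbook Schnorr signature chosen here for illustration, and constructed party names. It runs the same signed Diffie-Hellman exchange twice, once with Alice's signature covering only her own component and once with it bound to both components and the direction of the message, and checks what a previously signed component whose secret has leaked can still do in a later session.

```python
"""Toy signed Diffie-Hellman: what the signature covers decides what a
previously signed component, whose secret has since leaked, can still do.
Added example; group parameters, signature scheme and names are constructed."""
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def h(*parts: bytes) -> int:
    """Hash several byte strings to an exponent modulo q."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def keygen():
    """Long-term signing key x and verification key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr signature (assumed scheme; any signature scheme would do)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h(str(r).encode(), msg)
    s = (k + x * e) % Q
    return (e, s)


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    # g^s * y^-e = g^(k + xe) * g^(-xe) = g^k = r  (negative exponent: Python 3.8+)
    r = (pow(G, s, P) * pow(y, -e, P)) % P
    return h(str(r).encode(), msg) == e


def dh_public(secret: int) -> int:
    return pow(G, secret, P)


def shared(secret: int, peer_public: int) -> bytes:
    """Session key derived from the Diffie-Hellman result."""
    return hashlib.sha256(str(pow(peer_public, secret, P)).encode()).digest()


# Two choices of what Alice's signature covers.
def own_only(a_pub: int, b_pub: int) -> bytes:
    return str(a_pub).encode()  # only her own component, as the message warns against


def bound_to_transcript(a_pub: int, b_pub: int) -> bytes:
    # Her component, the one she received, and the direction of the message.
    return b"A->B|" + str(a_pub).encode() + b"|" + str(b_pub).encode()


def responder_accepts(alice_vk, alice_pub, sig, bob_secret, msg_fn):
    """Bob checks Alice's signature against his own fresh component and,
    only if it verifies, derives the session key."""
    bob_pub = dh_public(bob_secret)
    if not verify(alice_vk, msg_fn(alice_pub, bob_pub), sig):
        return None
    return shared(bob_secret, alice_pub)


def replay_outcome(msg_fn):
    """Session 1 is completed honestly; afterwards its ephemeral secret a1 is
    assumed to leak together with Alice's signature.  In session 2 the holder
    of (a1, signature), who does not have Alice's signing key, presents them to
    Bob.  Returns (bob_accepted, holder_knows_bobs_key)."""
    alice_sk, alice_vk = keygen()
    a1 = secrets.randbelow(Q - 1) + 1
    b1 = secrets.randbelow(Q - 1) + 1
    a1_pub = dh_public(a1)
    sig1 = sign(alice_sk, msg_fn(a1_pub, dh_public(b1)))
    b2 = b1
    while b2 == b1:  # Bob always picks a fresh component in the new session
        b2 = secrets.randbelow(Q - 1) + 1
    key_at_bob = responder_accepts(alice_vk, a1_pub, sig1, b2, msg_fn)
    if key_at_bob is None:
        return (False, False)
    return (True, key_at_bob == shared(a1, dh_public(b2)))


if __name__ == "__main__":
    print("sign own component only:", replay_outcome(own_only))
    print("sign whole transcript:  ", replay_outcome(bound_to_transcript))
```

With `own_only`, Bob accepts the replayed component and the key he derives is exactly the one the holder of the leaked secret can compute, which is the long-term consequence of an ephemeral compromise that the message describes. With `bound_to_transcript`, the old signature does not verify against Bob's fresh component, so a leaked session secret only exposes that one session. This binding is also what the smart-card split would need: the card signs the full transcript, not just the component the workstation hands it.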