
Re: A Photuris variant



I am not asserting any patents on Photuris. My understanding is that there
are none on the basic perfect forward secrecy scheme, but of course there
are never any guarantees of anything when it comes to patents.

>Now, if you are talking of an inititiator I that communicates to
>a responder R, and I does not have a way to get R's public key before
>the communication, then we have a problem.

Yes, this is exactly my concern.

Let's say I want to use somebody else's ethernet or a radio system
(CDPD, CDMA) to access my home system while traveling. I assume I will
get an arbitrary IP address on the serving network using DHCP or a
manual method. This arbitrary IP address will not be known to my home
system until I use it. It will also be meaningless to any local
eavesdroppers watching my packets.

So I'll have to identify myself to my home system.  I want to do this
in such a way that the local eavesdropper can't get it.

Now I suppose I could do this by first requesting a copy of my home
system's public key, which that system freely gives to anyone who
asks, and using it to encrypt my identity. This would work, but if the
protocol is symmetric this would entail something like two RSA secret
and public key operations on each end, one public/secret pair for the
confidential exchange of public keys and a secret/public pair for the
exchange of signatures to verify identity. This would be in
addition to the DH step required to provide perfect forward secrecy.

So I might as well do the DH step first and use the result to protect
my identity with the same symmetric cipher I'm going to use to protect
my actual traffic. Only one secret and one public RSA operation is now
required on each end for signature generation and verification. And it
has the added minor advantage of hiding *both* parties' public keys
from eavesdropping, not just that of the mobile station.

Phil
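The ordering argued for above (DH first, then the signed identities under the resulting symmetric key, so that neither party's name nor long-term public key ever crosses the wire in the clear) as an added, runnable illustration. This is example code written for this page, not Phil's code and not the Photuris specification; it substitutes X25519 for the finite-field Diffie-Hellman exchange, Ed25519 for the RSA signatures, AES-GCM for the symmetric cipher, and a labelled SHA-256 for the key derivation, and the names `mobile@example` and `home@example` and the function names are constructed. It also assumes each side already holds the other's long-term public key out of band (the mobile station knows its own home system), which is the case the message describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must unwraps a (value, error) pair; key generation or RNG failure is fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey turns the raw DH shared secret into the AES-256 session key;
// a labelled SHA-256 stands in for a full KDF such as HKDF (assumption).
func deriveKey(shared []byte) []byte {
	sum := sha256.Sum256(append([]byte("photuris-example-kdf"), shared...))
	return sum[:]
}

// seal encrypts payload with AES-GCM under the session key, nonce prefixed.
func seal(key, payload []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, payload, nil)
}

// open reverses seal; AES-GCM rejects a wrong key or any tampering.
func open(key, wire []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(wire) >= n {
		return aead.Open(nil, wire[:n], wire[n:], nil)
	}
	return nil, fmt.Errorf("short message")
}

// sendIdentity encrypts one side's long-term public key, a signature over
// both ephemeral DH values plus the name, and the name itself.
func sendIdentity(k []byte, name string, key ed25519.PrivateKey, iPub, rPub []byte) []byte {
	sig := ed25519.Sign(key, bytes.Join([][]byte{iPub, rPub, []byte(name)}, []byte{0}))
	payload := append([]byte{}, key.Public().(ed25519.PublicKey)...)
	return seal(k, append(append(payload, sig...), name...))
}

// recvIdentity decrypts a peer's message and checks the signature against the
// key the receiver already trusts for the claimed name.
func recvIdentity(k, wire, iPub, rPub []byte, trusted map[string]ed25519.PublicKey) (string, error) {
	p, err := open(k, wire)
	if err != nil || len(p) < ed25519.PublicKeySize+ed25519.SignatureSize {
		return "", fmt.Errorf("undecryptable or malformed message: %v", err)
	}
	pub, sig, name := ed25519.PublicKey(p[:32]), p[32:96], string(p[96:])
	msg := bytes.Join([][]byte{iPub, rPub, []byte(name)}, []byte{0})
	if known, ok := trusted[name]; !ok || !bytes.Equal(known, pub) || !ed25519.Verify(pub, msg, sig) {
		return "", fmt.Errorf("identity check failed for %q", name)
	}
	return name, nil
}

// RunHandshake does the DH step first, then exchanges signed identities under
// the derived key, and reports whether either name was visible in cleartext.
func RunHandshake() (seenByResponder, seenByInitiator string, identityOnWire bool, err error) {
	const mobile, home = "mobile@example", "home@example" // constructed identities
	seed := make([]byte, 64)                                // two Ed25519 seeds, standing in for RSA keys
	must(rand.Read(seed))
	mobileKey, homeKey := ed25519.NewKeyFromSeed(seed[:32]), ed25519.NewKeyFromSeed(seed[32:])
	trusted := map[string]ed25519.PublicKey{ // each side holds the other's key out of band
		mobile: mobileKey.Public().(ed25519.PublicKey),
		home:   homeKey.Public().(ed25519.PublicKey),
	}
	// Step 1: ephemeral X25519 values are the only cleartext an eavesdropper sees.
	iPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	rPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	iPub, rPub := iPriv.PublicKey().Bytes(), rPriv.PublicKey().Bytes()
	kI := deriveKey(must(iPriv.ECDH(rPriv.PublicKey()))) // initiator's side
	kR := deriveKey(must(rPriv.ECDH(iPriv.PublicKey()))) // responder's side
	// Step 2: signed identities cross only under the session key, hiding both names and keys.
	wireI := sendIdentity(kI, mobile, mobileKey, iPub, rPub)
	wireR := sendIdentity(kR, home, homeKey, iPub, rPub)
	if seenByResponder, err = recvIdentity(kR, wireI, iPub, rPub, trusted); err != nil {
		return "", "", false, err
	}
	if seenByInitiator, err = recvIdentity(kI, wireR, iPub, rPub, trusted); err != nil {
		return "", "", false, err
	}
	// Eavesdropper's view: two DH values plus two ciphertexts.
	observed := bytes.Join([][]byte{iPub, rPub, wireI, wireR}, nil)
	identityOnWire = bytes.Contains(observed, []byte(mobile)) || bytes.Contains(observed, []byte(home))
	return seenByResponder, seenByInitiator, identityOnWire, nil
}

func main() {
	fmt.Println(RunHandshake())
}
```

Each side performs exactly one signature and one verification, as the message counts, and the signature covers both ephemeral DH values, so a recorded identity message cannot be replayed into a different exchange. What the eavesdropper captures is two ephemeral public values and two AES-GCM ciphertexts; the check at the end confirms neither name appears in that traffic. One caveat the message does not spell out: because the responder only learns who is calling after the DH step, it spends a DH computation on every request before any authentication, which is the denial-of-service exposure Photuris addresses separately with its cookie exchange.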