
Re: Diffie's comments on Photuris

> From: Phil Karn <karn@unix.ka9q.ampr.org>
> Thanks for forwarding that note from Whit. In thinking about it and
> similar comments from you and others, I've tentatively decided to modify
> Photuris to sign the shared secret.


This is not what Paul, Whit and I had suggested. The
suggestion was to sign the two public exponentials, not the
shared secret. This is what the Diffie-Van Oorschot-Wiener
STS protocol does.

As Paul has suggested, there is benefit in picking something
well examined and analyzed from the literature. I don't see
the benefit of signing the shared secret {g^xy} vs. signing
the two public exponentials {g^x, g^y}. There is obviously no
pre-computation advantage, as neither can be pre-computed.

Also, although one might consider it a plus to be able to prove
that a party is able to compute the session key, this proof
is already provided in the STS protocol, since the signatures
are encrypted/authenticated in the session key. So, there
is no advantage in this regard as well.

However, I do see some potential disadvantages. Consider the case
of weak encryption used with strong authentication. In this case the
signature of the shared secret can be recovered by breaking the weak
encryption key, even though the strong authentication key may not be
recoverable. We are now relying on the weaker of the two functions,
the one-wayness of the signature hash or the Diffie-Hellman problem,
to protect the shared DH secret (which includes the authentication key).

It is also important to observe, if only for academic purposes, that
if we consider the case of identity-hash coupled with RSA signatures, 
then the shared DH secret is disclosed in the scenario described above 
because of the easy inversion of the identity function. Namely, weak
encryption discloses the strong authentication key as well.

Requiring strong encryption modules for products which may wish to
do authentication-only is also a disadvantage.

But the greater criticism is that this is not as well analyzed
as the STS protocol.

If we are going to modify the STS protocol, which I believe
is a good basis for doing authenticated Diffie-Hellman, then
there must be a clear system gain. Furthermore, it must be shown
either through informal or formal argument that the changes
do not adversely affect the security of the protocol.

I will write, in a later message, what sort of changes
I believe make sense, which provide clear system gains while
not adversely affecting protocol security. This includes 
incorporation of some of the ideas presented by Hugo earlier.

Kind Regards,
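The STS exchange the message refers to, written out as a runnable sketch. This is an added example, not code from the original thread, from Photuris or from the STS paper. It keeps the structure the message describes: each side signs the pair of public exponentials (g^x, g^y), never the shared secret g^xy, and returns that signature encrypted and authenticated under the freshly derived session key. Everything else is an assumption made here for the sake of a self-contained demo: a Schnorr signature in the same prime-order subgroup stands in for the signature scheme, a SHA-256 keystream plus HMAC stands in for the session cipher, and the group is a toy 128-bit safe prime found at import time so the script runs offline in a fraction of a second (a real deployment would use a standard 2048-bit or larger group).

```python
"""Station-to-Station (STS) authenticated Diffie-Hellman, runnable sketch.

Added example, not the thread's or Photuris' code. Assumed here, not taken
from the page: Schnorr signatures as the signature scheme, a SHA-256
keystream + HMAC as the session cipher, and a TOY 128-bit safe prime.
"""
import hashlib
import hmac
import random
import secrets


def is_probable_prime(n, rounds=24, rng=random.Random(1)):
    """Miller-Rabin, preceded by small-prime trial division."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng=random.Random(2024)):
    """Seeded (deterministic) search for q and p = 2q + 1 both prime."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(128)          # TOY size; real groups are 2048 bits and up
G = 4                           # a square mod p, hence a generator of the order-q subgroup
NB = (P.bit_length() + 7) // 8  # fixed-width encoding of group elements and scalars


def enc(n):
    return n.to_bytes(NB, "big")


def H(*parts):
    """Length-prefixed SHA-256 over the given byte strings."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def keygen():
    """Long-term Schnorr key pair: secret x, public g^x."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = int.from_bytes(H(enc(pow(G, k, P)), msg), "big") % Q
    s = (k - sk * e) % Q
    return enc(e) + enc(s)


def verify(pk, msg, sig):
    if len(sig) != 2 * NB:
        return False
    e, s = int.from_bytes(sig[:NB], "big"), int.from_bytes(sig[NB:], "big")
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(pk, e, P) % P  # g^s * y^e == g^k for a valid signature
    return e == int.from_bytes(H(enc(r), msg), "big") % Q


def session_key(shared):
    return hashlib.sha256(b"STS session key" + enc(shared)).digest()


def xor_stream(key, label, data):
    """Toy SHA-256 counter-mode keystream XOR; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hashlib.sha256(key + label + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)


def seal(key, label, data):
    """Encrypt-then-MAC under the session key (the 'encrypted/authenticated' signature)."""
    ct = xor_stream(key, label, data)
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()


def open_(key, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + ct, hashlib.sha256).digest()):
        return None
    return xor_stream(key, label, ct)


def sts(a_keys, b_keys, tamper_m1=None):
    """Three-message STS run; returns (A accepts, B accepts, K_A == K_B).

    tamper_m1, if given, is applied to g^x in transit (an active attacker)."""
    (a_sk, a_pk), (b_sk, b_pk) = a_keys, b_keys
    # Message 1, A -> B: g^x
    x = secrets.randbelow(Q - 1) + 1
    gx = pow(G, x, P)
    gx_at_b = tamper_m1(gx) if tamper_m1 else gx
    # Message 2, B -> A: g^y, E_K(Sig_B(g^y, g^x)); the exponentials are signed, not g^xy
    y = secrets.randbelow(Q - 1) + 1
    gy = pow(G, y, P)
    k_b = session_key(pow(gx_at_b, y, P))
    m2 = seal(k_b, b"msg2", sign(b_sk, enc(gy) + enc(gx_at_b)))
    # A derives K, decrypts, and checks that B signed (g^y, g^x) with A's own g^x
    k_a = session_key(pow(gy, x, P))
    sig_b = open_(k_a, b"msg2", m2)
    a_ok = sig_b is not None and verify(b_pk, enc(gy) + enc(gx), sig_b)
    if not a_ok:
        return False, False, k_a == k_b
    # Message 3, A -> B: E_K(Sig_A(g^x, g^y))
    m3 = seal(k_a, b"msg3", sign(a_sk, enc(gx) + enc(gy)))
    sig_a = open_(k_b, b"msg3", m3)
    b_ok = sig_a is not None and verify(a_pk, enc(gx_at_b) + enc(gy), sig_a)
    return a_ok, b_ok, k_a == k_b


if __name__ == "__main__":
    print("honest run:", sts(keygen(), keygen()))
    print("g^x replaced in transit:", sts(keygen(), keygen(), lambda _: pow(G, 12345, P)))
```

Two things are worth noticing when running it. In the honest run both sides accept and derive the same key, because each signature covers the exact exponentials that the other party sent and received. When an attacker substitutes g^x on the wire, B's signature covers the substituted value and B's session key differs from A's, so A cannot even authenticate the encrypted message 2, let alone verify a signature over its own g^x; the run aborts with neither side accepting. A signer who does not hold the private key matching the public key its peer expects fails in the same way.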