[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

A Photuris variant



Ref:  Your note of Wed, 15 Mar 1995 18:26:13 -0800 (attached)

 > So I'll have to identify myself to my home system.  I want to do this
 > in such a way that the local eavesdropper can't get it.
 >
 > Now I suppose I could do this first requesting a copy of my home
 > system's public key, which that system freely gives to anyone who
 > asks, and using it to encrypt my identity. This would work, but if the
 > protocol is symmetric this would entail something like two RSA secret
 > and public key operations on each end, one public/secret pair for the
 > confidential exchange of public keys and a secret/public pair for the
 > exchange of signatures to verify identity. This would be in
 > addition to the DH step required to provide perfect forward secrecy.
 >

Phil,

I am missing something here. Please be more explicit.

Are you trying to communicate with the home's system or somebody behind that
system (e.g., a particular user)?
If the key exchange is done with the home's system then using my scheme you
do not need two RSA (long) exponentiation on each end but just one.
If it's a user "hidden" behing the home's system then you need to send his
identity in the clear (e.g., IP address, user name) even if you first do a
DH exchange.

Notice that in many situations I (the initiator) discloses R's's identity.
For example when requesting her public-key from a public directory (say, DNS).

 > So I might as well do the DH step first and use the result to protect
 > my identity with the same symmetric cipher I'm going to use to protect
 > my actual traffic. Only one secret and one public RSA operation is now
 > required on each end for signature generation and verification. And it
 > has the added minor advantage of hiding *both* parties' public keys
 > from eavesdropping, not just that of the mobile station.

If really needed (I am still unconvinced) this can be done in my variant too.
One just reverts the DH and SHARE phase. I wouldn't do that (as the default
case) without a realistic common situation that calls for it.
(Clearly, things can be built modular enough to
allow switching the phases if needed. But I still see as the natural
default the SHARE first and DH second).

Hugo