
Photuris terminology

I agree with Hugo Krawczyk's concern that the use of the term
"Signature" (as in section 5, "Signature Exchange") is somewhat
misleading, and introduces some risk.  The difficulty can be removed
by slightly changing the protocol (Hugo's proposal), or adding some
clarifying language.

The danger, as he points out, is that the term "signature" generally
refers only to a quantity computed from the message and the private
key that can only be computed by someone possessing the private key,
while being capable of being verified by anyone holding the
corresponding public key.  
*****************************************************************
*** There is nothing in this notion of "signature" that means ***
*** that the message can not be derived from the signature.   ***  
*****************************************************************
Indeed, I believe that the CCITT standards distinguish explicitly between
"signature schemes with message recovery" and "signature schemes without
message recovery".  

Furthermore, it IS important that the signature scheme used not have
the "message recovery" property, since part of what is signed is the 
computed shared-secret.

At the minimum, this requirement should be noted in the document.  Otherwise,
there is a risk that the list of approved "signature schemes" might be 
inadvertently expanded in the future to include one that had message recovery.
(Not by anyone currently involved in the proposal, but by some future 
caretaker...)

I would suggest adding language of the following form somewhere (such as
on the top of page 23):

        The Signature-Choice method must specify a signature method that
        does not have "message recovery": it should not be feasible to
        compute the message from the signature.  (More specifically, it should
        not be feasible to compute any of the bits of the message from
        the signature.)  This property is required of the signature method
        to prevent an adversary from computing the computed shared-secret
        from the signature.  The signature methods specified in Appendix B
        are believed to be satisfactory from this point of view.  Also,
        any signature scheme that signs a cryptographic hash of the
        message should be satisfactory.

Ronald L. Rivest
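An added illustration, not part of Rivest's message, of the distinction he draws: with a textbook RSA "signature with message recovery", anyone holding the public key gets the signed value (here a stand-in for the shared-secret) straight back out of the signature, whereas hash-then-sign only yields a digest. The toy RSA key, the constructed secret and the function names are assumptions made for this example.

```python
import hashlib

# Toy RSA key, constructed for this example only; far too small for real use.
P, Q = 2147483647, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_with_recovery(message: int) -> int:
    """Textbook RSA 'signature': s = m^d mod N, i.e. a scheme WITH message recovery."""
    return pow(message, D, N)


def sign_hash(message: bytes) -> int:
    """Hash-then-sign: only a digest of the message is exponentiated."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(digest, D, N)


def public_recover(signature: int) -> int:
    """What anyone holding the public key (E, N) learns from the signature alone: s^e mod N."""
    return pow(signature, E, N)


def verify_hash_signature(message: bytes, signature: int) -> bool:
    """Verification needs the message itself; the signature by itself exposes only its digest."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return public_recover(signature) == digest


def demo() -> dict:
    # Constructed stand-in for the computed shared-secret included in the signed data.
    shared_secret = 0x5EC2E7
    secret_bytes = shared_secret.to_bytes(4, "big")
    raw_sig = sign_with_recovery(shared_secret)
    hashed_sig = sign_hash(secret_bytes)
    return {
        # With message recovery the public key alone gives the secret back.
        "recovered_from_raw": public_recover(raw_sig),
        # Without it, the public key alone gives only SHA-256(secret) mod N.
        "recovered_from_hashed": public_recover(hashed_sig),
        "hashed_verifies": verify_hash_signature(secret_bytes, hashed_sig),
    }
```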