
Re: signature mode and non-repudiation



  The encrypted nonce exchange (RSA or El-Gamal) provides repudiability but
that doesn't mean that the data can be mucked with. Each side knows it is
talking to an authenticated peer (via the ability of the peer to prove
knowledge of its private key and decrypt the nonce) but neither side can
later go to a 3rd party and prove it. There are lots of uses for something
like this.

  Dan.

On Tue, 21 Dec 1999 12:18:06 EST you wrote
> I am definitely missing something.  When is repudiability (deniability)
> useful?  If I have an encrypted connection with someone, why would I want to
> allow someone to be able to muck with the data stream without my knowledge?
> 
> ICMan
> 
> -----Original Message-----
> From: Hugo Krawczyk [mailto:hugo@ee.technion.ac.il]
> Sent: Monday, December 20, 1999 8:55 AM
> To: Stephen Kent
> Cc: francisco_corella@hp.com; ipsec@lists.tislabs.com
> Subject: signature mode and non-repudiation
> 
> 
> Stephen Kent wrote:
> 
> > Well, not all signatures are intended to be non-repudiable! 
> > Sometimes we sign things purely for authentication.  As we have 
> > discussed extensively on the PKIX list, one should exercise care in 
> > setting the key usage bits, to distinguish the intent of signing as 
> > repudiable or non-repudiable. So, IF one wished to use 
> > signature-based authentication with IKE, and wished to avoid any 
> > connotation of non-repudiation, it is feasible to do that.
> 
> Even if a user U insists that his use of the signature mode does not
> provide non-repudiation (by usage bits or whatever means), still a person
> holding U's signature on the establishment of an ipsec SA can prove to
> a third party that U established that SA. This is not an issue of legal
> binding provided by the signature (and accepted by the signer) but a
> privacy or confidentiality issue of leaving your "fingerprints" in the
> places you visited on the Internet.
> 
> In general, I recommend talking here about "deniability" (or
> undeniability) rather than non-repudiation (which has stronger legal
> connotations).
> 
> In this context it is important to remark that providing non-repudiation 
> of SA establishment is NOT a requirement of ipsec. To the contrary,
> it is to some extent a drawback of the signature mode (encryption mode
> deals better with this issue).
> 
> Moreover, the signature mode of IKE has been designed to minimize the
> ``non-repudiation effect''.
> How? By letting the user of this mode (the signer) find collisions in
> the input to the signature function. This is possible under certain
> instantiations of the prf function.
> To see this, note that the values HASH (_I and _R) over which the signature
> is computed are the result of applying a prf to some data.
> A good choice of a prf could be, for example, 3DES in CBC-MAC mode.
> This would serve the purpose of the signature mode very well
> (i.e., as a strong authentication of the key exchange) but will also
> allow the signer to claim that she signed a different message than the
> one she really did. (This is a good crypto class exercise: the user who
> knows the 3DES key used to produce HASH can easily find a different message
> that maps to the same output of the prf!)
> 
> A collision like this may not be sufficient for the user to convince a 
> journalist that he did not talk to some dubious party over the Internet, 
> but will be enough to invalidate a legally acceptable non-repudiation
> property.
> 
> On the other hand, if anyone insists on using the signature mode for
> non-repudiation purposes (I do not recommend that), then he can use
> a prf which is also collision resistant (e.g. HMAC-SHA1).
> 
> Hugo
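The crypto-class exercise Hugo sets above, worked through in Go as an added example that is not part of the thread: 3DES in CBC-MAC mode as the prf, the key holder producing a second message with the same prf output (so a signature over that output no longer pins down which message was signed), and HMAC-SHA1 for contrast. The 24-byte key and the 8-byte message blocks are constructed stand-ins, not IKE field layouts.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// cbcMAC is 3DES in CBC-MAC mode with a zero IV over whole 8-byte blocks; the
// last ciphertext block is the prf output that the signature would cover.
func cbcMAC(key, msg []byte) []byte {
	blk, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil {
		panic(err)
	}
	prev := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range prev {
			prev[j] ^= msg[i+j] // chain: XOR the block into the previous output
		}
		blk.Encrypt(prev, prev)
	}
	return prev
}

// collide returns m1'||m2' != m1||m2 with the same CBC-MAC. Only the key holder can
// do it: with c1 = E(m1), c1' = E(m1'), m2' = m2^c1^c1' makes the second cipher input
// m2^c1 again, so the final block (the prf output) is unchanged.
func collide(key, m1, m2, m1prime []byte) []byte {
	c1, c1prime := cbcMAC(key, m1), cbcMAC(key, m1prime)
	out := append([]byte{}, m1prime...)
	for j := range m2 {
		out = append(out, m2[j]^c1[j]^c1prime[j])
	}
	return out
}

// hmacCollides checks whether a and b also share an HMAC-SHA1 tag under key;
// with a collision-resistant prf the signer has no such escape hatch.
func hmacCollides(key, a, b []byte) bool {
	tag := func(m []byte) []byte { h := hmac.New(sha1.New, key); h.Write(m); return h.Sum(nil) }
	return bytes.Equal(tag(a), tag(b))
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key
	orig := []byte("SA-to-XXSA-to-YY")        // constructed 16-byte stand-in for the prf input
	alt := collide(key, orig[:8], orig[8:], []byte("SA-to-ZZ"))
	fmt.Printf("%x\n%x\n%v\n", cbcMAC(key, orig), cbcMAC(key, alt), hmacCollides(key, orig, alt))
}
```

The two CBC-MAC values printed are identical while the HMAC-SHA1 check reports false, which is exactly the difference between a prf that leaves the signer deniability and one that does not.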

