
Re: On shared keys



"sami.vaarala" <sva@netseal.com> writes:

> In an earlier mail I pointed out another alternative that
> I think would work for site-to-site setups:  let the key
> exchange protocol support only RSA, and generate RSA keypairs
> deterministically from the pre-shared secret.
> 
> In essence, you take the pre-shared secret, create a PRNG out of
> the secret using a hash function, and then use a determining
> RSA keypair generator to create the keypair.  Both communicating
> hosts use the same pre-shared secret, and thus end up with the
> same RSA keypair.
> 
> Thus, no PSK support in the key exchange, but the same simple
> administration.
> 
> -Sami

But you don't WANT both sides to have the same keypair.  The whole
point of public key cryptography is that each entity has one and only
one keypair, from which they can share their PUBLIC key with EVERY
peer.  If each set of peers are sharing a key then you have no gains
over pre-shared secret keys.

Basically, Alice generates Pub_a and Priv_a, Bob generates Pub_b and
Priv_b, Charlie generates Pub_c and Priv_c, Dave generates Pub_d and
Priv_d.  To get a full mesh, each entity shares their public key with
each other.  This means that, in the end, each of the 4 machines holds
four (4) public keys (one for each peer), and one (1) private key
(their own):

	Alice: Priv_a, Pub_a, Pub_b, Pub_c, Pub_d
	Bob: Priv_b, Pub_a, Pub_b, Pub_c, Pub_d
	Charlie: Priv_c, Pub_a, Pub_b, Pub_c, Pub_d
	Dave: Priv_d, Pub_a, Pub_b, Pub_c, Pub_d

Notice that there are a total of four key-pairs in this mesh.  Alice
can use the same "key" (public key) with every peer.  On the other
hand, you would need six distinct secret keys to obtain the same mesh:

	Alice: K_ab, K_ac, K_ad
	Bob: K_ab, K_bc, K_bd
	Charlie: K_ac, K_bc, K_cd
	Dave: K_ad, K_bd, K_cd

Now, if you want to add Eve to the mesh, you would need to add one
more public key pair to the system (Pub_e, Priv_e), or you would need to
add four secret keys to the system (K_ae, K_be, K_ce, K_de).
Basically, the total number of secret keys in the system is SUM(1..N)
= n*(n-1)/2, which scales O(n^2), whereas the total number of public
keys in the system is N.

Do I even need to mention the insecurity of generating an RSA key from
a short secret?  Worse, do I need to mention the insecurity of both
sides sharing a SINGLE keypair?

-derek


-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
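
Added example, not part of the original message: a Python sketch that builds the per-host key stores for both meshes described in the reply and shows how many hosts hold each secret, which is the difference between per-host keypairs and anything derived from a pairwise shared secret. The function names are hypothetical and the key labels follow the message's own naming.

```python
from itertools import combinations

def tag(host):
    # Constructed labelling rule: first letter of the host name, as in the message.
    return host[0].lower()

def public_key_mesh(hosts):
    """Each host keeps its own private key and every host's public key."""
    pubs = [f"Pub_{tag(h)}" for h in hosts]
    return {h: [f"Priv_{tag(h)}"] + pubs for h in hosts}

def pairwise_secret_mesh(hosts):
    """Each pair of hosts shares one secret K_xy. A keypair generated
    deterministically from a pairwise pre-shared secret has the same shape:
    one confidential value per pair, known to both ends."""
    store = {h: [] for h in hosts}
    for a, b in combinations(hosts, 2):
        key = f"K_{tag(a)}{tag(b)}"
        store[a].append(key)
        store[b].append(key)
    return store

def secret_holders(store):
    """Map every confidential value (anything that is not Pub_*) to its holders."""
    holders = {}
    for host, keys in store.items():
        for k in keys:
            if not k.startswith("Pub_"):
                holders.setdefault(k, set()).add(host)
    return holders

def summary(store):
    """Return (distinct confidential values, max hosts holding any one of them)."""
    holders = secret_holders(store)
    return len(holders), max(len(h) for h in holders.values())

if __name__ == "__main__":
    mesh = ["Alice", "Bob", "Charlie", "Dave"]
    for hosts in (mesh, mesh + ["Eve"]):
        n = len(hosts)
        pk = summary(public_key_mesh(hosts))
        sk = summary(pairwise_secret_mesh(hosts))
        assert sk[0] == n * (n - 1) // 2
        print(f"n={n}: public-key mesh {pk[0]} secrets, {pk[1]} holder each; "
              f"pairwise mesh {sk[0]} secrets, {sk[1]} holders each")
    for host, keys in pairwise_secret_mesh(mesh).items():
        print(f"{host}: {', '.join(keys)}")
```
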

