
Re: On shared keys



On 29 Nov 2001, Derek Atkins wrote:
> > I think would work for site-to-site setups:  let the key
> > exchange protocol support only RSA, and generate RSA keypairs
> > deterministically from the pre-shared secret...
> 
> But you don't WANT both sides to have the same keypair.  The whole
> point of public key cryptography is that each entity has one and only
> one keypair, from which they can share their PUBLIC key...

This isn't a way of doing proper public-key cryptography.  It's a way of
doing shared-secret authentication using crypto machinery which only needs
to understand public keys.  It has all the disadvantages of shared-secret,
*EXCEPT* that it has zero impact on the protocol and the protocol
implementation. 

Nobody is claiming that this replaces real public-key cryptography.  The
claim is that it can avoid the need to contort the protocol for the sake
of users who still want to use shared secrets.  As such, it looks fairly
promising, although details would need to be filled in and reviewed by
the crypto gurus.

> Do I even need to mention the insecurity of generating an RSA key from
> a short secret?  Worse, do I need to mention the insecurity of both
> sides sharing a SINGLE keypair?

In what way is it worse than old-style shared secrets?  *That* is the
crucial question.

                                                          Henry Spencer
                                                       henry@spsystems.net
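The mechanism under discussion, as an added example that is not code from this thread or from any of its authors: both sites feed the same pre-shared secret through a key-stretching step and a deterministic byte stream, then run an ordinary RSA key search over that stream, so each side ends up holding the same keypair and an RSA-only authentication protocol can be driven by the shared secret. The PBKDF2 salt, the HMAC counter-mode stream, the small toy key size and the function names are all assumptions made for illustration; the derived key is exactly as strong as the secret behind it, which is the point of Derek's objection and of Henry's "in what way is it worse" question.

```python
"""Deterministic RSA keypair from a pre-shared secret (illustrative, added
example; not from the FreeS/WAN thread).  Both sides must agree on the
secret, the salt and the key size; everything else replays identically."""
import hashlib
import hmac
import math

# Trial-division primes and fixed Miller-Rabin bases (deterministic on purpose).
SMALL_PRIMES = [p for p in range(2, 1000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def _drbg(seed: bytes):
    """Reproducible byte stream: HMAC-SHA256 over a 32-bit counter.
    This PRF choice is an assumption of the example, not an RSA standard."""
    counter = 0
    while True:
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        yield from block


def _candidate(stream, bits: int) -> int:
    """Next odd candidate prime of exactly `bits` bits with the top two bits
    set, so that p*q always has the full modulus width."""
    nbytes = (bits + 7) // 8
    raw = bytes(next(stream) for _ in range(nbytes))
    value = int.from_bytes(raw, "big") >> (nbytes * 8 - bits)
    return value | (3 << (bits - 2)) | 1


def _is_probable_prime(n: int) -> bool:
    """Trial division followed by Miller-Rabin with fixed bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_rsa_keypair(psk: bytes, salt: bytes, bits: int = 512) -> dict:
    """Derive an RSA keypair (n, e, d) from `psk`.  `bits` = 512 is a toy size
    chosen so the example runs quickly; it is not a deployment recommendation.
    The secret is stretched with PBKDF2 first, but stretching only slows a
    guess-and-regenerate attack; it does not add entropy the secret lacks."""
    seed = hashlib.pbkdf2_hmac("sha256", psk, salt, 200_000)
    stream = _drbg(seed)
    e = 65537
    primes = []
    while len(primes) < 2:
        cand = _candidate(stream, bits // 2)
        if cand not in primes and math.gcd(cand - 1, e) == 1 and _is_probable_prime(cand):
            primes.append(cand)
    p, q = primes
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d}


def both_sides_agree(psk: bytes, salt: bytes) -> bool:
    """Site A and site B run the derivation independently; same input, same key."""
    return derive_rsa_keypair(psk, salt) == derive_rsa_keypair(psk, salt)


def textbook_roundtrip(key: dict, m: int) -> bool:
    """Raw (unpadded) RSA sign-then-verify, only to show the derived key works."""
    return pow(pow(m, key["d"], key["n"]), key["e"], key["n"]) == m


if __name__ == "__main__":
    # Constructed sample inputs for a site-to-site pair.
    key = derive_rsa_keypair(b"correct horse battery staple", b"siteA-siteB")
    print("modulus bits:", key["n"].bit_length())
    print("both sides agree:", both_sides_agree(b"correct horse battery staple", b"siteA-siteB"))
    print("roundtrip ok:", textbook_roundtrip(key, 12345))
```

Because the whole search (candidate bytes, trial division, Miller-Rabin bases) is deterministic, the two sites never exchange anything about the private key; the protocol only ever sees an RSA public key. The flip side, which is Derek's objection, is that anyone who can guess the secret runs the same code and obtains the same private key, so the secret needs as much entropy as the RSA key is meant to provide.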


