[7513] in cryptography@c2.net mail archive
Re: Weak user keys, strong servers.
daemon@ATHENA.MIT.EDU (David Jablon)
Thu Jul 20 18:41:59 2000
Message-Id: <4.3.2.7.0.20000720174122.00adf820@world.std.com>
Date: Thu, 20 Jul 2000 18:16:54 -0400
To: "James A. Donald" <jamesd@echeque.com>,
"'cryptography@c2.net'" <cryptography@c2.net>
From: David Jablon <dpj@world.std.com>
Cc: daw@CS.Berkeley.EDU (David A. Wagner), dpj@world.std.com
In-Reply-To: <4.3.1.2.20000720073046.03939bf8@shell11.ba.best.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
This is a solved problem, under slightly different assumptions.
At 07:34 AM 7/20/00 -0700, James A. Donald wrote:
> --
>Weak user keys.
>
>Suppose the user's key p, may be weak and easily guessed from G^p
>
>Suppose the key server constructs for each user a strong supplementary
>key, q. which the server knows but the user does not know.
>
>We would like the keyserver to protect people who are not so paranoid as
>to protect themselves from the keyserver.
This can be done by using p to establish a password-authenticated secure
channel to the server
and retrieve q through that channel. The client combines p and q to
re-create the private key.
The public key that corresponds with the private key is made public.
>[1] We want a public key system that does not make public G^p, though it
>will make public G^q and G^(pq).
>
>[2] A signature in this public key system should show that the document
>has been signed by someone who knows p, with the assistance of someone who
>knows both q and the shared secret key, G^p.
>
>[3] Someone who knows G^q and G^(pq) should be able to check the signature
>without knowing G^p, p, or q.
>
>[4] Anyone knowing G^q and G^(pq) should be able encrypt a document in
>such a way that only a person who knows p can decrypt it, provided he has
>the assistance of someone who knows q and G^p
>
>I have not been able to design such a system
... Because at least one of your assumptions was wrong. As David Wagner
noted, there is no method
that works in this model. Knowing G^q and G^(pq) one can test and verify
guesses for p.
If you get rid of goals [3] and [4], limiting the public information to the
public key you can make
this work.
>One can achieve almost the same effect by having transient user keys
>separate from the user logon key, random keys which randomly generated by
>the users client software and authenticated by the server, but this
>exposes the client to man in the middle attack from the server, and only
>works for instant messaging and for transactions that either fail or
>complete within a single logon session at the server.
I'm not sure what method you have in mind, but there are several ways to do
achieve
goals [1] and [2] without MITM attack. The general model works like this:
Using a password-authenticated key exchange, the client proves knowledge of
p to
a server that knows f(p) (a special one way transformation of p) and
derives a mutually
authenticated session key K.
K is mutually authenticated by the client's knowledge of p, and the
server's knowledge of f(p).
There are several ways to do this, like B-SPEKE, SRP, A-EKE, AMP, all
described in papers at
<www.integritysciences.com>.
The client then retrieves q through the channel encrypted with K, and then
combines p and q to re-create the private key.
In some of these methods, f(p) is in fact G^p, so you weren't too far off
the mark.
----------------------------------
David P. Jablon
dpj@world.std.com
www.IntegritySciences.com
