[2835] in Kerberos

Kerberos non-repudiation idea

daemon@ATHENA.MIT.EDU (Donald T. Davis)
Tue Oct 5 19:51:27 1993

From: "Donald T. Davis" <don@GZA.COM>
Date: Tue, 5 Oct 93 19:31:10 EDT
To: bilbo@suite.com
Cc: kerberos@MIT.EDU


the kdc is not the natural agent for signature-translation,
because in commercial applications, a lot of asynchronous
traffic needs message-integrity guarantees. it's important not
to overburden the kdc, because its database is expensive to replicate.
non-repudiation is only one common type of message-integrity assurance,
but in high-stakes communications, even just the non-repudiable
traffic can be voluminous.

you're right that the XOR step provides a cheap extra layer of
cryptographic security, but that's only true if the mask (your "nonce")
is discarded after the first use. if you re-use the mask, its
value vanishes, because the attacker can attack {msg1 ^ N}K and {msg2 ^ N}K
by trying a value for K on both messages, and XOR'ing the putative
plaintexts together. if he chooses the right K, he'll get
msg1 ^ N ^ msg2 ^ N == msg1 ^ msg2.  this last is a known quantity, since
both msg1 & msg2 are message-checksums, and as such are known to the
attacker. thus, the attacker will still be able to tell when an
exhaustive attack succeeds, unless every certificate is a single-use one.

to get the effect you want, you could incorporate the nonce into the hash:
{#(msg,N)}K would indeed be more resistant to exhaustive-search,
but this makes the nonce's encryption-layer more expensive.

as you point out, an advantage of signature-translation is that the
signature-checking costs only time, not cycles. as john linn pointed
out to me, this is not important for typical e-mail-style applications,
but may be important for high-volume signed traffic.
i should point out that i got the signature-translation protocol
from butler lampson and martin abadi, via mike burrows (all 3 @ dec research);
they suggested it as a dandy application of private-key certificates.
kudos to them. lampson discusses this stuff in a paper in the '91 acm sosp
(symp. on op. sys. principles) proceedings.

thanks, btw, for the bellcore reference; can you send me the title &
the authors' names, so i can ask them for a reprint?

					-don davis
					 openvision/geer zolot associates
					 1 main st. cambridge, ma 02142
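
The mask-reuse point in the message above, as an added example that is not part of the original post: with one mask N reused for two certificates, a candidate K can be checked against the known value msg1 ^ msg2, while with a fresh mask per certificate the same check recognizes no key. The 12-bit keyspace, the toy Feistel cipher standing in for {..}K, the truncated SHA-256 checksum and the sample messages are all assumptions made for the demonstration.

```python
import hashlib
import os

KEY_BITS = 12  # toy keyspace so the search finishes quickly (assumption)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Keyed round function for the toy cipher (hypothetical construction).
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([i]) + half).digest()[:8]

def encrypt(key, block):
    """Toy 4-round Feistel cipher on 16-byte blocks; stands in for {..}K."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def checksum(msg):
    """Message checksum known to the attacker (truncated SHA-256, assumption)."""
    return hashlib.sha256(msg).digest()[:16]

def keys_passing_test(c1, c2, known_xor):
    """Candidate keys K with D_K(c1) ^ D_K(c2) == msg1 ^ msg2."""
    return [k for k in range(1 << KEY_BITS)
            if _xor(decrypt(k, c1), decrypt(k, c2)) == known_xor]

def demo(key=0x5A3):
    # Constructed sample messages; only their checksums are encrypted.
    m1, m2 = checksum(b"constructed message one"), checksum(b"constructed message two")
    known = _xor(m1, m2)
    n = os.urandom(16)  # one mask reused for both certificates
    reused = keys_passing_test(encrypt(key, _xor(m1, n)), encrypt(key, _xor(m2, n)), known)
    n1, n2 = os.urandom(16), os.urandom(16)  # single-use masks
    fresh = keys_passing_test(encrypt(key, _xor(m1, n1)), encrypt(key, _xor(m2, n2)), known)
    return reused, fresh

if __name__ == "__main__":
    print(demo())
```

With the reused mask the search returns exactly the true key; with single-use masks it returns nothing, because the masks no longer cancel and no known quantity is left to test a guess against.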

