If you ignore standards for the moment and think about 
requirements and threat models, you need to do the following:
- protect against passive eavesdropping (so use crypto)
- exchange keys securely (so use Diffie-Hellman)
- prevent man-in-the-middle attacks (so sign the DH parameters)
- only talk to people you know (optional) (again, sign the DH parameters)
- prevent public-key substitutions (check certificates or whatever.)

So you're not encrypting a key for transmission - you're only signing
DH keyparts, and a signature-only key and cert should be fine.
It's also particularly useful if you live in nosy jurisdictions like the UK
that want you to hand over your private encryption keys,
because the DH keys are ephemeral and not saved,
and your signature keys can only be used for forgery, not decryption
of previous traffic.
At 11:03 AM 8/15/00 +0800, Enzo Michelangeli wrote:
>If I use a signature-only cert to authenticate a D-H key exchange (e.g., in
>IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any
>licensing condition and/or, when applicable, export regulation? I'm asking
>because MS seems to suggest that for Win2K's IPSEC stack a signature-only
>cert would suffice:
>
>http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp
>
>[...]
>Here are the requirements for the certificate to be used for IPSec:
>
>Certificate stored in computer account (machine store)
>Certificate contains an RSA public key that has a corresponding private key
>that can be used for RSA signatures.
>Used within certificate validity period
>The root certificate authority is trusted
>A valid certificate authority chain can be constructed by the CAPI module
>[...]
>
>Cheers --
>
>Enzo
>

Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
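The requirements list above (ephemeral DH for the session key, a signature over the DH values to stop substitution, a long-term key that can only sign) is easy to see in code. The following is an added example, not code from this thread, from Microsoft's IPsec stack, or from any IKE or SSL implementation: it uses Go's standard library with P-256 ECDH as the DH flavour and ECDSA as the signature, and the three-flow message shape, the transcript label string and the `Identity`/`Handshake` names are this example's own assumptions rather than any protocol's wire format. The `substitute` flag models a DH value being swapped on the wire, which is the failure the signature requirement is there to catch.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a party's long-term key. It is signature-only: nothing here can
// decrypt traffic, so handing it over later exposes no past session.
type Identity struct{ signKey *ecdsa.PrivateKey }

// NewIdentity makes a fresh ECDSA P-256 signing key, standing in for the key
// behind a signature-only certificate.
func NewIdentity() (*Identity, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{signKey: k}, nil
}

// transcript hashes a protocol label (assumed for this example) and both ephemeral
// public values. Uncompressed P-256 points are a fixed 65 bytes, so concatenation is unambiguous.
func transcript(gA, gB []byte) []byte {
	h := sha256.Sum256(append(append([]byte("signed-ephemeral-dh-v1:"), gA...), gB...))
	return h[:]
}

// sign is what turns anonymous DH into authenticated DH; verify is its counterpart.
func (id *Identity) sign(gA, gB []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, id.signKey, transcript(gA, gB))
}
func (id *Identity) verify(gA, gB, sig []byte) bool {
	return ecdsa.VerifyASN1(&id.signKey.PublicKey, transcript(gA, gB), sig)
}
// sessionKey is derived from the ephemeral ECDH secret only: discard the
// ephemeral private key and no long-term key can recompute it.
func sessionKey(eph *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pk, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(pk)
	k := sha256.Sum256(secret) // on error secret is nil; err is returned below
	return k[:], err
}

// Handshake runs one signed ephemeral DH exchange between a and b:
//   1. a -> b : gA
//   2. b -> a : gB, Sig_b(gA, gB)
//   3. a -> b : Sig_a(gA, gB)
// With substitute set, b gets an unrelated ephemeral value in step 1 instead of gA.
func Handshake(a, b *Identity, substitute bool) (keyA, keyB []byte, err error) {
	curve := ecdh.P256()
	var eph [3]*ecdh.PrivateKey // a's, b's, and the unrelated third party's keys
	for i := range eph {
		if eph[i], err = curve.GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	ephA, ephB := eph[0], eph[1]
	gA, gB := ephA.PublicKey().Bytes(), ephB.PublicKey().Bytes()
	gASeenByB := gA
	if substitute {
		gASeenByB = eph[2].PublicKey().Bytes()
	}
	sigB, err := b.sign(gASeenByB, gB) // b signs the transcript as b saw it
	if err != nil {
		return nil, nil, err
	}
	// a checks against the value it really sent; a swapped gA fails right here.
	if !b.verify(gA, gB, sigB) {
		return nil, nil, errors.New("peer signature does not cover our DH value")
	}
	sigA, err := a.sign(gA, gB)
	if err != nil || !a.verify(gASeenByB, gB, sigA) {
		return nil, nil, errors.New("initiator signature rejected")
	}
	if keyA, err = sessionKey(ephA, gB); err == nil {
		keyB, err = sessionKey(ephB, gASeenByB)
	}
	return keyA, keyB, err
}

func main() {
	a, _ := NewIdentity()
	b, _ := NewIdentity()
	k1, k2, err := Handshake(a, b, false)
	fmt.Println("honest run: keys match =", bytes.Equal(k1, k2), "err =", err)
	_, _, err = Handshake(a, b, true)
	fmt.Println("substituted gA: err =", err)
}
```

Two things in the code correspond directly to the points in the reply above: `Identity` carries a signing key and nothing else, so the only thing its compromise enables is forging future handshakes, never decrypting earlier traffic; and `sessionKey` takes only the ephemeral private key, so once that is dropped after the session there is nothing left to hand over. Note that the signature must cover both DH values as each party saw them; signing only one's own value would still let a swapped peer value go unnoticed.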