On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
>> Pairwise shared secrets are just about the only thing that scales
>> worse than public key distribution by way of PGP key fingerprints on
>> business cards.  ....
>> If we want secure crypto that can be used by everyone, with minimal
>> trust, public key is the only way to do it.
>> One pretty sensible thing to do is to remember keys established in
>> previous sessions, and use those combined with the next session.
> You've answered your own conundrum!
> Of course the idea of remembering keys established in previous
> sessions and using them combined with keys negotiated in the next
> session is a scalable way of establishing and updating pairwise
> shared secrets....
It's even better than you make out.  If Eve does manage to get hold of 
Alice's current keys, and uses them to communicate with Bob, *after the 
communication, Bob will have updated his keys - but Alice will not have*.  The 
next time they communicate, they'll know they've been compromised.  That is, 
this is tamper-evident cryptography.

There was a proposal out there based on something very much like this to create 
tamper-evident signatures.  I forget the details - it was a couple of years ago 
- but the idea was that every time you sign something, you modify your key in 
some random way, resulting in signatures that are still verifiably yours, but 
also contain the new random modification.  Beyond that, I don't recall how it 
worked - it was quite clever... ah, here it is:  
                                                        -- Jerry
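A small simulation of the key-continuity scheme discussed above, added here as an illustration and not part of the original thread. The SHA-256 ratchet, the HMAC "proof", and the random per-session material standing in for a fresh key agreement are all assumptions; the point it shows is that Eve's session succeeds against Bob, but Alice's next honest session then fails because Bob has ratcheted forward and Alice has not.

```python
import hashlib
import hmac
import os

def ratchet(remembered: bytes, fresh: bytes) -> bytes:
    """Next pairwise secret: the remembered secret mixed with this session's fresh material."""
    return hashlib.sha256(b"ratchet|" + remembered + b"|" + fresh).digest()

def proof(secret: bytes, fresh: bytes) -> bytes:
    """Keyed tag showing the sender holds the current remembered secret (stand-in for a session MAC)."""
    return hmac.new(secret, b"proof|" + fresh, hashlib.sha256).digest()

class Party:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret  # the remembered pairwise secret left over from the last session

def session(sender: Party, receiver: Party) -> bool:
    """One session between sender and receiver.

    `fresh` models the key agreed for this session (an ephemeral DH output, assumed).
    If the sender's proof matches what the receiver expects from its own remembered
    secret, both sides ratchet forward; otherwise the receiver sees the mismatch and
    neither side updates.
    """
    fresh = os.urandom(32)
    if not hmac.compare_digest(proof(sender.secret, fresh), proof(receiver.secret, fresh)):
        return False
    sender.secret = ratchet(sender.secret, fresh)
    receiver.secret = ratchet(receiver.secret, fresh)
    return True

def simulate_compromise() -> tuple:
    """Eve copies Alice's current secret and talks to Bob once.

    Returns (honest_ok, eve_ok, alice_ok): the first honest session and Eve's session
    both look fine to Bob, but Bob has ratcheted while Alice has not, so Alice's next
    contact fails and the compromise becomes evident.
    """
    seed = os.urandom(32)               # initial secret, assumed shared out of band
    alice, bob = Party("Alice", seed), Party("Bob", seed)
    honest_ok = session(alice, bob)     # a normal session; both ratchet together
    eve = Party("Eve", alice.secret)    # Eve holds a copy of Alice's *current* secret
    eve_ok = session(eve, bob)          # indistinguishable from Alice to Bob at this point
    alice_ok = session(alice, bob)      # Alice's remembered secret is now one step stale
    return honest_ok, eve_ok, alice_ok

if __name__ == "__main__":
    print(simulate_compromise())        # (True, True, False)
```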

The cryptography mailing list
