Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> OpenPGP we called "non-transferable signatures":
> http://www.cs.ucl.ac.uk/staff/i.brown/nts.htm
>
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipient's
> public key:
>
>   RSA_Enc( B_pub, sk ) +
>   RSA_Sig( A_pri, H( sk, B_pub ) ) +
>   c = Sym_Enc( sk, M ) +
>   Mac( sk, c )
>
> It proves A sent B a message, but only proves the content of the message to
> B; if B attempts to transfer the signature to C, C can't distinguish whether
> B forged the message or A signed the message.
>
> Adam
What about
c'=RSA_Enc( B_pub, sk ) +
RSA_Sig( A_pri, H( sk, c' ) ) +
This achieves at least the same security level. It *might* achieve more.
Also, H( sk, B_Pub ) must have context data (time window, reference to
transport mechanism, ...) so that replay attacks are detected.
Finally, you may have an optional proof of freshness (to the benefit of
B) with a preliminary step:
A gets sk' from B, else uses sk'=0
c'=RSA_Enc( B_Pub, sk" ) +
RSA_Sig( A_pri, sk' || H( sk", sk', c' ) ) +
sk=H(sk",sk')
B maintains a database of outstanding values for sk' if it wishes to
validate the freshness.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
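As an added illustration (not code from either post, nor from the NTS proposal itself), here is the packet layout Adam describes, with a toy textbook RSA over fixed Mersenne primes and a SHA-256 counter stream cipher standing in for PGP's primitives. It shows why B can verify the packet and why a packet B forwards to C, together with sk, proves nothing about the text: B can re-encrypt any message under the same sk and the signature over H(sk, B_pub) still verifies.

```python
import hashlib, hmac, secrets

# Toy textbook RSA on fixed Mersenne primes (constructed for this demo; no padding,
# so it only models the packet structure and is NOT a secure RSA implementation).
E = 65537
def rsa_keypair(p, q):                      # returns (pub=(n,e), pri=(n,d))
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))
def rsa_enc(pub, m): return pow(m, pub[1], pub[0])
def rsa_dec(pri, c): return pow(c, pri[1], pri[0])
def rsa_sig(pri, h): return pow(int.from_bytes(h, "big"), pri[1], pri[0])
def rsa_ver(pub, h, s): return pow(s, pub[1], pub[0]) == int.from_bytes(h, "big")

def H(*parts):                              # length-prefixed hash, e.g. H(sk, B_pub)
    hh = hashlib.sha256()
    for p in parts:
        hh.update(len(p).to_bytes(4, "big") + p)
    return hh.digest()
def pub_bytes(pub): return pub[0].to_bytes(96, "big") + pub[1].to_bytes(4, "big")

def sym_enc(sk, m):                         # toy XOR stream cipher (same call decrypts)
    blocks = len(m) // 32 + 1
    ks = b"".join(hashlib.sha256(sk + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(m, ks))
def mac(sk, c): return hmac.new(sk, c, hashlib.sha256).digest()

def nts_sign(A_pri, B_pub, M):              # RSA_Enc(B_pub,sk) + RSA_Sig(A_pri,H(sk,B_pub)) + c + Mac
    sk = secrets.token_bytes(16)
    c = sym_enc(sk, M)
    return {"esk": rsa_enc(B_pub, int.from_bytes(sk, "big")),
            "sig": rsa_sig(A_pri, H(sk, pub_bytes(B_pub))), "c": c, "tag": mac(sk, c)}

def open_with_sk(A_pub, B_pub, sk, pkt):    # the check anyone holding sk can run (B, or C if B hands over sk)
    if not rsa_ver(A_pub, H(sk, pub_bytes(B_pub)), pkt["sig"]): return None
    if not hmac.compare_digest(mac(sk, pkt["c"]), pkt["tag"]): return None
    return sym_enc(sk, pkt["c"])

def nts_open(A_pub, B_pri, B_pub, pkt):     # B recovers sk with its private key first
    sk = rsa_dec(B_pri, pkt["esk"]).to_bytes(16, "big")
    return open_with_sk(A_pub, B_pub, sk, pkt)

def forge_as_B(B_pri, pkt, fake_M):         # B knows sk, so B can swap the text under the same signature
    sk = rsa_dec(B_pri, pkt["esk"]).to_bytes(16, "big")
    c = sym_enc(sk, fake_M)
    return sk, dict(pkt, c=c, tag=mac(sk, c))

def demo():
    A_pub, A_pri = rsa_keypair(2**127 - 1, 2**521 - 1)   # signer A (toy keys)
    B_pub, B_pri = rsa_keypair(2**89 - 1, 2**607 - 1)    # recipient B (toy keys)
    pkt = nts_sign(A_pri, B_pub, b"meet at noon")
    genuine = nts_open(A_pub, B_pri, B_pub, pkt)
    sk, forged = forge_as_B(B_pri, pkt, b"meet at 9pm")
    # C accepts both packets: the signature binds sk and B_pub, never the message text
    return genuine, open_with_sk(A_pub, B_pub, sk, forged)
```

A third party without sk still cannot tamper: altering `c` without recomputing the MAC makes `open_with_sk` return None, which is the integrity-protected encryption Adam's construction relies on.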
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography