Re: Using signature-only certs to authenticate key exchanges
> This effectively exempts things like signature-only smartcards and similar tokens.

I would not want to risk things on strict technical interpretation. I would go solely by intent, which often seems obvious. "I don't know what cryptography is, but I know it when I see it."

/r$
Re: Using signature-only certs to authenticate key exchanges
At 07:39 AM 8/17/00 +0800, Enzo Michelangeli wrote:
> My question was about the legal meaning, or, better, prevalent legal interpretation, of "signature-only key".
> ...
> This is not a purely academic issue. For example, in Hong Kong the import of cryptographic devices is exempted from import licensing (not a big hurdle, but an annoying bureaucratic procedure nevertheless) if they are "only used for authentication or digital signature":

Ah. The certificate structure - keys, software, smartcards, data, etc. can all work fine as signature-only, so it sounds like it'll pass your import license issues. On the other hand, the Diffie-Hellman key exchange itself, and the symmetric-key application that uses the key generated by DH, aren't signature-only systems - they're clearly for doing encryption. So you'll need to keep track of which pieces are integrated and which are separate.

Do your import restrictions apply to intangibles like downloading software in the net? Some places only restrict import/export of physical objects.

Thanks! Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
RE: Using signature-only certs to authenticate key exchanges
Enzo,

My apologies for being unclear. Since I am not an attorney licensed to practice law in Hong Kong, I of course cannot speak to the legalities of using a cert/key with a signature-only key usage restriction for encryption purposes. Though I suspect even an attorney meeting the above qualifications could not answer with certainty which consequences the manufacturer of signature-only devices might face should such devices be used for encryption purposes.

As a data point, to the best of my knowledge, the use of signature-only keys for encryption purposes has not been tested in any court of law anywhere on the planet. Which tends to mean that any claims as to what the consequences of doing so would be are speculative at best.

(Long rant why relying on an application outside one's control to enforce key usage is bound to fail omitted).

--Lucky Green [EMAIL PROTECTED]

"Anytime you decrypt: that's against the law".
Jack Valenti, President, Motion Picture Association of America in a sworn deposition, 2000-06-06

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Enzo Michelangeli
Sent: Wednesday, August 16, 2000 16:40
To: Cryptography@C2. Net
Subject: Re: Using signature-only certs to authenticate key exchanges

Lucky (and Bill, in another message),

My question was about the legal meaning, or, better, prevalent legal interpretation, of "signature-only key". I know how authenticated key exchange mechanisms work, and, on the other hand, Ron Rivest has shown that at least in principle there are other ways of achieving confidentiality by relying only on authentication primitives.

This is not a purely academic issue. For example, in Hong Kong the import of cryptographic devices is exempted from import licensing (not a big hurdle, but an annoying bureaucratic procedure nevertheless) if they are "only used for authentication or digital signature":

http://www.info.gov.hk/tid/faq/strategic1.htm#q23

This effectively exempts things like signature-only smartcards and similar tokens.

Cheers --

Enzo

- Original Message -
From: "Lucky Green" [EMAIL PROTECTED]
To: "Cryptography@C2. Net" [EMAIL PROTECTED]
Sent: Wednesday, August 16, 2000 4:00 PM
Subject: RE: Using signature-only certs to authenticate key exchanges

> Enzo,
> Many applications that employ certs ignore key usage restrictions. This isn't your fault or the fault of the CA. It simply reflects a 'broken' implementation. IANAL, but I fail to see how you or your customers could be held responsible for applications that use certs in ways other than the cert was intended to be used by the issuer.
> [...]
RE: Using signature-only certs to authenticate key exchanges
Enzo,

Many applications that employ certs ignore key usage restrictions. This isn't your fault or the fault of the CA. It simply reflects a 'broken' implementation. IANAL, but I fail to see how you or your customers could be held responsible for applications that use certs in ways other than the cert was intended to be used by the issuer.

--Lucky Green [EMAIL PROTECTED]

"Anytime you decrypt: that's against the law".
Jack Valenti, President, Motion Picture Association of America in a sworn deposition, 2000-06-06

-Original Message-
From: owner-c [mailto:[EMAIL PROTECTED]]On Behalf Of Enzo Michelangeli
Sent: Monday, August 14, 2000 20:03
To: [EMAIL PROTECTED]
Subject: Using signature-only certs to authenticate key exchanges

If I use a signature-only cert to authenticate a D-H key exchange (e.g., in IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any licensing condition and/or, when applicable, export regulation? I'm asking because MS seems to suggest that for Win2K's IPSEC stack a signature-only cert would suffice:

http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp

[...]
Here are the requirements for the certificate to be used for IPSec:
- Certificate stored in computer account (machine store)
- Certificate contains an RSA public key that has a corresponding private key that can be used for RSA signatures.
- Used within certificate validity period
- The root certificate authority is trusted
- A valid certificate authority chain can be constructed by the CAPI module
[...]

Cheers --

Enzo
Re: Using signature-only certs to authenticate key exchanges
Lucky (and Bill, in another message),

My question was about the legal meaning, or, better, prevalent legal interpretation, of "signature-only key". I know how authenticated key exchange mechanisms work, and, on the other hand, Ron Rivest has shown that at least in principle there are other ways of achieving confidentiality by relying only on authentication primitives.

This is not a purely academic issue. For example, in Hong Kong the import of cryptographic devices is exempted from import licensing (not a big hurdle, but an annoying bureaucratic procedure nevertheless) if they are "only used for authentication or digital signature":

http://www.info.gov.hk/tid/faq/strategic1.htm#q23

This effectively exempts things like signature-only smartcards and similar tokens.

Cheers --

Enzo

- Original Message -
From: "Lucky Green" [EMAIL PROTECTED]
To: "Cryptography@C2. Net" [EMAIL PROTECTED]
Sent: Wednesday, August 16, 2000 4:00 PM
Subject: RE: Using signature-only certs to authenticate key exchanges

> Enzo,
> Many applications that employ certs ignore key usage restrictions. This isn't your fault or the fault of the CA. It simply reflects a 'broken' implementation. IANAL, but I fail to see how you or your customers could be held responsible for applications that use certs in ways other than the cert was intended to be used by the issuer.
> [...]
Re: Using signature-only certs to authenticate key exchanges
If you ignore standards for the moment and think about requirements and threat models, you need to do the following:
- protect against passive eavesdropping (so use crypto)
- exchange keys securely (so use Diffie-Hellman)
- prevent man-in-the-middle attacks (so sign the DH parameters)
- only talk to people you know (optional) (again, sign the DH parameters)
- prevent public-key substitutions (check certificates or whatever.)

So you're not encrypting a key for transmission - you're only signing DH keyparts, and a signature-only key and cert should be fine.

It's also particularly useful if you live in nosy jurisdictions like the UK that want you to hand over your private encryption keys, because the DH keys are ephemeral and not saved, and your signature keys can only be used for forgery, not decryption of previous traffic.

At 11:03 AM 8/15/00 +0800, Enzo Michelangeli wrote:
> If I use a signature-only cert to authenticate a D-H key exchange (e.g., in IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any licensing condition and/or, when applicable, export regulation? I'm asking because MS seems to suggest that for Win2K's IPSEC stack a signature-only cert would suffice:
>
> http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp
>
> [...]
> Here are the requirements for the certificate to be used for IPSec:
> - Certificate stored in computer account (machine store)
> - Certificate contains an RSA public key that has a corresponding private key that can be used for RSA signatures.
> - Used within certificate validity period
> - The root certificate authority is trusted
> - A valid certificate authority chain can be constructed by the CAPI module
> [...]
>
> Cheers --
>
> Enzo

Thanks! Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
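
The signed ephemeral DH exchange described in the message above, as an added sketch that is not part of the original thread. A Lamport one-time hash-based signature stands in for the RSA signature-only key, the peers' verification keys are assumed to be already authenticated (the certificate check), and the toy group and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group (assumption): 2**521 - 1 is prime but not a standardized DH group.
P, G = 2**521 - 1, 3

def H(data):
    return hashlib.sha256(data).digest()

def lamport_keygen():
    """One-time hash-based signing key: it can sign, but cannot encrypt."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def digest_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))

def dh_keypart():
    x = secrets.randbelow(P - 3) + 2   # ephemeral secret, never stored
    return x, pow(G, x, P)

def encode(y):
    return y.to_bytes(66, "big")

def session_key(my_secret, peer_part, peer_pk, peer_sig):
    if not (1 < peer_part < P - 1 and verify(peer_pk, encode(peer_part), peer_sig)):
        raise ValueError("unauthenticated DH keypart")
    # Signing keys are not inputs: the key depends only on discarded DH secrets.
    return H(encode(pow(peer_part, my_secret, P)))

def demo():
    (a_sk, a_pk), (b_sk, b_pk) = lamport_keygen(), lamport_keygen()
    (a, A), (b, B) = dh_keypart(), dh_keypart()
    sig_a, sig_b = sign(a_sk, encode(A)), sign(b_sk, encode(B))
    agreed = session_key(a, B, b_pk, sig_b) == session_key(b, A, a_pk, sig_a)
    _, M = dh_keypart()                # substituted keypart, unsigned by Bob
    try:
        session_key(a, M, b_pk, sig_b)
        return agreed, False
    except ValueError:
        return agreed, True
```

`demo()` returns `(True, True)`: both sides derive the same key, and a keypart swapped in transit is rejected because it carries no valid signature. A real protocol would also bind nonces and identities into the signed data to stop replay.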