Reading about several attacks based on partial message replay, I was wondering if the following idea had any worth, or maybe was already widely used (sorry, I'm way behind in the literature):
"The actual symmetric key to be used to encrypt the payload is the hash of the shared secret, the time, and other public data."

Optionally, "other public data" can include information identifying the two parties, to make active attacks harder, as well as nonces sent by either or both parties, sequence numbers preventing reuse within the window, etc. This means that protocol attacks are now restricted to a smaller window (say, a TCP timeout of 5 minutes), both in the time range during which active attacks can be conducted and in the range over which the passive data can be decrypted. I.e., that's automated rekeying, in a way that almost guarantees the same key is never used twice.

Depending on the protocol, the server can be trusted to broadcast and communicate its time with some coarse grain, and the client just uses its NTP time as a guess. The server can accept the client's proposed time if within an acceptable window, or override it with its own time, which the client can refuse if in paranoid mode — in which case there is a DoS attack possible if NTP is subverted.

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
Reason isn't about not having prejudices, it's about having (appropriate) postjudices. — Faré
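As an added illustration of the scheme described above (not code from the poster), here is a per-window key derivation plus the server-side time-acceptance check. It assumes HMAC-SHA256 as the hash, fixed 5-minute windows aligned to Unix time, a 60-second acceptable skew, and length-prefixed fields; all of those choices are assumptions, not part of the original post.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 300  # the "TCP timeout of 5 minutes" window (assumption: fixed, aligned windows)


def window_start(t: int) -> int:
    """Round a Unix time down to the start of its 5-minute window."""
    return t - (t % WINDOW_SECONDS)


def derive_key(shared_secret: bytes, t: int, client_id: bytes, server_id: bytes,
               client_nonce: bytes, server_nonce: bytes, seq: int) -> bytes:
    """Payload key = H(shared secret, time window, public data).

    Assumption (not in the post): HMAC-SHA256 keyed with the shared secret.
    Every variable-length field is length-prefixed so two different sets of
    public data can never serialize to the same byte string.
    """
    def field(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b

    msg = (struct.pack(">Q", window_start(t))
           + field(client_id) + field(server_id)
           + field(client_nonce) + field(server_nonce)
           + struct.pack(">Q", seq))  # sequence number prevents reuse within the window
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def accept_client_time(client_time: int, server_time: int, max_skew: int = 60):
    """Server-side check from the post: accept the client's proposed time if it
    is within the acceptable window, otherwise override it with the server's
    own clock. Returns (agreed_time, overridden)."""
    if abs(client_time - server_time) <= max_skew:
        return client_time, False
    return server_time, True


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    secret = b"example-shared-secret"
    t = 1_700_000_123
    k1 = derive_key(secret, t, b"alice", b"bob", b"cn1", b"sn1", 0)
    k2 = derive_key(secret, t + WINDOW_SECONDS, b"alice", b"bob", b"cn1", b"sn1", 0)
    print("same window key differs in next window:", k1 != k2)
    print("client time accepted:", accept_client_time(t, t + 30))
```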