[cryptography] deniable store and forward with integrity protection?
thierry.moreau at connotech.com
Wed Feb 16 09:01:57 EST 2011
Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> openPGP we called "non-transferable signatures"
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipient's
> public key.
> RSA_Enc( B_pub, sk ) +
> RSA_Sig( A_pri, H( sk, B_pub ) ) +
> c = Sym_Enc( sk, M ) +
> Mac( sk, c )
> it proves A sent B a message, but only proves the content of the message to
> B, if B attempts to transfer the signature to C, C can't distinguish whether
> B forged the message vs A signed the message.
c'=RSA_Enc( B_pub, sk ) +
RSA_Sig( A_pri, H( sk, c' ) ) +
This achieves at least the same security level. It *might* achieve more.
Also, H( sk, B_Pub ) must have context data (time window, reference to
transport mechanism, ...) so that replay attacks are detected.
Finally, you may have an optional proof of freshness (to the benefit of
B) with a preliminary step:
A gets sk' from B, else uses sk'=0
c'=RSA_Enc( B_Pub, sk" ) +
RSA_Sig( A_pri, sk' || H( sk", sk', c' ) ) +
B maintains a database of outstanding values for sk' if it wishes to
validate the freshness.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1