[Cryptography] Hiding parties identities

Christian Huitema huitema at huitema.net
Wed Oct 28 21:08:14 EDT 2015


I am looking at the “Pre-shared key” specs in RFC 4279, and in particular at
the privacy issues inherent with pre-shared key. According to 4279, the
client sends to the server a “key identity” so the server understands which
shared key to use in the exchange. The problem of course is that by doing so
the client reveals its own identity in a clear text message. This is
dutifully flagged in the security considerations, but no mitigation is
proposed.

I can think of two kinds of mitigations. The first one is to encrypt the key
identity with a server-provided key. The problem is that this is a bit
circular, as the server has to identify that identity encryption key. Also,
privacy is only achieved if the server key is shared with multiple clients,
but then it falls into the “widely known secret” category.

The second one is to replace the key identity by a puzzle, e.g. a nonce and
the hash of the nonce and the shared key. The server tries many shared keys
until one is found to match, thus identifying the client with which the key
was shared. Bluetooth LE does a variation of that. The problem of course is
that the server load increases linearly with the number of clients, which
may be OK with small Bluetooth devices paired with a small number of peers,
but not so OK for medium to large servers.

Do you know a better way?

-- Christian Huitema
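
Added example, not part of the original message: a sketch of the second mitigation, where the client sends a nonce and a keyed hash instead of a cleartext key identity and the server tries each provisioned key. HMAC-SHA256 stands in for "the hash of the nonce and the shared key"; the 16-byte nonce, the function names and the client table are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 16  # assumption: the message does not specify a nonce size


def make_hint(psk: bytes, nonce: bytes | None = None) -> tuple[bytes, bytes]:
    """Client side: produce (nonce, tag) to send in place of a key identity."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    tag = hmac.new(psk, nonce, hashlib.sha256).digest()
    return nonce, tag


def resolve_hint(psk_table: dict[str, bytes], nonce: bytes, tag: bytes):
    """Server side: try every provisioned key until one reproduces the tag.

    Returns (client_name, keys_tried); client_name is None if nothing matched.
    """
    tried = 0
    for name, psk in psk_table.items():
        tried += 1
        candidate = hmac.new(psk, nonce, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak match position.
        if hmac.compare_digest(candidate, tag):
            return name, tried
    return None, tried


def build_table(n: int) -> dict[str, bytes]:
    """Constructed sample data: n clients, each with a random 32-byte PSK."""
    return {f"client-{i}": os.urandom(32) for i in range(n)}


if __name__ == "__main__":
    for n in (10, 1000, 100000):
        table = build_table(n)
        # Worst case: the connecting client is the last entry scanned.
        last = f"client-{n - 1}"
        nonce, tag = make_hint(table[last])
        who, tried = resolve_hint(table, nonce, tag)
        print(f"{n:>6} clients -> matched {who} after {tried} HMACs")
```

The `keys_tried` count grows with the size of the table, and a hint that matches no key costs a full scan, which is the linear server load the message describes.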

 

 
