<div dir="ltr"><div>Hi Stuart,<br>I might have overlooked something too, though I just drop here my 50 cents.<br></div><div><br></div><div>What about this protocol:<br><br></div><div>1. Alice generates a random key A, then encrypts it using B's public and sends it to B.<br>
</div><div>2. Bob decrypts what it got from Alice, and then the shared key is established for the rest of the conversation.<br><br></div><div>I don't have much theoretic knowledge about using Diffie Hellman, however I think it has the advantage of being useful even when<br>
</div><div>there is no signing or authentication scheme in the background.<br><br></div><div>real.<br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Mar 5, 2014 at 4:26 PM, Stuart Longland <span dir="ltr"><<a href="mailto:stuartl@longlandclan.yi.org" target="_blank">stuartl@longlandclan.yi.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I'm not sure if this is the right "forum" to ask this, I stumbled on this<br>
mailing list whilst looking through the newsgroups on my NNTP server; I<br>
see this list is one of a couple that pop up (via gmane).<br>
<br>
I was doing some thinking about ways of establishing shared secrets over<br>
a public medium.<br>
<br>
The use case here that I'm thinking of is for allowing authentication of<br>
individuals over a medium that prohibits encryption. Examples of this<br>
would be some countries (i.e. in the past France prohibited encryption,<br>
China at best frowns upon it), and also amateur radio. My intent here is<br>
to have some means of proving that the other person is who they say they<br>
are by means of the web-of-trust.<br>
<br>
GPG seems a good fit here, but public key crypto is expensive: good for<br>
that initial contact and negotiating a shared secret, but expensive to<br>
keep on with indefinitely. The thought is that the initial shared-key<br>
exchange is signed using asymmetric crypto (i.e. GPG, and using its web-<br>
of-trust feature to authenticate), to negotiate a session key which can<br>
be used as a HMAC key for verifying traffic.<br>
<br>
Thinking about the problem, it seems Diffie-Hellman is one to achieve<br>
this. From what I see, D-H key exchange normally works using modulo<br>
arithmetic and prime numbers (big ones). I wondered if simple XOR (which<br>
is commutative) could work.<br>
<br>
Conventional D-H relies on having a common secret: this won't work with<br>
XOR... it takes two inputs and produces an output, you need to know any<br>
two pieces to produce the third piece of data. The thought is to do away<br>
with the common secret altogether.<br>
<br>
i.e. two parties, Alice and Bob wish to establish a shared key.<br>
<br>
1. Alice generates two keys: A1 and A2.<br>
Bob generates two keys: B1 and B2.<br>
2. Alice signs A2 and sends A2 + signature to Bob.<br>
Bob signs B2 and sends B2 + signature to Alice.<br>
3. Alice verifies B2+signature, then generates<br>
A3 = A1 ^ A2 ^ B2. Alice signs A3 and sends to Bob.<br>
Bob verifies A2+signature, then generates<br>
B3 = B1 ^ B2 ^ A2. Bob signs B3 and sends to Alice.<br>
4. Alice verifies B3+signature, then generates<br>
A4 = B3 ^ A1 = B1 ^ B2 ^ A2 ^ A1<br>
Bob verifies A3+signature, then generates<br>
B4 = A3 ^ B1 = A1 ^ A2 ^ B2 ^ B1<br>
<br>
Since XOR is commutative; A4 and B4 should be identical. A1 and B1 are<br>
never revealed in public. XOR is computationally inexpensive, not the<br>
strongest, and probably wouldn't stop a determined (i.e. state-backed)<br>
cracker. Information theory would be useless as the keys would be random.<br>
<br>
The keys in my case would be used with keyed hashes, but the same scheme<br>
could generate crypto keys too.<br>
<br>
I'm guessing that, if done frequently enough (and it's simple enough it<br>
should be computationally inexpensive to negotiate new secrets) it'd be<br>
nearly impossible to guess A1 and B1 fast enough before the session<br>
became invalid with today's technology.<br>
<br>
Anyone here have any thoughts on this? Did I overlook something<br>
fundamental?<br>
<br>
Regards,<br>
Stuart Longland<br>
<br>
_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a><br>
</blockquote></div><br></div>