Zero Knowledge Identity Proofs
Marc Branchaud
marcnarc at rsasecurity.com
Mon Jun 25 14:26:06 EDT 2001
I'm not hep to the identification scheme literature, but I'll just a note
that in Dimitrios's scheme, Alice can't just sign the challenge, but must
also include Dave's signature in her signature. That is, Alice must sign all
of {S_dave(challenge), challenge}, not just the challenge by itself. And
Dave has to verify that both the challenge and his signature were signed by
Alice. Otherwise, Bob could just masquerade Dave's challenge.
Marc
Dimitrios.Petropoulos at reuters.com wrote:
>
> I think this is a case for additional protective mechanisms to extend the
> protocol semantics (there is nothing in the protocol prohibiting the
> verifier to perform a verification on behalf of a third party, which is
> the vulnerability exploited in the Mafia Fraud attack). This
> 'challenge-relay' can easily be defeated if the verifier (in the Mafia
> Fraud case that's Bob and Dave) is required to digitally sign their
> challenges. If challenges are signed then Alice will only proceed with
> the rest of the protocol run if the challenge indeed comes from Bob;
> Carol can still pass Dave's challenges to Bob but Alice will refuse to
> perform the protocol run having noticed that the challenges do not come
> from Bob. The optimised versions of the Feige-Fiat-Shamir and Guillou-
> Quisquater protocols make signing easier since they employ a vector of
> challenges to perform multiple accreditations- in order to avoid
> multiple messages.
>
> Regards,
> Dimitrios Petropoulos
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list