[Cryptography] On the deployment of client-side certs

Thierry Moreau thierry.moreau at connotech.com
Tue Nov 15 14:25:32 EST 2016


On 15/11/16 10:08 AM, Jerry Leichter wrote:
> A system based on a client-side certificate consists of the following on the client side:
>
> 1.  A private/public key pair;
> 2.  Secure storage of the private key;
> 3.  Secure computation of a signature using the private key;
> 4.  Delivery of the public key along with appropriate signed material.
>
> Both steps 2 and 3 represent the key implementation requirement:  A secure mechanism to hold and apply a private key.
>
> Given the hardware necessary to do that, wouldn't it be easier, more efficient, and less likely to leak identity information to use it to implement a password-authenticated key agreement protocol like SRP?  Note that the "password", being stored in the secure hardware rather than the user's head, can be an arbitrary bitstring.

About identity information leakage, the first SRP message sent from the 
client to the server includes the plaintext identity, doesn't it?

About the password being stored on a hardware token: the SRP password 
secret then turns into a long-term discrete-logarithm private 
authentication key. With this understanding, SRP enrollment with a 
server becomes equivalent to registering a unique public key for each 
server.

I do not know which exact scheme is easier and more efficient. 
Nonetheless, SRP with a user-remembered password spares the "secure 
mechanism to hold a private key" but requires a "secure mechanism to 
apply a private key." If you can afford a secure hardware token, SRP's 
main benefit appears less relevant.

- Thierry Moreau
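The two observations in the reply above (the first SRP client message carries the identity in the clear, and a token-held random "password" makes x a long-term discrete-log private key with a distinct verifier v = g^x per server) are shown concretely below. This is an added example, not code from the thread or from any SRP library: it implements the SRP-6a arithmetic over the RFC 5054 1024-bit group (N, g = 2) with SHA-256, but the identity, salts and password are constructed sample values and the M1/M2 session proofs are simplified relative to the SRP-6a paper.

```python
"""SRP-6a exchange with both sides' messages (added illustration, not from the
thread).  Group is the RFC 5054 1024-bit one; hash is SHA-256; proofs M1/M2 are
simplified.  Identity, salts and the password below are constructed values."""
import hashlib
import secrets

N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding of an element mod N (RFC 5054 PAD)."""
    return n.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I ':' P)).  When P is a random bitstring held by a token,
    x is in effect a long-term discrete-log private key and v = g^x mod N is
    the matching public key; the per-server salt makes v unique per server."""
    inner = hashlib.sha256(identity + b":" + password).digest()
    return H(salt, inner)


def enroll(identity: bytes, password: bytes, salt: bytes = None):
    """Client-side enrollment: returns the (salt, verifier) the server stores."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def client_hello(identity: bytes):
    """First message C -> S: (I, A).  The identity I is sent in plaintext."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    return a, (identity, A)


def server_challenge(db: dict, identity: bytes, A: int):
    """Second message S -> C: (s, B).  Also derives the server's copy of S."""
    if A % N == 0:
        raise ValueError("illegal client ephemeral A")
    salt, v = db[identity]               # lookup keyed by the cleartext identity
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N), b, N)      # (g^a * g^(x*u))^b = g^(b(a+u*x))
    return (salt, B), S


def client_secret(identity, password, a, A, salt, B):
    """Client's copy of S; on a token, private_x() would run inside the token."""
    if B % N == 0:
        raise ValueError("illegal server ephemeral B")
    x = private_x(salt, identity, password)
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u must not be zero")
    base = (B - k * pow(g, x, N)) % N    # = g^b when v = g^x
    return pow(base, a + u * x, N)       # g^(b(a+u*x)), same as the server


def run_srp(db: dict, identity: bytes, password: bytes):
    """Full exchange.  Returns (identity as sent on the wire, server_accepts,
    client_accepts)."""
    a, (ident_wire, A) = client_hello(identity)
    (salt, B), S_server = server_challenge(db, ident_wire, A)
    S_client = client_secret(identity, password, a, A, salt, B)
    K_c = hashlib.sha256(pad(S_client)).digest()
    K_s = hashlib.sha256(pad(S_server)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()          # client proof
    server_accepts = secrets.compare_digest(
        M1, hashlib.sha256(pad(A) + pad(B) + K_s).digest())
    M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()              # server proof
    client_accepts = secrets.compare_digest(
        M2, hashlib.sha256(pad(A) + M1 + K_c).digest())
    return ident_wire, server_accepts, client_accepts


if __name__ == "__main__":
    token_secret = secrets.token_bytes(32)          # constructed: a token-held "password"
    salt1, v1 = enroll(b"alice", token_secret)      # enrollment with server 1
    salt2, v2 = enroll(b"alice", token_secret)      # same token, server 2
    print("distinct verifier per server:", v1 != v2)
    print("run:", run_srp({b"alice": (salt1, v1)}, b"alice", token_secret))
```

The wire view makes the first point plain: `client_hello` returns `(identity, A)` and the server indexes its verifier table by that cleartext identity, so the identity is visible to anyone observing the first flight. The second point is in `enroll`: the same token secret enrolled at two servers yields two different `v = g^x mod N` because `x` depends on each server's salt, which is exactly "a unique public key for each server".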


