[Cryptography] Dumb Question about Pair-Wise Authentication
kentborg at borg.org
Sat Apr 4 15:35:11 EDT 2020
So I am starting work on a personal little project that involves two
copies of a simple little server (written in Rust!). Each copy will be
e-mailing automated requests to its partner. It is nothing very critical
and I am not a juicy target, it will be obscure, so I don't need to
secure it...or maybe I secure it a little.
The "right" way to do this would be to sign each request, right? The
other side uses a public key to verify the request.
But I'm lazy, every infrequent time I look at the man pages for any of
the standard public key software my head hurts and I don't trust I am
doing it right.
Can't I do it much more simply? This is a pair-wise data syncing
problem, it can only ever be for a pair of machines, I don't have the
key distribution problems that public key signatures solve. So why can't
I just have a shared secret?
When I want to send a message I do a hash of the message plus the
secret, and append that hash. On receipt I strip the hash, do a new hash
of the message plus the secret and compare the result. So simple. What
is wrong with it? Seems radical.
There must even be a name for this.
-kb, the Kent who is sensibly afraid of inventing security protocols.
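The construction asked about is a message authentication code (MAC); HMAC is the standard way to build one from a hash and a shared secret. The following is an added illustration, not code from the post or its author's Rust server: it uses Python's standard library so it runs stand-alone, and the secret and request text are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder, not a real key. Both servers would hold a copy
# generated once with secrets.token_bytes(32).
SHARED_SECRET = b"constructed-example-secret-replace-me"

# Delimiter between the request body and its appended tag (hypothetical).
SEPARATOR = b"\n--hmac-sha256: "


def tag_message(secret: bytes, message: bytes) -> bytes:
    """Return message with an HMAC-SHA256 tag appended as hex.

    hmac.new is used instead of hashlib.sha256(message + secret): HMAC is
    the keyed-hash construction analysed for this purpose, while plain
    concatenation has known weaknesses depending on operand order.
    """
    tag = hmac.new(secret, message, hashlib.sha256).hexdigest().encode()
    return message + SEPARATOR + tag


def verify_message(secret: bytes, tagged: bytes):
    """Split off the tag, recompute it and compare in constant time.

    Returns the original message on success, None on any failure.
    """
    body, sep, tag = tagged.rpartition(SEPARATOR)
    if not sep:
        return None  # no tag present
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong secret or altered content
    return body


def demo() -> bool:
    """Round trip plus two failure cases: altered body, wrong secret."""
    request = b"sync-request: send changes since 2020-04-04T15:35:11Z"
    wire = tag_message(SHARED_SECRET, request)
    ok = verify_message(SHARED_SECRET, wire) == request
    tampered = wire.replace(b"2020", b"2019", 1)
    ok = ok and verify_message(SHARED_SECRET, tampered) is None
    ok = ok and verify_message(b"other-secret", wire) is None
    return ok


if __name__ == "__main__":
    print("demo passed" if demo() else "demo failed")
```

The tag shows the partner knew the secret and the text was not altered; it does not by itself stop a captured request from being re-sent, so a counter or timestamp inside the authenticated body is the usual addition.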