[Cryptography] Dumb Question about Pair-Wise Authentication

Kent Borg kentborg at borg.org
Sat Apr 4 15:35:11 EDT 2020


So I am starting work on a personal little project that involves two 
copies of a simple little server (written in Rust!). Each copy will be 
e-mailing automated requests to its partner. It is nothing very critical 
and I am not a juicy target, it will be obscure, so I don't need to 
secure it...or maybe I secure it a little.

The "right" way to do this would be to sign each request, right? The 
other side uses a public key to verify the request.

But I'm lazy, every infrequent time I look at the man pages for any of 
the standard public key software my head hurts and I don't trust I am 
doing it right.

Can't I do it much more simply? This is a pair-wise data syncing 
problem, it can only ever be for a pair of machines, I don't have the 
key distribution problems that public key signatures solve. So why can't 
I just have a shared secret?

When I want to send a message I do a hash of the message plus the 
secret, and append that hash. On receipt I strip the hash, do a new hash 
of the message plus the secret and compare the result. So simple. What 
is wrong with it? Seems radical.

There must even be a name for this.

Thanks,

-kb, the Kent who is sensibly afraid of inventing security protocols.
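The construction described above (a keyed hash appended to the message, recomputed and compared on receipt) is a message authentication code (MAC); the standardized keyed-hash form is HMAC (RFC 2104), which is what a practitioner would use instead of an ad hoc hash of message plus secret. The following is an added example, not code from the original post and not the poster's Rust project; it uses only the Python standard library (hmac, hashlib) to show both sides of the exchange. The wire format (a counter header, a separator line, a hex tag) and the per-pair counter for replay protection are assumptions made for this example, since the post says nothing about either.

```python
import hmac
import hashlib
import secrets

# Wire format (an assumption for this example): the authenticated text, then a
# separator, then the hex HMAC-SHA256 tag. Everything before the separator is
# covered by the tag.
SEPARATOR = b"\n-- mac: "


def seal(key: bytes, counter: int, body: bytes) -> bytes:
    """Build one request: a counter header plus the body, with an HMAC tag appended.

    The counter is inside the authenticated text, so a captured request cannot
    simply be re-sent later (replay), which a bare MAC does not prevent.
    """
    msg = b"counter=%d\n%s" % (counter, body)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode("ascii")
    return msg + SEPARATOR + tag


class Receiver:
    """Verifies requests from the single partner that shares `key`."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far (assumed monotonic)

    def open(self, wire: bytes) -> bytes:
        msg, sep, tag = wire.rpartition(SEPARATOR)
        if not sep:
            raise ValueError("missing tag")
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode("ascii")
        # Constant-time comparison: a plain == can leak where the first
        # mismatching byte is through timing.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag")
        # Only after the tag checks out do we trust the header and update state.
        header, _, body = msg.partition(b"\n")
        if not header.startswith(b"counter="):
            raise ValueError("malformed header")
        counter = int(header[len(b"counter="):])
        if counter <= self.last_counter:
            raise ValueError("replayed or stale request")
        self.last_counter = counter
        return body


def demo() -> dict:
    """Exercise the three cases a practitioner cares about: genuine, tampered, replayed."""
    key = secrets.token_bytes(32)  # shared once, out of band, by both copies of the server
    rx = Receiver(key)
    results = {}

    wire = seal(key, 1, b"sync: push records 100-120")  # constructed sample request
    results["genuine"] = rx.open(wire)

    tampered = wire.replace(b"100-120", b"100-999")  # body altered, tag left alone
    try:
        rx.open(tampered)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)

    try:
        rx.open(wire)  # the same genuine request delivered a second time
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)

    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

Two design points worth noting. First, HMAC rather than a bare hash of secret and message: HMAC is the construction that has actually been analyzed for this job, and it sidesteps the length-extension problems that a hash of key-then-message has with Merkle-Damgard hashes such as SHA-256. Second, the MAC only proves the message came from the key holder; it does not by itself stop an attacker from re-delivering an old message, which is why the counter is bound into the authenticated text and checked only after the tag verifies. With e-mail as the transport, messages can arrive out of order, so a strict counter may reject a delayed genuine request; a bounded set of seen counters is the alternative if that matters.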


