ietf-openpgp

Improving resistance against attacks

1997-12-17 00:32:39
-----BEGIN PGP SIGNED MESSAGE-----

Hi!

After the thread about weak RSA keys in sci.crypt, I thought about
improving the security against attacks on the public keys.

My proposal in short: Use multiple keys at the same time.


Why using multiple keys at the same time
========================================
If a key is generated, there is a probability p, that there is a 'fast'
algorithm to factorize this key. For two keys, the probability, that
both are 'easy' to break is p^2. And therefore much smaller.


How it works
============
To encrypt some data d with two keys K1 and K2:
  1. Create a one time pad o (random data) of the same length as d.
  2. Encrypt the data d with o: c1= E(d, o)
  3. Encrypt the result from step 2 with the key K1: c2= E(c1, K1)
  4. Encrypt the one time pad with key K2: c3= E(o, K2)
  5. The encrypted data is the concatenation of c2 and c3.

To decrypt:
  1. Decrypt c3 with K2: o= D(c3, K2)
  2. Decrypt c2 with K1: c1= D(c2, K1)
  3. Decrypt the data: d= D(c1, o)

If key K1 is broken, only c2 can be decrypted. Because without the one
time pad o, the knowledge about the data is still zero.
If key K2 is broken, the one time pad is known, but this also does not
give any information about the data d.

Some thoughts have to be done for multiple recipients, that two broken
keys of different recipients don't reveal the cleartext.


Communication with PGP 2.6.x and PGP 5.x
========================================
The usage of two keys can easily be added to today's version with
one key:
  - Add the information about the key id of the second key in the
    public key, as non critical information. 
  - pgp-2keys checks if the recipient has a one-key public key. If he
    has, the old encryption/signing is used. If not, the new system is
    used.
Users of pgp-1key will always encrypt/sign with only one key, which is the
today used scheme. pgp-2key users can communicate with the schema
proposed in this mail.
This way it is fully compatible with today's versions. (Or at least as
compatible as today's versions)


2 keys or m keys
================
Of course, this system can easily be extended to the more general case
of m keys. The keys could even be from other key algorithms.


What do you think? Would this be a suitable way to reduce the risk
given by the usage of one single key?
Could this be an idea for later versions of OpenPGP?


Cheers, Patrick





 
- --
 PGP-KeyID: DD934139 (pafei(_at_)rubin(_dot_)ch)    encrypt mail with PGP if possible
 more about PGP on http://www.rubin.ch/pgp/ (in german only at the moment)






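The pad-splitting step and the multi-recipient caveat from the message above, as an added example that is not part of the original post. Public-key encryption E(x, K) is only modelled as a packet tagged with a key id, whose body is readable by anyone holding (or having broken) that key; the key ids, function names and sample message are assumptions made for illustration.

```python
import os

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; this is E(d, o) and D(c1, o) for a one-time pad."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(d: bytes, recipients: dict, fresh_pad: bool) -> list:
    """Return packets (key_id, body). A packet stands for E(body, key): only
    the key's owner, or someone who broke that key, can read body."""
    packets, shared_o = [], os.urandom(len(d))
    for k1, k2 in recipients.values():
        o = os.urandom(len(d)) if fresh_pad else shared_o
        packets.append((k1, xor(d, o)))   # c2 = E(c1, K1), c1 = E(d, o)
        packets.append((k2, o))           # c3 = E(o, K2)
    return packets

def decrypt(packets: list, k1: str, k2: str) -> bytes:
    """Recipient side: open c2 with K1 and c3 with K2, then strip the pad."""
    body = dict(packets)
    return xor(body[k1], body[k2])

def attacker_recovers(packets: list, broken: set, d: bytes) -> bool:
    """True if some pair of packets readable with the broken keys XORs to d."""
    seen = [body for key_id, body in packets if key_id in broken]
    return any(xor(a, b) == d for a in seen for b in seen)

# Constructed sample input: two recipients with hypothetical key ids.
RECIPIENTS = {"alice": ("A1", "A2"), "bob": ("B1", "B2")}
MESSAGE = b"constructed sample message"

if __name__ == "__main__":
    for fresh in (False, True):
        pk = encrypt(MESSAGE, RECIPIENTS, fresh)
        print("fresh pad per recipient:", fresh)
        for broken in ({"A1"}, {"A2"}, {"A1", "B2"}, {"A1", "A2"}):
            print("  broken", sorted(broken), "->",
                  attacker_recovers(pk, broken, MESSAGE))
```

With one pad shared by all recipients, the first key of one recipient plus the second key of another is enough to recover the message; a fresh pad per recipient restores the property that both keys of the same recipient must be broken.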

