I've been thinking about how to integrate Ron Rivest's
Chaffing & Winnowing algorithms with PGP. It looks like
I won't have the time to make this precise for the next
few weeks due to travel, but I'd like to bring up the topic and
suggest some directions. The problem can be broken into two parts:
- developing a general framework for keyed authentication protocols in OP,
which can support C&W and other HMAC-like approaches
so future extensions can be compliant.
- specifically implementing one or more C&W versions,
such as the original inefficient bit-by-bit version
or the efficient all-or-nothing block version.
While actually implementing the protocol takes a good bit of work,
it looks like the framework is fairly simple, consisting of
a public- or conventionally-encrypted session key
followed by N {one-pass signature packet, literal data, signature}
for some versions, or possibly a new "authenticated data" packet type,
plus some words up front saying that it's ok and compliant to have
those combinations of pieces. It's a good opportunity for a section
saying "See, it's just purely authentication - these aren't
the encryption algorithms you're looking for - ".
Implementation at this stage probably should be using
user-defined algorithms rather than an official list.
The all-or-nothing version has several obvious ways to map
to PGP - either a bunch of messages, each signed,
with some of the signatures being bad,
or one message with N blocks of signed all-or-nothing'd data, some bad.
Thanks!
Bill
Bill Stewart, bill(_dot_)stewart(_at_)pobox(_dot_)com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639