ietf-openpgp
[Top] [All Lists]

new approach to MDCs: single shared private key

1999-04-21 06:14:59

Whilst looking at RFC2440 with a view to defining suitable algorithm
ids and minimal backwards compatible changes to try out the
verification packet approach, in response to Werner Koch's posts, an
insight struck me:

        all we have to do is publish and agree upon a minimal sized
        RSA public and private key and publish it.

This allows us to provide:

- the best backwards compatibility of all (allows even pgp23a to
*check* MDCs, which is even better than just "not choking" on them).

- the lowest implementation overhead of all (ie none!)

This approach:

- prevents Gary Howland's encrypted message modification attack
because the signature with known public and private key performs the
same function as a hash inside the encryption envelope.

- it doesn't provide non-repudiation because the private key is shared
(which is the whole point, we don't want non-repudiation in this
scenario, and some people have good reasons for not wanting it).

- any pgp2.3a and forward implementation can "implement" these MDCs
merely by adding this public and private key pair to their key ring.

- PRZ identified the problem that even with signed messages often the
public key is not present to verify them, so integrity is not assured.
With openPGP and pgp(5|6).x where multiple signatures can be applied,
the document could be signed by both the fixed published RSA key, and
the user's private RSA key.

- The same approach of a published public and private DSA key can be
used to do the same thing with DSA for implementations temporarily
avoiding RSA until the patent expires.

- The only extra overhead is the signature creation and verification.
The key size does not affect security, so using a small a key as
possible does not adversely affect security.  A 384 bit key, or
perhaps even 256 bit key would be perfectly adequate.  (The limit will
be imposed by the size of RSA block required to hold the minimum sized
padded document hash.)  The minimum key size that the already deployed
DSA and RSA signature verification code would consider a valid
signature

- The keyid on the keys can be set to the string "Integrity
Verification Key" to help ensure that implementations present
representative messages.

- These public and private keys can be distributed with new
implementations, and distrubted widely on the internet.


Comments?  I think it is a neat, and exciting trick which allows even
pgp2.3a to overcome the message modification problem with no
implementation work.

The only advantages of defining a different MDC packet (which is what
I was in the process of doing when this occured to me) is to avoid
this small computational and space overhead.

Defining an elegant, space and computationally efficiient
implementation at our leisure can be done once the standard RSA and
DSA private and public keys are agreed upon, as an optimally backwards
compatible approach can be used for old implementations.

Adam

<Prev in Thread] Current Thread [Next in Thread>