ietf-smime

RE: DH keypair generation (was RE: S/MIME V3 Msg Spec Comments)

1997-11-10 12:11:07
David,

The following is a brief example key exchange mechanism based on D-H that uses 
different key-pairs for sending and receiving.... It's based on a paper 
published by the Royal-Holloway college in the UK a couple of years ago, and 
is known quite widely as R-H.. There is a URL that refers, but I don't have it 
to hand....  Hope it helps...

Presume each user has two key pairs -
        one for sending (Sx and Sy) where Sy = g ^ Sx mod N 
and     one for receiving (Rx and Ry) where Ry = g ^ Rx mod N.

If A wishes to send to B, then A calculates the following KEY to encrypt the 
message key:

KEY(AtoB) = Ry(B) ^ Sx(A) mod N

A's certificate containing Sy(A) is then sent with the message to B.

On Receipt B calculates KEY(AtoB) = Sy(A) ^ Rx(B) mod N and decrypts the 
message key.

However, if B sends to A, the KEY becomes KEY(BtoA) = Ry(A) ^ Sx(B) mod N = 
Sy(B) ^ Rx(A) mod N which clearly has a different value.

Obviously, the KEYs produced in each case would be reduced to a sensible key 
size for the key encryption algorithm by using something like SHA-1, which 
would also ensure good entropy in the resultant key, and extracting n bits of 
key.

Hope this helps,

Darren Harter
dharter(_at_)msn(_dot_)com
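
The exchange described in the message above, as an added Python example that is not part of the original thread: both directions are computed from each side and the results are reduced with SHA-1. The toy group (N = 2**127 - 1, g = 3), the range check on received public values and all function and class names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group constructed for this example: 2**127 - 1 is prime but far too
# small for real use, where a vetted group of 2048 bits or more is needed.
N = 2**127 - 1
G = 3

def keypair(x=None):
    """Return (x, y) with y = g^x mod N; x is random unless supplied."""
    if x is None:
        x = 2 + secrets.randbelow(N - 3)
    return x, pow(G, x, N)

class User:
    """One entity holding a sending pair (Sx, Sy) and a receiving pair (Rx, Ry)."""
    def __init__(self, sx=None, rx=None):
        self.Sx, self.Sy = keypair(sx)
        self.Rx, self.Ry = keypair(rx)

def check_public(y):
    """Assumed hardening step: reject degenerate public values 0, 1 and N-1."""
    if not 1 < y < N - 1:
        raise ValueError("public value out of range")
    return y

def reduce_key(shared, nbits=128):
    """SHA-1 the shared value and keep the first nbits, as the message suggests."""
    if nbits % 8 or not 0 < nbits <= 160:
        raise ValueError("nbits must be a multiple of 8, at most 160")
    raw = shared.to_bytes((N.bit_length() + 7) // 8, "big")
    return hashlib.sha1(raw).digest()[: nbits // 8]

def sender_key(sender, recipient_Ry, nbits=128):
    """KEY = Ry(recipient) ^ Sx(sender) mod N, computed by the sender."""
    return reduce_key(pow(check_public(recipient_Ry), sender.Sx, N), nbits)

def recipient_key(recipient, sender_Sy, nbits=128):
    """KEY = Sy(sender) ^ Rx(recipient) mod N, computed on receipt."""
    return reduce_key(pow(check_public(sender_Sy), recipient.Rx, N), nbits)

if __name__ == "__main__":
    a, b = User(), User()
    a_to_b, b_to_a = sender_key(a, b.Ry), sender_key(b, a.Ry)
    print("A->B agrees:", a_to_b == recipient_key(b, a.Sy))
    print("B->A agrees:", b_to_a == recipient_key(a, b.Sy))
    print("directions differ:", a_to_b != b_to_a)
```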

-----Original Message-----
From:   owner-ietf-smime(_at_)imc(_dot_)org  On Behalf Of David P. Kemp
Sent:   Monday, November 10, 1997 02:49
To:     ietf-smime(_at_)imc(_dot_)org
Subject:        RE: DH keypair generation (was RE: S/MIME V3 Msg Spec Comments)

From: "Darren Harter" <dharter(_at_)classic(_dot_)msn(_dot_)com>

John,

We should also take care to ensure that DH derivatives that have
separate key-pairs (and thus certificates) for sending and receiving
are not ignored.

Darren Harter
dharter(_at_)msn(_dot_)com


Darren,
  I'm not clear on what scenario you have in mind.  DH long-term public
keys can be certified to allow the sender to authenticate the recipient,
but do not allow the recipient to authenticate the sender; for that a
certified signature key is required.

Can you describe the protocol/usage mode that requires two *certified*
DH public keys per entity, in addition to the certified signature key?