Russ Housley wrote:
Yes, but then you do not get any authentication. Using a static key in a
certificate provides authentication.
What I meant was that the sender uses the recipients static key and a
random key. Since the sender may also want to read the data later it
will also include its own static key and a random key.
This has the addional requirement that the public key of the random key
must be included in the RecipientInfo structure.
This method has several advantages.
1. Both sides do not have to share the same DH parameters in their
static keys.
2. The "key agreement key" is different each time (otherwise it would be
the same with the same pair of users).
3. The message generation does not require any private key material.
I consider (3) important because otherwise any DH encrypted data has an
"implied signature". This is not always desirable: you should be able to
send encrypted data without signing it (implied or otherwise) as you can
in the case with RSA key exchange.
Steve.
--
************************************************
* Dr Stephen N. Henson. *
* Freelance Cryptographic Consultant. *
* Email: shenson(_at_)bigfoot(_dot_)com *
************************************************