Tim Dierks wrote:
What are the differences?
- The only substantial difference is that in ElGamal, the sender uses
a
temporary key, while in my description of Diffie-Hellman,
that key
must be authenticated.
- In Diffie-Hellman, the sender and all recipients must have keys in
the
same group in order to communicate. In ElGamal, the keys can
be in
any group and the sender need not have a certificate.
- In Diffie-Hellman, the identity of the sender must be known and
correct
in order to correctly unwrap the key K. Let us assume that K
can be
validated as correct. However, this does not mean that the
message,
encrypted with K, is intact; it could be modified in any
number of
ways. Thus, this cannot serve in place of a signature.
Because the sending key is temporary in ElGamal, it neither gives
this
benefit nor suffers from this restriction.
I queried the DH mechanism before. The two keys need not belong to the
same group if a temporary DH key is generated in each recipients group
and the public key stored somewhere (in RecipientInfo presumably). The
recipients DH key would be authenticated (e.g. part of a certificate).
If the sending agent wanted to read the encrypted message the it would
also generate a temporary DH key in its own group and put the info into
another RecipientInfo structure.
I'm not sure if it has been decided to do this but IMHO the alternative
of forcing all parties to use static keys in the same group with static
wrapping keys and implied signatures is too restrictive. As you pointed
out.
Steve.
--
************************************************************
* Dr Stephen N. Henson. *
* Freelance Cryptographic Consultant. *
* Email: shenson(_at_)bigfoot(_dot_)com *
* PGP key: http://www.drh-consultancy.demon.co.uk/key.asc *
************************************************************