ietf-smime

Re: Usage of Diffie-Hellman keys

1998-05-07 04:33:28
Peter and Russ,

It seems that you both have the same opinion on ElGamal encryption with
Diffie-Hellman keys. What you are suggesting is to use separate usage and
object identifier for ElGamal keys.

To me it seems to be an overkill for users who would like to use ElGamal
for encryption. They would then need to have three different types of keys:

- a pair of DSA keys for signing (being mandatory in PKIX and S/MIME),
- a pair of DH keys for Diffie-Hellman key exchange (being mandatory in
PKIX and S/MIME),
- a pair of DH keys (or ElGamal keys, but essentially they are the same)
for ElGamal encryption,

in spite of the fact that the two latter keys are syntactically the same (I am
not suggesting the usage of ElGamal signature, so the strength of the
generators is not questionable).



Regards,
Nada


At 16:20 5/6/98, Peter Gutmann wrote:
Trying to put this into S/MIME context it seems that Diffie-Hellman keys may
only be used in the way suggested by Russ Housley, i.e. for each recipient to
take recipient's Diffie-Hellman certificate (key agreement certificate), get
the public key from there, generate a shared key (Russ suggested 3DES) and use
it to encrypt the content-encryption key.

However, another possibility is to use El-Gamal algorithm with Diffie-Hellman
keys and encrypt the content-encryption key directly with recipient's
Diffie-Hellman public key. This would be a very similar operation as if the
recipient had RSA keys and keyEncipherment certificate. This seems to be a
much better way of using Diffie-Hellman keys, similar to the way RSA keys are
used for keys encryption (unless I have missed some point here).

If you use the key this way then it's no longer DH but Elgamal, with its own
algorithm/object identifiers and usage requirements.  For example some
generators which are OK for Elgamal encryption aren't secure for Elgamal
signatures, so if you've got DH-pretending-to-be-Elgamal (which PGP does, for
example) you can't just use it as if it were Elgamal.  If you want to use a
key for Elgamal encryption/signatures, you should really call it Elgamal, and
not take a DH key and use it for something it was never designed for.

(If you want to get really nitpicky, there are actually three different
algorithms which use keys which look more or less the same: DH (key
exchange), Elgamal encryption == DH-Vernam encryption (encryption), and
Elgamal signatures (signature).  It'd be nicer to actually call it Elgamal
rather than overload DH further and further)

Peter.
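
An added example, not part of the original thread: the two options discussed above run against one and the same key pair, first DH key agreement that derives a key-encryption key to wrap the content-encryption key (CEK), then ElGamal encryption of the CEK directly. The toy group, the SHA-256 KDF and the XOR stand-in for the 3DES wrap are assumptions chosen for brevity and are not S/MIME-conformant.

```python
import hashlib
import secrets

# Constructed toy group: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keygen():
    """One key pair (x, y = G^x mod P); syntactically the same for DH and ElGamal."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def kdf(shared):
    # Assumed KDF for the demo: SHA-256 over the shared secret.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def dh_wrap(recipient_pub, cek):
    """Key agreement: ephemeral DH, derive a KEK, wrap the CEK with it."""
    e, eph_pub = keygen()
    kek = kdf(pow(recipient_pub, e, P))
    return eph_pub, xor(cek, kek)  # XOR stands in for the 3DES key wrap

def dh_unwrap(x, eph_pub, wrapped):
    return xor(wrapped, kdf(pow(eph_pub, x, P)))

def elgamal_encrypt(recipient_pub, cek):
    """ElGamal: the shared secret masks the CEK directly by multiplication."""
    m = int.from_bytes(cek, "big")
    if not 0 < m < P:
        raise ValueError("CEK must encode to an integer in (0, P)")
    k, c1 = keygen()
    return c1, (m * pow(recipient_pub, k, P)) % P

def elgamal_decrypt(x, c1, c2, length):
    # c1^(P-1-x) is the inverse of c1^x modulo the prime P (Fermat).
    return ((c2 * pow(c1, P - 1 - x, P)) % P).to_bytes(length, "big")

if __name__ == "__main__":
    x, y = keygen()
    cek = secrets.token_bytes(15)  # constructed CEK, short enough to fit below P
    assert dh_unwrap(x, *dh_wrap(y, cek)) == cek
    assert elgamal_decrypt(x, *elgamal_encrypt(y, cek), len(cek)) == cek
    print("same key pair, both constructions recover the CEK")
```

In both cases the sender publishes an ephemeral G^k and both sides compute the same shared value; the constructions differ only in whether that value is fed to a KDF or multiplied into the message.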



