Re: I-D ACTION:draft-schaad-dhsign-00.txt

EKR <ekr@rtfm.com> Sat, 14 November 1998 01:37 UTC

To: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com>
Cc: "IETF-PKIX (E-mail)" <ietf-pkix@imc.org>
Subject: Re: I-D ACTION:draft-schaad-dhsign-00.txt
References: <2FBF98FC7852CF11912A0000000000010ECB5A96@DINO>
From: EKR <ekr@rtfm.com>
Date: Fri, 13 Nov 1998 15:46:39 -0800
In-Reply-To: "Jim Schaad's message of "Fri, 13 Nov 1998 12:04:29 -0800"
Message-ID: <kjhfw3xijk.fsf@speedy.rtfm.com>
Lines: 29
Sender: owner-ietf-pkix@imc.org
Precedence: bulk

"Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> writes:
> This draft is referenced from the new CMC draft so it should be of interest
> to the readers of that draft.
Jim, 
First, a meta-comment:
Why do we need this at all? DH keys are suitable for computing
DSA signatures. Wouldn't it be simpler just to compute a DSA
signature over the data? This would eliminate the need for a common
group between the sender and recipient.

Secondly, I don't believe that the ephemeral scheme is strong.
Provided that the attacker has access to the triplet
g,p,Ys (sender's public key), it's trivial for him to compute
a private key Xe such that he knows:

Ye^Xe = g^(XsXe) 

This allows him to forge any number of signed messages
Remember, computing the DH shared secret requires access
to only one of the DH private keys.

I hesitate to bring this up because I'm sure I'm missing something
really obvious, but I sure can't see what it is.

Confused,
-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]

I-D ACTION:draft-schaad-dhsign-00.txt Jim Schaad (Exchange)
Re: I-D ACTION:draft-schaad-dhsign-00.txt EKR
Re: I-D ACTION:draft-schaad-dhsign-00.txt Tony Bartoletti
RE: I-D ACTION:draft-schaad-dhsign-00.txt Jim Schaad (Exchange)