[370] in cryptography@c2.net mail archive
Re: Digital Signatures without PKCS
daemon@ATHENA.MIT.EDU (Hal Finney)
Mon Mar 17 15:10:30 1997
Date: Mon, 17 Mar 1997 07:43:29 -0800
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net
From: Bill Stewart <stewarts@ix.netcom.com>
> At 11:43 PM 3/15/97 -0500, Adam Shostack wrote:
> >I agree with Perry on this one.  Any system that uses a keyed hash
> >fails to provide non-repudiation, unless you create a TTP to be the
> >verifier of all signatures.  That TTP would be a fat target for a
> >variety of attacks, technical and otherwise.
>
> So would the communications between any user and the TTP ...
> Keyed hashes are useful for session continuity, but don't really
> extend well outside that arena.
Of course, this can be a feature.  Sometimes you want to authenticate
yourself without being held to non-repudiation of everything you say.
A shared secret key can allow this.
There are also some public-key based authentication protocols which have
similar effects.  For example, one of the "group signature" schemes
(Chen and Pedersen, Eurocrypt 94(?)) allows you to prove knowledge of
one of two different discrete logs, without showing which, a variant
on the Schnorr identification protocol.  Following an idea by Chaum,
Alice authenticates herself to Bob by proving knowledge of either her own or
Bob's secret key.  Bob knows she doesn't know his secret, so it must be
Alice (similar to a keyed hash; he knows he didn't create it, so it must
be her).  But when he shows the transcript to a third party, he could
have forged it himself since he also knows one of the two secret keys.
So he can't prove that Alice was involved.
Hal
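The "either her key or Bob's key" proof that Hal sketches, as an added example (not code from the mailing list or from the Chen-Pedersen paper): a Schnorr-style OR-proof in a prime-order subgroup, made non-interactive with a Fiat-Shamir hash for illustration rather than run as the interactive identification protocol he describes. The group parameters, key names, message and the function names (`or_prove`, `or_verify`, `safe_prime_group`) are all assumptions of this example. The point it shows is the deniability argument: Alice's proof and Bob's own forgery are built by the same routine with the roles swapped, both verify, and nothing in the transcript says which secret was used, so Bob cannot show it to a third party as evidence.

```python
"""OR-proof: prove knowledge of x_A or x_B (Schnorr variant, Fiat-Shamir).

Added example. Toy safe-prime group generated at run time; a deployment would
use a standard 2048-bit+ group or an elliptic curve instead.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits):
    """Return (p, q, g) with p = 2q + 1 prime; g = 4 = 2^2 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def keygen(p, q, g):
    """Secret x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def challenge(q, *parts):
    """Fiat-Shamir challenge: SHA-256 over the transcript, reduced mod q."""
    h = hashlib.sha256()
    for v in parts:
        h.update(v if isinstance(v, bytes) else str(v).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big") % q


def or_prove(group, pks, known, x, msg):
    """Prove knowledge of the secret behind pks[known] OR the other key.

    The known branch is a real Schnorr proof; the other branch is simulated
    by picking its (challenge, response) first and solving for its commitment.
    The hash challenge is then split so c_0 + c_1 == H(...) mod q.
    """
    p, q, g = group
    u = 1 - known                                   # branch we simulate
    r = secrets.randbelow(q)                        # real nonce
    c_u, s_u = secrets.randbelow(q), secrets.randbelow(q)
    t = [None, None]
    t[known] = pow(g, r, p)
    t[u] = (pow(g, s_u, p) * pow(pks[u], (-c_u) % q, p)) % p
    c = challenge(q, g, pks[0], pks[1], t[0], t[1], msg)
    c_k = (c - c_u) % q
    s_k = (r + c_k * x) % q
    cs, ss = [None, None], [None, None]
    cs[known], ss[known], cs[u], ss[u] = c_k, s_k, c_u, s_u
    return (t[0], t[1], cs[0], cs[1], ss[0], ss[1])


def or_verify(group, pks, msg, proof):
    """Accept iff both branches check and the sub-challenges sum to the hash."""
    p, q, g = group
    t0, t1, c0, c1, s0, s1 = proof
    if (c0 + c1) % q != challenge(q, g, pks[0], pks[1], t0, t1, msg):
        return False
    if any(pow(t, q, p) != 1 for t in (t0, t1)):    # commitments in the subgroup
        return False
    return (pow(g, s0, p) == (t0 * pow(pks[0], c0, p)) % p and
            pow(g, s1, p) == (t1 * pow(pks[1], c1, p)) % p)


def demo(bits=128):
    """Alice proves; Bob checks; Bob forges an equally valid transcript."""
    group = safe_prime_group(bits)
    x_a, y_a = keygen(*group)
    x_b, y_b = keygen(*group)
    pks, msg = (y_a, y_b), b"constructed sample message"
    alice = or_prove(group, pks, 0, x_a, msg)       # Alice uses her own key
    bob = or_prove(group, pks, 1, x_b, msg)         # Bob uses his, same routine
    return {"alice_ok": or_verify(group, pks, msg, alice),
            "bob_forgery_ok": or_verify(group, pks, msg, bob),
            "tampered_rejected": not or_verify(group, pks, b"other", alice)}


if __name__ == "__main__":
    print(demo())
```

A verifier sees the same six-tuple whether Alice or Bob produced it, which is exactly why Bob is convinced (he knows he did not run `or_prove`) and why a third party is not. Check the sub-challenge sum and subgroup membership as shown; dropping either lets a forger satisfy one branch equation without knowing any secret.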