[608] in cryptography@c2.net mail archive
Re: 56 bit crypto exportable?
daemon@ATHENA.MIT.EDU (Greg Broiles)
Mon Apr 21 13:33:07 1997
Date: Sat, 19 Apr 1997 16:02:07 -0700
To: Adam Shostack <adam@homeport.org>
From: Greg Broiles <gbroiles@netbox.com>
Cc: cryptography@c2.net
In-Reply-To: <199704191551.KAA01879@homeport.org>
-----BEGIN PGP SIGNED MESSAGE-----
At 10:51 AM 4/19/97 -0500, Adam Shostack wrote:
>
>V-One uses a challenge response mechanism with previously exchanged
>long lived secret keys (done via RSA) to generate session keys. My
>suspicion is that they're logging those session keys into a database
>somewhere, and making it easy to get the key to a given session.
Seems like one way to achieve the results that V-One is describing would be
to modify the process for generating session keys - instead of generating
them randomly, they'd be a hash of a random cookie plus a local secret. The
cookie is sent/stored with the ciphertext. A random eavesdropper who knows
only the cookie isn't meaningfully closer to guessing the session key, but
the holder of the local secret can, given the cookie, recreate the session
key and provide it to an outsider without compromising the security of other
communications which used the same local secret.
-----BEGIN PGP SIGNATURE-----
Version: 4.5
iQEVAgUBM1lO0v37pMWUJFlhAQHXhAf/YG/5ENKhXTgF/A+UdbStUOivouzg2laQ
yyQOSXGEcnJ5P1lcWQu6uCX1Ma2WjzIKRKWKxPiUcVw31K04wD4dsOxQuObPrNZ6
S0SFuK/kNVq6ecc7WGQxeV6zB4vaSQSVIPjYrQ+v+FS/Y+0hWL0uDbVwNLa4hGa7
RKd4r9uZJLO/TZlnTltF2ldE1A0ITSwShemO/JKMkZ8y/JOOLLETqHYyAEwFwGC9
T7lBLCktveItSUukRkaVggsMIhWEsp+JbFZH3/FBhRB14g2dfyOMayALjNIBtfaU
AgTHM9/FpSVfZDC7osm3KCZN45X/1YtkZFk7v8fe7gKwTa+Wwqrp2A==
=uk5L
-----END PGP SIGNATURE-----
--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         |
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |
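The construction Greg sketches above (session key = hash of a random cookie plus a local secret, cookie stored alongside the ciphertext) is worked through below as an added example; it is not code from the message or from V-One. The choice of HMAC-SHA256 as the hash, the toy SHA-256 counter keystream used as a stand-in cipher, and all secrets and cookies are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def derive_session_key(local_secret: bytes, cookie: bytes) -> bytes:
    """Session key as a keyed hash of the per-session cookie under the local secret.

    HMAC-SHA256 is an assumption: the message only says "a hash of a random
    cookie plus a local secret". The cookie is public; without the local secret
    an eavesdropper gains nothing useful about the key from seeing it.
    """
    return hmac.new(local_secret, cookie, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter) XORed into the data.

    Illustrative only, so the recovery story can be shown end to end; it is
    not a cipher anyone should deploy.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_session(local_secret: bytes, plaintext: bytes,
                    cookie: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Start a session: pick a fresh random cookie, derive the key, encrypt.

    Returns (cookie, ciphertext); the cookie is what gets sent/stored with
    the ciphertext, exactly as the message describes.
    """
    cookie = cookie if cookie is not None else secrets.token_bytes(16)
    key = derive_session_key(local_secret, cookie)
    return cookie, keystream_xor(key, plaintext)


def recover_session_key(local_secret: bytes, cookie: bytes) -> bytes:
    """What the holder of the local secret hands to an outsider for ONE session.

    Only the session key is released, never the local secret, so other
    sessions under the same local secret stay protected.
    """
    return derive_session_key(local_secret, cookie)


def decrypt_with_key(session_key: bytes, ciphertext: bytes) -> bytes:
    """The outsider, holding a released session key, decrypts that session only."""
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    # Constructed local secret and two constructed sessions.
    local_secret = b"constructed-local-secret-for-illustration"
    cookie_a, ct_a = encrypt_session(local_secret, b"session A traffic")
    cookie_b, ct_b = encrypt_session(local_secret, b"session B traffic")

    # Recovery for session A alone.
    released = recover_session_key(local_secret, cookie_a)
    print("A recovered:", decrypt_with_key(released, ct_a))
    # The released key does not open session B.
    print("B with A's key:", decrypt_with_key(released, ct_b) == b"session B traffic")
```

The property worth noticing is where the risk concentrates: every session key under this scheme is a deterministic function of the local secret and a public cookie, so the local secret is a single point of compromise and its storage, access logging, and rotation are what actually determine the system's security. Releasing one session key, on the other hand, reveals nothing about the local secret or about any other session's key.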