[832] in cryptography@c2.net mail archive


Re: Tea Leaves: Ephemeral Shared Entropy

daemon@ATHENA.MIT.EDU (David P. Jablon)
Thu May 15 10:44:42 1997

Date: Thu, 15 May 1997 08:33:26 -0400
To: Nick Szabo <szabo@best.com>, cryptography@c2.net
From: "David P. Jablon" <dpj@world.std.com>
In-Reply-To: <199705150142.SAA21862@shell7.ba.best.com>

At 06:42 PM 5/14/97, Nick Szabo wrote:

> If Alice meets Bob at a party, how many bits of entropy can they
> privately generate to use for future remote communications between them?
> What I'm after is "shared entropy": unguessable numbers known only to
> Alice and Bob. With this we can construct an add-on to public key
> cryptosystems which provides forward secrecy and parallel fallback
> mechanisms for confidentiality and authentication.   [...snip snip...]
> So a general benefit, besides forward secrecy, we get is that we have
> independent parallel mechanisms for confidentiality and authentication
> between Alice and Bob if the public key system breaks down (key escrow,
> timing attacks, bad PRNG, ...).

In fact, they only need a small number of bits to get things started.
Forget about exotic tea-leaf preparations.  A small secret whispered
in the ear should be sufficient, since they can use a Bellovin & Merritt style
exchange to later "amplify" the initial secret.

Let's say the pre-shared secret is a one-in-a-million secret, with only 20 bits
of entropy.  Alice and Bob can only be spoofed with an active attack
involving at least one of them, and either party is presumed likely to
notice the hundreds of thousands of bad on-line guesses that are required
to successfully attack the exchange.  The result of the exchange is a new
shared key that can be arbitrarily large.

As an extra independent factor in authentication, shared keys can make a
lot of sense in some applications.  The simplest examples of these methods are the
password-authenticated Diffie-Hellman exchanges (SPEKE, DH-EKE).
These exchanges offer an improved level of forward secrecy which can at any
time be invoked to get as much fresh keying material as they want,
assuming of course that Alice and Bob can generate random numbers.

------------------------------------
David P. Jablon
dpj@world.std.com
http://world.std.com/~dpj/
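The amplification step Jablon describes above, as an added illustration that is not part of the original message and not Jablon's own SPEKE code: a toy SPEKE-style exchange in which a 20-bit whispered secret selects the Diffie-Hellman generator (g = H(secret)^2 mod p, the construction SPEKE uses), two fresh exponents turn it into a 256-bit session key, and a key-confirmation MAC makes each wrong guess visible as a failed exchange. The 1024-bit prime is the RFC 2409 group 2 MODP prime copied here and should be checked against the RFC before any reuse; the `Party`, `run_exchange` and `FailedAuthMonitor` names are this example's own, and the monitor is the defender-side bookkeeping that gives meaning to "noticing hundreds of thousands of bad on-line guesses".

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" 1024-bit MODP safe prime p = 2q + 1.
# Copied for this example; verify against the RFC before relying on it.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
Q = (P - 1) // 2  # order of the subgroup of quadratic residues


def speke_generator(secret: bytes) -> int:
    """SPEKE: the shared low-entropy secret picks the DH generator.

    Squaring puts g into the prime-order subgroup, so an attacker who
    captures the exchange cannot test guesses offline: every candidate
    secret yields a different g and an unrelated-looking transcript.
    """
    h = int.from_bytes(hashlib.sha256(secret).digest(), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1, P - 1):  # degenerate generators would leak the secret
        raise ValueError("degenerate generator")
    return g


class Party:
    """One side of the exchange (example helper, not a library API)."""

    def __init__(self, secret: bytes):
        self.g = speke_generator(secret)
        self.x = secrets.randbelow(Q - 1) + 1  # fresh exponent per exchange
        self.public = pow(self.g, self.x, P)
        self.key = None

    def derive_key(self, peer_public: int) -> bytes:
        # Reject values outside the group; they enable small-subgroup tricks.
        if not 1 < peer_public < P - 1:
            raise ValueError("bad public value")
        shared = pow(peer_public, self.x, P)
        self.key = hashlib.sha256(shared.to_bytes(128, "big")).digest()
        return self.key


def confirmation_tag(key: bytes, label: bytes) -> bytes:
    """Key confirmation: prove you hold the same key without revealing it."""
    return hmac.new(key, label, hashlib.sha256).digest()


def run_exchange(alice_secret: bytes, bob_secret: bytes):
    """Run one exchange; return (alice_key, bob_key, confirmed).

    With matching secrets both sides end up with the same 256-bit key,
    far more entropy than the 20-bit input. With mismatched secrets the
    keys differ and confirmation fails, which is all an on-line guesser
    learns from one attempt.
    """
    alice, bob = Party(alice_secret), Party(bob_secret)
    ka = alice.derive_key(bob.public)
    kb = bob.derive_key(alice.public)
    tag_from_alice = confirmation_tag(ka, b"alice->bob")
    confirmed = hmac.compare_digest(tag_from_alice,
                                    confirmation_tag(kb, b"alice->bob"))
    return ka, kb, confirmed


class FailedAuthMonitor:
    """Count failed confirmations per peer so on-line guessing is noticed."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = {}

    def record(self, peer: str, confirmed: bool) -> bool:
        """Return True when this peer should be alerted on / locked out."""
        if confirmed:
            self.failures[peer] = 0
            return False
        self.failures[peer] = self.failures.get(peer, 0) + 1
        return self.failures[peer] >= self.threshold


if __name__ == "__main__":
    whispered = (123456).to_bytes(3, "big")  # a 20-bit secret, constructed
    ka, kb, ok = run_exchange(whispered, whispered)
    print("agreed:", ok, "key bits:", len(ka) * 8)
    monitor = FailedAuthMonitor(threshold=3)
    for guess in range(3):  # three wrong on-line guesses from one peer
        _, _, ok = run_exchange(guess.to_bytes(3, "big"), whispered)
        print("guess", guess, "confirmed:", ok, "alert:",
              monitor.record("peer-1", ok))
```

Each guess costs the guesser a full on-line exchange with Alice or Bob, and the monitor makes that cost observable; the usual production refinements (rate limiting, a subgroup-membership check on the received value, binding the confirmation tags to both identities and both public values) are left out to keep the exchange readable.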
