On 10 October 2013 17:06, John Kelsey <crypto....@gmail.com> wrote:
> Just thinking out loud....
>
> The administrative complexity of a cryptosystem is overwhelmingly in key 
> management and identity management and all the rest of that stuff.  So 
> imagine that we have a widely-used inner-level protocol that can use strong 
> crypto, but also requires no external key management.  The purpose of the 
> inner protocol is to provide a fallback layer of security, so that even an 
> attack on the outer protocol (which is allowed to use more complicated key 
> management) is unlikely to be able to cause an actual security problem.  On 
> the other hand, in case of a problem with the inner protocol, the outer 
> protocol should also provide protection against everything.
>
> Without doing any key management or requiring some kind of reliable identity 
> or memory of previous sessions, the best we can do in the inner protocol is 
> an ephemeral Diffie-Hellman, so suppose we do this:
>
> a.  Generate random a and send aG on curve P256
>
> b.  Generate random b and send bG on curve P256
>
> c.  Both sides derive the shared key abG, and then use SHAKE512(abG) to 
> generate an AES key for messages in each direction.
>
> d.  Each side keeps a sequence number to use as a nonce.  Both sides use 
> AES-CCM with their sequence number and their sending key, and keep track of 
> the sequence number of the most recent message received from the other side.
>
> The point is, this is a protocol that happens *inside* the main security 
> protocol.  This happens inside TLS or whatever.  An attack on TLS then leads 
> to an attack on the whole application only if the TLS attack also lets you do 
> man-in-the-middle attacks on the inner protocol, or if it exploits something 
> about certificate/identity management done in the higher-level protocol.  
> (Ideally, within the inner protocol, you do some checking of the identity 
> using a password or shared secret or something, but that's application-level 
> stuff the inner and outer protocols don't know about.)
>
> Thoughts?

AIUI, you're trying to make it so that only active attacks work on the
combined protocol, whereas passive attacks might work on the outer
protocol. In order to achieve this, you assume that your proposed
inner protocol is not vulnerable to passive attacks (I assume the
outer protocol also thinks this is true). Why should we believe the
inner protocol is any better than the outer one in this respect?
Particularly since you're using tainted algorithms ;-).
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
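The inner protocol sketched in the quoted message, as an added example that is not code from either poster: ephemeral P-256 ECDH, a SHAKE XOF over the shared point deriving one AES-256 key per direction, and AES-CCM with the sender's sequence number as the nonce. It uses Python's `cryptography` package (assumed to be installed). SHAKE256 stands in for the post's "SHAKE512", which is not a FIPS 202 function name; the record framing, the 12-byte nonce layout, the derivation label, the replay rule and the `mitm_session` helper are this example's choices, not the post's. The helper is there to make the reply's point concrete: because nothing in the exchange authenticates the peer, an active attacker can run one handshake with each side and relay records without either side being able to tell.

```python
"""Constructed example of the quoted "inner protocol": ephemeral P-256 ECDH,
SHAKE-derived per-direction AES-256 keys, AES-CCM with sequence-number nonces.
Not code from the mailing-list thread. Requires the `cryptography` package."""
import struct

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

CURVE = ec.SECP256R1()          # "curve P256" in the post
HDR = struct.Struct(">Q")       # 8-byte big-endian sequence number on the wire
MAX_SEQ = 2**64 - 1


class Endpoint:
    """One side of the inner channel. The role only decides which derived key
    is the sending key; nothing here authenticates the peer (assumption: that
    is left to the application, as the post says)."""

    def __init__(self, role: str):
        if role not in ("initiator", "responder"):
            raise ValueError("role must be 'initiator' or 'responder'")
        self.role = role
        self._priv = ec.generate_private_key(CURVE)   # random a (or b)
        self.send_seq = 0        # next sequence number we will send
        self.last_recv = -1      # highest sequence number accepted so far
        self.send_key = None
        self.recv_key = None

    def public_bytes(self) -> bytes:
        """Steps a/b: the point aG (or bG) as an uncompressed SEC1 encoding."""
        return self._priv.public_key().public_bytes(
            serialization.Encoding.X962,
            serialization.PublicFormat.UncompressedPoint)

    def derive(self, peer_pub: bytes) -> None:
        """Step c: abG -> SHAKE -> two AES-256 keys, one per direction."""
        peer = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, peer_pub)
        shared = self._priv.exchange(ec.ECDH(), peer)  # x-coordinate of abG
        xof = hashes.Hash(hashes.SHAKE256(64))  # SHAKE256 stands in for "SHAKE512"
        xof.update(b"inner-protocol-v0" + shared)  # label is this example's choice
        ks = xof.finalize()
        k_init, k_resp = ks[:32], ks[32:]
        if self.role == "initiator":
            self.send_key, self.recv_key = AESCCM(k_init), AESCCM(k_resp)
        else:
            self.send_key, self.recv_key = AESCCM(k_resp), AESCCM(k_init)
        del self._priv  # ephemeral: the scalar is not needed once abG is derived

    @staticmethod
    def _nonce(seq: int) -> bytes:
        # 12-byte CCM nonce (L = 3, so records up to 2^24 bytes). The sequence
        # number makes it unique under one key; the two directions use
        # different keys, so both sides may start at 0.
        return struct.pack(">IQ", 0, seq)

    def seal(self, plaintext: bytes) -> bytes:
        """Step d, sender side: header || AES-CCM(seq nonce, plaintext, aad=header)."""
        if self.send_seq > MAX_SEQ:
            raise RuntimeError("sequence space exhausted; rekey required")
        hdr = HDR.pack(self.send_seq)
        ct = self.send_key.encrypt(self._nonce(self.send_seq), plaintext, hdr)
        self.send_seq += 1
        return hdr + ct

    def open(self, record: bytes) -> bytes:
        """Step d, receiver side: reject anything not newer than the last
        accepted record, then authenticate-and-decrypt. A bad tag raises
        cryptography.exceptions.InvalidTag before last_recv moves."""
        seq = HDR.unpack_from(record)[0]
        if seq <= self.last_recv:
            raise ValueError(f"replayed or reordered record (seq {seq})")
        hdr, ct = record[:HDR.size], record[HDR.size:]
        pt = self.recv_key.decrypt(self._nonce(seq), ct, hdr)
        self.last_recv = seq
        return pt


def handshake(a: Endpoint, b: Endpoint) -> None:
    """Steps a-c over an unauthenticated channel: both points cross in the
    clear and each side derives the same abG."""
    a_pub, b_pub = a.public_bytes(), b.public_bytes()
    a.derive(b_pub)
    b.derive(a_pub)


def mitm_session(alice: Endpoint, bob: Endpoint):
    """Active attacker (this example's addition): she answers Alice's aG with
    her own point and opens Bob with another, ending up with one channel to
    each victim. Returns (toward_alice, toward_bob); relaying records through
    open()/seal() lets her read and rewrite everything, which is the active
    attack the reply says the inner layer cannot stop on its own."""
    toward_alice = Endpoint("responder")
    toward_bob = Endpoint("initiator")
    handshake(alice, toward_alice)
    handshake(toward_bob, bob)
    return toward_alice, toward_bob
```

Run it by creating an `Endpoint("initiator")` and an `Endpoint("responder")`, calling `handshake` on the pair, then `seal` on one side and `open` on the other; feeding the same record to `open` twice raises `ValueError`, and flipping a ciphertext byte raises `InvalidTag`. A passive observer of the handshake learns only aG and bG, which is the property the post is after; `mitm_session` shows what that property does not cover.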