From: skillzero on
Are there security holes with using RSA signing to establish an
authenticated and secure communication channel?

I want computer A to send secrets to computer B, but I want to make
sure only computer B can read it. Computer B has a hardware IC that
can only do RSA signing (I have its public key to verify signatures).
I can't change the hardware IC nor can I exchange any other public
keys ahead of time. Basically, the hardware IC is my only means of
authenticating computer B.

Are there holes in the following process?

1. Computer A generates a random, Diffie-Hellman (DH) public/private
key pair.
2. Computer A sends <random data and computer A's DH public key> to
computer B.
3. Computer B signs a hash of <random data and computer A's DH public
key> with RSA (via the hardware IC).
4. Computer B generates a random DH public/private key pair.
5. Computer B generates a DH shared secret using computer B's DH
private key and computer A's DH public key.
6. Computer B hashes the DH shared secret to form an AES key.
7. Computer B encrypts the signature (from step 3) with the AES key.
8. Computer B sends the AES-encrypted signature (from step 7) and
computer B's DH public key to computer A.
9. Computer A generates the DH shared secret using its own DH private
key and computer B's DH public key.
10. Computer A hashes the DH shared secret to form an AES key (should
match key from step 6).
11. Computer A decrypts the AES-encrypted signature (from step 7) with
the AES key.
12. Computer A verifies the RSA signature with computer B's RSA public
key. If this fails, stop.
13. Computer A generates an AES session key from random data.
14. Computer A encrypts AES session key with AES key (from step 10).
15. Computer B decrypts AES session key with AES key (from step 6).
Computer B can use this to decrypt data from computer A.

Is that a valid way to use an RSA signing function to generate an
authenticated and secure channel? If not, is there a secure way to do
this given my constraints?
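The fifteen steps above, run end to end as an added example (Python written for this page, not code from the poster or from anyone in the thread). The standard library lacks the pieces the post takes for granted, so the example substitutes for them, and those substitutions are assumptions of the example rather than of the post: the "hardware IC" is a textbook RSA signer over a SHA-256 digest with no PKCS#1 padding, the AES steps are an HMAC-SHA256 counter-mode keystream with an HMAC tag, and DH runs in the RFC 3526 2048-bit MODP group 14 with generator 2. All function names (rsa_keygen, ic_sign, b_respond, a_finish, run) are the example's own. The mitm flag exercises the check that carries the security argument: an attacker who swaps in its own DH value in both directions can recover B's signature and re-encrypt it for A, and A rejects it at step 12 only because the IC signed A's own nonce and DH public value.

```python
# Added example: skillzero's 15-step exchange in pure Python.  Stand-ins assumed
# here: textbook RSA for the "hardware IC", an HMAC keystream for AES, group 14 DH.
import hashlib, hmac, secrets
G, P = 2, int(  # RFC 3526 2048-bit MODP group 14: generator 2 and its prime
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for n >= 4; used for the toy RSA key and to check the DH group."""
    r = ((n - 1) & (1 - n)).bit_length() - 1        # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):
    """Stand-in for the IC's key pair: textbook RSA with e = 65537 and no padding."""
    e, half, primes = 65537, bits // 2, []
    while len(primes) < 2:
        c = secrets.randbits(half) | 1 << (half - 1) | 1   # odd and full length
        if (c - 1) % e and is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def ic_sign(priv, msg):  # step 3's IC: sign a hash with RSA, textbook s = H(m)^d mod n
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), *priv)
def rsa_verify(pub, msg, sig):
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def xor_stream(key, nonce, data):  # AES stand-in: HMAC-SHA256 counter-mode keystream
    ks = b"".join(hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, data):  # encrypt-then-MAC; the tag covers nonce and ciphertext
    nonce = secrets.token_bytes(16)
    ct = xor_stream(key, nonce, data)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: the peer derived a different handshake key")
    return xor_stream(key, nonce, ct)

def dh_keypair():  # a 256-bit exponent is ample in a 2048-bit safe-prime group
    x = secrets.randbits(256)
    return x, pow(G, x, P)

def dh_handshake_key(priv, peer_pub):
    """Steps 5-6 and 9-10: range-check the peer value, then hash the DH secret."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("DH public value out of range")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()

def b_respond(ic_priv, msg1):
    """Steps 3-8.  msg1 = (A's nonce, A_pub); returns B's handshake key and msg2."""
    sig = ic_sign(ic_priv, msg1[0] + msg1[1].to_bytes(256, "big"))   # step 3
    b_priv, b_pub = dh_keypair()                                      # step 4
    k_hs = dh_handshake_key(b_priv, msg1[1])                          # steps 5-6
    return k_hs, (encrypt(k_hs, sig.to_bytes(128, "big")), b_pub)     # steps 7-8

def a_finish(ic_pub, a_priv, msg1, msg2):
    """Steps 9-14: A checks the IC signature over its own msg1, then sends msg3."""
    k_hs = dh_handshake_key(a_priv, msg2[1])                          # steps 9-10
    sig = int.from_bytes(decrypt(k_hs, msg2[0]), "big")               # step 11
    if not rsa_verify(ic_pub, msg1[0] + msg1[1].to_bytes(256, "big"), sig):
        raise ValueError("IC signature invalid: A is not talking to B")  # step 12
    session = secrets.token_bytes(32)                                 # step 13
    return session, encrypt(k_hs, session)                            # step 14

def run(ic_pub, ic_priv, mitm=False):
    """Steps 1-15 end to end.  With mitm=True an attacker M swaps its DH value into
    both directions and relays B's signature; A rejects it at step 12 (wrong A_pub)."""
    a_priv, a_pub = dh_keypair()                                      # step 1
    msg1 = (secrets.token_bytes(32), a_pub)                           # step 2
    if mitm:
        m_priv, m_pub = dh_keypair()
        k_hs_b, (enc_sig, b_pub) = b_respond(ic_priv, (msg1[0], m_pub))
        sig = decrypt(dh_handshake_key(m_priv, b_pub), enc_sig)       # M shares a key with B
        msg2 = (encrypt(dh_handshake_key(m_priv, a_pub), sig), m_pub)  # and one with A
    else:
        k_hs_b, msg2 = b_respond(ic_priv, msg1)
    session_a, msg3 = a_finish(ic_pub, a_priv, msg1, msg2)
    return session_a == decrypt(k_hs_b, msg3)                         # step 15
```

run(pub, priv) returns True for an honest exchange and raises ValueError with mitm=True; is_probable_prime(P) together with is_probable_prime((P - 1) // 2) confirms the group constant was transcribed correctly and really is a safe prime, which is worth running once whenever a DH group is pasted in by hand. Two things the example deliberately does not paper over: B learns nothing about who A is, and the textbook signature and HMAC stream cipher are demonstration stand-ins that a real deployment would replace with a padded RSA signature and an AEAD.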
From: Kristian Gjøsteen on
skillzero(a)gmail.com <skillzero(a)gmail.com> wrote:
>I want computer A to send secrets to computer B, but I want to make
>sure only computer B can read it. Computer B has a hardware IC that
>can only do RSA signing (I have its public key to verify signatures).
>I can't change the hardware IC nor can I exchange any other public
>keys ahead of time. Basically, the hardware IC is my only means of
>authenticating computer B.

I didn't read your overlong protocol, but you should know that RSA
signing and the ability to do DH should be enough to do TLS key agreement.

Unless you can give A's public key to B, you can only get one-sided key
agreement, of course. (A knows he's talking to B, but B does not know
who he is talking to.)

--
Kristian Gjøsteen