From: skillzero on 29 Jan 2010 00:10

Are there security holes with using RSA signing to establish an authenticated and secure communication channel?

I want computer A to send secrets to computer B, but I want to make sure only computer B can read it. Computer B has a hardware IC that can only do RSA signing (I have its public key to verify signatures). I can't change the hardware IC nor can I exchange any other public keys ahead of time. Basically, the hardware IC is my only means of authenticating computer B.

Are there holes in the following process?

1. Computer A generates a random Diffie-Hellman (DH) public/private key pair.
2. Computer A sends <random data and computer A's DH public key> to computer B.
3. Computer B signs a hash of <random data and computer A's DH public key> with RSA (via the hardware IC).
4. Computer B generates a random DH public/private key pair.
5. Computer B generates a DH shared secret using computer B's DH private key and computer A's DH public key.
6. Computer B hashes the DH shared secret to form an AES key.
7. Computer B encrypts the signature (from step 3) with the AES key.
8. Computer B sends the AES-encrypted signature (from step 7) and computer B's DH public key to computer A.
9. Computer A generates the DH shared secret using its own DH private key and computer B's DH public key.
10. Computer A hashes the DH shared secret to form an AES key (should match the key from step 6).
11. Computer A decrypts the AES-encrypted signature (from step 7) with the AES key.
12. Computer A verifies the RSA signature with computer B's RSA public key. If this fails, stop.
13. Computer A generates an AES session key from random data.
14. Computer A encrypts the AES session key with the AES key (from step 10).
15. Computer B decrypts the AES session key with the AES key (from step 6). Computer B can use this to decrypt data from computer A.

Is that a valid way to use an RSA signing function to generate an authenticated and secure channel?
If not, is there a secure way to do this given my constraints?
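The 15-step exchange above, as an added example that is not part of the thread: a standard-library-only Python simulation of both sides. It assumes toy parameters (a 127-bit Mersenne prime as the DH modulus, textbook RSA over a SHA-256 hash with two Mersenne primes as the IC's key) and stands in an HMAC-SHA256 keystream XOR for AES, since the standard library has neither AES nor an RSA signer; the substitute_b_pub flag shows step 12 stopping when B's DH public key is replaced in transit.

```python
# Added example, not code from the thread: a stdlib-only simulation of the
# poster's 15-step exchange with toy parameters (see lead-in for stand-ins).
import hashlib
import hmac
import secrets

# Constructed toy parameters, far below real-world sizes.
DH_P, DH_G = 2**127 - 1, 3                           # Mersenne prime as toy DH modulus
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537    # toy RSA primes for B's IC
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))    # lives only inside B's IC

def rsa_sign(data: bytes) -> int:            # step 3: what the signing-only IC does
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N, RSA_D, RSA_N)

def rsa_verify(data: bytes, sig: int) -> bool:   # step 12: A checks with B's public key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h

def derive_key(shared: int) -> bytes:        # steps 6 and 10: hash the DH secret
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in for AES: HMAC-SHA256 keystream XOR, one distinct label per message.
    ks = b"".join(hmac.new(key, label + bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def run_protocol(substitute_b_pub: bool = False):
    a_priv = secrets.randbelow(DH_P - 2) + 1                   # step 1
    a_pub = pow(DH_G, a_priv, DH_P)
    msg1 = secrets.token_bytes(16) + a_pub.to_bytes(16, "big")  # step 2
    sig = rsa_sign(msg1)                                        # step 3 (on B)
    b_priv = secrets.randbelow(DH_P - 2) + 1                    # step 4
    b_pub = pow(DH_G, b_priv, DH_P)
    k_b = derive_key(pow(a_pub, b_priv, DH_P))                  # steps 5-6
    enc_sig = xor_stream(k_b, b"sig", sig.to_bytes(19, "big"))  # step 7
    if substitute_b_pub:
        # An in-path party swaps in its own DH share before A sees it; it cannot
        # re-encrypt the signature because it never learns k_b.
        b_pub = pow(DH_G, secrets.randbelow(DH_P - 2) + 1, DH_P)
    k_a = derive_key(pow(b_pub, a_priv, DH_P))                  # steps 9-10
    sig_recv = int.from_bytes(xor_stream(k_a, b"sig", enc_sig), "big")  # step 11
    if not rsa_verify(msg1, sig_recv):                          # step 12: stop
        return None
    session = secrets.token_bytes(32)                           # step 13
    enc_session = xor_stream(k_a, b"session", session)          # step 14
    b_copy = xor_stream(k_b, b"session", enc_session)           # step 15
    return session if b_copy == session else None
```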
From: Kristian Gjøsteen on 29 Jan 2010 05:42

skillzero(a)gmail.com <skillzero(a)gmail.com> wrote:
>I want computer A to send secrets to computer B, but I want to make
>sure only computer B can read it. Computer B has a hardware IC that
>can only do RSA signing (I have its public key to verify signatures).
>I can't change the hardware IC nor can I exchange any other public
>keys ahead of time. Basically, the hardware IC is my only means of
>authenticating computer B.

I didn't read your overlong protocol, but you should know that RSA signing and the ability to do DH should be enough to do TLS key agreement.

Unless you can give A's public key to B, you can only get one-sided key agreement, of course. (A knows he's talking to B, but B does not know who he is talking to.)

--
Kristian Gjøsteen