Re: Rivest's Chaffing and Winnowing


Matt Blaze (mab@crypto.com)
Sun, 22 Mar 1998 16:15:18 -0500


It's a cute idea. While it's not clear that it's especially
practical as described, it does provide a nice proof-of-concept
that traditional encryption isn't the only way to achieve message
secrecy. It also illustrates a basic internal conflict in government
encryption policy: the government says it wants to promote
high-integrity authenticated computing because that is essential
for electronic commerce, but discourages the deployment of encryption
for confidentiality. Unfortunately for the government's policy, they
can't have it both ways - if people have the ability to tell where messages
come from, it turns out to be easy for them to use that ability to
communicate secretly with each other.

The notion that authenticity can be used to bootstrap confidentiality is not
especially new in cryptographic protocols. For example, if we know the
public keys for each other's signatures, we can get a secret channel by doing
a signed Diffie-Hellman key exchange. A passive attacker, even one who knows
our secret signing keys, still wouldn't be able to read our traffic.
We've also seen examples of ways to turn signature schemes designed only
to be useful for signature (like DSA) into encryption schemes.

Rivest's approach is novel in that it doesn't actually require the use of an
encryption function; the "noise" can even be added by a third party who
doesn't know the secret MAC key.

The policy implication of these observations is that key escrow systems,
especially those that attempt to enforce access to encryption keys but
not authentication/signature keys, are as nonsensical from a technical point
of view as they are from a policy point of view.

-matt
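
The scheme discussed in this message, as an added example that is not part of the original post: a sender authenticates each plaintext bit with a MAC, a third party without the key adds "chaff" packets, and the receiver winnows by checking MACs. HMAC-SHA256, the one-bit-per-packet layout and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size (assumed MAC for this sketch)

def tag(key, serial, bit):
    """MAC over (serial number, bit); the bit itself is sent in the clear."""
    return hmac.new(key, serial.to_bytes(4, "big") + bytes([bit]),
                    hashlib.sha256).digest()

def authenticate(key, message):
    """Sender: one authenticated packet per bit. No encryption function is used."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    return [(s, b, tag(key, s, b)) for s, b in enumerate(bits)]

def add_chaff(packets):
    """Third party WITHOUT the key: add the complementary bit with a random tag."""
    stream = []
    for s, b, t in packets:
        pair = [(s, b, t), (s, 1 - b, secrets.token_bytes(TAG_LEN))]
        if secrets.randbits(1):      # shuffle so position does not mark the wheat
            pair.reverse()
        stream.extend(pair)
    return stream

def winnow(key, stream):
    """Receiver: keep only packets whose MAC verifies, then reassemble bytes."""
    wheat = {}
    for s, b, t in stream:
        if hmac.compare_digest(t, tag(key, s, b)):
            wheat[s] = b
    bits = [wheat[s] for s in sorted(wheat)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample key
    stream = add_chaff(authenticate(key, b"hi"))
    print(len(stream), "packets on the wire ->", winnow(key, stream))
```

An observer without the MAC key sees both a 0 and a 1 for every serial number and cannot tell which one is authentic.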



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:10 ADT