Subject: Re: Weak user keys, strong servers.
From: hal at finney.org
Date: Sat Jul 22 2000 - 14:15:35 CDT
- Next message: Bodo Moeller: "Re: Y2K is over"
- Previous message: David Jablon: "Re: Weak user keys, strong servers."
- Maybe in reply to: James A. Donald: "Weak user keys, strong servers."
- Next in thread: James A. Donald: "Re: Weak user keys, strong servers."
- Maybe reply: hal at finney.org: "Re: Weak user keys, strong servers."
- Reply: James A. Donald: "Re: Weak user keys, strong servers."
You didn't specify whether q was the same or different for everyone.
q must be different for every person, because if it were the same,
each user could deduce G^q by knowing p and G^(p+q), and from that
they can find other people's p values.
You could have a slightly simpler system by just letting G^q be the user's
public key, and also retain a password for each user that authenticates
him. You don't need a numerical p value, just a password (and use a
secure authentication system like SPEKE). This is essentially what DPJ
suggested, except that instead of downloading q to the user, your system
has the server exponentiate by q upon request, which doesn't reveal q to
a possibly insecure client.
However if you are worried about this, you still have a problem, as it
reveals the password (or the p value in your original system). If stolen,
this would still allow thieves to decrypt future data, by connecting to the
server with the stolen password (p) and requesting decryption services.
This is a slightly riskier attack as the connection request might be
traced if the true owner becomes suspicious.
It's a little unclear what your security model is, whether the client
is trusted or not.
Hal
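The first point in Hal's message, that q must differ per user, can be checked concretely. The following is an added example and not code from the thread: it models the scheme as the thread describes it (user holds a weak exponent p, the server holds q, the published key is G^(p+q) mod P), lets one user strip the shared q from another user's key and brute-force the weak p', and then repeats the attempt with per-user q values to show it fails. The group parameters P and G, the weak-exponent bound, and all function names are assumptions made for this example.

```python
"""Added example (not from the original post): a user who knows their own
weak exponent p and their published key G^(p+q) recovers G^q. If the
server's q is shared by everyone, G^q strips q from every other published
key, leaving G^p', and a weak p' is then found by exhaustive search.
"""
import secrets
from typing import Optional, Tuple

# Toy group parameters, constructed for this example and not from the thread.
# P is the Mersenne prime 2^127 - 1; G is an arbitrary fixed base. This is
# large enough that G^p is distinct for the small p values searched below.
P = (1 << 127) - 1
G = 5

# "Weak" user exponent: assumed here to be drawn from about 2^18 values,
# i.e. something a brute-force search covers in well under a second.
WEAK_BOUND = 1 << 18


def public_key(p: int, q: int) -> int:
    """Published key G^(p+q) mod P: user supplies weak p, server supplies q."""
    return pow(G, p + q, P)


def recover_g_to_q(my_p: int, my_pub: int) -> int:
    """Knowing own p and own key G^(p+q), compute G^q = G^(p+q) * (G^p)^-1."""
    return my_pub * pow(pow(G, my_p, P), -1, P) % P


def strip_server_exponent(victim_pub: int, g_to_q: int) -> int:
    """Divide G^q out of another user's key. Yields G^p' only if q is shared."""
    return victim_pub * pow(g_to_q, -1, P) % P


def brute_force_weak_exponent(target: int, bound: int) -> Optional[int]:
    """Return p' in [1, bound) with G^p' == target, stepping G, G^2, G^3, ...
    incrementally (one multiplication per candidate). None if not found."""
    acc = 1
    for cand in range(1, bound):
        acc = acc * G % P
        if acc == target:
            return cand
    return None


def attack(shared_q: bool) -> Tuple[Optional[int], int]:
    """Alice (attacker, knows only her own p and the public keys) tries to
    recover Bob's weak p'. Returns (recovered_p, bob_true_p)."""
    alice_p = secrets.randbelow(WEAK_BOUND - 1) + 1
    bob_p = secrets.randbelow(WEAK_BOUND - 1) + 1
    q_alice = secrets.randbelow(P - 2) + 1
    # Shared q (the flawed variant) versus an independent q per user.
    q_bob = q_alice if shared_q else secrets.randbelow(P - 2) + 1

    alice_pub = public_key(alice_p, q_alice)
    bob_pub = public_key(bob_p, q_bob)

    g_to_q = recover_g_to_q(alice_p, alice_pub)
    candidate = strip_server_exponent(bob_pub, g_to_q)
    # With shared q, candidate == G^bob_p and the search succeeds.
    # With per-user q, candidate == G^(bob_p + q_bob - q_alice), an exponent
    # of full size, so the bounded search finds nothing.
    return brute_force_weak_exponent(candidate, WEAK_BOUND), bob_p


if __name__ == "__main__":
    found, truth = attack(shared_q=True)
    print("shared q:   recovered", found, "actual", truth)
    found, truth = attack(shared_q=False)
    print("per-user q: recovered", found, "actual", truth)
```

The search only ever touches public keys and Alice's own secret, which is exactly the position any enrolled user is in; nothing here requires compromising the server. Per-user q closes this particular route, but, as the rest of the message notes, it does nothing against a stolen password that is simply replayed to the server.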