
HP e-commerce protocol



Ref:  Your note of Mon, 15 May 1995 09:06:53 -0700 (attached)


 > Wenbo,
 >
 > This is yet another use of a Diffie-Hellman key exchange. All such systems
 > are known to suffer from a man-in-the-middle attack. For example, someone
 > can be in the middle of the traffic between a user and a bank, claiming to be
 > a bank to the user and a user to the bank. They can then send bogus x and y
 > values without being detected. You still need someone to bind the h(x) value
 > to the user's name. This is basically a DH certificate.
 >
 > Taher Elgamal
 > Chief Scientist
 > Netscape Communications Corp.

I completely agree with Taher. The HP protocol "avoids" DH certificates by
having the financial institution (F) work as a CA for its customers.
Instead of signing certificates with expiration times, it on-line signs
the public keys of the customers (called "one-way hashed passwords" in the
paper), e.g., when sending these public keys to another financial institution
(step 3 of the protocol). This "on-line CA"
avoids expiration times and revocation lists but pays with more signature
computation in F. It is also not clear how acceptable it is, from a legal point
of view, to have so many CAs (will these locally maintained PK databases be
acceptable in case of dispute?).
If one goes to a centralized/hierarchical management of these databases,
one gets exactly a CA.

If desired, the model of local on-line CA can be supported by much simpler
protocols like iKP. In particular, this model does not depend on the form of the
signatures. For example, it can support traditional RSA signatures,
thus avoiding the significant added complexity of the exponentiation-based
undeniable signatures in the HP protocol.

Hugo
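
The two points above, Taher's (unauthenticated DH has no way to notice a
man in the middle) and Hugo's (F can act as an on-line CA by signing the
binding between a customer's name and public value instead of issuing
certificates), as an added example that is not part of this thread, the HP
paper or iKP. It generates its own toy group at import time (a 128-bit safe
prime, far too small for real use), uses a Schnorr signature as a stand-in
for F's on-line signature (an assumption; the HP protocol uses undeniable
signatures and Hugo notes RSA would also do), and the customer name "alice"
and the function names are invented for illustration.

```python
"""Added example: MITM against plain DH versus DH values bound to a name by
an on-line CA (F).  Toy parameters, constructed for illustration only."""
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; constructed helper used only to build the toy group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128):
    """Return (p, q, g) with p = 2q + 1 prime and g of prime order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4   # 4 is a square mod p, so it lies in the order-q subgroup


P, Q, G = safe_prime_group()     # toy group, regenerated on every import


def dh_keypair():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big") % Q


def schnorr_sign(sk, msg):
    """Stand-in for F's on-line signature (assumption: Schnorr over the same group)."""
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k + sk * e) % Q


def schnorr_verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, (-e) % Q, P) % P   # g^s * pk^-e == g^k when valid
    return _challenge(r, msg) == e


def mitm_on_plain_dh():
    """Unauthenticated DH: Mallory relays her own value to both sides.
    Returns True when user and bank each share a key with Mallory, not with
    each other, and nothing in the exchange let them notice."""
    u_priv, u_pub = dh_keypair()              # user
    b_priv, b_pub = dh_keypair()              # bank
    m_priv, m_pub = dh_keypair()              # man in the middle
    while m_pub in (u_pub, b_pub):            # keep the substitution observable
        m_priv, m_pub = dh_keypair()
    k_user = dh_shared(u_priv, m_pub)         # user believes m_pub came from the bank
    k_bank = dh_shared(b_priv, m_pub)         # bank believes m_pub came from the user
    return (k_user == dh_shared(m_priv, u_pub)
            and k_bank == dh_shared(m_priv, b_pub)
            and k_user != dh_shared(u_priv, b_pub))


def issue_binding(f_sk, name, pub):
    """F, acting as on-line CA, signs (name, public value); no expiry, no CRL."""
    return schnorr_sign(f_sk, f"{name}|{pub}")


def accept_binding(f_pk, name, pub, sig):
    """The receiving institution checks F's binding before using the value."""
    return schnorr_verify(f_pk, f"{name}|{pub}", sig)


def mitm_on_bound_dh():
    """Same substitution once F has bound the value to the user's name.
    Returns (honest_value_accepted, substituted_value_accepted)."""
    f_sk, f_pk = dh_keypair()                 # F's long-term signing key, known to the bank
    _u_priv, u_pub = dh_keypair()
    sig = issue_binding(f_sk, "alice", u_pub)   # what F sends on-line instead of a certificate
    _m_priv, m_pub = dh_keypair()
    while m_pub == u_pub:
        _m_priv, m_pub = dh_keypair()
    return (accept_binding(f_pk, "alice", u_pub, sig),
            accept_binding(f_pk, "alice", m_pub, sig))   # Mallory swaps in her own value


if __name__ == "__main__":
    print("plain DH: MITM undetected:", mitm_on_plain_dh())
    print("bound DH: (honest, substituted) accepted:", mitm_on_bound_dh())
```

The first scenario succeeds every time because a DH public value carries
nothing that ties it to a name; the second fails for Mallory only because the
bank already holds F's verification key and F signed the name together with
the value. That is exactly the trust the text describes: the on-line signature
replaces the certificate, but F still has to be recognised as the authority
for that binding, which is Hugo's legal and revocation concern.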



