[curves] Forward secrecy with "triple Diffie-Hellman"
bascule at gmail.com
Tue Apr 8 18:17:40 PDT 2014
Trevor described this idea to me once and I haven't really seen it written
down anywhere. It's an alternative to something like the CurveCP handshake
for a transport encryption protocol which provides forward secrecy by
deriving a unique session key each time using ephemeral D-H keys. It
couples authentication to confidentiality in ways that might bother some,
but at the same time is incredibly simple and I think that's an advantage
in and of itself.
Let's say Alice has the following elliptic curve D-H keys:
a: long-lived private key
A: long-lived public key
Alice will also generate a' and A' for each session, which are short-lived.
Bob likewise has b, B, b', and B' respectively.
Alice can do:
a * B' || a' * B' || a' * B
(The "*" character here represents Curve25519 scalar multiplication)
Bob can do the reciprocal operation and derive the same shared secret
b * A' || b' * A' || b' * A
These secret strings can then be used as input to a KDF to create a session
If these keys haven't been tampered with in-flight, Alice and Bob should
derive the same session key, and can authenticate each other via their
long-lived public keys.
Does this seem correct, and if so, does anyone know of any literature on
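The exchange described above, worked through end to end as an added example (this is not code from the post or from Trevor). It implements X25519 scalar multiplication in pure Python straight from the RFC 7748 ladder so that it runs offline; that implementation is not constant time and is for illustration only. The KDF (HKDF-SHA256 with a zero salt) and the info label "3dh session key" are my assumptions, as are the os.urandom key pairs. One detail worth flagging: the post has Bob concatenate b*A' || b'*A' || b'*A, which is the reverse of Alice's a*B' || a'*B' || a'*B; since a KDF over a concatenation is order-sensitive, the code below has Bob compute b'*A || b'*A' || b*A', which matches Alice's ordering term by term. The last function also shows the "authentication coupled to confidentiality" point: an attacker who swaps her own ephemeral for Bob's still cannot reach Alice's key without Bob's long-lived b.

```python
import hashlib
import hmac
import os

# Curve25519 field prime and the (A-2)/4 constant from RFC 7748.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Decode a 32-byte private scalar with the RFC 7748 clamping."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """k * u on Curve25519 (the post's '*'), via the RFC 7748 Montgomery ladder.
    Illustration only: the conditional swap below is not constant time."""
    s = _clamp(k)
    ub = bytearray(u)
    ub[31] &= 127                      # the top bit of a u-coordinate is ignored
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (s >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Fresh (private, public) pair; used for both long-lived and per-session keys."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract with a zero salt followed by a single HKDF-Expand block (assumed KDF)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


INFO = b"3dh session key"   # assumed context label for the KDF


def session_key_alice(a, a_eph, B, B_eph):
    """Alice's side: a*B' || a'*B' || a'*B, then KDF."""
    secret = x25519(a, B_eph) + x25519(a_eph, B_eph) + x25519(a_eph, B)
    return hkdf_sha256(secret, INFO)


def session_key_bob(b, b_eph, A, A_eph):
    """Bob's side, ordered to match Alice's concatenation: b'*A || b'*A' || b*A'."""
    secret = x25519(b_eph, A) + x25519(b_eph, A_eph) + x25519(b, A_eph)
    return hkdf_sha256(secret, INFO)


def run_handshake():
    """Honest run: both sides derive the same key. Returns (alice_key, bob_key)."""
    a, A = keygen()
    a_eph, A_eph = keygen()
    b, B = keygen()
    b_eph, B_eph = keygen()
    return session_key_alice(a, a_eph, B, B_eph), session_key_bob(b, b_eph, A, A_eph)


def run_ephemeral_substitution():
    """Mallory replaces Bob's ephemeral B' with her own M'. Without Bob's long-lived b she
    cannot compute the b*A' term, so her best guess (using her own long-lived m) fails.
    Returns (alice_key, mallory_key)."""
    a, A = keygen()
    a_eph, A_eph = keygen()
    b, B = keygen()
    m, M = keygen()
    m_eph, M_eph = keygen()
    alice_key = session_key_alice(a, a_eph, B, M_eph)      # Alice still uses Bob's real B
    mallory_key = session_key_bob(m, m_eph, A, A_eph)      # Mallory only has m, not b
    return alice_key, mallory_key


if __name__ == "__main__":
    ka, kb = run_handshake()
    print("honest handshake agrees:", ka == kb)
    ka, km = run_ephemeral_substitution()
    print("ephemeral substitution defeated:", ka != km)
```

The x25519 function can be checked against the RFC 7748 section 6.1 test vectors; the key-agreement behaviour does not depend on those constants, only on the two sides concatenating the three shared points in the same order before the KDF.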