At 12:10 PM 01/19/2000 -0700, [EMAIL PROTECTED] wrote:
>Several people have suggested using a MAC; my problem is that the
>opponent can reverse-engineer the chip and find the key. I was hoping
>to give the chips a public key and have it encrypt a challenge that I'll
>respond to. On my side, I'd need to prevent chosen-ciphertext attacks.
How about using a hash chain? Assume there is some fixed number of times
the remote side will have to authenticate itself to the chip, like say
1000. Choose a random x_0, compute x_1 = hash(x_0), x_2 = hash(x_1), ...
x_1000 = hash(x_999). Preload the chip with x_1000.
To authenticate itself the other side supplies x_999, the chip verifies
x_1000 = hash(x_999), and overwrites x_1000 with x_999. Then the next
time the remote side supplies x_998. If the remote side is reasonably
powerful it only needs to store x_0 and compute the hash chain on the fly.
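The hash-chain scheme described above, as an added worked example that is not part of the original thread: the chip holds only the current chain head, accepts a token if hashing it yields that head, and then overwrites the head; the remote side keeps x_0 and recomputes each x_k on the fly. SHA-256 as the hash, the constant-time comparison and the chain length are assumptions of this example.

```python
import hashlib
import hmac

def h(x: bytes) -> bytes:
    # One chain step; SHA-256 is an assumption, the post only says "hash".
    return hashlib.sha256(x).digest()

def build_chain(x0: bytes, n: int) -> list:
    # Returns [x_0, x_1, ..., x_n] with x_{k+1} = hash(x_k); x_n is preloaded into the chip.
    chain = [x0]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class Chip:
    # Holds only the current head x_k; there is no long-term key to extract.
    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # Accept x_{k-1} iff hash(x_{k-1}) == stored x_k, then roll the head back.
        if hmac.compare_digest(h(candidate), self.current):
            self.current = candidate
            return True
        return False  # wrong preimage, replayed token, or chain already exhausted

class Remote:
    # Stores only x_0 and recomputes the next token by hashing forward.
    def __init__(self, x0: bytes, n: int):
        self.x0 = x0
        self.next_index = n - 1  # first token to reveal is x_{n-1}

    def next_token(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("hash chain exhausted; reprovision the chip")
        t = self.x0
        for _ in range(self.next_index):
            t = h(t)
        self.next_index -= 1
        return t

if __name__ == "__main__":
    x0 = b"constructed example seed"  # constructed sample value
    chain = build_chain(x0, 1000)
    chip, remote = Chip(chain[1000]), Remote(x0, 1000)
    tok = remote.next_token()
    print("first auth:", chip.verify(tok), "replay:", chip.verify(tok))
```

Each accepted token is a preimage of the chip's current head, so an observer who captures it learns nothing usable: the next token is a preimage of the captured one, and the captured token itself is rejected on replay.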