Hi. I'm working on specifying a security mechanism which assumes that the parties involved can retrieve static information about each other (public keys and supported algorithms) via an out-of-band secure database lookup. All of the literature I've read and all of the existing mechanisms I know about don't seem to make this assumption, so I feel a little short on guidance.

My goal is to negotiate a channel with bidirectional secrecy and integrity. I'm not currently worried about forward secrecy.

My current protocol is quite simple. Given an initiator Alice and a receiver Bob:

1. Alice generates a symmetric encryption key she will use and a symmetric signing key Bob will use. She sends these keys to Bob, encrypted in Bob's public key.
2. Bob does the same thing in reverse.

I've ignored the details of key and algorithm selection. For algorithm selection, I assume that Alice can simply look up what public keys Bob has and what symmetric encryption/signing algorithms Bob supports, pick something in the overlap for each area, and declare which public key and what algorithms she is using in the blob she sends. Bob will use the same symmetric algorithms as Alice, and declare which of Alice's public keys he chose in his blob.

Once symmetric keys are chosen, all traffic is signed and encrypted (in that order) using the appropriate keys. Replay attacks shouldn't be possible since each side chooses the other side's signing key. I don't think reflection attacks should be possible since each side chooses its own encryption key. Have I missed anything?

Maybe this problem isn't widely written about because it's so simple. But given the many mistakes made in security protocols in the recent past, I'd like some reassurance that I'm on the right track. Thanks.
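The two-step setup and the per-message protection described in the question, written out as an added example (not the poster's code) in Go using only the standard library. It assumes RSA-OAEP for sealing the two fresh keys to the peer's long-term public key, a single symmetric suite of AES-256-CTR plus HMAC-SHA256, and stubs the out-of-band directory lookup as direct access to the peer's generated public key; the names Party, Hello, MakeHello, OpenHello, Seal, Open and Run are chosen here. It follows the post's sign-then-encrypt order (encrypt-then-MAC is the more commonly recommended order). Run also exercises two edge cases: a flipped bit in a record is rejected, while the same record delivered a second time within the session is still accepted, because nothing in the design binds a record to its position in the stream.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const alg = "AES-256-CTR+HMAC-SHA256" // the only suite this example supports (assumption)

// Hello is the setup blob each side sends: the encryption key the sender will use for
// its own traffic plus the MAC key the *peer* must use for traffic coming back, sealed
// to the peer's long-term RSA key. The chosen suite is declared in the clear, as in the post.
type Hello struct {
	Alg    string
	Sealed []byte // RSA-OAEP(SHA-256) over encKey || macKey
}

// Party holds one side's long-term key pair and, after setup, its four session keys.
type Party struct {
	Priv    *rsa.PrivateKey
	SendEnc []byte // chosen by us: encrypts what we send
	SendMAC []byte // chosen by the peer: authenticates what we send
	RecvEnc []byte // chosen by the peer: decrypts what we receive
	RecvMAC []byte // chosen by us: verifies what we receive
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// MakeHello generates our send-encryption key and the peer's send-MAC key, seals both
// to peerPub (the directory lookup is stubbed as direct access to that key), and records them.
func (p *Party) MakeHello(peerPub *rsa.PublicKey) (Hello, error) {
	encKey, err := randBytes(32)
	if err != nil { return Hello{}, err }
	macKey, err := randBytes(32)
	if err != nil { return Hello{}, err }
	blob := append(append([]byte{}, encKey...), macKey...)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, blob, []byte(alg))
	if err != nil { return Hello{}, err }
	p.SendEnc, p.RecvMAC = encKey, macKey
	return Hello{Alg: alg, Sealed: sealed}, nil
}

// OpenHello unseals the peer's blob: its encryption key becomes our RecvEnc and the MAC
// key it chose for us becomes our SendMAC.
func (p *Party) OpenHello(h Hello) error {
	if h.Alg != alg { return errors.New("unsupported suite") }
	keys, err := rsa.DecryptOAEP(sha256.New(), nil, p.Priv, h.Sealed, []byte(h.Alg))
	if err != nil { return err }
	if len(keys) != 64 { return errors.New("bad key blob") }
	p.RecvEnc, p.SendMAC = keys[:32], keys[32:]
	return nil
}

// Seal follows the post's "sign, then encrypt": HMAC over the plaintext, then AES-CTR
// over plaintext||tag under a fresh random IV, output as iv||ciphertext.
func (p *Party) Seal(msg []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, p.SendMAC)
	mac.Write(msg)
	body := mac.Sum(append([]byte{}, msg...)) // msg || tag
	block, err := aes.NewCipher(p.SendEnc)
	if err != nil { return nil, err }
	iv, err := randBytes(aes.BlockSize)
	if err != nil { return nil, err }
	out := make([]byte, len(iv)+len(body))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], body)
	return out, nil
}

// Open decrypts a record, splits off the tag and verifies it in constant time.
func (p *Party) Open(rec []byte) ([]byte, error) {
	if len(rec) < aes.BlockSize+sha256.Size { return nil, errors.New("record too short") }
	block, err := aes.NewCipher(p.RecvEnc)
	if err != nil { return nil, err }
	body := make([]byte, len(rec)-aes.BlockSize)
	cipher.NewCTR(block, rec[:aes.BlockSize]).XORKeyStream(body, rec[aes.BlockSize:])
	msg, tag := body[:len(body)-sha256.Size], body[len(body)-sha256.Size:]
	mac := hmac.New(sha256.New, p.RecvMAC)
	mac.Write(msg)
	if !hmac.Equal(tag, mac.Sum(nil)) { return nil, errors.New("bad MAC") }
	return msg, nil
}

// Result records what the exchange produced, including the two edge-case checks.
type Result struct {
	BobGot, AliceGot string
	ReplayAccepted   bool // same record opened twice within the session still verifies
	TamperRejected   bool // a flipped ciphertext bit is caught by the MAC
}

// Run performs steps 1 and 2 from the post, sends one message each way, then replays
// and tampers with Alice's record. Keys are generated here as constructed test data.
func Run() (Result, error) {
	var r Result
	ak, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return r, err }
	bk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return r, err }
	alice, bob := &Party{Priv: ak}, &Party{Priv: bk}
	h1, err := alice.MakeHello(&bk.PublicKey) // step 1: Alice -> Bob
	if err != nil { return r, err }
	if err := bob.OpenHello(h1); err != nil { return r, err }
	h2, err := bob.MakeHello(&ak.PublicKey) // step 2: Bob -> Alice, in reverse
	if err != nil { return r, err }
	if err := alice.OpenHello(h2); err != nil { return r, err }
	rec, err := alice.Seal([]byte("hello bob"))
	if err != nil { return r, err }
	m, err := bob.Open(rec)
	if err != nil { return r, err }
	r.BobGot = string(m)
	rec2, err := bob.Seal([]byte("hello alice"))
	if err != nil { return r, err }
	m2, err := alice.Open(rec2)
	if err != nil { return r, err }
	r.AliceGot = string(m2)
	_, err = bob.Open(rec) // the identical record delivered again
	r.ReplayAccepted = err == nil
	rec[len(rec)-1] ^= 0x01 // flip one bit of the encrypted tag
	_, err = bob.Open(rec)
	r.TamperRejected = err != nil
	return r, nil
}

func main() {
	r, err := Run()
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", r)
}
```

Running it prints a Result whose ReplayAccepted field is true: the per-direction MAC keys stop an attacker from forging or reflecting records, but a record captured in this session and re-sent in the same session verifies unless a sequence number or nonce is added under the MAC.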