This is a solved problem, under slightly different assumptions.

At 07:34 AM 7/20/00 -0700, James A. Donald wrote:
>     --
>Weak user keys.
>
>Suppose the user's key p, may be weak and easily guessed from G^p
>
>Suppose the key server constructs for each user a strong supplementary 
>key, q, which the server knows but the user does not know.
>
>We would like the keyserver to protect people who are not so paranoid as 
>to protect themselves from the keyserver.

This can be done by using p to establish a password-authenticated secure 
channel to the server and retrieve q through that channel.  The client 
combines p and q to re-create the private key.  The public key that 
corresponds with the private key is made public.

>[1] We want a public key system that does not make public G^p, though it 
>will make public G^q and G^(pq).
>
>[2] A signature in this public key system should show that the document 
>has been signed by someone who knows p, with the assistance of someone who 
>knows both q and the shared secret key, G^p.
>
>[3] Someone who knows G^q and G^(pq) should be able to check the signature 
>without knowing G^p, p, or q.
>
>[4] Anyone knowing G^q and G^(pq) should be able to encrypt a document in 
>such a way that only a person who knows p can decrypt it, provided he has 
>the assistance of someone who knows q and G^p
>
>I have not been able to design such a system

... Because at least one of your assumptions was wrong.  As David Wagner 
noted, there is no method that works in this model.  Knowing G^q and 
G^(pq), one can test and verify guesses for p.  If you get rid of goals 
[3] and [4], limiting the public information to the public key, you can 
make this work.

>One can achieve almost the same effect by having transient user keys 
>separate from the user logon key, random keys which are randomly generated 
>by the user's client software and authenticated by the server, but this 
>exposes the client to a man-in-the-middle attack from the server, and only 
>works for instant messaging and for transactions that either fail or 
>complete within a single logon session at the server.

I'm not sure what method you have in mind, but there are several ways to 
achieve goals [1] and [2] without a MITM attack.  The general model works 
like this:

Using a password-authenticated key exchange, the client proves knowledge of 
p to a server that knows f(p) (a special one-way transformation of p) and 
derives a mutually authenticated session key K.

K is mutually authenticated by the client's knowledge of p, and the 
server's knowledge of f(p).
There are several ways to do this, like B-SPEKE, SRP, A-EKE, AMP, all 
described in papers at <www.integritysciences.com>.

The client then retrieves q through the channel encrypted with K, and then
combines p and q to re-create the private key.

In some of these methods, f(p) is in fact G^p, so you weren't too far off 
the mark.

----------------------------------
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com


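The model Jablon describes (a PAKE in which the server holds f(p) = G^p, then release of q over the K-protected channel, then the client rebuilding the private key from p and q), together with Wagner's objection to goals [3] and [4], as an added worked example that is not code from the post or from Integrity Sciences. It uses SRP-6a arithmetic over the 1024-bit MODP safe prime of RFC 2409 with g = 2; the password exponent x plays the role of the thread's p, the server's verifier v = g^x is the "f(p) is in fact G^p" case, and the private key is assembled as x + q so that the only published value is g^(x+q). The channel cipher, the key-combination rule, the usernames and passwords are all constructed for the example; a deployment would use a real AEAD and a vetted SRP library.

```python
"""SRP-6a PAKE, release of a server-held supplementary key q over the
authenticated channel, and client-side reassembly of the private key.
Added example, not code from the thread or from Integrity Sciences."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group of RFC 2409 (safe prime, generator 2); group_sanity()
# below guards against a mistyped constant.
N = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
g = 2
ORDER = (N - 1) // 2          # order of g=2 in a safe-prime group with N % 8 == 7
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def i2b(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")

k = b2i(H(i2b(N), i2b(g)))    # SRP-6a multiplier

def group_sanity() -> bool:
    """Fermat checks on N and (N-1)/2: cheap guard, not a primality proof."""
    return all(pow(a, N - 1, N) == 1 and pow(a, ORDER - 1, ORDER) == 1
               for a in (2, 3, 5, 7))

def derive_x(user: bytes, password: bytes, salt: bytes) -> int:
    """x is the thread's p: the (possibly weak) password exponent.
    Only the client ever computes it; the server sees just v = g^x."""
    return b2i(H(salt, H(user, b":", password)))

def register(user: bytes, password: bytes):
    """Enrolment: the server stores (salt, v = g^x), i.e. f(p) = G^p."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(user, password, salt), N)

def srp_exchange(user: bytes, password: bytes, salt: bytes, v: int):
    """Both sides of SRP-6a in one process.  Returns (K_client, K_server,
    confirmed); the keys agree only if the client's password matches v."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                              # client -> server
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N                # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value")
    u = b2i(H(i2b(A), i2b(B)))
    x = derive_x(user, password, salt)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_s = pow(A * pow(v, u, N) % N, b, N)
    K_c, K_s = H(i2b(S_c)), H(i2b(S_s))
    M1 = H(i2b(A), i2b(B), K_c)                   # client key confirmation
    return K_c, K_s, hmac.compare_digest(M1, H(i2b(A), i2b(B), K_s))

def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256)
                    .digest() for i in range((n + 31) // 32))[:n]

def seal(K: bytes, msg: bytes) -> bytes:
    """Constructed encrypt-then-MAC channel keyed from K (HMAC-SHA256
    keystream + HMAC tag).  A deployment would use an AEAD such as AES-GCM."""
    ke, km = H(b"enc", K), H(b"mac", K)
    nonce = secrets.token_bytes(16)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(ke, nonce, len(msg))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def unseal(K: bytes, blob: bytes) -> bytes:
    ke, km = H(b"enc", K), H(b"mac", K)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong K or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ke, nonce, len(ct))))

def assemble_private_key(x: int, q: int) -> int:
    """Constructed combination rule: d = x + q mod ORDER, so the public key
    g^d = g^x * g^q.  Neither v = g^x nor q alone yields d, and only g^d is
    published (goal [1]: G^p itself never becomes public)."""
    return (x + q) % ORDER

def recover_key(user: bytes, password: bytes, q_server: int):
    """End to end: enrol, run SRP, release q only after key confirmation,
    rebuild d on the client.  Returns (d, public key, server verifier v)."""
    salt, v = register(user, password)
    K_c, K_s, ok = srp_exchange(user, password, salt, v)
    if not ok:
        raise PermissionError("server refuses to release q: bad password")
    blob = seal(K_s, i2b(q_server))               # server -> client
    q = b2i(unseal(K_c, blob))
    d = assemble_private_key(derive_x(user, password, salt), q)
    return d, pow(g, d, N), v

def offline_guess_check(Gq: int, Gpq: int, guess: int) -> bool:
    """Wagner's objection to goals [3]/[4]: once G^q and G^(pq) are public,
    anyone can test a candidate p' offline via (G^q)^p' == G^(pq)."""
    return pow(Gq, guess, N) == Gpq

if __name__ == "__main__":
    q = secrets.randbelow(ORDER)
    d, Y, v = recover_key(b"alice", b"weak-password-123", q)
    print("public key matches g^x * g^q:", Y == v * pow(g, q, N) % N)
```

The server never learns x (it holds only v), so it cannot sign or decrypt alone; the client cannot rebuild d without the server releasing q, and that release is gated on SRP key confirmation, so a wrong password yields mismatched K values and no q. The last function is the reason the original goals [3] and [4] cannot be met: with G^q and G^(pq) both public, a weak p falls to an offline dictionary attack regardless of how q is protected.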