Re: [STDS-802-Privacy] Proposal on a MAC mediator protocol
> Simple version of suggested exchange below …. Minus some other features:
>
> csi = cipher suite identifier
> H = secure hash determined by cipher suite
> f = key derivation function determined by cipher suite
> s_i = secret for ‘i’
> G = group generator (using additive notation)
> P_i = s_i*G
> m_j = scalar random mask value (jth for i)
> Q_ij = m_j*P_i
> MAC_ij = H(csi, Q_ij, f(TSF))[0:6]
>
> MAC_kl = same as above but kth MAC of P_l
>
> Exchange
>
> MAC_ij --- csi, Q_ij ---> MAC_kl
> MAC_ij <--- Q_kl --- MAC_kl
>
> Keys now calculated on both sides
> K_ij = K_kl = f(csi, m_j*s_i*Q_kl) = f(csi, m_k*s_l*Q_ij)
>
> Sharing m_j encrypted under derived key shows binding of Q_ij to P_i
>
> MAC_ij --- encr(K_ij, m_j, P_i, etc) ---> MAC_kl
>
> MAC_kl can validate that
> Q_ij = m_j*P_i
The problem of course is that when you do that, you reveal the public key P_i to the other party. This has an obvious privacy effect, which depends on the lifetime of that public key. If the lifetime is "forever," then we have a long term identifier and a privacy issue. Of course, the privacy effect could be mitigated by picking a different public key for each "session," but that supposes cipher suites in which picking such random keys is easy.
Before we go further, we should be clear about what problem we are trying to solve. Clearly, this type of exchange can be used to prove that the device "owns" a particular random number. But what does that ownership mean? If two devices claim the same key, who wins? Who decides?
-- Christian Huitema
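The quoted exchange carried end to end, as an added example that is not part of the original thread or of any IEEE draft. Everything the proposal leaves open is an assumption here: the group is secp256k1 (so the "additive notation" is ordinary EC point arithmetic), H is SHA-256, f is a labelled SHA-256 KDF, TSF is a 64-bit counter, and encr() is a toy encrypt-then-MAC standing in for a real AEAD. The names Device, run_exchange and verify_binding are illustrative, not from the proposal.

```python
"""Added illustration of the masked-key exchange quoted in the thread.
Assumptions (not in the original): group = secp256k1, H = SHA-256,
f = labelled SHA-256 KDF, TSF = 64-bit counter, encr() = toy
encrypt-then-MAC standing in for a real AEAD."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed cipher suite)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
CSI = b"secp256k1-sha256"  # cipher suite identifier (assumed label)

def on_curve(pt):
    """y^2 == x^3 + 7 (mod p); received points must pass this before use."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a == 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt, additive notation as in the proposal."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    """Uncompressed 64-byte encoding of an affine point."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def f(*parts):
    """KDF of the cipher suite (assumed: labelled SHA-256)."""
    return hashlib.sha256(b"kdf|" + b"|".join(parts)).digest()

def mac_address(Q, tsf):
    """MAC_ij = H(csi, Q_ij, f(TSF))[0:6]."""
    return H(CSI, enc(Q), f(tsf.to_bytes(8, "big")))[:6]

def _keystream(key, n):
    return b"".join(H(key, b"ks", i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def encr(key, msg):
    """Toy encrypt-then-MAC (stand-in for an AEAD; not for production use)."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def decr(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

class Device:
    def __init__(self, secret=None):
        self.s = secret or (secrets.randbelow(N - 1) + 1)  # s_i, long-term secret
        self.P = mul(self.s, G)                             # P_i = s_i*G

    def new_session(self, tsf):
        self.m = secrets.randbelow(N - 1) + 1               # m_j, fresh mask per session
        self.Q = mul(self.m, self.P)                        # Q_ij = m_j*P_i
        self.mac = mac_address(self.Q, tsf)                 # MAC_ij
        return self.Q

    def derive_key(self, peer_Q):
        if not on_curve(peer_Q):                            # reject off-curve input
            raise ValueError("peer point not on curve")
        # K_ij = f(csi, m_j*s_i*Q_kl); the scalar product is reduced mod n first
        return f(CSI, enc(mul(self.m * self.s % N, peer_Q)))

    def binding_proof(self, key):
        # encr(K_ij, m_j, P_i): this is the step that reveals P_i to the peer
        return encr(key, self.m.to_bytes(32, "big") + enc(self.P))

def verify_binding(key, proof, claimed_Q):
    """Peer checks Q_ij == m_j*P_i from the decrypted (m_j, P_i)."""
    try:
        pt = decr(key, proof)
    except ValueError:
        return False
    m = int.from_bytes(pt[:32], "big")
    P_i = (int.from_bytes(pt[32:64], "big"), int.from_bytes(pt[64:96], "big"))
    return on_curve(P_i) and mul(m, P_i) == claimed_Q

def run_exchange(tsf=0x1234, s_i=None, s_l=None):
    """Both sides of the quoted exchange; returns what each side ends up with."""
    dev_i, dev_l = Device(s_i), Device(s_l)
    Q_ij = dev_i.new_session(tsf)      # MAC_ij --- csi, Q_ij ---> MAC_kl
    Q_kl = dev_l.new_session(tsf)      # MAC_ij <--- Q_kl --- MAC_kl
    K_ij = dev_i.derive_key(Q_kl)
    K_kl = dev_l.derive_key(Q_ij)
    proof = dev_i.binding_proof(K_ij)  # MAC_ij --- encr(K_ij, m_j, P_i) ---> MAC_kl
    return {
        "keys_match": K_ij == K_kl,
        "binding_ok": verify_binding(K_kl, proof, Q_ij),
        "mac_ok": mac_address(Q_ij, tsf) == dev_i.mac,  # peer re-derives MAC_ij
        "P_i_revealed": dev_i.P,       # the long-term identifier the reply objects to
        "K_kl": K_kl, "proof": proof, "Q_ij": Q_ij, "Q_kl": Q_kl,
    }
```

Two points the code makes visible that the sketch does not: the receiver must check that Q_kl (and the decrypted P_i) are on the curve before multiplying by its secret, and the binding step hands the peer P_i itself, so calling run_exchange(s_i=7) twice returns the same P_i_revealed, which is exactly the long-lived identifier the reply above is concerned about; only a fresh s_i per session (Device(secret=None)) changes it.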