Crypto Questions
Pete Chown
Pete.Chown at skygate.co.uk
Mon, 5 Mar 2001 11:56:42 +0000
Peter Fairbrother wrote:

> 1) Is there a way to have reliable authentication that is repudiable? I
> think the concepts are too similar, but it would be useful.

CRAM-MD5 has this property. The server sends a challenge to the
client which then computes a hash of the challenge and the password.
Because the server knows the password too, it is not possible to prove
that the client authenticated.

You could also replace MD5 with RSA signing. Normally the client
would sign a random challenge. However the server could choose a
random number, work out what it is a signature of, and then claim that
that number was the challenge. Hence the client can repudiate
authentications.

This is a departure from the usual use of RSA signing in that no
padding algorithm is used. You would have to be careful that this
doesn't create any vulnerabilities.

I *think* that if you used TLS in ADH mode, and used a hash of the
Finished message instead of a server challenge, either of these would
do what you wanted. The important thing is to tie the authentication
to the TLS session keys so that MITM attacks don't work.

Wow, I started writing this thinking it was easy but it isn't. I'm
sure I must have got something wrong too -- that's the worst of trying
to make up new crypto.

> 2) Does anyone know of a backwards hash, i.e. an algorithm that gives a
> previously specified result from a cyphertext but which is infeasible to
> reverse? How would you generate the cyphertext? No secret keys allowed.

I don't really understand this one -- can you be more specific?
--
Pete
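The repudiability property of CRAM-MD5 described in the first reply above, as an added example that is not part of the original thread: a shared-secret challenge-response exchange (keyed MD5 digest of a server challenge, in the style of CRAM-MD5, with the message encoding simplified) where the verifier can produce an identical transcript by itself. The password and challenge values are constructed for the demo; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Constructed values for the demo; a real server would draw the challenge
# from os.urandom and look up the password in its credential store.
PASSWORD = b"correct horse battery staple"
CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.example>")


def new_challenge() -> bytes:
    """Server side: fresh random nonce, base64 encoded as in CRAM-MD5."""
    return base64.b64encode(os.urandom(16))


def client_response(password: bytes, challenge: bytes) -> str:
    """Client side: keyed digest of the challenge, hex encoded.
    Only the shared password is needed, so anyone holding it can compute this."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def server_verify(password: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the digest and compare in constant time.
    The server must keep the password (or an equivalent secret) in a form it
    can key the digest with, which is the main deployment cost of this scheme."""
    expected = client_response(password, challenge)
    return hmac.compare_digest(expected, response)


def server_can_forge(password: bytes, challenge: bytes, response: str) -> bool:
    """Repudiability check: the server, knowing the password, produces the very
    same (challenge, response) pair with no client involvement, so the transcript
    is not evidence to a third party that the client was ever present.
    A signature made with a client-only private key would not have this property."""
    return client_response(password, challenge) == response


def run_demo() -> dict:
    response = client_response(PASSWORD, CHALLENGE)
    return {
        "accepted": server_verify(PASSWORD, CHALLENGE, response),
        "wrong_password_rejected": not server_verify(b"wrong", CHALLENGE, response),
        "server_can_forge": server_can_forge(PASSWORD, CHALLENGE, response),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```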