Open Stack

On Fri, 2013-04-26 at 16:23 -0400, Eric Windisch wrote:
> > 
> > HMAC(metadata, Ea(SEK, Eb(SEK)))
> > 
> 
> The problem is that Eb(SEK) isn't signed. You sign Ea(), but you can't
> send that to B, because B can't decrypt it. Thus, you're only sending
> Eb(SEK).
> 
> When B receives Eb(SEK), it cannot validate it.  You would need to
> receive from the keyserver:

> Sa(metadata, Ea(SEK, Sb(Eb(SEK))))
> 
> Then, you can send to B:  Sb(Eb(SEK)))

Signing Eb(SEK) is unnecessary, as I wrote Eb(SEK) is a *simplification*
it really is: Eb(RKey, NameA, NameB, Exp.Time)

What this means is that The sender cannot replace it with an arbitrary
token, it also cannot be stolen and used by a different service because
on the receiving side the SEK will be created using NameA and NameB and
therefore bound to A -> B it also cannot be reused at a later time
because the expiration timestamp is sent as well so older tokens are
invalidated.

And the very fact Eb() can be decrypted by B is proof this token came
from the Key Sever, because the Key server is the only one that knows
the shared key, so signing it does not add anything that I can see.

What is the attack that A can perform on B here that A cannot already
do ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York