From: Adam Shostack <adam@bwh.harvard.edu>
To: kentborg@world.std.com (Kent Borg)
Message Hash: 01391b58bd20110f2461b9c1846d943d841667ef4a5dcf45745f1d0a87e1df9c
Message ID: <199407081353.JAA20694@duke.bwh.harvard.edu>
Reply To: <199407080551.AA04892@world.std.com>
UTC Datetime: 1994-07-08 13:58:09 UTC
Raw Date: Fri, 8 Jul 94 06:58:09 PDT
From: Adam Shostack <adam@bwh.harvard.edu>
Date: Fri, 8 Jul 94 06:58:09 PDT
To: kentborg@world.std.com (Kent Borg)
Subject: Re: Question: Key Distr. in realtimeo applications?
In-Reply-To: <199407080551.AA04892@world.std.com>
Message-ID: <199407081353.JAA20694@duke.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain
Kent writes:
| One-time key, how to distribute to both participants: don't. Let each
| pick a random key and sent it to the other using the other's public
| key--no need to use the same key in both directions, in fact seems a
| bad idea.
Sending your otp by RSA reduces the security of your OTP to
that of RSA, since if your RSA key can be broken, the otp can be
obtained. Since the problem is barely more difficult than factoring
your rsa key (or craking the one time idea password in use), there is
no security gain to the otp.
otp's require that they be securely distributed. Usually,
this means a courier with a briefcase full of cd-roms handcuffed to
his wrist, or some other similarly paranoid means.
Adam
--
Adam Shostack adam@bwh.harvard.edu
Politics. From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.
Return to July 1994
Return to “kentborg@world.std.com (Kent Borg)”