Author: Timo Hanke 2013-11-03 06:23:09
Published on: 2013-11-03T06:23:09+00:00
A discussion on the security of token signing was initiated by bitcoingrant, where Johnathan Corgan expressed concern over signing an arbitrary string, since the string could be the hash of a malicious document. Several replies suggested that the client should modify the token, add something to it, or give it some structure. Timo Hanke argued that if the client's key is an (EC)DSA key, signing a token is not recommended in the first place. The standard approach is a Diffie-Hellman style challenge-response, which never produces anything that could be mistaken for a signature. In this protocol, suppose the client wants to prove ownership of the private key p belonging to the public key P, where P = p*G and G is the base point of the (EC)DSA system. The server generates a fresh keypair (a, A), with a private and A public, and sends A to the client as the challenge. The client computes p*A and sends it back. The server checks whether p*A = a*P; this holds for the honest client because p*A = p*(a*G) = a*(p*G) = a*P, and without knowledge of p the client cannot compute p*A from P and A alone (the computational Diffie-Hellman assumption). Only curve points are exchanged, so nothing in the transcript can be mistaken for, or reused as, an (EC)DSA signature. Timo Hanke concluded the discussion with this proposal.
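The exchange described above, worked through as an added example that is not part of the original thread or any project's code. It uses a minimal pure-Python secp256k1 implementation (the curve of Bitcoin's ECDSA keys) so it runs offline; the function names server_challenge, client_respond and server_verify are illustrative choices, not names from the discussion. Two practitioner checks not spelled out in the thread are included: the client verifies that the challenge A is actually a point on the curve before multiplying by its private key (multiplying by a point off the curve is the classic invalid-curve attack and can leak bits of p), and the server verifies the response is a valid point before comparing. Note also that the response p*A is exactly the ECDH shared point between the client's key and A, so the client should answer only fresh challenges from a party it intends to authenticate to.

```python
import secrets

# secp256k1 domain parameters (assumed here because Bitcoin keys use this curve)
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt is a finite point satisfying y^2 = x^3 + 7 (mod p)."""
    if pt is None:
        return False
    x, y = pt
    return (0 <= x < FIELD_P and 0 <= y < FIELD_P
            and (y * y - x * x * x - 7) % FIELD_P == 0)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Return (private scalar, public point) for a fresh secp256k1 keypair."""
    priv = secrets.randbelow(ORDER_N - 1) + 1
    return priv, scalar_mult(priv, G)


def server_challenge():
    """Server side, step 1: fresh ephemeral keypair (a, A); A is the challenge."""
    return keygen()


def client_respond(client_priv, challenge):
    """Client side: validate A, then return p*A. Nothing here is a signature."""
    if not on_curve(challenge):
        # Refuse to multiply p by an off-curve point (invalid-curve attack).
        raise ValueError("challenge is not a valid secp256k1 point")
    return scalar_mult(client_priv, challenge)


def server_verify(a, client_pub, response):
    """Server side, step 2: accept iff response == a*P (i.e. p*A == a*P)."""
    if not on_curve(response):
        return False
    return response == scalar_mult(a, client_pub)


def run_protocol(client_priv, client_pub):
    """Full exchange between both sides; True iff the client proved ownership."""
    a, A = server_challenge()           # server -> client: A
    response = client_respond(client_priv, A)  # client -> server: p*A
    return server_verify(a, client_pub, response)


if __name__ == "__main__":
    p, P = keygen()
    print("honest client accepted:", run_protocol(p, P))
    q, _ = keygen()
    print("wrong key accepted:", run_protocol(q, P))
```

The verification succeeds because both sides compute the same point p*a*G; an impostor who knows only P and A would need to solve the Diffie-Hellman problem on the curve to produce p*A.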
Updated on: 2023-06-07T18:58:19.569316+00:00