
List:       bouncycastle-crypto-dev
Subject:    alternative key exchange!?
From:       Karsten Fischer <Karsten.Fischer () epost ! de>
Date:       2002-07-28 15:51:39

Hi there!

I am currently working on a MIDlet and a server program and I want to use
symmetric encryption. But the key exchange is what makes the problem, since
using RSA encryption takes too long on small devices.

I thought about another alternative to obtain a symmetric key, but I am not
sure if it is secure or not:

1) client generates a digest d out of the current time t and user password p
2) client sends d + t and a random number r to the server
3) first the server verifies the digest by using t and the password that is
stored locally on the server side
4) upon successful verification both client and server generate a new digest
using p, r and some predefined string of size > length of maximum symmetric key.
5) client and server should obtain the same digest and can then take the first
bytes (or better the last!?) as a symmetric key without the need to exchange it
over the network.

Steps 1 - 3 seem to be normal when using digests (see e.g. Jonathan Knudsen's
book on Wireless Java, the chapter dealing with cryptography was btw available
as download).

Steps 4 and 5 are what I am not sure about, whether this would work at all and if
it is secure to do so.

Hope someone can help me about this.

Regards,

Karsten Fischer
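
Added example, not part of the original post: steps 1 to 5 written out for both sides so the data flow is visible. The hash (SHA-256 via Java SE `MessageDigest` rather than a Bouncy Castle digest class), the label string, the 16-byte key length, the 30-second clock window and all method names are assumptions; the post fixes none of them.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class DigestKeyAgreement {
    // Assumed constants (not from the post): label, key length, allowed clock skew.
    static final byte[] LABEL = "example-session-key-v1".getBytes(StandardCharsets.UTF_8);
    static final int KEY_LEN = 16;
    static final long MAX_SKEW_MS = 30_000;

    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] part : parts) md.update(part);
        return md.digest();
    }

    // Fixed-width encoding of t so the digest input is unambiguous.
    static byte[] timeBytes(long t) { return ByteBuffer.allocate(8).putLong(t).array(); }

    // Step 1: d = H(t || p)
    static byte[] authDigest(long t, byte[] password) throws Exception {
        return sha256(timeBytes(t), password);
    }

    // Step 3: server recomputes d from its stored password and rejects a stale t.
    static boolean serverVerify(byte[] d, long t, long now, byte[] stored) throws Exception {
        if (Math.abs(now - t) > MAX_SKEW_MS) return false;
        return MessageDigest.isEqual(d, authDigest(t, stored)); // time-constant compare
    }

    // Steps 4-5: key = first KEY_LEN bytes of H(p || r || label); r is fixed-length.
    static byte[] sessionKey(byte[] password, byte[] r) throws Exception {
        return Arrays.copyOf(sha256(password, r, LABEL), KEY_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] clientPw = "constructed-password".getBytes(StandardCharsets.UTF_8);
        byte[] serverPw = "constructed-password".getBytes(StandardCharsets.UTF_8);
        long t = System.currentTimeMillis();
        byte[] r = new byte[16];
        new SecureRandom().nextBytes(r);
        byte[] d = authDigest(t, clientPw);          // step 2: client sends d, t, r
        System.out.println("accepted: " + serverVerify(d, t, System.currentTimeMillis(), serverPw));
        System.out.println("keys match: "
            + Arrays.equals(sessionKey(clientPw, r), sessionKey(serverPw, r)));
        System.out.println("stale t rejected: " + !serverVerify(d, t, t + 60_000, serverPw));
    }
}
```

Both sides do arrive at the same key, but d, t and r all travel in the clear, so p is the only secret input and the key is exactly as strong as the password. The random r makes each session key different; it does not add secrecy.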
