Re: DSA for encryption
On Sun, 06 Dec 1998 22:25:57 -0600, Bennett Haselton <bennett@peacefire.org> wrote:
I'm working on an enhancement to a Web-based program that allows you to circumvent proxy server censorship by sending a request for a Web page to a computer in the outside world that is not blocked by the proxy, and having that computer re-send a copy of the banned page back to you.
Good idea!
Of course, any manufacturer of Internet censorship proxy server software could easily add ians.ml.org to their list of blocked sites (as they have all already done with Anonymizer), so the idea would be for people to get their friends to set up port-forwarding programs on computers that were not blocked by the censoring proxy, and those could be set up to relay requests between the IANS server and the computer behind the proxy server.
It may not be so easy to get people to set up port-forwarding programs. These could be a target for hackers seeking to cover their tracks as they try break-ins. Also, how many people in this day of commercial ISPs are able to set up port-forwarding programs? It would seem more promising to make your web page script be simple and portable enough that even users of AOL and free webpage hosts like GeoCities would be able to install it.
I am working on a JavaScript form that could be used on the client side to solve this problem. We would like to use DSA to encrypt the requests sent using IANS, since I've heard DSA can be used for encryption without royalties, unlike, for example, RSA.
DSA per se is probably not your best choice - unless you already have a DSA implementation which you want to try to use. DSA is a signature algorithm, and while it is sometimes possible to use a DSA implementation to do encryption, it is not particularly convenient. What you want to do is to use the mathematical principle behind DSA, which is the difficulty of solving the discrete log problem, and use an encryption algorithm which relies on that same math problem, namely Diffie-Hellman or ElGamal encryption.

If you need to use DSA, Bruce Schneier describes in his book Applied Cryptography how to get the effect of ElGamal encryption. Here is what he writes, on page 490:

: ElGamal Encryption with DSA
:
: There have been allegations that the government likes the DSA because it is
: only a digital signature algorithm and can't be used for encryption. It is,
: however, possible to use the DSA function call to do ElGamal encryption.
:
: Assume that the DSA algorithm is implemented with a single function call:
:
: DSAsign (p, q, g, k, x, h, r, s)
:
: You supply the numbers p, q, g, k, x, and h, and the function returns the
: signature parameters: r and s.
:
: To do ElGamal encryption of message m with public key y, choose a random
: number k, and call
:
: DSAsign (p, p, g, k, 0, 0, r, s)
:
: The value of r returned is a in the ElGamal scheme. Throw s away. Then,
: call
:
: DSAsign (p, p, y, k, 0, 0, r, s)
:
: Rename the value of r to be u; throw s away. Call
:
: DSAsign (p, p, m, 1, u, 0, r, s)
:
: Throw r away. The value of s returned is b in the ElGamal scheme. You now
: have the ciphertext, a and b.
:
: Decryption is just as easy. Using secret key x, and ciphertext messages
: a and b, call
:
: DSAsign (p, p, a, x, 0, 0, r, s)
:
: The value r is a^x mod p. Call that e. Then call
:
: DSAsign (p, p, 1, e, b, 0, r, s)
:
: The value s is the plaintext message, m.
:
: This method will not work with all implementations of DSA. Some may fix
: the values of p and q, or the lengths of some of the other parameters.
: Still, if the implementation is general enough, this is a way to encrypt
: using nothing more than digital signature function.

If you need more information about what the various values mean, or how to create a DSA and/or ElGamal key, just ask.

Really, ElGamal is simple enough that if you have access to a large-number math package, writing your own is probably easier than trying to get DSA to do it. It is unlikely that you will find a DSA implementation which allows you to specify all the needed parameters above, particularly h and k. Usually h is forgotten after key generation and not used during signature, and implementations will probably want to choose k themselves since it is a very sensitive parameter.
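The call sequence quoted from Applied Cryptography in the message above, carried through in JavaScript with BigInt as an added example (not code from the thread or from the book). The `dsaSign` routine, the toy prime, the base and the key values are assumptions constructed for illustration, and `k` is fixed only so the run is reproducible.

```javascript
// Added example: ElGamal using only a generic DSA signing call (toy values).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

function modInv(a, mod) {                       // extended Euclid
  let [r0, r1, t0, t1] = [mod, a % mod, 0n, 1n];
  while (r1 !== 0n) {
    const quot = r0 / r1;
    [r0, r1] = [r1, r0 - quot * r1];
    [t0, t1] = [t1, t0 - quot * t1];
  }
  if (r0 !== 1n) throw new RangeError("not invertible");
  return ((t0 % mod) + mod) % mod;
}

// Hypothetical DSAsign(p, q, g, k, x, h) with every parameter caller-supplied.
function dsaSign(p, q, g, k, x, h) {
  const r = modPow(g, k, p) % q;                      // r = (g^k mod p) mod q
  const s = (modInv(k, q) * ((h + x * r) % q)) % q;   // s = k^-1 (h + x*r) mod q
  return { r, s };
}

function elgamalEncrypt(p, g, y, m, k) {
  const a = dsaSign(p, p, g, k, 0n, 0n).r;   // a = g^k mod p, s discarded
  const u = dsaSign(p, p, y, k, 0n, 0n).r;   // u = y^k mod p, s discarded
  const b = dsaSign(p, p, m, 1n, u, 0n).s;   // b = u*m mod p, r discarded
  return { a, b };
}

function elgamalDecrypt(p, x, { a, b }) {
  const e = dsaSign(p, p, a, x, 0n, 0n).r;   // e = a^x mod p
  return dsaSign(p, p, 1n, e, b, 0n).s;      // m = b * e^-1 mod p
}

// Constructed demo values; far too small and too fixed for real use.
const P = 2n ** 127n - 1n;           // a Mersenne prime
const G = 3n;                        // toy base
const X = 0x1234567890abcdefn;       // private key
const Y = modPow(G, X, P);           // public key y = g^x mod p
const K = 0xfedcba0987654321n;       // per-message secret, must be random in practice
const M = 0x48454c4c4fn;             // message, must be smaller than p
```

Every call passes `p` in the `q` slot and needs `k`, `x` and `h` to be settable from outside, which is the generality the message says most DSA implementations will not offer.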
At 06:25 AM 12/8/98 +0100, Anonymous wrote:
Of course, any manufacturer of Internet censorship proxy server software could easily add ians.ml.org to their list of blocked sites (as they have all already done with Anonymizer), so the idea would be for people to get their friends to set up port-forwarding programs on computers that were not blocked by the censoring proxy, and those could be set up to relay requests between the IANS server and the computer behind the proxy server.
It may not be so easy to get people to set up port-forwarding programs. These could be a target for hackers seeking to cover their tracks as they try break-ins.
The ports would only forward Web-based traffic, so an attack would have to be carried out over HTTP. The phf exploit is a notorious example; the IANS was modified early to specifically prevent it from being used for phf exploits. But most other attacks cannot be done just with a Web browser as far as I know. One additional option would be to distribute port-forwarding programs that keep logs of traffic. The standard port-forwarding program for Windows which we plan on recommending, Portpipe, does not do this, but we might write our own version that does.
Also, how many people in this day of commercial ISPs are able to set up port-forwarding programs?
Portpipe can be set up in thirty seconds on a Windows machine. What you need though is a machine that is connected more or less permanently to the Internet.
It would seem more promising to make your web page script be simple and portable enough that even users of AOL and free webpage hosts like GeoCities would be able to install it.
The problem with having lots of people run a copy of IANS is not that it couldn't be made easy to install, but in many cases it might not be even possible to install. Low-end Web page accounts do not allow the running of CGI scripts on the Web server.
I am working on a JavaScript form that could be used on the client side to solve this problem. We would like to use DSA to encrypt the requests sent using IANS, since I've heard DSA can be used for encryption without royalties, unlike, for example, RSA. [...] What you want to do is to use the mathematical principle behind DSA, which is the difficulty of solving the discrete log problem, and use an encryption algorithm which relies on that same math problem, namely Diffie-Hellman or ElGamal encryption. [...] If you need more information about what the various values mean, or how to create a DSA and/or ElGamal key, just ask.
Thanks! Some people had already pointed out to me that ElGamal would be an ideal choice, and was probably what I had in mind when I was looking for "a version of DSA that can be used for encryption". I'll follow the outline of the ElGamal algorithm given at http://www1.shore.net/~ws/Extras/Security-Notes/lectures/publickey.html and the outline given in _Applied Cryptography_ unless you have another recommendation.
Really, ElGamal is simple enough that if you have access to a large-number math package, writing your own is probably easier than trying to get DSA to do it. It is unlikely that you will find a DSA implementation which allows you to specify all the needed parameters above, particularly h and k. Usually h is forgotten after key generation and not used during signature, and implementations will probably want to choose k themselves since it is a very sensitive parameter.
I will probably have to write my own large-number package for JavaScript in order to implement ElGamal. You've given me enough to get started though, thanks! (If I have any more questions, I'll have to post them to the list since you're using the re-mailer :-) but maybe the list population will find this interesting anyway.)

-Bennett

bennett@peacefire.org (615) 421 5432 http://www.peacefire.org