[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DSA for encryption



On Sun, 06 Dec 1998 22:25:57 -0600, Bennett Haselton <[email protected]>
wrote:

>I'm working on an enhancement to a Web-based program that allows you to
>circumvent proxy server censorship by sending a request for a Web page to a
>computer in the outside world that is not blocked by the proxy, and having
>that computer re-send a copy of the banned page back to you.

Good idea!

>Of course, any manufacturer of Internet censorship proxy server software
>could easily add ians.ml.org to their list of blocked sites (as they have
>all already done with Anonymizer), so the idea would be for people to get
>their friends to set up port-forwarding programs on computers that were not
>blocked by the censoring proxy, and those could be set up to relay requests
>between the IANS server and the computer behind the proxy server.

It may not be so easy to get people to set up port-forwarding programs.
These could be a target for hackers seeking to cover their tracks as they
try break-ins.  Also, how many people in this day of commercial ISPs are
able to set up port-forwarding programs?

It would seem more promising to make your web page script be simple
and portable enough that even users of AOL and free webpage hosts like
GeoCities would be able to install it.

>I am working on a JavaScript form that could be used on the client side to
>solve this problem.  We would like to use DSA to encrypt the requests sent
>using IANS, since I've heard DSA can be used for encryption without
>royalties, unlike, for example, RSA.

DSA per se is probably not your best choice - unless you already have a
DSA implementation which you want to try to use.  DSA is a signature
algorithm, and while it is sometimes possible to use a DSA implementation
to do encryption, it is not particularly convenient.

What you want to do is to use the mathematical principle behind DSA, which
is the difficulty of solving the discrete log problem, and use an encryption
algorithm which relies on that same math problem, namely Diffie-Hellman or
ElGamal encryption.

If you need to use DSA, Bruce Schneier describes in his book Applied
Cryptography how to get the effect of ElGamal encryption.  Here is what
he writes, on page 490:

: ElGamal Encryption with DSA
: 
: There have been allegations that the government likes the DSA because it is
: only a digital signature algorithm and can't be used for encryption.  It is,
: however, possible to use the DSA function call to do ElGamal encryption.
: 
: Assume that the DSA algorithm is implemented with a single function call:
: 
:     DSAsign (p, q, g, k, x, h, r, s)
: 
: You supply the numbers p, q, g, k, x, and h, and the function returns the
: signature parameters: r and s.
: 
: To do ElGamal encryption of message m with public key y, choose a random
: number k, and call
: 
:     DSAsign (p, p, g, k, 0, 0, r, s)
: 
: The value of r returned is a in the ElGamal scheme.  Throw s away.  Then,
: call
: 
:     DSAsign (p, p, y, k, 0, 0, r, s)
: 
: Rename the value of r to be u; throw s away.  Call
: 
:     DSAsign (p, p, m, 1, u, 0, r, s)
: 
: Throw r away.  The value of s returned is b in the ElGamal scheme.  You now
: have the ciphertext, a and b.
: 
: Decryption is just as easy.  Using secret key x, and ciphertext messages
: a and b, call
: 
:     DSAsign (p, p, a, x, 0, 0, r, s)
: 
: The value r is a^x mod p.  Call that e.  Then call
: 
:     DSAsign (p, p, 1, e, b, 0, r, s)
: 
: The value s is the plaintext message, m.
: 
: This method will not work with all implementations of DSA.  Some may fix
: the value sof p and q, or the lengths of some of the other parameters.
: Still, if the implementation is general enough, this is a way to encrypt
: using nothing more than digital signature function.

If you need more information about what the various values mean, or how
to create a DSA and/or ElGamal key, just ask.

Really, ElGamal is simple enough that if you have access to a large-number
math package, writing your own is probably easier than trying to get DSA
to do it.  It is unlikely that you will find a DSA implementation which
allows you to specify all the needed parameters above, particularly h
and k.  Usually h is forgotten after key generation and not used during
signature, and implementions will probably want to choose k themselves
since it is a very sensitive parameter.