0

Assume that sender and recipient both already have each others public keys(certificates). Sender needs to generate session key to encrypt some data and sends encrypted data to recipient. All offline - without interaction steps. But Sender must be authenticated. Could you advise well-known key management protocol to solve this problem?

I asked this question some times ago but it was deleted. Now I have found the exact answer and want to publish it.

Updated: I answered my own question but would be great if somebody comment or give alternative answer. I want to emphasize that protocol should be offline - interactive protocols like TLS doesn't fit. If such offline protocol without TLS-like handshakes are not possible without additional threats/attacks (replay and others) - please specify most secure protocol and its threats that it has but TSL doesn't. authentication of source is necessary. non repudiation is optional.

Vlad
  • 81
  • 9
  • my answer is from PKCS#7 but I may publish answer only in 10 hours after question according to local policy. – Vlad Sep 28 '13 at 20:55
  • Does a standard public-key signing algorithm not suffice? If the recipient has the sender's public key, the sender can just sign with their private key and the recipient can verify the signature. – B-Con Sep 28 '13 at 21:44
  • There are subtleties. $;$ –  Sep 28 '13 at 22:06
  • The question is what to sign(that is encrypt with private key). Data should not be encrypted with private key. Data should be encrypted by symmetric algorithm using some session key. By the way for this problem it is not important the concrete implementation of algorithm(RSA, ecdsa, ...) – Vlad Sep 29 '13 at 00:31
  • On the other hand, whether or not one needs non-repudiation is important. $;$ –  Sep 29 '13 at 00:37
  • The solution is intuitive. When I was asking the question I was rather looking for standard document that recommends safe solution. – Vlad Sep 29 '13 at 00:40
  • authentication of source is necessary. non repudiation is optional – Vlad Sep 29 '13 at 00:45

1 Answers1

1

There is an answer in PKCS#7 in section 11. Signed-and-enveloped-data content type. Below encryption with the signer's private key means signing process.

"The signed-and-enveloped-data content type consists of encrypted content of anytype, encrypted content-encryption keys for one or more recipients, and doubly encrypted message digests for one or more signers. The "double encryption" consists of an encryption with a signer's private key followed by an encryption with the content- encryption key.

The process by which signed-and-enveloped data is constructed involves the following steps:

    1.   A content-encryption key for a particular content-
         encryption algorithm is generated at random.

    2.   For each recipient, the content-encryption key is
         encrypted with the recipient's public key.

    3.   For each recipient, the encrypted content-
         encryption key and other recipient-specific
         information are collected into a RecipientInfo
         value, defined in Section 10.2.

    4.   For each signer, a message digest is computed on
         the content with a signer-specific message-digest
         algorithm. (If two signers employ the same message-
         digest algorithm, then the message digest need be
         computed for only one of them.)

    5.   For each signer, the message digest and associated
         information are encrypted with the signer's
         private key, and the result is encrypted with the
         content-encryption key. (The second encryption may
         require that the result of the first encryption be
         padded to a multiple of some block size; see
         Section 10.3 for discussion.)

    6.   For each signer, the doubly encrypted message
         digest and other signer-specific information are
         collected into a SignerInfo value, defined in
         Section 9.2.

    7.   The content is encrypted with the content-
         encryption key.

A recipient opens the envelope and verifies the signatures in two steps. First, the one of the encrypted content-encryption keys is decrypted with the recipient's private key, and the encrypted content is decrypted with the recovered content-encryption key. Second, the doubly encrypted message digest for each signer is decrypted with the recovered content-encryption key, the result is decrypted with the signer's public key, and the recovered message digest is compared to an independently computed message digest..."

Vlad
  • 81
  • 9