Feng Bao, Robert H. Deng, Wenbo Mao
IEEE Symposium on Security and Privacy 1998
Protocol
1 Fair Exchange of Signatures on A Common File
PK+: public encryption key; + indicates public
sk-: signing encryption key; - indicates private
Cert: value that can be used to prove that a ciphertext was encrypted with a PK and that the value encrypted was M signed by sk
Veri(Cert, CT, M, PKT, pkA): determines whether the message within M was signed by pkA and then encrypted by PKT, with the help of Cert
SB(x): B signs x with signing key skB-
dSB(x): decrypt x with signing decryption key skB+
CT: PT(m)
PT(x): public key encryption of x with T's PKT+
dPT(x): public key decryption of x with T's PKT- key
A and B want to exchange signatures of a document that is not valid until both parties have signed the document. However, neither party wants to be denied a copy of the other’s signature.
A -> B: CT, Cert
B: if Veri(Cert, CT, M, PKT, pkA) = yes then
B -> A: SB(M)
A: if (SB(M) correct) then
A -> B: SA(M)
B: if not(correct SA(M)) then
B -> T: MA, MB, CT, SB(M)
T: if ((SB(M) correct) & (SA(M) correct)) then
T -> A: SB(M)
T -> B: SA(M)
Notes:
* How does T know what M is in order to determine whether contracts are valid? Does this mean that M must be plaintext? Or does it mean that T just compares the contents of the two signatures to see that they are the same?
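The dispute path of the common-file protocol above, as an added example that is not code from the paper or from these notes. It assumes toy textbook RSA with tiny, insecure keys in place of the paper's signature and encryption schemes, omits Cert/Veri, and has B send T the plaintext M along with CT and SB(M); all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys (assumption)

def keygen(p, q):
    """Toy textbook-RSA key from two known primes; insecure, illustration only."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(m, n):
    """Hash the message bytes into Z_n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(key, m):            # S_X(m), uses the private exponent d
    return pow(h(m, key["n"]), key["d"], key["n"])

def verify(key, m, sig):     # uses only the public part (n, e)
    return pow(sig, key["e"], key["n"]) == h(m, key["n"])

def encrypt(key, x):         # PT(x); x must be smaller than T's modulus
    assert 0 <= x < key["n"]
    return pow(x, key["e"], key["n"])

def decrypt(key, c):         # dPT(c)
    return pow(c, key["d"], key["n"])

# Constructed keys from Mersenne primes; T's modulus exceeds A's so SA(M) fits.
A = keygen(2**31 - 1, 2**61 - 1)
B = keygen(2**19 - 1, 2**89 - 1)
T = keygen(2**107 - 1, 2**127 - 1)

def ttp_resolve(m, ct, sig_b):
    """T: decrypt CT, check both signatures on m, release both or neither."""
    sig_a = decrypt(T, ct)
    if verify(B, m, sig_b) and verify(A, m, sig_a):
        return {"to_A": sig_b, "to_B": sig_a}
    return None

def run_exchange(m, a_sends_final=True):
    ct = encrypt(T, sign(A, m))          # A -> B: CT (Cert omitted here)
    sig_b = sign(B, m)                   # B -> A: SB(M)
    if not verify(B, m, sig_b):          # A: check SB(M)
        return None
    if a_sends_final:                    # A -> B: SA(M), T never involved
        return {"to_A": sig_b, "to_B": sign(A, m)}
    return ttp_resolve(m, ct, sig_b)     # B -> T: M, CT, SB(M)
```

In this sketch T learns M because B submits it in the clear, which is one of the two readings raised in the note above; T then hands SB(M) to A as well, so B cannot use the dispute path to obtain SA(M) without A receiving SB(M).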
signA: SA(MA, hash(MB))
signB: SB(MB, hash(MA))
CT: PT(signA)
A -> B: CT, Cert
B: if Veri(Cert, CT, MA, PKT, pkA) = yes then
B -> A: SB(M)
A: if (SB(M) correct) then
A -> B: SA(M)
B: if not(correct SA(M)) then
B -> T: MA, MB, CT, SB(M)
T: if ((SB(M) correct) & (SA(M) correct)) then
T -> A: SB(M)
T -> B: SA(M)
signA: SA(hash(M))
A -> B: CT, Cert
B: if Veri(Cert, CT, M, PKT, pkA) = yes then
B -> A: M
A: if (M correct) then
A -> B: SA(M)
B: if not(correct SA(M)) then
B -> T: M, CT
T: if (SA(M) correct) then
T -> A: M
T -> B: SA(M)
Notes:
Assumes that A already possesses a one-way hash of the message desired so that A knows it is signing the correct item.