One party (master) wants to send data to another party (slave) over an insecure channel using public-key encryption and signature schemes such that:
- master is authenticated,
- data is confidential,
- data cannot be replayed.
The minimal assumptions are:
- master has slave's public encryption key,
- slave has master's public verification key,
- the public keys are trusted (how they were obtained is immaterial).
The data can be chosen by master or not (e.g. maybe use a KEM instead of PKE to transmit random data). I would also like to protect against replay attacks. For an application, think of remotely (re)setting a key on some device without any pre-shared material; I don't want an adversary to replay a previous exchange.
Something like encrypt-then-sign with a nonce:
- master sends request to slave,
- slave generates, stores, and sends nonce $r$ to master,
- master encrypts the data $d$ together with the nonce $r$, $c=\texttt{enc}(d\|r)$, signs the ciphertext $\sigma=\texttt{sig}(c)$, and sends both $(c,\sigma)$ to slave,
- slave verifies and decrypts.
Or perhaps sign-then-encrypt with a nonce:
- master sends request to slave,
- slave generates, stores, and sends nonce $r$ to master,
- master signs and encrypts some combination of data and nonce, e.g. $c=\texttt{enc}(d\|\texttt{sig}(d\|r))$, and sends ciphertext to slave,
- slave decrypts and verifies.
Coming up with your own protocol is a bad idea, but I can't find a reference fitting my needs. Can someone give a reference or an outline of such a protocol (asymmetric primitives, one-sided authentication, replay protection)?
EDIT: Why not use TLS? Maybe I should, but I don't know the ins and outs of it. Some considerations:
- There is no PKI; certificates would be self-signed if used.
- There is no secure Diffie-Hellman I can use.
- I don't need mutual authentication.
- I can't use timestamps.
- I don't need baggage like cipher suites, etc.
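The encrypt-then-sign-with-a-nonce exchange sketched in the question, as an added example that is not the asker's code: it uses only the Go standard library, with RSA-OAEP for the slave's encryption key and Ed25519 for the master's signing key as assumed primitive choices, and `Slave`, `Challenge`, `MasterSend` and `Receive` as hypothetical names. The point it adds is the slave-side check that consumes the stored nonce, so a second delivery of the same $(c,\sigma)$ is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const nonceLen = 16 // length in bytes of the slave's nonce r (assumed)

// Slave holds its RSA decryption key, the master's verification key and the pending nonce.
type Slave struct {
	dec     *rsa.PrivateKey
	verify  ed25519.PublicKey
	pending []byte // nil when no request is outstanding
}

// Challenge is step 2: the slave generates, stores and sends a fresh nonce r.
func (s *Slave) Challenge() []byte {
	s.pending = make([]byte, nonceLen)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err)
	}
	return s.pending
}

// MasterSend is step 3: c = enc(d||r) under the slave's public key, sigma = sig(c).
func MasterSend(enc *rsa.PublicKey, sk ed25519.PrivateKey, d, r []byte) (c, sigma []byte, err error) {
	pt := append(append([]byte{}, d...), r...)
	if c, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, enc, pt, nil); err != nil {
		return nil, nil, err
	}
	return c, ed25519.Sign(sk, c), nil
}

// Receive is step 4: verify, decrypt, check the nonce, then consume it so a replay is rejected.
func (s *Slave) Receive(c, sigma []byte) ([]byte, error) {
	if !ed25519.Verify(s.verify, c, sigma) {
		return nil, errors.New("signature does not verify")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.dec, c, nil)
	if err != nil || len(pt) < nonceLen || !bytes.Equal(pt[len(pt)-nonceLen:], s.pending) {
		return nil, errors.New("decryption failed, nonce mismatch, or replay")
	}
	s.pending = nil // consume the nonce: a second delivery of (c, sigma) now fails
	return pt[:len(pt)-nonceLen], nil
}
```

Because the nonce is inside the OAEP plaintext and the signature covers the whole ciphertext, a modified ciphertext fails verification and a message built for an earlier nonce fails the equality check.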