This is an idea to secure http much as https aspires to. It is based on Diffie-Helman in order to avoid a cost of testing for primality. Diffie-Helman presumes a large enough public prime prime P to make the discrete logarithm practically impossible. P is roughly 1500 bits long. A primitive root R is also chosen and published. Every body knows both P and R.

A site chooses a secret number S less than P and publishes PKS = RS mod P which serves as a public key corresponding to the private key S. A 128 bit hash HS is also significant and anyone who knows RS mod P can compute HS.

An URL for the site can be either:

long
and include the public key in place of the domain name, or
short
and include HS as the domain name.

When a browser comes upon a long URL to the site it finds the sites public key, PKS, it computes HS and consults DNS with that. It then encrypts a request to the site with RSB mod P where B is the browser’s private key. Included in the request is the plain text of the browser’s public key RB mod P. No extra round trips are required.

When a browser comes upon a short URL to the site it consults a cache it maintains of maps from hashes to public keys. If it is not there it queries the site asking for its full public key. The browser hashes the response and insures that the the proffered public key has the right hash. It adds the pair to the cache.

Perhaps some DNS servers might provide a public key along with an IP address.


I have not decided on whether this is an improvement on other schemes that rely on RSA or other public key protocols to supplant X.509.