[17006] in cryptography@c2.net mail archive
RE: I'll show you mine if you show me, er, mine
daemon@ATHENA.MIT.EDU (Whyte, William)
Sat Mar 5 10:31:55 2005
X-Original-To: cryptography@metzdowd.com
From: "Whyte, William" <WWhyte@ntru.com>
To: pgut001@cs.auckland.ac.nz, cryptography@metzdowd.com,
cypherpunks@al-qaeda.net, rah@shipwright.com
Date: Thu, 3 Mar 2005 22:24:24 -0500
I haven't read the original paper, and I have a great deal of
respect for Markus Jakobsson. However, techniques that establish
that the parties share a weak secret without leaking that secret
have been around for years -- Bellovin and Merritt's DH-EKE,
David Jablon's SPEKE. And they don't require either party to
send the password itself at the end.
William
> -----Original Message-----
> From: pgut001@cs.auckland.ac.nz [mailto:pgut001@cs.auckland.ac.nz]
> Sent: Wednesday, February 23, 2005 7:30 AM
> To: cryptography@metzdowd.com; cypherpunks@al-qaeda.net;
> rah@shipwright.com
> Subject: Re: I'll show you mine if you show me, er, mine
>
>
> "R.A. Hettinga" <rah@shipwright.com> forwarded:
>
> >Briefly, it works like this: point A transmits an encrypted message to
> >point B. Point B can decrypt this, if it knows the password. The
> >decrypted text is then sent back to point A, which can verify the
> >decryption, and confirm that point B really does know point A's
> >password. Point A then sends the password to point B to confirm that it
> >really is point A, and knows its own password.
>
> Isn't this a Crypto 101 mutual authentication mechanism (or at least a
> somewhat broken reinvention of such)? If the exchange to prove knowledge
> of the PW has already been performed, why does A need to send the PW to
> B in the last step? You either use timestamps to prove freshness or add
> an extra message to exchange a nonce and then there's no need to send
> the PW. Also in the above B is acting as an oracle for password-guessing
> attacks, so you don't send back the decrypted text but a
> recognisable-by-A encrypted response, or garbage if you can't decrypt
> it, taking care to take the same time whether you get a valid or invalid
> message to avoid timing attacks. Blah blah Kerberos blah blah done
> twenty years ago blah blah a'om bomb blah blah.
>
> (Either this is a really bad idea or the details have been mangled by
> the Register).
>
> Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
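The two points made in this thread, that a nonce-based exchange removes any need to send the password itself, and that a password-authenticated key exchange such as SPEKE lets both sides prove knowledge of a weak secret without leaking it, can be seen together in one runnable sketch. The following is an added example written for this archive page, not code from either poster or from Jablon's SPEKE paper: a SPEKE-style Diffie-Hellman exchange whose generator is derived from the password, followed by mutual key confirmation with HMAC over fresh nonces and a constant-time comparison. The safe-prime group is generated at import time purely to keep the example self-contained (a demo-size 256-bit group, an assumption made here; real deployments use a standardised group and a vetted library), and the party names, message layout and `run_protocol` helper are likewise this example's own choices.

```python
"""Added example (not from the thread): SPEKE-style password-authenticated
key exchange plus nonce-based key confirmation. Neither side ever sends the
password; each proves knowledge of it only through an HMAC over the other
side's fresh nonce, so nothing in the transcript can be replayed."""
import hashlib
import hmac
import secrets

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (trial division by small primes first)."""
    if n < 2:
        return False
    for s in _SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int = 256) -> tuple:
    """Return (p, q) with p = 2q + 1 both prime. Demo-size group; an
    assumption of this example, not a recommended parameter choice."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if any(p % s == 0 for s in _SMALL_PRIMES):
            continue
        if is_probable_prime(q, rounds=8) and is_probable_prime(p):
            return p, q


def speke_generator(password: bytes, p: int) -> int:
    """SPEKE: g = H(pw)^2 mod p, a quadratic residue, so g lies in the
    order-q subgroup of Z_p^* and never reveals the password directly."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big")
    g = pow(h, 2, p)
    if g in (0, 1, p - 1):
        raise ValueError("degenerate generator")
    return g


class Party:
    """One protocol participant holding its password-derived generator,
    ephemeral exponent, fresh nonce and (after exchange) the session key."""

    def __init__(self, name: bytes, password: bytes, p: int, q: int):
        self.name, self.p, self.q = name, p, q
        self.g = speke_generator(password, p)
        self.x = secrets.randbelow(q - 1) + 1          # ephemeral secret in [1, q-1]
        self.public = pow(self.g, self.x, p)             # sent on the wire
        self.nonce = secrets.token_bytes(16)             # fresh challenge, sent on the wire
        self.key = None

    def derive_key(self, peer_public: int) -> None:
        # Reject out-of-range values and anything outside the order-q subgroup.
        if not 1 < peer_public < self.p - 1 or pow(peer_public, self.q, self.p) != 1:
            raise ValueError("bad peer public value")
        shared = pow(peer_public, self.x, self.p)
        self.key = hashlib.sha256(shared.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()

    def prove(self, peer_name: bytes, peer_nonce: bytes) -> bytes:
        # Tag over the verifier's nonce (freshness) and both names (no reflection).
        return hmac.new(self.key, b"confirm|" + peer_name + b"|" + peer_nonce + b"|" + self.nonce,
                        hashlib.sha256).digest()

    def verify(self, peer_name: bytes, peer_nonce: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, b"confirm|" + self.name + b"|" + self.nonce + b"|" + peer_nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)        # constant-time comparison


def run_protocol(password_a: bytes, password_b: bytes, group: tuple) -> tuple:
    """Run A<->B; returns (A accepts B, B accepts A). Only public values,
    nonces and HMAC tags cross the wire; the password never does."""
    p, q = group
    a, b = Party(b"A", password_a, p, q), Party(b"B", password_b, p, q)
    a.derive_key(b.public)                               # messages 1 and 2: publics + nonces
    b.derive_key(a.public)
    a_accepts = a.verify(b"B", b.nonce, b.prove(b"A", a.nonce))   # message 3: B answers A's nonce
    b_accepts = b.verify(b"A", a.nonce, a.prove(b"B", b.nonce))   # message 4: A answers B's nonce
    return a_accepts, b_accepts                          # a real A would abort before message 4 on failure


GROUP = gen_safe_prime(256)

if __name__ == "__main__":
    print("same password:", run_protocol(b"correct horse", b"correct horse", GROUP))
    print("wrong password:", run_protocol(b"correct horse", b"wrong horse", GROUP))
```

With matching passwords both sides accept; with a mismatch both generators differ, the derived keys differ, and both tags fail the constant-time check. Contrast this with the scheme described in the forwarded article: no party returns a decrypted challenge that an attacker could use as a guessing oracle, and no final message carries the password, since the HMAC tags over each other's nonces already prove knowledge of it in both directions.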