[14340] in cryptography@c2.net mail archive
Re: New authentication protocol, was Re: Tinc's response to 'Linux's answer to MS-PPTP'
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Tue Sep 30 16:52:49 2003
X-Original-To: cryptography@metzdowd.com
To: "Bill Stewart" <bill.stewart@pobox.com>
Cc: <guus@sliepen.eu.org>, <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 29 Sep 2003 11:56:07 -0700
In-Reply-To: <4427.216.240.32.1.1064855401.squirrel@smirk.idiom.com>
"Bill Stewart" <bill.stewart@pobox.com> writes:
> > If we use RSA encryption, then both sides know their message can only
> > be received by the intended recipient. If we use RSA signing, then
> > both sides know the message they receive can only come from the assumed
> > sender. For the purpose of tinc's authentication protocol, I don't see
> > the difference, but...
> >
> > > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > > equal to zero, no matter what the peer's DH key is.
>
> You need to validate the DH keyparts even if you're
> corresponding with the person you thought you were.
> This is true whether you're using signatures, encryption, or neither.
Not necessarily.
If you're using fully ephemeral DH keys and a properly designed
key, then you shouldn't need to validate the other public share.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
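
The degenerate-share case quoted in the message above (a DH public value of 0 forcing ZZ to zero) and the kind of public-share validation Bill Stewart refers to, as an added example that is not part of the original thread. The toy group (P, Q, G) and all function names are constructed for illustration; a real deployment would use a standardized group of at least 2048 bits.

```python
import secrets

# Constructed toy parameters (assumption, far too small for real use):
# P is a safe prime, P = 2*Q + 1, and G = 4 is a square mod P, so it
# generates the subgroup of prime order Q.
P = 2039
Q = 1019
G = 4

def shared_secret(peer_public, own_private, p=P):
    """ZZ = peer_public ^ own_private mod p, as computed by each side."""
    return pow(peer_public, own_private, p)

def validate_public_share(y, p=P, q=Q):
    """Return (ok, reason) for a received DH public value y."""
    if not isinstance(y, int):
        return False, "not an integer"
    # Rejects 0, 1, p-1 and anything not reduced mod p (p itself acts as 0).
    if not 2 <= y <= p - 2:
        return False, "out of range [2, p-2]"
    # Membership in the order-q subgroup; for a safe prime this rejects
    # every remaining element that is not a quadratic residue.
    if pow(y, q, p) != 1:
        return False, "not in the order-q subgroup"
    return True, "ok"

def degenerate_outcomes(p=P, q=Q, trials=50):
    """Map each degenerate share to the set of ZZ values it can produce
    against randomly chosen honest private keys."""
    outcomes = {}
    for y in (0, 1, p - 1, p):
        outcomes[y] = {
            shared_secret(y, secrets.randbelow(q - 1) + 1, p)
            for _ in range(trials)
        }
    return outcomes

if __name__ == "__main__":
    for y, zz in degenerate_outcomes().items():
        print(f"share {y:>4}: ZZ in {sorted(zz)}  validate -> {validate_public_share(y)}")
    honest = pow(G, secrets.randbelow(Q - 1) + 1, P)
    print(f"honest share {honest}: validate -> {validate_public_share(honest)}")
```
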