[14357] in cryptography@c2.net mail archive
Re: New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Tue Sep 30 22:00:34 2003
X-Original-To: cryptography@metzdowd.com
To: Guus Sliepen <guus@sliepen.eu.org>
Cc: Cryptography list <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 30 Sep 2003 16:47:20 -0700
In-Reply-To: <20030930160959.GK715@sliepen.eu.org>
Guus Sliepen <guus@sliepen.eu.org> writes:
> On Mon, Sep 29, 2003 at 02:07:04PM +0200, Guus Sliepen wrote:
>
> > Step 2:
> > Exchange METAKEY messages. The METAKEY message contains the public part
> > of a key used in a Diffie-Hellman key exchange. This message is
> > encrypted using RSA with OAEP padding, using the public key of the
> > intended recipient.
>
> After comments and reading up on suggested key exchange schemes, I think
> this step should be changed to send the Diffie-Hellman public key in
> plaintext, along with a nonce (large random number) to prevent replays
> and the effects of bad DH public keys. Instead of encrypting both with
> RSA, they should instead be signed using the private key of the sender
> (the DH public key and nonce wouldn't fit in a single RSA message
> anyway).
>
> IKEv2 (as described in draft-ietf-ipsec-ikev2-10.txt) does almost the
> same. However, IKEv2 does not send the signature directly, but first
> computes the shared key, and uses that to encrypt (using a symmetric
> cipher) the signature. I do not see why they do it that way; the
> signature has to be checked anyway, if it can be done before computing
> the shared key it saves CPU time. Encrypting it does not prevent a man
> in the middle from reading or altering it, since a MITM can first
> exchange his own DH public key with both sides (and hence he can know
> the shared keys). So actually, I don't see the point in encrypting
> message 3 and 4 as described at page 8 of that draft at all.
In order to hide the identities of the communicating peers.
Personally, I don't have much use for identity protection,
but this is the reason as I understand it.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
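An added example (not code from this thread or from tinc) of the revised step 2 Guus proposes together with the reason Eric gives for IKEv2's encryption: the DH value and nonce go out in the clear, and each side's signature and identity travel in message 3/4 encrypted under the fresh DH key, so a passive observer sees neither name. It assumes Go's standard library, X25519 in place of classic DH, Ed25519 in place of RSA signatures, and uses the raw shared secret as the AES-GCM key where a real protocol would run a KDF.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
)
// Peer: long-term Ed25519 key (standing in for the thread's RSA key) plus a fresh X25519 value and nonce per run.
type Peer struct {
	Name  string
	Pub   ed25519.PublicKey
	prv   ed25519.PrivateKey
	eph   *ecdh.PrivateKey
	nonce []byte
}
func NewPeer(name string) *Peer {
	pub, prv, _ := ed25519.GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return &Peer{name, pub, prv, eph, nonce}
}
// cat concatenates into a fresh slice so callers' buffers are never aliased.
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// Hello is message 1/2: the 32-byte DH public value and 16-byte nonce, sent in the clear.
func (p *Peer) Hello() []byte { return cat(p.eph.PublicKey().Bytes(), p.nonce) }
// aead keys AES-GCM with the DH shared secret (toy: used raw; a real protocol runs a KDF).
func (p *Peer) aead(peerHello []byte) cipher.AEAD {
	peerPub, _ := ecdh.X25519().NewPublicKey(peerHello[:32])
	ss, _ := p.eph.ECDH(peerPub)
	block, _ := aes.NewCipher(ss)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Auth is message 3/4: signature over both hellos plus the sender's name, encrypted under the DH key (own nonce as IV, so the two directions never share one).
func (p *Peer) Auth(peerHello []byte) []byte {
	sig := ed25519.Sign(p.prv, cat(p.Hello(), peerHello))
	return p.aead(peerHello).Seal(nil, p.nonce[:12], cat(sig, []byte(p.Name)), nil)
}
// Verify decrypts message 3/4 with the peer's nonce as IV, looks the claimed name up in a directory of trusted keys, and checks the signature over the transcript as seen here.
func (p *Peer) Verify(peerHello, auth []byte, dir map[string]ed25519.PublicKey) bool {
	pt, err := p.aead(peerHello).Open(nil, peerHello[32:44], auth, nil)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return false
	}
	pub, known := dir[string(pt[ed25519.SignatureSize:])]
	return known && ed25519.Verify(pub, cat(peerHello, p.Hello()), pt[:ed25519.SignatureSize])
}
```

Because the signature covers both sides' DH values, a message 3/4 only verifies when the hellos each party saw are the ones that were actually signed; a changed DH value fails at decryption and at signature check alike.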
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com