DH with shared secret
Jack Lloyd
lloyd at randombit.net
Fri Oct 3 05:13:34 EDT 2003
This was just something that popped into my head a while back, and I was
wondering if this works like I think it does. And who came up with it
before me, because it's way too obvious. It's just that I've never heard of
something along these lines before.

Basically, you share some secret with someone else (call it S). Then you
do a standard issue DH exchange, but instead of the shared key being
g^(xy), it's g^(xyS).

My impression is that, unless you know S, you can't do a successful MITM
attack on the exchange. Additionally, AFAICT, it provides PFS, since if
someone later recovers S, there's still that nasty DH exchange to deal
with. Of course after S is known MITM becomes possible.

Given the recent climate around here, I'll add that I'm not planning on
using this for anything (I only use TLS, I swear! :P), I just thought it
was a semi-interesting idea.
-Jack
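
The arithmetic of the exchange described in the post, as an added example that is not part of the original message or the poster's code. The toy group (the prime 2**127 - 1 with generator 3), the SHA-256 mapping of S to an integer and the hashing of the result into a key are all assumptions chosen for illustration; the block shows what each side can compute and is not a security evaluation of the scheme.

```python
import hashlib
import secrets

# Toy parameters (assumptions, far too small for real use):
# the Mersenne prime 2**127 - 1 as modulus and 3 as generator.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def secret_exponent(s: bytes) -> int:
    """Map the pre-shared secret S to an integer (hypothetical encoding)."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big")

def session_key(own_priv: int, peer_pub: int, s: bytes) -> bytes:
    """Compute g^(xyS) as peer_pub^(own_priv * S) and hash it into a key."""
    shared = pow(peer_pub, own_priv * secret_exponent(s), P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def plain_dh_key(own_priv: int, peer_pub: int) -> bytes:
    """Standard DH key g^(xy): all that a party without S can compute."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def run_exchange(s_alice: bytes, s_bob: bytes):
    """Both sides swap public values and each mixes in its own copy of S."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub, s_alice), session_key(b_priv, a_pub, s_bob)

def run_intercepted(s: bytes):
    """A middle party replaces Bob's public value with its own g^m, without S."""
    a_priv, a_pub = keypair()
    m_priv, m_pub = keypair()
    alice_key = session_key(a_priv, m_pub, s)    # g^(x*m*S)
    middle_key = plain_dh_key(m_priv, a_pub)     # g^(x*m), S is unavailable
    return alice_key, middle_key

if __name__ == "__main__":
    ka, kb = run_exchange(b"constructed secret", b"constructed secret")
    print("honest keys match:", ka == kb)
    ka, km = run_intercepted(b"constructed secret")
    print("intercepted keys match:", ka == km)
```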
---------------------------------------------------------------------
The Cryptography Mailing List