DH with shared secret
Eric Rescorla
ekr at rtfm.com
Fri Oct 3 13:49:50 EDT 2003
Jack Lloyd <lloyd at randombit.net> writes:
> This was just something that popped into my head a while back, and I was
> wondering if this works like I think it does. And who came up with it
> before me, because it's way too obvious. It's just that I've never heard of
> something along these lines before.
>
> Basically, you share some secret with someone else (call it S). Then you
> do a standard issue DH exchange, but instead of the shared key being
> g^(xy), it's g^(xyS)
>
> My impression is that, unless you know S, you can't do a successful MITM
> attack on the exchange. Additionally, AFAICT, it provides PFS, since if
> someone later recovers S, there's still that nasty DH exchange to deal
> with. Of course after S is known MITM becomes possible.
The problem with this protocol is that a single MITM allows
a dictionary attack. There are better ways to do this.
Keywords: EKE, SRP, SPEKE
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
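
Why one interposed run is enough for an offline dictionary attack on the g^(xyS) scheme, as an added example that is not part of the original message or either poster's code. Assumptions: a toy group (Mersenne prime 2**127 - 1, base 3), S derived from a password with SHA-256, an HMAC key-confirmation message, and a constructed word list.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption): Mersenne prime 2**127 - 1, base 3.
P = 2**127 - 1
G = 3

def secret_to_int(password: str) -> int:
    """Map the shared secret S to an exponent (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")

def session_key(peer_public: int, my_exponent: int, s: int) -> bytes:
    """Key from the quoted scheme: peer_public^(my_exponent * S) = g^(xyS)."""
    shared = pow(peer_public, my_exponent * s, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def confirm_tag(key: bytes) -> bytes:
    """Assumed key-confirmation message; any visible use of the key plays this role."""
    return hmac.new(key, b"key confirmation", hashlib.sha256).digest()

def honest_initiator(password: str, peer_public: int, x: int) -> bytes:
    """Alice's side: she believes peer_public came from Bob."""
    return confirm_tag(session_key(peer_public, x, secret_to_int(password)))

def offline_guess(alice_public, z, observed_tag, candidates):
    """The party in the middle knows z and g^x, so every candidate S can be
    tested locally against the single tag it observed: g^(xzS') vs g^(xzS)."""
    for guess in candidates:
        key = session_key(alice_public, z, secret_to_int(guess))
        if hmac.compare_digest(confirm_tag(key), observed_tag):
            return guess
    return None

def run_demo(password, candidates):
    x = secrets.randbelow(P - 3) + 2   # Alice's ephemeral exponent
    z = secrets.randbelow(P - 3) + 2   # exponent substituted by the party in the middle
    alice_public = pow(G, x, P)
    tag = honest_initiator(password, pow(G, z, P), x)  # the one intercepted run
    return offline_guess(alice_public, z, tag, candidates)

if __name__ == "__main__":
    words = ["letmein", "hunter2", "correct horse", "tr0ub4dor"]  # constructed list
    print(run_demo("correct horse", words))
```

The guessing loop needs no further traffic from Alice, which is the property password-authenticated key exchanges such as the ones named in the reply are designed to remove: there, each interposed run tests at most one guess.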