DH with shared secret

Xunhua Wang wangxx at jmu.edu
Fri Oct 3 13:45:26 EDT 2003


Your scheme might work for a long random secret. However, if the shared
secret is a short one (say a password), depending on how the key
confirmation is performed, it would still be vulnerable to off-line
dictionary attacks. More related information can be found at
http://grouper.ieee.org/groups/1363/passwdPK/index.html.

Steve

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Jack Lloyd
Sent: Friday, October 03, 2003 5:14 AM
To: cryptography at metzdowd.com
Subject: DH with shared secret

This was just something that popped into my head a while back, and I was
wondering if this works like I think it does. And who came up with it
before me, because it's way too obvious. It's just that I've never heard
of something along these lines before.

Basically, you share some secret with someone else (call it S). Then you
do a standard issue DH exchange, but instead of the shared key being
g^(xy), it's g^(xyS).

My impression is that, unless you know S, you can't do a successful MITM
attack on the exchange. Additionally, AFAICT, it provides PFS, since if
someone later recovers S, there's still that nasty DH exchange to deal
with. Of course after S is known MITM becomes possible.

Given the recent climate around here, I'll add that I'm not planning on
using this for anything (I only use TLS, I swear! :P), I just thought it
was a semi-interesting idea.

-Jack

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com
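
Added example, not part of either message above: a Python sketch of the point in the reply, that with a short S one recorded key-confirmation value lets a party who chose its own DH exponent test candidate secrets without any further protocol messages. The toy prime, the SHA-256 encoding of S, the HMAC-based key confirmation and all function names are assumptions made for illustration; the thread does not specify them.

```python
import hashlib, hmac, secrets

# Toy parameters for illustration only (assumption, not from the thread).
P = 2**255 - 19   # a known prime, not a vetted DH group
G = 2

def secret_to_int(s: str) -> int:
    """Map the shared secret S to an exponent (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")

def session_key(peer_public: int, own_private: int, s: str) -> bytes:
    """K = H(peer_public^(own_private * S) mod P), i.e. H(g^(xyS))."""
    shared = pow(peer_public, own_private * secret_to_int(s), P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def confirm_tag(key: bytes) -> bytes:
    """Assumed key confirmation: a MAC over a fixed label under K."""
    return hmac.new(key, b"key-confirmation", hashlib.sha256).digest()

def honest_run(s: str) -> bool:
    """Two parties holding the same S derive the same key."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    ka = session_key(pow(G, y, P), x, s)
    kb = session_key(pow(G, x, P), y, s)
    return hmac.compare_digest(ka, kb)

def offline_guess(peer_public, own_private, tag, candidates):
    """Check each candidate S against one recorded confirmation tag.
    Needs only the peer's public value and the caller's own exponent,
    so the cost is bounded by the size of the candidate space."""
    for guess in candidates:
        k = session_key(peer_public, own_private, guess)
        if hmac.compare_digest(confirm_tag(k), tag):
            return guess
    return None

def demo(password, candidates):
    """Alice confirms first to a peer that does not know S."""
    x = secrets.randbelow(P - 2) + 1   # Alice's exponent
    m = secrets.randbelow(P - 2) + 1   # exponent of the party in Bob's place
    gx, gm = pow(G, x, P), pow(G, m, P)
    tag = confirm_tag(session_key(gm, x, password))  # sent by Alice
    return offline_guess(gx, m, tag, candidates)
```

A long random S makes the candidate loop infeasible, which is the case the reply says might work; the password-based protocols collected at the IEEE P1363 link are designed so that no message gives an offline check of this kind.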
