New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"

Guus Sliepen guus at sliepen.eu.org
Mon Sep 29 11:57:46 EDT 2003


On Mon, Sep 29, 2003 at 07:53:29AM -0700, Eric Rescorla wrote:

> I'm trying to figure out why you want to invent a new authentication
> protocol rather than just going back to the literature and ripping
> off one of the many skeletons that already exist (

Several reasons. Because it's fun, because we learn more from doing it
ourselves (we learn from our mistakes too), because we want something
that fits our needs. We could've just grabbed one from the shelf, but
then we could also have grabbed IPsec or PPP-over-SSH from the shelf,
instead of writing our own VPN daemon. However, we wanted something
different.

> STS,

If you mean station-to-station protocol, then actually that is pretty
much what we are doing now, except for encrypting instead of signing
using RSA.

> JFK, IKE, SKEME, SIGMA, etc.).

And I just ripped TLS from the list.

> That would save people from the trouble of having to analyze the
> details of your new protoocl.

Several people on this list have already demonstrated that they are very
willing to analyse new protocols. Also, I don't *expect* you to do so,
if you don't want to ignore me.

> Why are you using RSA encryption to authenticate your DH rather
> than using RSA signature?

If we use RSA encryption, then both sides know their message can only be
received by the intended recipient. If we use RSA signing, then we both
sides know the message they receive can only come from the assumed
sender. For the purpose of tinc's authentication protocol, I don't see
the difference, but...

> Now, the attacker chooses 0 as his DH public. This makes ZZ always
> equal to zero, no matter what the peer's DH key is.

I think you mean it is equal to 1 (X^0 is always 1). This is the first
time I've heard of this, I've never thought of this myself. In that case
I see the point of signing instead of encrypting.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20030929/bcc4b917/attachment.pgp>


More information about the cryptography mailing list