New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"

Eric Rescorla ekr at rtfm.com
Mon Sep 29 12:35:56 EDT 2003


Guus Sliepen <guus at sliepen.eu.org> writes:

> On Mon, Sep 29, 2003 at 07:53:29AM -0700, Eric Rescorla wrote:
> 
> > I'm trying to figure out why you want to invent a new authentication
> > protocol rather than just going back to the literature and ripping
> > off one of the many skeletons that already exist (
> 
> Several reasons. Because it's fun, because we learn more from doing it
> ourselves (we learn from our mistakes too), because we want something
> that fits our needs. We could've just grabbed one from the shelf, but
> then we could also have grabbed IPsec or PPP-over-SSH from the shelf,
> instead of writing our own VPN daemon. However, we wanted something
> different.

And I'm trying to understand why. This answer sounds a lot
like NIH.

Was there any technical reason why the existing cryptographic
skeletons wouldn't have been just as good?


> > STS,
> 
> If you mean station-to-station protocol, then actually that is pretty
> much what we are doing now, except for encrypting instead of signing
> using RSA.

But that's not a harmless change, which is the point of the potential
attack I just described.


> > JFK, IKE, SKEME, SIGMA, etc.).
> 
> And I just ripped TLS from the list.

Define "ripped". This certainly is not the same as TLS.


> > That would save people from the trouble of having to analyze the
> > details of your new protoocl.
> 
> Several people on this list have already demonstrated that they are very
> willing to analyse new protocols.

Actually, no. People are willing to take a quick look and
then shoot bullets at your protocol. That's not the same as
doing a thorough analysis, which can take years, as Steve
Bellovin has pointed out about Needham-Schroeder.


> > Why are you using RSA encryption to authenticate your DH rather
> > than using RSA signature?
> 
> If we use RSA encryption, then both sides know their message can only be
> received by the intended recipient. If we use RSA signing, then we both
> sides know the message they receive can only come from the assumed
> sender. For the purpose of tinc's authentication protocol, I don't see
> the difference, but...

There's no difference if it's done correctly. If it's not done
correctly...


> > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > equal to zero, no matter what the peer's DH key is.
> 
> I think you mean it is equal to 1 (X^0 is always 1). This is the first
> time I've heard of this, I've never thought of this myself. In that case
> I see the point of signing instead of encrypting.

Except that the way you compute DH is to do Y^X rather than 
X^Y. 


Look, there's nothing wrong with trying to invent new protocols,
especially as a learning experience. What I'm trying to figure
out is why you would put them in a piece of software rather 
than using one that has undergone substantial analysis unless
your new protocol has some actual advantages. Does it?

-Ekr


-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list