New authentication protocol, was Re: Tinc's response to 'Linux's answer to MS-PPTP'

Bill Stewart bill.stewart at pobox.com
Mon Sep 29 12:51:20 EDT 2003


> Step 1:
> Exchange ID messages. An ID message contains the name of the tinc
> daemon which sends it, the protocol version it uses, and various
> options (like which cipher and digest algorithm it wants to use).

By "name of the tinc daemon", do you mean identification information?
That data should be encrypted, and therefore in step 2.
(Alternatively, if you just mean "tincd version 1.2.3.4", that's fine.)

> Step 2:
> Exchange METAKEY messages. The METAKEY message contains the public part
> of a key used in a Diffie-Hellman key exchange.  This message is
> encrypted using RSA with OAEP padding, using the public key of the
> intended recipient.

You can't encrypt the DH keyparts using RSA unless you first exchange
RSA public key information, which the server can't do without knowing
who the client is (the client presumably knows who the server is,
so you _could_ have the client send the key encrypted to annoy MITMs.)
To make the protocol generally useful for privacy protection,
you shouldn't exchange this information unencrypted.
So do a Diffie-Hellman exchange first, then exchange any other information,
including RSA signatures on the DH keyparts.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
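
Added example, not part of the original message and not tinc's code: a sketch of the ordering suggested in the reply above (Diffie-Hellman first, then the identity and an RSA signature over both DH keyparts sent under the derived key). All names (`run`, `client_auth`, the peer name `alpha`) are assumptions, and the primitives are toy stand-ins constructed for the example: small primes, textbook RSA without padding, and a SHA-256 keystream in place of a real cipher.

```python
import hashlib, secrets

# Toy parameters constructed for this example; far too small for real use.
P, G, E = 2**127 - 1, 3, 65537                 # DH modulus and generator, RSA exponent
N = (2**61 - 1) * (2**89 - 1)                  # client's RSA modulus (two Mersenne primes)
D = pow(E, -1, (2**61 - 2) * (2**89 - 2))      # client's RSA private exponent

def enc(x):                                    # fixed-width integer encoding
    return x.to_bytes(20, "big")

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor_stream(key, data):                     # SHA-256 counter-mode stand-in cipher
    ks = b"".join(h(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def dh_keypart():
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def client_auth(name, secret, mine, theirs):
    """Sent only after DH: signature over both keyparts plus the name, encrypted."""
    key = h(enc(pow(theirs, secret, P)))
    sig = pow(int.from_bytes(h(enc(mine), enc(theirs)), "big") % N, D, N)
    return xor_stream(key, enc(sig) + name)

def server_check(blob, secret, mine, theirs, known):
    """Decrypt, look up the claimed name's public modulus, verify the signature."""
    plain = xor_stream(h(enc(pow(theirs, secret, P))), blob)
    sig, name = int.from_bytes(plain[:20], "big"), plain[20:]
    n = known.get(name)
    want = int.from_bytes(h(enc(theirs), enc(mine)), "big")
    return name if n and pow(sig, E, n) == want % n else None

def run(mitm=False):
    """Return (bytes the server's link carried, name the server accepted or None)."""
    (a, A), (s, S), (m, M) = dh_keypart(), dh_keypart(), dh_keypart()
    known = {b"alpha": N}                      # server's table of peer public keys
    if not mitm:
        blob = client_auth(b"alpha", a, A, S)
        return [enc(A), enc(S), blob], server_check(blob, s, S, A, known)
    # Active attacker hands its own keypart M to both sides and re-encrypts.
    plain = xor_stream(h(enc(pow(A, m, P))), client_auth(b"alpha", a, A, M))
    blob = xor_stream(h(enc(pow(S, m, P))), plain)
    return [enc(M), enc(S), blob], server_check(blob, s, S, M, known)

if __name__ == "__main__":
    print(run()[1], run(mitm=True)[1])
```

In the honest run the name never appears in the clear on the wire; in the substituted-keypart run the server rejects the peer because the signature covers keyparts it did not see.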


