New authentication protocol, was Re: Tinc's response to 'Linux's answer to MS-PPTP'
Bill Stewart
bill.stewart at pobox.com
Mon Sep 29 13:10:01 EDT 2003
> If we use RSA encryption, then both sides know their message can only
> be received by the intended recipient. If we use RSA signing, then we
> both sides know the message they receive can only come from the assumed
> sender. For the purpose of tinc's authentication protocol, I don't see
> the difference, but...
>
> > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > equal to zero, no matter what the peer's DH key is.
You need to validate the DH keyparts even if you're
corresponding with the person you thought you were.
This is true whether you're using signatures, encryption, or neither.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list