New authentication protocol, was Re: Tinc's response to 'Linux's answer to MS-PPTP'
Eric Rescorla
ekr at rtfm.com
Mon Sep 29 14:56:07 EDT 2003
"Bill Stewart" <bill.stewart at pobox.com> writes:
> > If we use RSA encryption, then both sides know their message can only
> > be received by the intended recipient. If we use RSA signing, then we
> > both sides know the message they receive can only come from the assumed
> > sender. For the purpose of tinc's authentication protocol, I don't see
> > the difference, but...
> >
> > > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > > equal to zero, no matter what the peer's DH key is.
>
> You need to validate the DH keyparts even if you're
> corresponding with the person you thought you were.
> This is true whether you're using signatures, encryption, or neither.
Not necessarily.
If you're using fully ephemeral DH keys and a properly designed
key, then you shouldn't need to validate the other public share.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list