New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"

Guus Sliepen guus at sliepen.eu.org
Tue Sep 30 12:09:59 EDT 2003


On Mon, Sep 29, 2003 at 02:07:04PM +0200, Guus Sliepen wrote:

> Step 2:
> Exchange METAKEY messages. The METAKEY message contains the public part
> of a key used in a Diffie-Hellman key exchange.  This message is
> encrypted using RSA with OAEP padding, using the public key of the
> intended recipient.

After comments and reading up on suggested key exchange schemes, I think
this step should be changed to send the Diffie-Hellman public key in
plaintext, along with a nonce (large random number) to prevent replays
and the effects of bad DH public keys. Instead of encrypting both with
RSA, they should instead be signed using the private key of the sender
(the DH public key and nonce wouldn't fit in a single RSA message
anyway). 

IKEv2 (as described in draft-ietf-ipsec-ikev2-10.txt) does almost the
same. However, IKEv2 does not send the signature directly, but first
computes the shared key, and uses that to encrypt (using a symmetric
cipher) the signature. I do not see why they do it that way; the
signature has to be checked anyway, if it can be done before computing
the shared key it saves CPU time. Encrypting it does not prevent a man
in the middle from reading or altering it, since a MITM can first
exchange his own DH public key with both sides (and hence he can know
the shared keys). So actually, I don't see the point in encrypting
message 3 and 4 as described at page 8 of that draft at all.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
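The signed-rather-than-encrypted METAKEY exchange proposed above, written out as an added example (not tinc's code, nor anything from the draft). It assumes X25519 in place of the finite-field Diffie-Hellman group, RSA-PSS over SHA-256 as the signature, a domain label "METAKEY-v1" and a session key derived as SHA-256(shared secret || initiator nonce || responder nonce); all of these are choices made here, not the protocol as specified. The receiver checks the signature before doing any DH arithmetic, which is the ordering the mail argues for, and MITMSubstitution shows what that buys: a DH value swapped in transit no longer matches the sender's signature and is rejected at that first check.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Metakey carries the DH public value and a fresh nonce in the clear,
// with an RSA signature from the sender's long-term key covering both.
type Metakey struct {
	DHPub []byte // ephemeral X25519 public key (assumption: X25519 stands in for finite-field DH)
	Nonce []byte // 32 random bytes, fresh per handshake, to defeat replays
	Sig   []byte // RSA-PSS over SHA-256("METAKEY-v1" || DHPub || Nonce)
}

// Party holds one peer's long-term signing key and per-handshake ephemeral state.
type Party struct {
	Sign  *rsa.PrivateKey
	eph   *ecdh.PrivateKey
	nonce []byte
}

func NewParty() (*Party, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Party{Sign: sk, eph: eph, nonce: nonce}, nil
}

// signedDigest binds the DH value and the nonce together under a fixed label
// (the label is an assumed name, chosen here for domain separation).
func signedDigest(dhPub, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("METAKEY-v1"))
	h.Write(dhPub)
	h.Write(nonce)
	return h.Sum(nil)
}

// Metakey builds this party's signed METAKEY message.
func (p *Party) Metakey() (Metakey, error) {
	pub := p.eph.PublicKey().Bytes()
	sig, err := rsa.SignPSS(rand.Reader, p.Sign, crypto.SHA256, signedDigest(pub, p.nonce), nil)
	if err != nil {
		return Metakey{}, err
	}
	return Metakey{DHPub: pub, Nonce: p.nonce, Sig: sig}, nil
}

// VerifyMetakey checks the signature before any DH computation: a tampered
// DH value or nonce fails here at the cost of one RSA verification.
func VerifyMetakey(peer *rsa.PublicKey, m Metakey) error {
	if len(m.Nonce) != 32 {
		return errors.New("bad nonce length")
	}
	return rsa.VerifyPSS(peer, crypto.SHA256, signedDigest(m.DHPub, m.Nonce), m.Sig, nil)
}

// SessionKey verifies the peer's METAKEY, then derives the shared key from the
// DH secret and both nonces, initiator nonce first on both sides.
func (p *Party) SessionKey(peer *rsa.PublicKey, m Metakey, initiator bool) ([]byte, error) {
	if err := VerifyMetakey(peer, m); err != nil {
		return nil, fmt.Errorf("metakey rejected: %w", err)
	}
	remote, err := ecdh.X25519().NewPublicKey(m.DHPub)
	if err != nil {
		return nil, err
	}
	ss, err := p.eph.ECDH(remote)
	if err != nil {
		return nil, err
	}
	ni, nr := p.nonce, m.Nonce
	if !initiator {
		ni, nr = m.Nonce, p.nonce
	}
	h := sha256.New()
	h.Write(ss)
	h.Write(ni)
	h.Write(nr)
	return h.Sum(nil), nil
}

// RunHandshake performs the honest two-message exchange and returns both
// derived keys so the caller can confirm they agree.
func RunHandshake() (keyA, keyB []byte, err error) {
	a, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	b, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	ma, err := a.Metakey()
	if err != nil {
		return nil, nil, err
	}
	mb, err := b.Metakey()
	if err != nil {
		return nil, nil, err
	}
	if keyA, err = a.SessionKey(&b.Sign.PublicKey, mb, true); err != nil {
		return nil, nil, err
	}
	if keyB, err = b.SessionKey(&a.Sign.PublicKey, ma, false); err != nil {
		return nil, nil, err
	}
	return keyA, keyB, nil
}

// MITMSubstitution models someone on the path replacing A's DH value with
// their own before B sees it. Because A signed the value, B's verification
// fails; the returned error is that rejection (nil would mean it was accepted).
func MITMSubstitution() error {
	a, err := NewParty()
	if err != nil {
		return nil
	}
	b, err := NewParty()
	if err != nil {
		return nil
	}
	mitm, err := NewParty()
	if err != nil {
		return nil
	}
	m, err := a.Metakey()
	if err != nil {
		return nil
	}
	m.DHPub = mitm.eph.PublicKey().Bytes() // A's signature no longer covers this value
	_, err = b.SessionKey(&a.Sign.PublicKey, m, false)
	return err
}

func main() {
	ka, kb, err := RunHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("session keys agree: %v\n", bytes.Equal(ka, kb))
	fmt.Printf("substituted DH value rejected: %v\n", MITMSubstitution() != nil)
}
```

Note that the signature alone does not stop someone from reading the DH values; it was never meant to, since they are public. What it does is make a substituted value detectable before any shared-key computation, which is why the mail sees no need to encrypt the signature as IKEv2 does. The nonce from each side enters the key derivation, so a replayed METAKEY from an earlier run still yields a different session key.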