New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"
Eric Rescorla
ekr at rtfm.com
Tue Sep 30 19:47:20 EDT 2003
Guus Sliepen <guus at sliepen.eu.org> writes:
> On Mon, Sep 29, 2003 at 02:07:04PM +0200, Guus Sliepen wrote:
>
> > Step 2:
> > Exchange METAKEY messages. The METAKEY message contains the public part
> > of a key used in a Diffie-Hellman key exchange. This message is
> > encrypted using RSA with OAEP padding, using the public key of the
> > intended recipient.
>
> After comments and reading up on suggested key exchange schemes, I think
> this step should be changed to send the Diffie-Hellman public key in
> plaintext, along with a nonce (large random number) to prevent replays
> and the effects of bad DH public keys. Instead of encrypting both with
> RSA, they should instead be signed using the private key of the sender
> (the DH public key and nonce wouldn't fit in a single RSA message
> anyway).
>
> IKEv2 (as described in draft-ietf-ipsec-ikev2-10.txt) does almost the
> same. However, IKEv2 does not send the signature directly, but first
> computes the shared key, and uses that to encrypt (using a symmetric
> cipher) the signature. I do not see why they do it that way; the
> signature has to be checked anyway, and if it can be done before
> computing the shared key it saves CPU time. Encrypting it does not
> prevent a man in the middle from reading or altering it, since a MITM
> can first exchange his own DH public key with both sides (and hence he
> can know the shared keys). So actually, I don't see the point in
> encrypting messages 3 and 4 as described on page 8 of that draft at all.
In order to hide the identities of the communicating peers.
Personally, I don't have much use for identity protection,
but this is the reason as I understand it.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
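The signed plaintext METAKEY exchange Guus proposes above, as an added Go example written for this page (not tinc's code and not from this thread): Ed25519 stands in for tinc's RSA identity keys, X25519 for the DH group, and each side is assumed to already know the other's identity public key; binding both nonces into the derived key is my addition. The signature is verified before any DH computation, as Guus suggests, and nothing in the message is encrypted, which is exactly what leaves the signer's identity visible to an observer, the point Eric makes.

```go
package main
import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"slices"
)
type Metakey struct{ DHPub, Nonce, Sig []byte } // the proposed message: signed, nothing encrypted
type Peer struct {
	IDPub ed25519.PublicKey  // long-term identity key (stands in for tinc's RSA key)
	priv  ed25519.PrivateKey // its private half, used only to sign
	dh    *ecdh.PrivateKey   // ephemeral key (stands in for the DH key)
	nonce []byte             // fresh 32-byte random value sent with the DH key
}
func NewPeer() *Peer {
	_, priv, err1 := ed25519.GenerateKey(rand.Reader)
	dh, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	nonce := make([]byte, 32)
	if _, err3 := rand.Read(nonce); err1 != nil || err2 != nil || err3 != nil {
		panic("random source failed")
	}
	return &Peer{priv.Public().(ed25519.PublicKey), priv, dh, nonce}
}
// Send builds the METAKEY; the signature covers the DH public key and the nonce.
func (p *Peer) Send() Metakey {
	pub := p.dh.PublicKey().Bytes()
	return Metakey{pub, p.nonce, ed25519.Sign(p.priv, bytes.Join([][]byte{pub, p.nonce}, nil))}
}
// Receive verifies the signature with the peer's known identity key before any DH
// work, then derives the key from the shared secret and both nonces (my addition).
func (p *Peer) Receive(m Metakey, peerID ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(peerID, bytes.Join([][]byte{m.DHPub, m.Nonce}, nil), m.Sig) {
		return nil, errors.New("METAKEY signature does not verify")
	}
	peerDH, err := ecdh.X25519().NewPublicKey(m.DHPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.dh.ECDH(peerDH) // errors on the all-zero result of a bad point
	if err != nil {
		return nil, err
	}
	parts := [][]byte{secret, m.Nonce, p.nonce}
	slices.SortFunc(parts[1:], bytes.Compare) // same order at both ends
	key := sha256.Sum256(bytes.Join(parts, nil))
	return key[:], nil
}
```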
---------------------------------------------------------------------
The Cryptography Mailing List