I'll show you mine if you show me, er, mine
Whyte, William
WWhyte at ntru.com
Thu Mar 3 22:24:24 EST 2005
I haven't read the original paper, and I have a great deal of
respect for Markus Jakobsson. However, techniques that establish
that the parties share a weak secret without leaking that secret
have been around for years -- Bellovin and Merritt's DH-EKE,
David Jablon's SPEKE. And they don't require either party to
send the password itself at the end.
William
> -----Original Message-----
> From: pgut001 at cs.auckland.ac.nz [mailto:pgut001 at cs.auckland.ac.nz]
> Sent: Wednesday, February 23, 2005 7:30 AM
> To: cryptography at metzdowd.com; cypherpunks at al-qaeda.net;
> rah at shipwright.com
> Subject: Re: I'll show you mine if you show me, er, mine
>
>
> "R.A. Hettinga" <rah at shipwright.com> forwarded:
>
> >Briefly, it works like this: point A transmits an encrypted
> message to point
> >B. Point B can decrypt this, if it knows the password. The
> decrypted text is
> >then sent back to point A, which can verify the decryption,
> and confirm that
> >point B really does know point A's password. Point A then
> sends the password
> >to point B to confirm that it really is point A, and knows
> its own password.
>
> Isn't this a Crypto 101 mutual authentication mechanism (or at least a
> somewhat broken reinvention of such)? If the exchange to
> prove knowledge of
> the PW has already been performed, why does A need to send
> the PW to B in the
> last step? You either use timestamps to prove freshness or
> add an extra
> message to exchange a nonce and then there's no need to send
> the PW. Also in
> the above B is acting as an oracle for password-guessing
> attacks, so you don't
> send back the decrypted text but a recognisable-by-A
> encrypted response, or
> garbage if you can't decrypt it, taking care to take the same
> time whether you
> get a valid or invalid message to avoid timing attacks. Blah
> blah Kerberos
> blah blah done twenty years ago blah blah a'om bomb blah blah.
>
> (Either this is a really bad idea or the details have been
> mangled by the
> Register).
>
> Peter.
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list