Scare tactic?

Alexander Klimov alserkli at
Thu Sep 20 05:23:59 EDT 2007

On Wed, 19 Sep 2007, Nash Foster wrote:
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.

>> Not a single IKE implementation [...] were validating the
>> Diffie-Hellman public keys that I sent.

There are many ways to use DH key-agreement. The one described
on the page is as follows: both A and B generate random values,
exponentiate, exchange results, and derive the same value. In
this case there is no point in validating the `public key'
A receives from B: if B colludes with an attacker (and generates
the key belonging to a small subgroup), then B can just as well tell
the final secret to the attacker.

The attack would make sense if it allows B to learn a long-term
secret of A, but if the `private keys' are randomly generated on
each exchange, then this problem does not exist.
