Scare tactic?

Ian G iang at
Sun Sep 23 07:48:17 EDT 2007

Ivan Krstić wrote:
> On Sep 19, 2007, at 5:01 PM, Nash Foster wrote:
>> Any actual cryptographers care to comment on this? I don't feel
>> qualified to judge.
> If the affected software is doing DH with a malicious/compromised peer, 
> the peer can make it arrive at a predictable secret -- which would be 
> known to some passive listener. But hey, if the peer is malicious or 
> compromised to begin with, it could just as well do DH normally and 
> explicitly send the secret to the listener when it's done. Not much to 
> see here.

I agree that this is minutia, but there is a difference.  If 
the peer can arrange the key to be some predictable secret, 
it can do so without revealing itself.  Eve is happy.  If 
however it has to leak the key some other way, it needs some 
covert channel.  This channel is the sort of thing that 
security reviews might more easily stumble over.  E.g., IDS 
guy asking why these strange packets emanate from the crypto 

Which is to say, it's worth closing off this particular form 
of attack if it can be done without undue cost.  When I did 
a key exchange last in a protocol design, I attempted to 
address it by inserting some hashing steps.
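As an added illustration, not part of this post or the thread, here is the public-value check a DH implementation can run on what the peer sends so that a malicious peer cannot steer the shared secret to a value it (and a passive listener) already knows; the group parameters are a constructed toy safe-prime group, and the hashing of the raw secret together with the transcript, the kind of step the post mentions, is shown next to the check.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy safe-prime group, constructed for illustration only (far too small for
# real use): p = 2q + 1 with q prime, g generates the subgroup of order q.
P, Q, G = 23, 11, 2


def validate_peer_public(y: int, p: int = P, q: int = Q) -> bool:
    """Public-value validation in the style of NIST SP 800-56A.

    Rejects 0, 1 and p-1 (which make y^priv mod p land on 0, 1 or +/-1
    regardless of our private key) and any value outside the order-q subgroup.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def gen_keypair(p: int = P, q: int = Q, g: int = G) -> Tuple[int, int]:
    priv = 1 + secrets.randbelow(q - 1)  # uniform in [1, q-1]
    return priv, pow(g, priv, p)


def raw_shared(priv: int, peer_pub: int, p: int = P) -> int:
    """Unchecked DH: peer_pub^priv mod p, whatever peer_pub happens to be."""
    return pow(peer_pub, priv, p)


def derive_key(priv: int, my_pub: int, peer_pub: int,
               initiator: bool) -> Optional[bytes]:
    """Validate the peer value, then hash secret and transcript into a key.

    The hash binds the key to both public values; it is the validation step
    that actually refuses a forced secret. Returns None on a bad peer value.
    """
    if not validate_peer_public(peer_pub):
        return None
    z = raw_shared(priv, peer_pub)
    a_pub, b_pub = (my_pub, peer_pub) if initiator else (peer_pub, my_pub)
    transcript = b"toy-dh|%d|%d|%d" % (a_pub, b_pub, z)
    return hashlib.sha256(transcript).digest()


if __name__ == "__main__":
    a, A = gen_keypair()
    b, B = gen_keypair()
    assert derive_key(a, A, B, True) == derive_key(b, B, A, False)
    for forced in (0, 1, P - 1):  # degenerate values a malicious peer could send
        print(forced, raw_shared(a, forced), derive_key(a, A, forced, True))
```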


The Cryptography Mailing List