Scare tactic?
Ian G
iang at systemics.com
Sun Sep 23 07:48:17 EDT 2007
Ivan Krstić wrote:
> On Sep 19, 2007, at 5:01 PM, Nash Foster wrote:
>> Any actual cryptographers care to comment on this? I don't feel
>> qualified to judge.
>
> If the affected software is doing DH with a malicious/compromised peer,
> the peer can make it arrive at a predictable secret -- which would be
> known to some passive listener. But hey, if the peer is malicious or
> compromised to begin with, it could just as well do DH normally and
> explicitly send the secret to the listener when it's done. Not much to
> see here.

I agree that this is minutia, but there is a difference. If
the peer can arrange the key to be some predictable secret,
it can do so without revealing itself. Eve is happy. If
however it has to leak the key some other way, it needs some
covert channel. This channel is the sort of thing that
security reviews might more easily stumble over. E.g., IDS
guy asking why these strange packets emanate from the crypto
server...

Which is to say, it's worth closing off this particular form
of attack if it can be done without undue cost. When I did
a key exchange last in a protocol design, I attempted to
address it by inserting some hashing steps.

iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
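
An added example, not part of the original thread and not the code of any participant: a receiver-side check that refuses DH public values which would pin the shared secret to a guessable value, followed by a key derivation that hashes both public values in with the secret. The thread does not say how the predictable secret is forced or which hashing steps were used; the degenerate-value check, the toy group (P, Q, G) and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Constructed toy group, for illustration only: safe prime P = 2*Q + 1.
# A real deployment uses a standardized group of 2048 bits or more.
P = 2039
Q = 1019
G = 4  # a square mod P, so it generates the subgroup of prime order Q


class BadPeerValue(ValueError):
    """Peer sent a public value we refuse to exponentiate."""


def keypair():
    x = secrets.randbelow(Q - 1) + 1  # private exponent in 1..Q-1
    return x, pow(G, x, P)


def check_peer_public(y):
    # 0, 1 and P-1 make the result 0, 1 or +/-1 whatever our private
    # exponent is, so a passive listener could compute the "secret" too.
    if not 2 <= y <= P - 2:
        raise BadPeerValue("public value out of range")
    # Confine the peer to the prime-order subgroup generated by G.
    if pow(y, Q, P) != 1:
        raise BadPeerValue("public value outside the order-Q subgroup")


def derive_key(own_priv, own_pub, peer_pub, initiator):
    check_peer_public(peer_pub)
    shared = pow(peer_pub, own_priv, P)
    # Fixed ordering (initiator first) so both sides hash the same bytes.
    first, second = (own_pub, peer_pub) if initiator else (peer_pub, own_pub)
    transcript = b"|".join(str(v).encode() for v in (first, second, shared))
    return hashlib.sha256(transcript).digest()


def naive_shared(own_priv, peer_pub):
    # The unchecked computation, kept only to show what the check prevents.
    return pow(peer_pub, own_priv, P)
```

The range and subgroup checks are what remove the predictable values; the hash only binds the session key to the values actually exchanged.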