[Cryptography] Silly Diffie-Hellman question using XOR
Stuart Longland
stuartl at longlandclan.yi.org
Wed Mar 5 16:06:35 EST 2014
On Wed, 05 Mar 2014 19:50:36 +0100, Hanno Böck wrote:
>> Bob signs B2 and sends B2 + signature to Alice.
>> 3. Alice verifies B2+signature, then generates
>> A3 = A1 ^ A2 ^ B2. Alice signs A3 and sends to Bob.
>
> Your protocol breaks already here. Attacker knows A2, B2 and A3.
> So he can calculate A3 ^ B2 ^ A2. And gets A1. Wow!
Yes, of course. I soon realised this as I thought about it… but
naturally enough, only *after* I had clicked Send. (And too early to
send a follow-up pointing out I had realised my error.)
I've been giving some thought as to whether a cryptographic (keyed) hash
would work (in place of XOR), but probably not as the scheme I've been
thinking about relies on associativity and commutativity to work. (And
as we've all realised, it fundamentally breaks at present.)
Exponentiation with primes works of course, that's how D-H is normally
implemented. They need to be big ones to work though. I'm not sure how
to do math with 128-bit+ numbers as yet: best bet would be to use an
existing implementation of D-H.
Not sure if there's small implementations that could fit on embedded
devices. I guess there is somewhere. XOR attracted me as it was
mind-numbingly simple: I now also see it's mind-numbingly easy to crack.
> Honestly, if you didn't see this, you shouldn't even dare to invent any
> crypto yourself.
>
> And rule of thumb: If you make up your own algorithm, it's broken.
> Exceptions only if you are super-intelligent and have studied number
> theory for years.
This is true, which is why I made the assumption that I had overlooked
something, and came here to ask about it. My assumption was correct of
course: I had overlooked something.
The good news is I didn't race off to found a company selling it then. :-)
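The break Hanno describes, and the modular-exponentiation alternative the reply gestures at, side by side. This is an added illustration written for this archive page, not code from either poster. It assumes A1, A2 and B2 are just bit strings handled as Python integers, and it uses toy Diffie-Hellman parameters (the Mersenne prime 2^61 - 1 with base 3 in the demo, and the textbook p = 23, g = 5 values in the checks) rather than any real group.

```python
"""Added example (not from the thread): why the XOR scheme leaks A1, and
what the multiplicative-group version of the same idea looks like in Python.

Assumptions: A1, A2, B2 are arbitrary bit strings treated as integers;
the DH parameters are toy/textbook ones, not a production group.
"""
import secrets


def alice_step3(a1: int, a2: int, b2: int) -> int:
    """Step 3 of the posted scheme: Alice forms A3 = A1 ^ A2 ^ B2."""
    return a1 ^ a2 ^ b2


def eavesdropper_recovers_a1(a2: int, b2: int, a3: int) -> int:
    """Hanno's observation: every value XORed into A3 except A1 travels in
    the clear, and XOR is its own inverse, so a listener XORs them back out."""
    return a3 ^ b2 ^ a2


def dh_public(g: int, p: int, priv: int) -> int:
    """g^priv mod p. Three-argument pow() handles 2048-bit operands natively,
    which answers the 'how do I do math with 128-bit+ numbers' worry."""
    return pow(g, priv, p)


def dh_shared(p: int, priv: int, other_pub: int) -> int:
    """other_pub^priv mod p. Both sides get the same value because
    (g^a)^b == (g^b)^a: the commutativity the XOR scheme wanted, in the exponent."""
    return pow(other_pub, priv, p)


def naive_combination(p: int, pub_a: int, pub_b: int) -> int:
    """The XOR-style trick transplanted to the group: combining the two public
    values yields g^(a+b), which is not the shared secret g^(ab). Undoing the
    exponentiation would need a discrete logarithm, not a second XOR."""
    return (pub_a * pub_b) % p


def demo() -> tuple:
    """Run both schemes on constructed values; returns (xor_leaked, dh_agreed)."""
    # Constructed 128-bit values for the XOR scheme.
    a1 = secrets.randbits(128)
    a2 = secrets.randbits(128)
    b2 = secrets.randbits(128)
    a3 = alice_step3(a1, a2, b2)
    leaked = eavesdropper_recovers_a1(a2, b2, a3)
    print("XOR scheme: eavesdropper recovered A1:", leaked == a1)

    # Toy DH parameters (assumed for readability): Mersenne prime 2^61 - 1, base 3.
    # A 61-bit modulus is brute-forceable; real deployments use >= 2048-bit groups.
    p, g = 2**61 - 1, 3
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    pub_a, pub_b = dh_public(g, p, a), dh_public(g, p, b)
    k_alice = dh_shared(p, a, pub_b)
    k_bob = dh_shared(p, b, pub_a)
    print("DH: both sides agree on the key:", k_alice == k_bob)
    print("DH: multiplying the public values gives the key:",
          naive_combination(p, pub_a, pub_b) == k_alice)
    return leaked == a1, k_alice == k_bob


if __name__ == "__main__":
    demo()
```

Running it prints True for the XOR leak and for DH agreement, and False for the attempt to combine the two DH public values into the key. The contrast is the whole point: XOR is linear, so anything built from it can be unpicked by the same operation; exponentiation mod p keeps the commutativity the scheme needed ((g^a)^b = (g^b)^a) while making the inverse step a discrete logarithm.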