[Cryptography] Non-Authenticated Key Agreement
Guus Sliepen
guus at sliepen.org
Wed Sep 23 03:16:40 EDT 2015
On Wed, Sep 23, 2015 at 12:11:01AM -0500, Davy Durham wrote:
> Given an encrypt (and decrypt, for that matter) function based on the one-time
> pad idea:
> E(d, k) = d xor k
A one-time pad is only a one-time pad if you use it once. You are using
them twice in your protocol.
> d = data
> ka = random bits
> d' = E(d, ka)
> d'
> ---------------------------------------->
> kb = random bits
> d'' = E(d', kb)
> d''
> <----------------------------------------
> d''' = E(d'', ka)
> d'''
> ---------------------------------------->
> d = E(d''', kb)
An eavesdropper can see d', d'' and d'''. Using your equation for E, the
eavesdropper can easily calculate:
d' xor d'' = kb
d'' xor d''' = ka
d' xor d'' xor d''' = d
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.org>
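
The exchange quoted above and the eavesdropper's three XORs, as an added example that is not part of the original message. The function names, the byte-string representation and the sample message are assumptions made for illustration; E is the d xor k function from the quoted proposal.

```python
import secrets


def E(d: bytes, k: bytes) -> bytes:
    """E(d, k) = d xor k, as defined in the quoted proposal."""
    if len(d) != len(k):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(d, k))


def three_pass(d: bytes):
    """Run the quoted three-message exchange.

    Returns (transcript, received, keys):
      transcript -- (d', d'', d'''), everything that crosses the wire
      received   -- what the receiving side ends up with
      keys       -- (ka, kb), returned only so the result can be checked
    """
    ka = secrets.token_bytes(len(d))  # sender's random bits
    kb = secrets.token_bytes(len(d))  # receiver's random bits
    d1 = E(d, ka)    # d'   sender -> receiver
    d2 = E(d1, kb)   # d''  receiver -> sender
    d3 = E(d2, ka)   # d''' sender -> receiver (ka cancels, kb remains)
    received = E(d3, kb)
    return (d1, d2, d3), received, (ka, kb)


def eavesdrop(transcript):
    """Recover (ka, kb, d) from the wire transcript alone, no key material."""
    d1, d2, d3 = transcript
    kb = E(d1, d2)         # d'  xor d''  = kb
    ka = E(d2, d3)         # d'' xor d''' = ka
    d = E(E(d1, d2), d3)   # d' xor d'' xor d''' = d
    return ka, kb, d


if __name__ == "__main__":
    message = b"constructed sample message"  # constructed input
    transcript, received, (ka, kb) = three_pass(message)
    rec_ka, rec_kb, rec_d = eavesdrop(transcript)
    print("receiver got the data:     ", received == message)
    print("eavesdropper recovered ka: ", rec_ka == ka)
    print("eavesdropper recovered kb: ", rec_kb == kb)
    print("eavesdropper recovered d:  ", rec_d == message)
```

The recovery works for any message and any choice of ka and kb, because each pad appears in exactly two of the three messages on the wire and cancels when those two are XORed.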