
Re: comments on Photuris



> From: "William Allen Simpson" <bill.simpson@um.cc.umich.edu>
> So?  Value 0 is simply disallowed.  A pretty easy check.
> ...
> OK.  Value 1 is also disallowed.  Straight-forward arithmetic so far.

While special purpose checks may prevent some of the scenarios I
described, I think it is a bad idea to proceed with a protocol that 
permits the kinds of scenarios that were described in my message.

Here are two examples of why special purpose checks may
not always work.

First. Suppose the adversary picks a random x, computes g^x enough times
so that it looks like the format of an RSA public key. She then
presents this g^x to the party she wishes to impersonate, requesting
that the party act as "introducer" for her "RSA public
key" (read g^x) by signing it. The introducer may ask for identification
etc. and check the hash of the key, as may be the norm for that party.
Once the party signs the "RSA public key", the intruder now has the tuple
{x, g^x, Signed(g^x)} and can therefore impersonate the introducer.
This is now a completely random x, and cannot be special-purpose
checked.

Second. The intruder picks as her personal prime a Pohlig-Hellman-weak prime for
which discrete logs are feasible. She presents this to the party she
wishes to impersonate by initiating a Photuris key exchange, along
with a public DH value computed using the weak prime. The responding
party then provides its public DH value g^x computed using the same weak
prime, and then follows by providing the Signed(g^x) value over the encrypted
channel.

All the intruder now needs to do afterwards (at her leisure) is to compute
the discrete log of the responding party's public DH value to learn x
and thereby {x, g^x, Signed(g^x)}, after which she can safely impersonate the
responding party. This is possible because PH-weak primes were used.

This points to another problem with the protocol. It is unwise
to allow the use of unauthenticated primes, which may not have the
property one requires for a DH exchange. Photuris allows the initiator
to pick her own primes. In order to rely on the believed intractability
of the DH problem, it must be ensured that suitable DH parameters are
in fact used. This is especially unwise when one is relying on the party 
who picks the prime not to be able to compute discrete logs over that 
prime field.

(Real time checking of strong primality is not practical).

Fundamentally, the notion that an adversary can plan successful 
attacks in advance (as shown above) is disturbing. A widely used
protocol must not allow such freedom to the adversary where
it becomes increasingly difficult to safeguard against all such
attacks. 

Kind regards,
Ashar.
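The parameter and public-value checks that this message argues a responder must perform before trusting a peer-supplied DH group, as an added example (this is editorial illustration, not code from the thread or from Photuris). It checks that p is a safe prime, so that p-1 is not smooth and Pohlig-Hellman does not apply; that g generates the prime-order subgroup; and that a peer's public value is not 0, 1 or p-1 (the check mentioned in the quoted reply) and lies in that subgroup. The Miller-Rabin probable-prime test, the function names, the minimum bit length and the small primes used for the demonstration (1019 as a safe prime, 2311 = 2*3*5*7*11 + 1 as a PH-weak prime) are assumptions constructed for the example.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with a fixed witness seed (reproducible)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # write n-1 = 2^r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def check_dh_group(p, g, min_bits=2048):
    """Return the list of reasons (p, g) is unacceptable as a DH group; [] means it passed.

    Requires p to be a safe prime (p = 2q + 1 with q prime) so the group order
    has no small factors, and g to generate the order-q subgroup.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p has only {p.bit_length()} bits (minimum {min_bits})")
    if p < 5 or p % 2 == 0 or not is_probable_prime(p):
        problems.append("p is not an odd prime")
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime: p-1 has small factors, so discrete logs "
                        "mod p are cheap via Pohlig-Hellman")
    if not 1 < g < p - 1:
        problems.append("g must lie strictly between 1 and p-1")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the prime-order subgroup (g^q != 1 mod p)")
    return problems


def check_dh_public_value(p, y):
    """Return None if y is an acceptable peer public value, else the reason it is rejected."""
    if not 1 < y < p - 1:
        return "public value must lie strictly between 1 and p-1 (0, 1 and p-1 are rejected)"
    if pow(y, (p - 1) // 2, p) != 1:
        return "public value is outside the prime-order subgroup"
    return None


def responder_accept(p, g, peer_public, own_private, min_bits=2048):
    """Validate the proposed group and peer value, then return the shared secret.

    Raises ValueError instead of computing with a weak or malformed group.
    """
    problems = check_dh_group(p, g, min_bits)
    reason = check_dh_public_value(p, peer_public)
    if reason:
        problems.append(reason)
    if problems:
        raise ValueError("; ".join(problems))
    return pow(peer_public, own_private, p)


if __name__ == "__main__":
    # Constructed demonstration values: 1019 is a safe prime (q = 509), 4 generates
    # the order-q subgroup; 2311 is prime but 2310 = 2*3*5*7*11, so it is PH-weak.
    SAFE_P, WEAK_P, G = 1019, 2311, 4
    print("safe prime:", check_dh_group(SAFE_P, G, min_bits=8))
    print("weak prime:", check_dh_group(WEAK_P, G, min_bits=8))
    for y in (0, 1, SAFE_P - 1, 2, G):
        print(f"public value {y}:", check_dh_public_value(SAFE_P, y))
    shared = responder_accept(SAFE_P, G, pow(G, 7, SAFE_P), 11, min_bits=8)
    print("shared secret:", shared)
```

The `min_bits` default reflects current practice for MODP groups; the demonstration lowers it only so the small constructed primes can be used. Note that a peer who proposes a prime the responder has never seen before still forces the responder to run these tests on every exchange, which is the cost the message is pointing at.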