
Re: comments on Photuris




Ashar Aziz says:
> >From: "William Allen Simpson" <bill.simpson@um.cc.umich.edu>
> > So?  Value 0 is simply disallowed.  A pretty easy check.
> > ...
> > OK.  Value 1 is also disallowed.  Straight-forward arithmetic so far.
> 
> While special purpose checks may prevent some of the scenarios I
> described, I think it is a bad idea to proceed with a protocol that 
> permits the kinds of scenarios that were described in my message.

DES, 3DES, IDEA and most other conventional ciphers I know of have weak
keys. I say we abandon conventional ciphers!

Seriously, though, bounds checking is needed almost whatever one does.

> Here are two examples of why special purpose checks may
> not always work.
> 
> First. Suppose adversary picks random x, computes g^x enough times
> so that it looks like the format of an RSA public key.

It can't. The magic numbers on the data won't be the same in
practice. No one was proposing "naked" keys and g^xes you know.

> She then presents this g^x to the party she wishes to impersonate,
> requesting that the party act as "introducer" for her "RSA
> public key" (read g^x) by signing it.

What they could get you to sign would be a formatted data structure
containing an RSA key, not just some raw RSA key, so the attack isn't
feasible.

> Second. Intruder picks as her personal prime a Pohlig-Hellman-weak prime for
> which discrete logs are feasible.  She presents this to party she
> wishes to impersonate by initiating a Photuris key exchange, along 
> with a public DH value computed using the weak prime. The responding 
> party then provides its public DH value g^x computed using the same weak 
> prime, and then follows by providing Signed(g^x) value over the encrypted 
> channel. 
> 
> All intruder now needs to do afterwards (at her leisure) is to compute
> the discrete log of the responding party's public DH value to know x
> and thereby {x, g^x, Signed(g^x)}, after which she can safely impersonate the
> responding party.

This is a more serious objection. I would suggest that we can avoid
this either by specifying the primes used in the algorithm or by
making the protocol more interactive.

Perry
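The thread turns on two responder-side checks: rejecting degenerate public values (0, 1, p-1) and refusing a peer-supplied prime whose p-1 is smooth, which is exactly what makes Pohlig-Hellman discrete logs cheap. The following is an added example, not code from the Photuris drafts or from anyone in this thread. It accepts a Diffie-Hellman group only if p is a safe prime (p = 2q+1 with q prime, so the only small subgroups are of order 1 and 2) and accepts a public value only if it lies strictly between 1 and p-1 and sits in the order-q subgroup. The group sizes, the toy primes 1019 and 12289, and the `min_bits` parameter are constructed for illustration; real groups would be fixed in the specification, as suggested above, and would be far larger.

```python
"""Defensive checks for a Diffie-Hellman group and its public values.

Added example (not Photuris code). The safe-prime test is the standard way to
rule out Pohlig-Hellman-weak primes: if (p-1)/2 is prime, p-1 has no smooth
factorisation for an attacker to exploit.
"""

# Deterministic Miller-Rabin bases: exact for n < 3.3e24, strong probable-prime
# test beyond that. Assumption: adequate for the demonstration sizes below.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def largest_prime_factor(n: int) -> int:
    """Trial division; only practical for toy-sized n. Used here to show
    why a smooth p-1 is the problem Pohlig-Hellman exploits."""
    largest, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            largest = f
            n //= f
        f += 1
    return max(largest, n) if n > 1 else largest


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p and q = (p-1)/2 are both prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_group(p: int, g: int, min_bits: int = 1024) -> list:
    """Return a list of reasons to reject the group (empty list = accept).

    Requires a safe prime p and a generator g of the order-q subgroup,
    so every honestly generated public value is a quadratic residue."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("prime too small")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_safe_prime(p):
        problems.append("p is not a safe prime: p-1 may be smooth (Pohlig-Hellman)")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    elif is_safe_prime(p) and pow(g, (p - 1) // 2, p) != 1:
        problems.append("generator does not have order q")
    return problems


def validate_public_value(p: int, y: int) -> bool:
    """Reject 0, 1 and p-1 (the checks discussed above) and anything outside
    the order-q subgroup of a safe-prime group."""
    if not 1 < y < p - 1:
        return False
    q = (p - 1) // 2
    return pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy values: 1019 = 2*509 + 1 is a safe prime; 12289 = 3*2^12 + 1
    # is prime but p-1 is completely smooth, the Pohlig-Hellman-weak case.
    print("1019 largest factor of p-1:", largest_prime_factor(1018))
    print("12289 largest factor of p-1:", largest_prime_factor(12288))
    print("group 1019/4:", validate_group(1019, 4, min_bits=0))
    print("group 12289/11:", validate_group(12289, 11, min_bits=0))
    for y in (0, 1, 2, 1018, pow(4, 77, 1019)):
        print("public value", y, "accepted:", validate_public_value(1019, y))
```

The public-value check rejects 2 modulo 1019 even though it is in range, because 2 is a non-residue there (1019 ≡ 3 mod 8) and so generates the order-2q group rather than the order-q subgroup; a responder that insists on the q-subgroup leaks no low-order bits of its exponent through such values.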

