
Re: comments on Photuris




Ashar Aziz says:
> I think you misunderstood my intent. What I was trying to say was that 
> these special cases were the symptom of a larger problem. The larger
> problem is that if an adversary can steal one single signature
> over a quantity whose discrete log it knows or can compute, (in
> the format that the protocol expects) then this is catastrophic to 
> the protocol, because it allows unlimited impersonation thereafter.

I think I've solved this problem. Here is my strawman:

In Phil's algorithm, instead of signing the D-H components g^x'es
directly, all that is needed is to sign a hash of the g^x concatenated
with the "name" (to be defined in a moment) of the entity that I
intend to authenticate with.

The "name" should be a unique identifier of the party I anticipate
communicating with. By hashing the two together, I prevent the replay
of the signed g^x with another counterparty -- at most I can
impersonate the signer in communicating with myself, which is useless.

Perry
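Below is an added worked example of the binding described above; it is not code from the original post or from Photuris. It assumes Ed25519 as the signature scheme, SHA-256 as the hash, a constructed toy Diffie-Hellman group that is far too small for real use, and length-prefixed concatenation of g^x and the peer name (the post says only "concatenated"; the prefixes are an assumption added so the field boundary is unambiguous). The recipient verifies against its own name, so a signature captured in an exchange with "bob" does not verify when replayed to "carol".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Toy Diffie-Hellman group, constructed for illustration only (not a real group).
var (
	dhP, _ = new(big.Int).SetString("170141183460469231731687303715884105727", 10) // 2^127 - 1
	dhG    = big.NewInt(2)
)

// dhKeyPair picks a random exponent x and returns (x, g^x mod p).
func dhKeyPair() (*big.Int, *big.Int, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(dhP, big.NewInt(2)))
	if err != nil {
		return nil, nil, err
	}
	x.Add(x, big.NewInt(1)) // 1 <= x <= p-2
	return x, new(big.Int).Exp(dhG, x, dhP), nil
}

// bindingHash computes H(g^x || name). Each field is length-prefixed (an
// assumption beyond the post) so a peer cannot shift the boundary between them.
func bindingHash(gx *big.Int, peerName string) []byte {
	h := sha256.New()
	var lenBuf [4]byte
	gxBytes := gx.Bytes()
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(gxBytes)))
	h.Write(lenBuf[:])
	h.Write(gxBytes)
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(peerName)))
	h.Write(lenBuf[:])
	h.Write([]byte(peerName))
	return h.Sum(nil)
}

// signExchange signs the bound hash rather than g^x alone; peerName is the
// unique identifier of the party the signer intends to authenticate with.
func signExchange(priv ed25519.PrivateKey, gx *big.Int, peerName string) []byte {
	return ed25519.Sign(priv, bindingHash(gx, peerName))
}

// verifyExchange is run by the recipient, which substitutes its OWN name.
// A signature produced for a different counterparty cannot verify here.
func verifyExchange(pub ed25519.PublicKey, gx *big.Int, myName string, sig []byte) bool {
	return ed25519.Verify(pub, bindingHash(gx, myName), sig)
}

// replayScenario signs one g^x for "bob" and reports whether the signature is
// accepted by bob and whether the same signature, replayed to carol, is accepted.
func replayScenario() (acceptedByBob bool, acceptedByCarol bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	_, gx, err := dhKeyPair()
	if err != nil {
		return false, false, err
	}
	sig := signExchange(priv, gx, "bob")
	return verifyExchange(pub, gx, "bob", sig),
		verifyExchange(pub, gx, "carol", sig), nil
}

func main() {
	byBob, byCarol, err := replayScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted by bob: %v, replayed to carol: %v\n", byBob, byCarol)
}
```

Note that the only remaining use of a captured signature is against the signer itself, since only the signer's own name is bound into it, which is the "impersonate the signer in communicating with myself" case the post dismisses.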

