
Re: comments on Photuris

hugo@watson.ibm.com says:
> This is a step in the right direction. Now the exposure of this signature
> will only allow the intruder to impersonate that particular party whose name
> appears in the signature.

No -- it only allows the exposure to impersonate the party TO the
party whose name appears in the signature, which means that at best
that party can impersonate the other party to themselves -- a dubious
accomplishment at best.

> The right way to guarantee freshness is by nonces (challenge/response).

Well, this is certainly *a* way to guarantee it. I'll point out,
though, that if you aren't careful you can use nonces to play
man-in-the-middle; you have to compound the nonce with the D-H key.

> Nonetheless, notice that when you communicate to somebody with whom
> you already have communicated before and can keep a state for this
> party, then the nonces can be exchanged at the end of the previous
> key exchange round.

True enough; rekeying can make use of such mechanisms.

> BTW, the solution suggested by Perry has another problem. You shouldn't be
> signing the identity of the party you talk to. This could be used later
> to *prove* that you talked to that party.

That is certainly true as well.

Perhaps another possibility is simply somehow setting the protocol up
to help to guarantee that the D-H primes are strong.

Perry
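As an added illustration of the point above about compounding the nonce with the D-H key (example code written for this page, not part of the original message or of Photuris): a toy exchange where an HMAC under a long-term key stands in for the signature, and an in-path relay forwards the nonces untouched but substitutes its own D-H public values. The group, long-term keys and nonces are all constructed here; an authenticator over the nonce alone lets the substitution pass, one that also covers both public values does not.

```python
import hmac, hashlib, secrets

# Toy Diffie-Hellman group (Mersenne prime 2^61-1, generator 5); constructed
# for illustration only, far too small for real use.
P = 2**61 - 1
G = 5

def dh_public(x):
    return pow(G, x, P)

def dh_shared(peer_pub, x):
    return pow(peer_pub, x, P)

def authenticator(long_term_key, nonce_peer, nonce_own, pub_peer, pub_own, bind_dh):
    """Stand-in for the signature discussed in the thread: an HMAC under a
    long-term key (hypothetical; a real protocol would sign).
    bind_dh=False covers only the peer's nonce, the pattern Perry warns about;
    bind_dh=True compounds both nonces with both D-H public values."""
    parts = [nonce_peer]
    if bind_dh:
        parts += [nonce_own, pub_peer.to_bytes(8, "big"), pub_own.to_bytes(8, "big")]
    return hmac.new(long_term_key, b"".join(parts), hashlib.sha256).digest()

def run_exchange(bind_dh, mitm):
    """Simulate A <-> B, optionally with a relay M swapping in its own g^m.
    Returns (a_accepts, b_accepts, a_and_b_derived_the_same_key)."""
    key_a, key_b = b"A-long-term-key", b"B-long-term-key"   # constructed sample keys
    a, b, m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    ga, gb, gm = dh_public(a), dh_public(b), dh_public(m)
    # What each side actually receives: nonces pass through, D-H values may not.
    b_sees_ga = gm if mitm else ga
    a_sees_gb = gm if mitm else gb
    auth_a = authenticator(key_a, nb, na, a_sees_gb, ga, bind_dh)   # A's authenticator
    auth_b = authenticator(key_b, na, nb, b_sees_ga, gb, bind_dh)   # B's authenticator
    # Each verifier recomputes over the values it saw, not the ones the peer sent.
    a_accepts = hmac.compare_digest(
        auth_b, authenticator(key_b, na, nb, ga, a_sees_gb, bind_dh))
    b_accepts = hmac.compare_digest(
        auth_a, authenticator(key_a, nb, na, gb, b_sees_ga, bind_dh))
    same_key = dh_shared(a_sees_gb, a) == dh_shared(b_sees_ga, b)
    return a_accepts, b_accepts, same_key
```

With `bind_dh=False` and a relay present, both sides accept while each has in fact agreed a key with the relay rather than with each other; with `bind_dh=True` the same substitution makes both authenticators fail to verify.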