
comments on Photuris



Ref:  Your note of Tue, 07 Feb 1995 15:44:57 -0500 (attached)

 > No -- it only allows the exposure to impersonate the party TO the
 > party who's name appears in the signature, which means that at best

Of course. This is what I meant (and not what I wrote - sorry).
This attack looks bad enough to me.

 > Well, this is certainly *a* way to guarantee it. I'll point out,
 > though, that if you aren't careful you can use nonces to play
 > man-in-the-middle; you have to compound the nonce with the D-H key.

I definitely mean that. The signature will contain both the nonce AND the g^x
(btw, the g^x sent from A to B can also be used as a challenge from A to B).

 >
 > > Nonetheless, notice that when you communicate to somebody with whom
 > > you already have communicated before and can keep a state for this
 > > party, then the nonces can be exchanged at the end of the previous
 > > key exchange round.
 >
 > True enough; rekeying can make use of such mechanisms.
 >
 > > BTW, the solution suggested by Perry has another problem. You shouldn't be
 > > signing the identity of the party you talk to. This could be used later
 > > to *prove* that you talked to that party.
 >
 > That is certainly true as well.
 >
 > Perhaps another possibility is simply somehow setting the protocol up
 > to help to guarantee that the D-H primes are strong.
 >

This only helps with some of the attacks outlined by Ashar but not against
occasional intruders (which are motivated to break in
depending on the potential gain. A good protocol minimizes such a gain).

Hugo
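The point made above, that the signature must cover both the challenge nonce and the signer's own g^x (and should leave out the peer's identity), is illustrated by the following added example. It is not code from the thread or from any Photuris implementation; the Diffie-Hellman group (p = 1019, g = 4), the textbook-RSA key built from two Mersenne primes, and the `run_exchange` simulation are all constructed here with toy sizes purely to show what a verifier accepts or rejects.

```python
import hashlib
import secrets

# --- Constructed toy parameters (not secure sizes; illustration only) ---
# Diffie-Hellman group: safe prime p = 2*q + 1 with q = 509; g = 4 has order q.
DH_P = 1019
DH_Q = 509
DH_G = 4

# Toy textbook-RSA key for party A, built from known Mersenne primes.
RSA_E = 65537


def make_rsa_key(p, q):
    """Return (n, d) for textbook RSA with public exponent RSA_E."""
    n = p * q
    d = pow(RSA_E, -1, (p - 1) * (q - 1))  # Python >= 3.8
    return n, d


KEY_A = make_rsa_key((1 << 31) - 1, (1 << 61) - 1)


def encode(*fields):
    """Canonical length-prefixed encoding so field boundaries cannot shift."""
    out = b""
    for f in fields:
        b = f.to_bytes((f.bit_length() + 7) // 8 or 1, "big")
        out += len(b).to_bytes(2, "big") + b
    return out


def rsa_sign(key, payload):
    n, d = key
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(n, payload, sig):
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big") % n
    return pow(sig, RSA_E, n) == h


def signed_payload(nonce, gx, bind_dh):
    """What the signer commits to.  With bind_dh the signature covers the
    peer's nonce AND the signer's own g^x, as the thread proposes; without
    it only the nonce is signed.  The peer's identity is deliberately not
    included, so the signature cannot later prove whom the signer talked to."""
    return encode(nonce, gx) if bind_dh else encode(nonce)


def run_exchange(bind_dh, substitute_gx):
    """A answers B's challenge nonce with (g^x, signature over its payload).
    Returns True if B's verification accepts what arrived on the wire."""
    n_a, _ = KEY_A
    nonce_b = secrets.randbelow(1 << 64)          # B's challenge to A
    x = secrets.randbelow(DH_Q - 1) + 1
    gx = pow(DH_G, x, DH_P)
    sig = rsa_sign(KEY_A, signed_payload(nonce_b, gx, bind_dh))

    # On the wire an active intermediary may replace A's g^x with its own g^z.
    wire_gx = gx
    if substitute_gx:
        while wire_gx == gx:                      # make sure a change happened
            z = secrets.randbelow(DH_Q - 1) + 1
            wire_gx = pow(DH_G, z, DH_P)

    # B recomputes the payload from what it received and checks the signature.
    return rsa_verify(n_a, signed_payload(nonce_b, wire_gx, bind_dh), sig)


if __name__ == "__main__":
    print("bound, untouched  ->", run_exchange(True, False))   # accepted
    print("bound, swapped    ->", run_exchange(True, True))    # rejected
    print("nonce-only, swapped ->", run_exchange(False, True)) # accepted: flaw
```

Only the variant that binds g^x into the signed payload makes the receiver reject a substituted Diffie-Hellman value; a signature over the nonce alone proves liveness but says nothing about which g^x belongs to the signer. The same construction works in the other direction, where A's g^x serves as the challenge that B signs together with its own g^y.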