comments on Photuris
Ref: Your note of Tue, 07 Feb 1995 15:44:57 -0500 (attached)
> No -- it only allows the exposure to impersonate the party TO the
> party who's name appears in the signature, which means that at best
Of course. This is what I meant (and not what I wrote - sorry).
This attack looks bad enough to me.
> Well, this is certainly *a* way to guarantee it. I'll point out,
> though, that if you aren't careful you can use nonces to play
> man-in-the-middle; you have to compound the nonce with the D-H key.
I definitely mean that. The signature will contain both the nonce AND the g^x
(btw, the g^x sent from A to B can also be used as a challenge from A to B).
>
> > Nonetheless, notice that when you communicate to somebody with whom
> > you already have communicated before and can keep a state for this
> > party, then the nonces can be exchanged at the end of the previous
> > key exchange round.
>
> True enough; rekeying can make use of such mechanisms.
>
> > BTW, the solution suggested by Perry has another problem. You shouldn't be
> > signing the identity of the party you talk to. This could be used later
> > to *prove* that you talked to that party.
>
> That is certainly true as well.
>
> Perhaps another possibility is simply somehow setting the protocol up
> to help to guarantee that the D-H primes are strong.
>
This only helps with some of the attacks outlined by Ashar but not against
occasional intruders (which are motivated to break in
depending on the potential gain. A good protocol minimizes such a gain).
Hugo