
Re: comments on Photuris



> From: "Perry E. Metzger" <perry@imsi.com>
> No -- it only allows the exposure to impersonate the party TO the
> party whose name appears in the signature, which means that at best
> that party can impersonate the other party to themselves -- a dubious
> accomplishment at best.

I am not convinced that this is the case. You haven't really described
how the protocol would ensure that the party attempting to connect to you
is really who they claim to be, *prior* to providing the signature
of g^x and the name of the connecting party. That is, what prevents
me from claiming to be the party whom I intend to attack as you, getting
your signature on g^x and that party's name, and then later providing
the site under attack with (x, g^x, Signed(g^x, attack site's name))?
(Where x is obtained by one of the several scenarios outlined earlier.)

Furthermore, including in the signature the name of the party makes
precomputation far less feasible, since you don't know in advance
all the parties you are going to talk to. (By contrast, g^x and
Signed(g^x) are purely random, and don't bear any relationship
to who you might communicate with in the future.)

Regards,
Ashar.
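The following toy model is an added illustration of the binding question discussed in this thread; it is not code from the thread, from the Photuris draft, or from either correspondent. It assumes a small constructed Diffie-Hellman group, HMAC-SHA256 as a stand-in for a real public-key signature (the verifier is handed the signer's key only so the check can run offline), and three constructed party names, "perry" (the signer), "carol" (the site under attack) and "mallory" (the connecting party). It shows what a verifying site can and cannot check from the tuple (x, g^x, Signed(...)) alone: with Signed(g^x) there is nothing to check the name against, with Signed(g^x, name) a mismatched name is rejected, and a name the signer wrote down without verifying it first still passes, which is the gap the mail points at.

```python
"""Toy model of signature binding in a Photuris-style exchange (added example)."""
import hashlib
import hmac
import json

# Constructed toy group; a real deployment uses a proper, agreed DH group.
P = 2**127 - 1
G = 5

# Constructed long-term key; stands in for the signer's private/public pair.
SIGNING_KEYS = {"perry": b"perry-long-term-key-CONSTRUCTED"}


def sign(signer: str, payload: dict) -> bytes:
    """HMAC over a canonical encoding, used here as a stand-in for a signature."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SIGNING_KEYS[signer], msg, hashlib.sha256).digest()


def verify(signer: str, payload: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signer, payload), sig)


def issue_unnamed(signer: str, x: int):
    """Signed(g^x): the signed object says nothing about whom it was made for,
    so it can be precomputed before any peer is known."""
    gx = pow(G, x, P)
    payload = {"gx": gx}
    return payload, sign(signer, payload)


def issue_named(signer: str, x: int, claimed_peer: str):
    """Signed(g^x, name): the signer writes in the name the connecting party
    claimed. Whether that claim was authenticated first is the open question."""
    gx = pow(G, x, P)
    payload = {"gx": gx, "peer": claimed_peer}
    return payload, sign(signer, payload)


def accept_at(site: str, claimed_signer: str, x: int, payload: dict, sig: bytes) -> bool:
    """Checks the receiving site can make on a presented (x, g^x, Signed(...)):
    the signature verifies, x really is the exponent behind g^x, and if the
    signed object carries a name, that name is ours."""
    if not verify(claimed_signer, payload, sig):
        return False
    if pow(G, x, P) != payload["gx"]:
        return False
    if "peer" in payload and payload["peer"] != site:
        return False
    return True


X = 123456789  # constructed; the thread assumes x was obtained by some earlier means


def scenario_unnamed() -> bool:
    """Signed(g^x) presented to carol: nothing ties it to any peer, so it is accepted."""
    payload, sig = issue_unnamed("perry", X)
    return accept_at("carol", "perry", X, payload, sig)


def scenario_named_honest_name() -> bool:
    """Signature issued for 'mallory', presented to carol: name check rejects it."""
    payload, sig = issue_named("perry", X, "mallory")
    return accept_at("carol", "perry", X, payload, sig)


def scenario_named_forged_name() -> bool:
    """Signer wrote 'carol' because the connecting party claimed that name
    without being verified first: the name check at carol cannot tell."""
    payload, sig = issue_named("perry", X, "carol")
    return accept_at("carol", "perry", X, payload, sig)


if __name__ == "__main__":
    print("Signed(g^x) accepted at carol:          ", scenario_unnamed())
    print("Signed(g^x,'mallory') accepted at carol:", scenario_named_honest_name())
    print("Signed(g^x,'carol') accepted at carol:  ", scenario_named_forged_name())
```

The third scenario is the point of the reply: the name in the signature only helps the receiving site if the signer established that name before signing, which is a check on the signer's side of the exchange rather than something the tuple itself can carry. The first scenario also shows the precomputation remark concretely: `issue_unnamed` takes no peer argument, so its output can be produced in advance, while `issue_named` cannot be computed until the peer is known.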