[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: compare-jfk-sigma.txt
Derek Atkins <warlord@mit.edu> writes:
> Hugo Krawczyk <hugo@ee.technion.ac.il> writes:
>
> > Note that the poor initiator cannot amortize the costs of this
> > signature verification!
>
> This is actually a feature for DoS protection -- you want the
> initiator to do as much if not more work than the responder.
I don't see that this really works. Attackers can pretty
much ignore the server's signature. Legitimate servers don't
usually generate bogus signatures on their DH shares :)
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
References: