[14460] in cryptography@c2.net mail archive
Re: DH with shared secret
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Fri Oct 3 13:56:57 2003
X-Original-To: cryptography@metzdowd.com
To: Jack Lloyd <lloyd@randombit.net>
Cc: cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 03 Oct 2003 10:49:50 -0700
In-Reply-To: <Pine.LNX.4.44.0310030505100.28309-100000@centaur.acm.jhu.edu>
Jack Lloyd <lloyd@randombit.net> writes:
> This was just something that popped into my head a while back, and I was
> wondering if this works like I think it does. And who came up with it
> before me, because it was too obvious. It's just that I've never heard of
> something along these lines before.
>
> Basically, you share some secret with someone else (call it S). Then you
> do a standard issue DH exchange, but instead of the shared key being
> g^(xy), it's g^(xyS)
>
> My impression is that, unless you know S, you can't do a successful MITM
> attack on the exchange. Additionally, AFAICT, it provides PFS, since if
> someone later recovers S, there's still that nasty DH exchange to deal
> with. Of course after S is known MITM becomes possible.
The problem with this protocol is that a single MITM allows
a dictionary attack. There are better ways to do this.
Keywords: EKE, SRP, SPEKE
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
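The proposed g^(xyS) exchange and the single-interposition dictionary attack the reply points to, as an added toy example in Python (not code from either poster): an active man-in-the-middle who replaces Alice's g^x with her own g^e learns Bob's key up to the unknown S, and can then test password guesses offline against Bob's key-confirmation message. The modulus, generator and the hash-based mapping from password to S are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: the Mersenne prime 2^127-1 and generator 3.
# A real deployment would use a >= 2048-bit safe prime; the weakness shown
# here does not depend on the size of P.
P = 2**127 - 1
G = 3

def password_to_s(password: str) -> int:
    """Map the shared password to the exponent S used in K = g^(x*y*S)."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1

def derive_key(shared_point: int) -> bytes:
    return hashlib.sha256(shared_point.to_bytes(16, "big")).digest()

def confirm(key: bytes, label: bytes) -> bytes:
    # Key-confirmation tag; any ciphertext under the key would serve as well.
    return hmac.new(key, label, hashlib.sha256).digest()

def honest_exchange(password: str) -> bool:
    """Alice and Bob both know the password; both arrive at g^(x*y*S)."""
    S = password_to_s(password)
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)          # the public DH values
    k_alice = derive_key(pow(gy, x * S, P))
    k_bob = derive_key(pow(gx, y * S, P))
    return hmac.compare_digest(k_alice, k_bob)

def mitm_dictionary_attack(password: str, candidates):
    """Eve, who does not know the password, interposes once and then
    tests a password list offline against Bob's confirmation tag."""
    S = password_to_s(password)                   # known only to Alice and Bob
    e = secrets.randbelow(P - 2) + 1              # Eve's own DH exponent
    ge = pow(G, e, P)                             # sent to Bob in place of g^x
    y = secrets.randbelow(P - 2) + 1              # Bob behaves honestly
    gy = pow(G, y, P)
    bob_tag = confirm(derive_key(pow(ge, y * S, P)), b"bob")  # Bob: g^(e*y*S)
    # Offline phase: Eve knows e and saw g^y, so g^(e*y) is hers to compute;
    # S is the only unknown, and each guess costs one exponentiation.
    gey = pow(gy, e, P)
    for cand in candidates:
        guess = confirm(derive_key(pow(gey, password_to_s(cand), P)), b"bob")
        if hmac.compare_digest(guess, bob_tag):
            return cand
    return None
```

Because the guessing happens after the single run has ended, the exchange itself gives no rate limiting; that is the gap the PAKE designs named in the reply (EKE, SRP, SPEKE) close.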
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com