[147604] in cryptography@c2.net mail archive

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was:

daemon@ATHENA.MIT.EDU (Richard Outerbridge)
Thu Oct 10 18:47:12 2013

X-Original-To: cryptography@metzdowd.com
From: Richard Outerbridge <outer@sympatico.ca>
In-Reply-To: <CF0FBADC-6371-421F-94C1-F48C6BAA42BC@cs.tcd.ie>
Date: Thu, 10 Oct 2013 17:15:33 -0400
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: John Kelsey <crypto.jmk@gmail.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Bill Frantz <frantz@pwpconsult.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 2013-10-10 (283), at 15:29:33, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>> On 10 Oct 2013, at 17:06, John Kelsey <crypto.jmk@gmail.com> wrote:
>> 
>> Just thinking out loud....
>> 

[....]

>> c.  Both sides derive the shared key abG, and then use SHAKE512(abG) to generate an AES key for messages in each direction.

How does this prevent MITM?  Where does G come from?

I'm also leery of using literally the same key in both directions.  Maybe a simple transform would suffice; maybe not.

>> d.  Each side keeps a sequence number to use as a nonce.  Both sides use AES-CCM with their sequence number and their sending key, and keep track of the sequence number of the most recent message received from the other side. 

If the same key is used, there needs to be a simple way of ensuring the sequence numbers can never overlap each other.
__outer
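The two objections in the reply (one key used in both directions, and sequence numbers that can overlap) can be made concrete. The example below is added here and is not part of the original post or of the quoted design: it derives per-direction keys from the shared secret, builds CCM-style nonces from each sender's sequence number with and without a direction tag, and shows why the unseparated variant fails. Assumptions: SHAKE256 from Python's hashlib stands in for the quoted "SHAKE512" (FIPS 202 defines SHAKE128 and SHAKE256 only); the direction labels "A->B"/"B->A" and the 13-byte nonce layout are choices made for this example; the shared secret and the two messages are constructed; and, because the standard library has no AES-CCM, the CTR keystream inside CCM is simulated with SHAKE256(key || nonce), which has the one property the argument needs (same key and nonce give the same keystream).

```python
import hashlib
from typing import Tuple

# Constructed stand-in for the Diffie-Hellman output abG from the quoted design;
# in a real exchange this is the shared group element, not a constant.
SHARED_SECRET = bytes.fromhex(
    "9f3c5a1b7e2d4c6a8b0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69"
)
KEY_LEN = 32    # AES-256 key size
NONCE_LEN = 13  # CCM nonce length when the length field L is 2 bytes

# Constructed sample messages, one per direction (equal length keeps the
# XOR comparison below byte-for-byte).
PA = b"transfer 1000 to acct 42"
PB = b"ack: received message 01"


def derive_directional_keys(shared: bytes) -> Tuple[bytes, bytes]:
    """Derive two unrelated AES keys from the shared secret with SHAKE256.

    The direction labels are hypothetical domain-separation tags chosen for this
    example; the quoted design only says SHAKE(abG). Different labels give
    independent outputs, so the two directions never share a key.
    """
    k_ab = hashlib.shake_256(b"A->B|" + shared).digest(KEY_LEN)
    k_ba = hashlib.shake_256(b"B->A|" + shared).digest(KEY_LEN)
    return k_ab, k_ba


def single_shared_key(shared: bytes) -> bytes:
    """The variant the reply is leery of: one key used in both directions."""
    return hashlib.shake_256(shared).digest(KEY_LEN)


def make_nonce(seq: int, direction: int, tagged: bool) -> bytes:
    """Build a 13-byte CCM nonce from a sender's sequence number.

    With tagged=True the first byte carries the direction bit, so the two
    senders' nonce spaces are disjoint for every seq. With tagged=False the
    nonce is the bare counter and both senders emit identical nonces.
    """
    if not 0 <= seq < 1 << (8 * (NONCE_LEN - 1)):
        raise ValueError("sequence number exhausted; rekey before continuing")
    prefix = bytes([direction & 1]) if tagged else b"\x00"
    return prefix + seq.to_bytes(NONCE_LEN - 1, "big")


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for the CTR keystream inside AES-CCM (assumption, see lead-in).

    Real CCM encrypts counter blocks under AES; SHAKE256(key || nonce) is used
    only because it is in the standard library and reproduces the property
    that matters here: same key and nonce produce the same keystream.
    """
    return hashlib.shake_256(key + nonce).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return xor(pt, keystream(key, nonce, len(pt)))


def two_time_pad_leak(key_a: bytes, key_b: bytes, tagged: bool) -> bool:
    """True if A's and B's first messages were encrypted under the same
    (key, nonce) pair: then c_a XOR c_b == p_a XOR p_b and a passive observer
    learns the XOR of the two plaintexts. Both sides start at seq = 1."""
    c_a = encrypt(key_a, make_nonce(1, 0, tagged), PA)
    c_b = encrypt(key_b, make_nonce(1, 1, tagged), PB)
    return xor(c_a, c_b) == xor(PA, PB)


def scenario(tagged: bool, separate_keys: bool) -> bool:
    """Run one combination of the two mitigations and report whether it leaks."""
    if separate_keys:
        k_a, k_b = derive_directional_keys(SHARED_SECRET)
    else:
        k_a = k_b = single_shared_key(SHARED_SECRET)
    return two_time_pad_leak(k_a, k_b, tagged)


if __name__ == "__main__":
    for tagged in (False, True):
        for separate in (False, True):
            print(f"direction-tagged nonce={tagged!s:5} separate keys={separate!s:5}"
                  f" -> leaks: {scenario(tagged, separate)}")
```

Only the combination with a shared key and untagged sequence-number nonces leaks; either fix alone (per-direction keys, or a direction bit that keeps the two nonce spaces disjoint) is enough, and doing both costs nothing. The `ValueError` on counter exhaustion is the other half of the same rule: a nonce must never repeat under a key, including by wraparound.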



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography