[16975] in cryptography@c2.net mail archive
Re: I'll show you mine if you show me, er, mine
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Mar 3 14:39:00 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, cypherpunks@al-qaeda.net,
rah@shipwright.com
In-Reply-To: <p0611044dbe42228f351f@[68.167.57.91]>
Date: Thu, 24 Feb 2005 02:29:46 +1300
"R.A. Hettinga" <rah@shipwright.com> forwarded:
>Briefly, it works like this: point A transmits an encrypted message to point
>B. Point B can decrypt this, if it knows the password. The decrypted text is
>then sent back to point A, which can verify the decryption, and confirm that
>point B really does know point A's password. Point A then sends the password
>to point B to confirm that it really is point A, and knows its own password.
Isn't this a Crypto 101 mutual authentication mechanism (or at least a
somewhat broken reinvention of such)? If the exchange to prove knowledge of
the PW has already been performed, why does A need to send the PW to B in the
last step? You either use timestamps to prove freshness or add an extra
message to exchange a nonce and then there's no need to send the PW. Also in
the above B is acting as an oracle for password-guessing attacks, so you don't
send back the decrypted text but a recognisable-by-A encrypted response, or
garbage if you can't decrypt it, taking care to take the same time whether you
get a valid or invalid message to avoid timing attacks. Blah blah Kerberos
blah blah done twenty years ago blah blah a'om bomb blah blah.
(Either this is a really bad idea or the details have been mangled by the
Register).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
