"R.A. Hettinga" <rah@shipwright.com> forwarded:
Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.
Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW. Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks. Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah. (Either this is a really bad idea or the details have been mangled by the Register). Peter.