Diffie-Hellman and MITM

Jack Lloyd lloyd at acm.jhu.edu
Fri Jun 28 08:09:33 PDT 2002


On Thu, 27 Jun 2002, Mike Rosing wrote:

> On Thu, 27 Jun 2002, Marcel Popescu wrote:
>
> > Is there a defense against MITM for Diffie-Hellman? Is there another
> > protocol with equivalent properties, with such a defense? (Secure
> > communications between two parties, with no shared secret and no out-of-band
> > abilities, on an insecure network.)
>
> What do you mean by no shared secret?  The point of DH is that you
> get a shared secret.

I think the original poster meant no shared secrets at the beginning of the
protocol.

> Check out MQV protocol for MITM defense and forward secrecy.  It
> uses permanent public keys and ephemeral public keys for each
> session.  In any protocol, the out-of-band check of the public
> keys is still a "good thing".

You can also do this with DH (use a pair of DH keys, one long term and the
other for that single exchange). IEEE 1363 includes this as well as MQV. I
don't know how the security compares between these two options, though.

-J
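
The two-key DH idea mentioned above, sketched as an added example (not part of the original message and not the IEEE 1363 text): each side hashes a long-term/long-term DH value together with an ephemeral/ephemeral one. Assumptions: the toy group, the function names, and that each side already holds the other's authentic long-term public key.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too
# small for real use, and G = 3 is an arbitrary base.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(*values):
    # Hash fixed-width encodings of the DH outputs into a session key.
    return hashlib.sha256(b"".join(v.to_bytes(16, "big") for v in values)).digest()

def ephemeral_only(eph_priv, peer_eph_pub):
    return kdf(pow(peer_eph_pub, eph_priv, P))

def static_plus_ephemeral(static_priv, eph_priv, peer_static_pub, peer_eph_pub):
    # Two DH computations: long-term with long-term, ephemeral with ephemeral.
    return kdf(pow(peer_static_pub, static_priv, P),
               pow(peer_eph_pub, eph_priv, P))

def demo():
    a_s, A_s = keypair()   # Alice, long-term
    b_s, B_s = keypair()   # Bob, long-term
    a_e, A_e = keypair()   # Alice, this session only
    b_e, B_e = keypair()   # Bob, this session only
    m, M = keypair()       # value a man in the middle swaps in for A_e and B_e
    r = {}
    # Undisturbed run: both ends derive the same key.
    r["honest_agree"] = (static_plus_ephemeral(a_s, a_e, B_s, B_e)
                         == static_plus_ephemeral(b_s, b_e, A_s, A_e))
    # Ephemeral-only DH with M swapped in: the middle shares Alice's key.
    r["plain_dh_intercepted"] = ephemeral_only(a_e, M) == ephemeral_only(m, A_e)
    # Two-key variant under the same swap.
    k_alice = static_plus_ephemeral(a_s, a_e, B_s, M)
    k_bob = static_plus_ephemeral(b_s, b_e, A_s, M)
    # Without a_s or b_s the middle cannot form G^(a_s*b_s); substituting m
    # for the missing long-term secret yields a different key.
    k_guess = static_plus_ephemeral(m, m, B_s, A_e)
    r["two_key_intercepted"] = k_guess == k_alice
    # The ends no longer agree either, so the session fails visibly.
    r["endpoints_agree_under_attack"] = k_alice == k_bob
    return r
```

This shows one substitution failing, not a security proof, and it rests entirely on the long-term public keys being authentic.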




