I'll show you mine if you show me, er, mine

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 23 05:29:46 PST 2005


"R.A. Hettinga" <rah at shipwright.com> forwarded:

>Briefly, it works like this: point A transmits an encrypted message to point
>B. Point B can decrypt this, if it knows the password. The decrypted text is
>then sent back to point A, which can verify the decryption, and confirm that
>point B really does know point A's password. Point A then sends the password
>to point B to confirm that it really is point A, and knows its own password.

Isn't this a Crypto 101 mutual authentication mechanism (or at least a
somewhat broken reinvention of such)?  If the exchange to prove knowledge of
the PW has already been performed, why does A need to send the PW to B in the
last step?  You either use timestamps to prove freshness or add an extra
message to exchange a nonce and then there's no need to send the PW.  Also in
the above B is acting as an oracle for password-guessing attacks, so you don't
send back the decrypted text but a recognisable-by-A encrypted response, or
garbage if you can't decrypt it, taking care to take the same time whether you
get a valid or invalid message to avoid timing attacks.  Blah blah Kerberos
blah blah done twenty years ago blah blah a'om bomb blah blah.

(Either this is a really bad idea or the details have been mangled by the
Register).

Peter.
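The three-message exchange Peter sketches (an extra message to swap nonces, no password on the wire, B never echoing decrypted text, and a constant-time check), written out as an added example that is not part of the post and not any particular product's protocol. It realises the idea with keyed MACs over the nonces rather than with encryption and a "recognisable-by-A" response; the PBKDF2 key derivation, the fixed salt and iteration count, the 16-byte nonces and the "A"/"B" role bytes are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # assumed nonce size for the example


def derive_key(password: str, salt: bytes = b"example-salt") -> bytes:
    """Both ends stretch the shared password into a MAC key.

    The fixed salt and low iteration count are placeholders for the example;
    real code would store a random salt and use far more iterations.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)


def mac(key: bytes, role: bytes, n1: bytes, n2: bytes) -> bytes:
    # The role byte binds each tag to its direction, so a tag produced by B
    # can never be reflected back to B as though A had produced it.
    return hmac.new(key, role + n1 + n2, hashlib.sha256).digest()


def b_respond(key_b: bytes, nonce_a: bytes) -> Tuple[bytes, bytes]:
    """Message 2 (B -> A): B's own fresh nonce plus a MAC over both nonces.

    B proves it knows the password without revealing it, and the only thing
    it ever returns is a tag, so it is not a decryption oracle for a caller
    who feeds it chosen messages.
    """
    nonce_b = secrets.token_bytes(NONCE_LEN)
    return nonce_b, mac(key_b, b"B", nonce_a, nonce_b)


def a_verify_and_respond(key_a: bytes, nonce_a: bytes, nonce_b: bytes,
                         tag_b: bytes) -> Optional[bytes]:
    """A checks B's tag in constant time; on success it returns message 3.

    Message 3 is another MAC, so A proves knowledge of the password without
    sending the password itself (the step the quoted scheme gets wrong).
    """
    expected = mac(key_a, b"B", nonce_a, nonce_b)
    if not hmac.compare_digest(expected, tag_b):
        return None
    return mac(key_a, b"A", nonce_b, nonce_a)


def b_verify(key_b: bytes, nonce_a: bytes, nonce_b: bytes, tag_a: bytes) -> bool:
    """B checks A's final tag.

    The expected value is always computed and compared in constant time, so a
    wrong tag costs the same as a right one and leaks nothing through timing.
    """
    expected = mac(key_b, b"A", nonce_b, nonce_a)
    return hmac.compare_digest(expected, tag_a)


def run_handshake(password_a: str, password_b: str) -> Tuple[bool, bool]:
    """Drive the three messages and report whether each side accepted."""
    key_a, key_b = derive_key(password_a), derive_key(password_b)
    nonce_a = secrets.token_bytes(NONCE_LEN)            # message 1: A -> B
    nonce_b, tag_b = b_respond(key_b, nonce_a)          # message 2: B -> A
    tag_a = a_verify_and_respond(key_a, nonce_a, nonce_b, tag_b)
    if tag_a is None:
        return False, False                             # A aborts, nothing more is sent
    return True, b_verify(key_b, nonce_a, nonce_b, tag_a)  # message 3: A -> B


def replay_fails(password: str) -> bool:
    """Freshness check: a recorded message 2 replayed into a new session is
    rejected, because the new session carries a different nonce from A."""
    key = derive_key(password)
    old_nonce_a = secrets.token_bytes(NONCE_LEN)
    old_nonce_b, old_tag_b = b_respond(key, old_nonce_a)
    new_nonce_a = secrets.token_bytes(NONCE_LEN)
    return a_verify_and_respond(key, new_nonce_a, old_nonce_b, old_tag_b) is None


if __name__ == "__main__":
    print(run_handshake("correct horse", "correct horse"))  # (True, True)
    print(run_handshake("correct horse", "wrong guess"))    # (False, False)
    print(replay_fails("correct horse"))                    # True
```

Nothing but nonces and MAC tags crosses the wire, which is the whole point of the nonce exchange. What this does not do is stop a passive listener from trying candidate passwords offline against a captured (nonce_a, nonce_b, tag) triple; that needs a PAKE rather than a bare challenge-response, so the password still has to carry real entropy.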
