I'll show you mine if you show me, er, mine

Whyte, William WWhyte at ntru.com
Thu Mar 3 19:24:24 PST 2005

I haven't read the original paper, and I have a great deal of
respect for Markus Jakobsson. However, techniques that establish
that the parties share a weak secret without leaking that secret
have been around for years -- Bellovin and Merritt's DH-EKE,
David Jablon's SPEKE. And they don't require either party to
send the password itself at the end.


> -----Original Message-----
> From: pgut001 at cs.auckland.ac.nz [mailto:pgut001 at cs.auckland.ac.nz] 
> Sent: Wednesday, February 23, 2005 7:30 AM
> To: cryptography at metzdowd.com; cypherpunks at al-qaeda.net; 
> rah at shipwright.com
> Subject: Re: I'll show you mine if you show me, er, mine
> "R.A. Hettinga" <rah at shipwright.com> forwarded:
> >Briefly, it works like this: point A transmits an encrypted message to point
> >B. Point B can decrypt this, if it knows the password. The decrypted text is
> >then sent back to point A, which can verify the decryption, and confirm that
> >point B really does know point A's password. Point A then sends the password
> >to point B to confirm that it really is point A, and knows its own password.
> Isn't this a Crypto 101 mutual authentication mechanism (or at least a
> somewhat broken reinvention of such)?  If the exchange to prove knowledge of
> the PW has already been performed, why does A need to send the PW to B in the
> last step?  You either use timestamps to prove freshness or add an extra
> message to exchange a nonce and then there's no need to send the PW.  Also in
> the above B is acting as an oracle for password-guessing attacks, so you don't
> send back the decrypted text but a recognisable-by-A encrypted response, or
> garbage if you can't decrypt it, taking care to take the same time whether you
> get a valid or invalid message to avoid timing attacks.  Blah blah Kerberos
> blah blah done twenty years ago blah blah a'om bomb blah blah.
> 
> (Either this is a really bad idea or the details have been mangled by the
> Register).
> 
> Peter.
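The password-authenticated route Whyte points to, as an added example that is not part of this thread or of any of the named protocols' own code: a simplified SPEKE-style exchange in Python, followed by the key-confirmation step Peter argues should replace sending the password. The group (RFC 2409 group 2), the unsalted SHA-256 password hash without party identities, and the direction tags are simplifications chosen for illustration.

```python
import hashlib, hmac, secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), a safe prime p = 2q + 1, used
# only so the example runs stand-alone; real deployments use larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
P_BYTES = (P.bit_length() + 7) // 8

def speke_generator(password: bytes) -> int:
    # SPEKE: the DH base is g = H(pw)^2 mod p. Squaring lands g in the order-q
    # subgroup, so an eavesdropper sees only a generic-looking DH exchange.
    g = pow(int.from_bytes(hashlib.sha256(password).digest(), "big"), 2, P)
    if g in (0, 1):  # degenerate bases, astronomically unlikely for a hash output
        raise ValueError("unusable generator for this password")
    return g

def dh_share(password: bytes):
    # One side's ephemeral exponent x and public value g^x mod p.
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(speke_generator(password), x, P)

def shared_key(x: int, peer_public: int) -> bytes:
    # Refuse values outside the order-q subgroup before using them, so a peer
    # cannot confine the result to a small subgroup and learn about the password.
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return hashlib.sha256(pow(peer_public, x, P).to_bytes(P_BYTES, "big")).digest()

def confirm_tag(key: bytes, direction: bytes, transcript: bytes) -> bytes:
    return hmac.new(key, direction + transcript, hashlib.sha256).digest()

def run_exchange(password_a: bytes, password_b: bytes) -> bool:
    # Run both sides; True only if each side verified the other's confirmation tag.
    xa, pub_a = dh_share(password_a)
    xb, pub_b = dh_share(password_b)
    key_a, key_b = shared_key(xa, pub_b), shared_key(xb, pub_a)
    transcript = pub_a.to_bytes(P_BYTES, "big") + pub_b.to_bytes(P_BYTES, "big")
    # Key confirmation replaces sending the password: the fresh public values act as
    # nonces, each side MACs the transcript with a direction tag, peers compare in constant time.
    b_to_a = confirm_tag(key_b, b"B->A", transcript)
    a_accepts = hmac.compare_digest(b_to_a, confirm_tag(key_a, b"B->A", transcript))
    a_to_b = confirm_tag(key_a, b"A->B", transcript)
    b_accepts = hmac.compare_digest(a_to_b, confirm_tag(key_b, b"A->B", transcript))
    return a_accepts and b_accepts
```

With matching passwords both sides accept; with a wrong guess on either side the derived keys are unrelated, so the tags fail and nothing password-dependent has crossed the wire beyond the DH values.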
