I haven't read the original paper, and I have a great deal of respect for Markus Jakobsson. However, techniques that establish that the parties share a weak secret without leaking that secret have been around for years -- Bellovin and Merritt's DH-EKE, David Jablon's SPEKE. And they don't require either party to send the password itself at the end.
William > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 23, 2005 7:30 AM > To: cryptography@metzdowd.com; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: Re: I'll show you mine if you show me, er, mine > > > "R.A. Hettinga" <[EMAIL PROTECTED]> forwarded: > > >Briefly, it works like this: point A transmits an encrypted > message to point > >B. Point B can decrypt this, if it knows the password. The > decrypted text is > >then sent back to point A, which can verify the decryption, > and confirm that > >point B really does know point A's password. Point A then > sends the password > >to point B to confirm that it really is point A, and knows > its own password. > > Isn't this a Crypto 101 mutual authentication mechanism (or at least a > somewhat broken reinvention of such)? If the exchange to > prove knowledge of > the PW has already been performed, why does A need to send > the PW to B in the > last step? You either use timestamps to prove freshness or > add an extra > message to exchange a nonce and then there's no need to send > the PW. Also in > the above B is acting as an oracle for password-guessing > attacks, so you don't > send back the decrypted text but a recognisable-by-A > encrypted response, or > garbage if you can't decrypt it, taking care to take the same > time whether you > get a valid or invalid message to avoid timing attacks. Blah > blah Kerberos > blah blah done twenty years ago blah blah a'om bomb blah blah. > > (Either this is a really bad idea or the details have been > mangled by the > Register). > > Peter. > > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to > [EMAIL PROTECTED] >
