On Thu, Aug 12, 1999 at 07:54:22AM -0700, [EMAIL PROTECTED] wrote:
>> This is not secure. The master secret is derived from data
>> transmitted in clear and the premaster secret, which is just the
>> result of the DH exchange, which *can* be influenced by an attacker in
>> a way such that the client and server agree on its value and the
>> attacker knows it too.
> Really? How are you guys calculating the master secret from the DH
> exchange?
For non-anonymous DH, the DH share of the server is signed, which
avoids man-in-the-middle attacks and assures that you can just use the
result of the DH exchange as a secret value without special care. For
anonymous DH, no authentication is planned anyway, so the protocol
does not bother to prevent small-subgroup attacks.
> IPSEC IKE does an anonymous DH exchange, and then the DH shared key is
> authenticated under the DH exchange using Certificates (or Kerberos, if
> you're Microsoft).
If draft-ietf-ipsec-ike-01.txt is the relevant specification for this,
your description is inaccurate:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
For authentication with digital signatures, I and R are digitally
signed and the resulting signature is passed as a SIG payload during
the exchange. For authentication with pre-shared keys and both types
of public key encryption I and R are passed as a HASH payload during
the exchange.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I.e. it is not the shared key derived from the DH shares (g^ir) that is
authenticated, but the individual shares (g^i and g^r).
> This kind of thing *can* work, if you're using
> normal DH, which is what I thought TLS was using.
It could work without authentication for the two shares, but you'd
need some extra parameters (order of g in (Z/pZ)*) and extra
computation to avoid attacks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
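An added example, not part of the thread above and not OpenSSL's or IKE's code, showing the two points the reply makes about unauthenticated DH shares: an attacker who can substitute a share can confine the premaster secret to a small subgroup (and so learn it, and a mod t), or force both sides onto a value it knows; and rejecting such shares needs the order q of g, the "extra parameter" mentioned, plus the extra exponentiation. The group (p = 67 = 6q + 1, q = 11), the transcript format, the SHA-256 master-secret derivation and the HMAC "finished" oracle are all constructed for illustration; only the subgroup structure matters.

```python
"""Subgroup confinement on an unauthenticated DH exchange, and the share
validation that stops it.  Toy parameters constructed for this example;
not the code of OpenSSL, TLS or IKE."""
import hashlib
import hmac
import secrets

# Toy group: p = 6q + 1, so (Z/pZ)* has order 2 * 3 * q and contains small
# subgroups of order 2, 3 and 6 beside the prime-order-q subgroup honest
# parties use.  A real p is far larger; the structure is the same.
P, Q = 67, 11
H = 2                                    # primitive root mod 67 (checked below)
assert all(pow(H, (P - 1) // r, P) != 1 for r in (2, 3, Q))
G = pow(H, (P - 1) // Q, P)              # generator of the order-q subgroup


def element_of_order(t):
    """An element of (Z/pZ)* of order exactly t, for t dividing p-1."""
    assert (P - 1) % t == 0
    return pow(H, (P - 1) // t, P)


def keygen():
    """Honest party: private exponent x in [2, q-1], public share g^x mod p."""
    x = 2 + secrets.randbelow(Q - 2)
    return x, pow(G, x, P)


def master_secret(transcript, premaster):
    """Master secret from the cleartext transcript and the DH result, as the
    thread describes for TLS.  The hash is this example's choice."""
    return hashlib.sha256(transcript + premaster.to_bytes(8, "big")).digest()


def finished_mac(master):
    """Key-confirmation MAC; for the attacker it is an oracle on the master."""
    return hmac.new(master, b"finished", hashlib.sha256).digest()


def confine_and_recover(a_priv, t):
    """Attacker (in the middle of an anonymous exchange) replaces the peer
    share Alice receives with h of small order t.  Alice's premaster h^a then
    lies in {h^k : 0 <= k < t}, so the attacker tries all t candidates against
    Alice's Finished MAC.  Returns (recovered premaster, recovered a mod t)."""
    h = element_of_order(t)
    a_share = pow(G, a_priv, P)
    transcript = b"%d|%d" % (a_share, h)  # cleartext data as Alice sees it
    alice_pm = pow(h, a_priv, P)
    alice_mac = finished_mac(master_secret(transcript, alice_pm))
    for k in range(t):
        cand = pow(h, k, P)
        cand_mac = finished_mac(master_secret(transcript, cand))
        if hmac.compare_digest(cand_mac, alice_mac):
            return cand, k
    raise AssertionError("confinement failed")


def force_agreement(a_priv, b_priv):
    """Attacker hands both sides the share 1 (order 1): each computes 1^x = 1,
    so client and server agree on a premaster the attacker knows too.
    Returns the premaster as seen by Alice, Bob and the attacker."""
    return pow(1, a_priv, P), pow(1, b_priv, P), 1


def validate_share(y):
    """Accept only shares in the order-q subgroup.  Needs q (the 'order of g'
    the thread mentions) and one extra exponentiation; the range test alone
    only excludes the order-1 and order-2 elements."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1
```

With a signed share (non-anonymous DH) the substitution in `confine_and_recover` is not possible, which is why the reply says the DH result can then be used directly; `validate_share` is what an unauthenticated-share design would have to add, and it only works if q is transmitted or fixed.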