On Mon, Sep 29, 2003 at 07:53:29AM -0700, Eric Rescorla wrote: > I'm trying to figure out why you want to invent a new authentication > protocol rather than just going back to the literature and ripping > off one of the many skeletons that already exist (
Several reasons. Because it's fun, because we learn more from doing it ourselves (we learn from our mistakes too), because we want something that fits our needs. We could've just grabbed one from the shelf, but then we could also have grabbed IPsec or PPP-over-SSH from the shelf, instead of writing our own VPN daemon. However, we wanted something different. > STS, If you mean station-to-station protocol, then actually that is pretty much what we are doing now, except for encrypting instead of signing using RSA. > JFK, IKE, SKEME, SIGMA, etc.). And I just ripped TLS from the list. > That would save people from the trouble of having to analyze the > details of your new protoocl. Several people on this list have already demonstrated that they are very willing to analyse new protocols. Also, I don't *expect* you to do so, if you don't want to ignore me. > Why are you using RSA encryption to authenticate your DH rather > than using RSA signature? If we use RSA encryption, then both sides know their message can only be received by the intended recipient. If we use RSA signing, then we both sides know the message they receive can only come from the assumed sender. For the purpose of tinc's authentication protocol, I don't see the difference, but... > Now, the attacker chooses 0 as his DH public. This makes ZZ always > equal to zero, no matter what the peer's DH key is. I think you mean it is equal to 1 (X^0 is always 1). This is the first time I've heard of this, I've never thought of this myself. In that case I see the point of signing instead of encrypting. -- Met vriendelijke groet / with kind regards, Guus Sliepen <[EMAIL PROTECTED]>
signature.asc
Description: Digital signature