Andrew,

At 06:16 PM 12/25/98 -0500, you wrote:
>It's been about 8 months since I did any reading on the state of
>cryptography. I have two questions. Any info is appreciated.
>
>1. Anybody heard anything bad about MD5 or Diffie-Hellman?

Ask Dobbertin about MD5.  You might want to use SHA1
instead, or perhaps HMAC-SHA1.  As for DH, just
make sure you don't step in a small subgroup.

>2. What's the prevailing wisdom regarding protection against
>man-in-the-middle attacks when using Diffie-Hellman for key exchange?
>I'd love to avoid using a certificate authority, if possible.

In general, to prevent a DH middleman attack you authenticate
the exchange.  Authentication can be based on both sides
sharing a secret key, or each sharing the other's public key.
EKE and SPEKE are examples of shared-secret authenticated DH
and the Station-to-Station protocol is a digitally signed DH.

I list some papers on methods for authenticated key exchange,
mostly of the shared-secret variety, at:
        <http://world.std.com/~dpj/links.html>
While most of the site highlights my special favorite,
this general class of methods offers two benefits:
 -- No reliance on a CA, PKI, or pre-stored public-keys.
 -- Ability to use small memorized secrets.

While I don't track so closely the research on hash
functions, I'm sure you'll get consensual advice suggesting
SHA1 in preference to MD5 for increased key size and
resistance to attack.  And SHA1 has another bonus:
it can be implemented in a few hundred bytes of x86 code,
when you care even less about speed.  The HMAC construction
may cover potential weakness in using hashes directly.

Caveat:  Patents still cover some authenticated forms of DH.
Mitigation:  I've developed work-arounds for the earlier
patents, with much better rates.  :-)

Best regards,

David

-------------------------
David P. Jablon
Integrity Sciences, Inc.
[EMAIL PROTECTED]
<http://world.std.com/~dpj/>
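The two defensive points in the reply above, rejecting small-subgroup values and authenticating the exchange with a shared secret, as an added illustration that is not code from the original message or from Jablon's protocols. It uses a constructed toy safe-prime group (p = 2039, q = 1019, g = 4) and a simple HMAC-SHA1 key-confirmation tag keyed by a pre-shared secret; that tag is only a stand-in for EKE/SPEKE-style authentication and, unlike those, is not safe with a low-entropy password.

```python
import hashlib
import hmac
import secrets

# Constructed toy safe-prime group p = 2q + 1 with a generator of order q.
# Real deployments use standardized groups of 2048 bits or more.
P = 2039
Q = 1019
G = 4  # a quadratic residue mod P, hence of order exactly Q


def valid_public_value(y: int) -> bool:
    """Reject values outside (1, P-1) or outside the order-Q subgroup.
    Values such as 0, 1 or P-1 would confine the shared secret to a tiny
    subgroup, letting a middleman force a key it can guess."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keypair():
    x = secrets.randbelow(Q - 2) + 2  # private exponent in [2, Q-1]
    return x, pow(G, x, P)


def derive_key(peer_public: int, own_private: int) -> bytes:
    """Check the peer's value before using it, then hash the shared secret."""
    if not valid_public_value(peer_public):
        raise ValueError("peer value not in the prime-order subgroup")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha1(shared.to_bytes(2, "big")).digest()


def confirm_tag(psk: bytes, key: bytes, transcript: bytes) -> bytes:
    """HMAC-SHA1 over the exchanged values, keyed by the pre-shared secret
    and the fresh DH key; a middleman without psk cannot produce it."""
    return hmac.new(psk + key, transcript, hashlib.sha1).digest()


def exchange(psk_alice: bytes, psk_bob: bytes) -> bool:
    """Run one DH exchange and return whether Bob accepts Alice's tag."""
    a, ga = keypair()
    b, gb = keypair()
    transcript = ga.to_bytes(2, "big") + gb.to_bytes(2, "big")
    ka = derive_key(gb, a)
    kb = derive_key(ga, b)
    tag_a = confirm_tag(psk_alice, ka, b"A" + transcript)
    # Bob recomputes the tag with his own copy of the secret; constant-time compare
    return hmac.compare_digest(tag_a, confirm_tag(psk_bob, kb, b"A" + transcript))
```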
