Guus Sliepen <[EMAIL PROTECTED]> writes:

> On Mon, Sep 29, 2003 at 07:53:29AM -0700, Eric Rescorla wrote:
>
> > I'm trying to figure out why you want to invent a new authentication
> > protocol rather than just going back to the literature and ripping
> > off one of the many skeletons that already exist (
>
> Several reasons. Because it's fun, because we learn more from doing it
> ourselves (we learn from our mistakes too), because we want something
> that fits our needs. We could've just grabbed one from the shelf, but
> then we could also have grabbed IPsec or PPP-over-SSH from the shelf,
> instead of writing our own VPN daemon. However, we wanted something
> different.

And I'm trying to understand why. This answer sounds a lot like NIH. Was
there any technical reason why the existing cryptographic skeletons
wouldn't have been just as good?

> > STS,
>
> If you mean station-to-station protocol, then actually that is pretty
> much what we are doing now, except for encrypting instead of signing
> using RSA.

But that's not a harmless change, which is the point of the potential
attack I just described.

> > JFK, IKE, SKEME, SIGMA, etc.).
>
> And I just ripped TLS from the list.

Define "ripped". This certainly is not the same as TLS.

> > That would save people from the trouble of having to analyze the
> > details of your new protocol.
>
> Several people on this list have already demonstrated that they are very
> willing to analyse new protocols.

Actually, no. People are willing to take a quick look and then shoot
bullets at your protocol. That's not the same as doing a thorough
analysis, which can take years, as Steve Bellovin has pointed out about
Needham-Schroeder.

> > Why are you using RSA encryption to authenticate your DH rather
> > than using RSA signature?
>
> If we use RSA encryption, then both sides know their message can only be
> received by the intended recipient. If we use RSA signing, then both
> sides know the message they receive can only come from the assumed
> sender. For the purpose of tinc's authentication protocol, I don't see
> the difference, but...

There's no difference if it's done correctly. If it's not done
correctly...

> > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > equal to zero, no matter what the peer's DH key is.
>
> I think you mean it is equal to 1 (X^0 is always 1). This is the first
> time I've heard of this, I've never thought of this myself. In that case
> I see the point of signing instead of encrypting.

Except that the way you compute DH is to do Y^X rather than X^Y.

Look, there's nothing wrong with trying to invent new protocols,
especially as a learning experience. What I'm trying to figure out is why
you would put them in a piece of software rather than using one that has
undergone substantial analysis unless your new protocol has some actual
advantages. Does it?

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED] http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
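The degenerate-public-value point argued in the exchange above (a peer sending 0 as its DH public value forces the shared secret ZZ to 0 regardless of the other side's private exponent, since the secret is computed as Y^X) is easy to see in code, together with the validation a receiver should apply before using a peer's value. The following is an added example written for this page; it is not code from tinc, from Eric Rescorla or from Guus Sliepen. The group parameters `P`, `Q` and `G` are a constructed toy safe-prime group chosen so the arithmetic is readable, not a secure group, and the function names are this example's own.

```python
"""Added example: Diffie-Hellman with validation of the peer's public value.

Constructed illustration for the degenerate-value problem discussed on the
list.  Not tinc code.  The toy group below is for readability only.
"""
import secrets

# Constructed toy group: p = 2q + 1 with q prime; G generates the order-q
# subgroup (2^11 = 2048 = 89*23 + 1, so 2 has order 11 mod 23).  Not secure.
P = 23
Q = 11
G = 2


def gen_private() -> int:
    """Pick a private exponent x in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def public_value(x: int) -> int:
    """Compute the public value g^x mod p."""
    return pow(G, x, P)


def shared_secret_unchecked(peer_public: int, x: int) -> int:
    """Naive derivation: peer_public^x mod p with no check on peer_public.

    This is the computation the thread describes: if peer_public is 0 the
    result is 0 for every x (and 1 if peer_public is 1), so an unauthenticated
    peer can pin the secret to a known constant.
    """
    return pow(peer_public, x, P)


def validate_public(y: int) -> bool:
    """Reject public values that would confine the secret to a tiny set.

    - y outside [2, p-2] covers 0, 1 and p-1 (secret would be 0, 1 or +/-1).
    - y^q != 1 mod p means y is outside the prime-order subgroup, so the
      secret could be confined to a small subgroup instead.
    """
    if not 2 <= y <= P - 2:
        return False
    return pow(y, Q, P) == 1


def shared_secret_checked(peer_public: int, x: int) -> int:
    """Validate first; refuse to derive a key from a bad value."""
    if not validate_public(peer_public):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, x, P)


def is_rejected(peer_public: int, x: int) -> bool:
    """True if the checked derivation refuses this peer value."""
    try:
        shared_secret_checked(peer_public, x)
    except ValueError:
        return True
    return False


def zero_public_pins_secret() -> bool:
    """Show the effect from the thread: y = 0 gives secret 0 for every x."""
    return all(shared_secret_unchecked(0, x) == 0 for x in range(1, Q))


if __name__ == "__main__":
    xa, xb = gen_private(), gen_private()
    ya, yb = public_value(xa), public_value(xb)
    assert shared_secret_checked(yb, xa) == shared_secret_checked(ya, xb)
    print("honest exchange agrees; zero value pinned:", zero_public_pins_secret())
    print("peer value 0 rejected:", is_rejected(0, xa))
```

The subgroup check `y^q == 1 mod p` is what distinguishes this from a mere range check: with a safe prime p = 2q + 1 the only values that pass are members of the order-q subgroup, so neither the 0/1/p-1 trick nor a small-subgroup confinement can force the derived secret into a predictable set. Signing the DH value, as the thread suggests, addresses who sent it; validating it addresses whether it is usable at all, and a receiver wants both.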