"Bill Stewart" <[EMAIL PROTECTED]> writes:
> > If we use RSA encryption, then both sides know their message can only
> > be received by the intended recipient. If we use RSA signing, then we
> > both sides know the message they receive can only come from the assumed
> > sender. For the purpose of tinc's authentication protocol, I don't see
> > the difference, but...
> >
> > > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > > equal to zero, no matter what the peer's DH key is.
>
> You need to validate the DH keyparts even if you're
> corresponding with the person you thought you were.
> This is true whether you're using signatures, encryption, or neither.
Not necessarily.
If you're using fully ephemeral DH keys and a properly designed
key, then you shouldn't need to validate the other public share.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
