On Tue, Jan 31, 2017 at 2:32 AM, Antonio Sanso <asa...@adobe.com> wrote:
> Of course even if I was able to calculate an equivalent public key there is
> no chance I can retrieve the associated
> private key (of course this would be like breaking DH, right?).
>
> Said that, last silly question on the topic is:
>
> in which situation not checking for the “right” public key can be a problem?
> Trevor mentioned already one situation, but I fail to see without the
> knowledge
> of the associated private key, where this could be a harm….
A key exchange protocol might want to guarantee that if the protocol completes successfully, both parties have the same secret key *and* agree on things like the identities of the two parties.

So if an attacker can change a transmitted public key into a different-but-equivalent public key, a protocol might complete successfully despite the parties having a different view of the public keys.

This type of issue is often called "unknown key share" or "identity misbinding". Avoiding it motivates things like hashing public keys (and maybe other identity info) into session keys, or MAC'ing them with session keys, etc.

As far as cases where equivalent DH public keys are a concrete security problem: maybe you meet someone online, they authenticate with identity public key Y, but then when you meet them in person they claim public key X, so you don't believe they're the same person. But they are! An attacker just changed X to Y.

With some creativity you could perhaps think of other cases where this causes minor confusion.

Trevor

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
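To make the reply concrete, here is an added example (not part of the thread, and not code from any of the participants) using X25519: RFC 7748 masks the top bit of a received u-coordinate and reduces it mod p, so an altered 32-byte encoding can still produce the same raw DH shared secret, while a session key that hashes in the public keys as transmitted, as Trevor suggests, no longer matches. The ladder is a straightforward transcription of RFC 7748 section 5 (not constant-time); the key names, the `x25519-bind` label and the SHA-256 binding are assumptions chosen for this illustration, and the private keys are the RFC 7748 section 6.1 test vectors.

```python
import hashlib

P, BASEPOINT = 2**255 - 19, (9).to_bytes(32, "little")

def decode_scalar(k: bytes) -> int:  # RFC 7748 clamping
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    # RFC 7748 s.5: top bit of the last byte is masked and the value reduced mod p,
    # so several distinct 32-byte strings decode to the same field element.
    u = bytearray(u); u[31] &= 127
    return int.from_bytes(u, "little") % P

def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 Montgomery ladder (not constant-time)
    k, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def session_key(shared: bytes, pk_a: bytes, pk_b: bytes) -> bytes:
    # Mitigation from the reply: hash the public keys *as transmitted* into the session key.
    return hashlib.sha256(b"x25519-bind" + shared + pk_a + pk_b).digest()

# RFC 7748 section 6.1 private keys (Alice, Bob)
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")

def misbinding_demo():
    alice_pub, bob_pub = x25519(ALICE_PRIV, BASEPOINT), x25519(BOB_PRIV, BASEPOINT)
    twin = bytearray(alice_pub); twin[31] |= 0x80; twin = bytes(twin)  # equivalent encoding
    shared_a = x25519(ALICE_PRIV, bob_pub)
    shared_b = x25519(BOB_PRIV, twin)           # Bob received the altered encoding of Alice's key
    key_a = session_key(shared_a, alice_pub, bob_pub)
    key_b = session_key(shared_b, twin, bob_pub)
    return shared_a == shared_b, key_a == key_b  # (raw DH agrees, bound keys agree) -> (True, False)
```

Raw DH alone cannot tell the two encodings apart; only the transcript-bound derivation surfaces the disagreement, which is the "different view of the public keys" the reply warns about.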