This sounds like what KDF:s were invented for. You can send public key hashes before the public keys in your key exchange to verify that the keypairs was generated prior to learning the public key of the counterpart, then use a KDF like scrypt or the new Argon2 on the shared secret which was generated to derive the SAS.
- Sent from my tablet Den 20 feb 2016 21:21 skrev "Van Gegel" <[email protected]>: > I want to perform DH on the EC25519 and verify the secret using a short > fingerprint (32 bits SAS). Typically in this case the commitment needed for > preventing MitM by influence the responder's key after originator's key was > received. > To be securely the following scheme instead commitment: > first exchange parts of the keys (first 224 bits) and then the remaining > 32 bits during second pass? > > > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging > >
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
