> If we use RSA encryption, then both sides know their message can only
> be received by the intended recipient. If we use RSA signing, then
> both sides know the message they receive can only come from the assumed
> sender. For the purpose of tinc's authentication protocol, I don't see
> the difference, but...
>
> > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > equal to zero, no matter what the peer's DH key is.

You need to validate the DH keyparts even if you're corresponding with the person you thought you were. This is true whether you're using signatures, encryption, or neither.
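
The validation discussed in this thread, as an added example that is not part of the original message or of tinc's code: a receiver-side check that rejects degenerate DH public values before ZZ is computed. The function names and the toy safe-prime group (p = 2039, q = 1019, g = 4) are constructed for illustration.

```python
# Constructed toy group for illustration only: P = 2*Q + 1 with Q prime.
# A real deployment uses a standardised group of 2048 bits or more.
P = 2039
Q = 1019
G = 4  # a square mod P, so it generates the subgroup of prime order Q


def validate_dh_public(y, p=P, q=Q):
    """Return True only if y is acceptable as a peer's DH public value."""
    if not isinstance(y, int):
        return False
    # Range check: rejects 0, 1, p-1 and any value not reduced mod p.
    if y < 2 or y > p - 2:
        return False
    # Subgroup check: y must lie in the prime-order subgroup, otherwise
    # the result can leak information about the local private exponent.
    return pow(y, q, p) == 1


def shared_secret(peer_public, own_private, p=P, q=Q):
    """Compute ZZ, refusing peer values that fail validation."""
    if not validate_dh_public(peer_public, p, q):
        raise ValueError("rejected DH public value")
    return pow(peer_public, own_private, p)


def unvalidated_zz(peer_public, own_private, p=P):
    """ZZ as computed by a peer that skips validation (for comparison)."""
    return pow(peer_public % p, own_private, p)


if __name__ == "__main__":
    x = 777  # constructed private exponent
    # Without validation, these inputs give a ZZ that does not depend on
    # any secret: 0 -> 0, 1 -> 1, p-1 -> 1 or p-1.
    for y in (0, 1, P - 1, P, P + 1):
        print(y, "ZZ =", unvalidated_zz(y, x),
              "accepted =", validate_dh_public(y))
    honest = pow(G, 123, P)
    print(honest, "ZZ =", shared_secret(honest, x), "accepted = True")
```

The check applies regardless of whether the DH values are also signed or encrypted, since a signature only says who sent the value, not that the value is well-formed.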