"Bill Stewart" <[EMAIL PROTECTED]> writes: > > If we use RSA encryption, then both sides know their message can only > > be received by the intended recipient. If we use RSA signing, then we > > both sides know the message they receive can only come from the assumed > > sender. For the purpose of tinc's authentication protocol, I don't see > > the difference, but... > > > > > Now, the attacker chooses 0 as his DH public. This makes ZZ always > > > equal to zero, no matter what the peer's DH key is. > > You need to validate the DH keyparts even if you're > corresponding with the person you thought you were. > This is true whether you're using signatures, encryption, or neither.

Not necessarily. If you're using fully ephemeral DH keys and a properly designed key, then you shouldn't need to validate the other public share. -Ekr -- [Eric Rescorla [EMAIL PROTECTED] http://www.rtfm.com/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]