"Bill Stewart" <[EMAIL PROTECTED]> writes:

> > If we use RSA encryption, then both sides know their message can only
> > be received by the intended recipient. If we use RSA signing, then we
> > both sides know the message they receive can only come from the assumed
> > sender. For the purpose of tinc's authentication protocol, I don't see
> > the difference, but...
> >
> > > Now, the attacker chooses 0 as his DH public. This makes ZZ always
> > > equal to zero, no matter what the peer's DH key is.
> You need to validate the DH keyparts even if you're
> corresponding with the person you thought you were.
> This is true whether you're using signatures, encryption, or neither.

Not necessarily.

If you're using fully ephemeral DH keys and a properly designed
key, then you shouldn't need to validate the other public share.


[Eric Rescorla                                   [EMAIL PROTECTED]

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to