Guus Sliepen <[EMAIL PROTECTED]> writes:

> On Mon, Sep 29, 2003 at 02:07:04PM +0200, Guus Sliepen wrote:
> 
> > Step 2:
> > Exchange METAKEY messages. The METAKEY message contains the public part
> > of a key used in a Diffie-Hellman key exchange.  This message is
> > encrypted using RSA with OAEP padding, using the public key of the
> > intended recipient.
> 
> After comments and reading up on suggested key exchange schemes, I think
> this step should be changed to send the Diffie-Hellman public key in
> plaintext, along with a nonce (large random number) to prevent replays
> and the effects of bad DH public keys. Instead of encrypting both with
> RSA, they should instead be signed using the private key of the sender
> (the DH public key and nonce wouldn't fit in a single RSA message
> anyway). 
> 
> IKEv2 (as described in draft-ietf-ipsec-ikev2-10.txt) does almost the
> same. However, IKEv2 does not send the signature directly, but first
> computes the shared key, and uses that to encrypt (using a symmetric
> cipher) the signature. I do not see why they do it that way; the
> signature has to be checked anyway, if it can be done before computing
> the shared key it saves CPU time. Encrypting it does not prevent a man
> in the middle from reading or altering it, since a MITM can first
> exchange his own DH public key with both sides (and hence he can know
> the shared keys). So actually, I don't see the point in encrypting
> message 3 and 4 as described on page 8 of that draft at all.
In order to hide the identities of the communicating peers.

Personally, I don't have much use for identity protection,
but this is the reason as I understand it.

-Ekr

-- 
Eric Rescorla                                    [EMAIL PROTECTED]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
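The signed-DH step proposed in the quoted message, worked through as an added example (not code from the thread or from any project it discusses). Each side sends its DH public value and a nonce in plaintext, signed with its own private key; the receiver verifies the signature before doing any DH arithmetic, rejects degenerate DH values and replayed nonces, and mixes both nonces into the session key. The message layout, the use of RFC 2409 group 2, and the toy textbook-RSA signature (fixed small primes, so the example is self-contained) are all assumptions of this example; a real implementation would use a proper signature scheme and full-size keys. The `mitm` path shows why the signature, not encryption, is what stops an active attacker: Eve can substitute her own DH value and would know the resulting key, but she cannot produce Alice's signature on it, so Bob rejects the message. The IKEv2 variant that additionally encrypts the signature under the derived key (for identity protection, as Eric notes) is not shown.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), generator 2. Hard-coded
# so the example runs offline; real deployments use a larger group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DH_LEN = 128     # bytes in a serialised DH public value (1024 bits)
NONCE_LEN = 32   # bytes of random nonce per METAKEY message


def make_toy_rsa_key(p, q, e=65537):
    """Toy RSA key from two fixed primes: returns (public, private) as (n, e), (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def toy_sign(priv, data):
    """Textbook RSA over a SHA-256 digest reduced mod n. Toy only (assumption of
    this example): real code uses RSA-PSS or Ed25519 with full-size keys."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


class Peer:
    """One end of the exchange: a long-term signing key plus a fresh DH key and nonce."""

    def __init__(self, sign_key):
        self.sign_key = sign_key
        self.x = secrets.randbelow(P - 3) + 2      # private DH exponent in [2, P-2]
        self.dh_pub = pow(G, self.x, P)
        self.nonce = secrets.token_bytes(NONCE_LEN)
        self.seen_nonces = set()

    def metakey(self):
        """METAKEY as proposed: plaintext DH value and nonce, signed by the sender."""
        body = self.dh_pub.to_bytes(DH_LEN, "big") + self.nonce
        return body, toy_sign(self.sign_key, body)

    def receive(self, peer_sign_pub, body, sig):
        # Verify first: it needs no shared secret, and a forged message is
        # rejected before the expensive modular exponentiation below.
        if not toy_verify(peer_sign_pub, body, sig):
            raise ValueError("bad signature on METAKEY")
        their_pub = int.from_bytes(body[:DH_LEN], "big")
        their_nonce = body[DH_LEN:]
        # Reject degenerate DH values (0, 1, P-1); a full implementation also
        # checks subgroup membership for the chosen group.
        if not 2 <= their_pub <= P - 2:
            raise ValueError("bad DH public value")
        if their_nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        self.seen_nonces.add(their_nonce)
        shared = pow(their_pub, self.x, P)
        # Derive the session key from the shared secret and both nonces, so a
        # replayed DH value never yields an old key.
        nonces = b"".join(sorted([self.nonce, their_nonce]))
        return hmac.new(shared.to_bytes(DH_LEN, "big"), nonces, hashlib.sha256).digest()


def run_exchange(mitm=False):
    """Run one exchange between Alice and Bob; returns "ok" or the abort reason."""
    alice_pub, alice_priv = make_toy_rsa_key(1000000007, 998244353)
    bob_pub, bob_priv = make_toy_rsa_key(2147483647, 4294967291)
    alice, bob = Peer(alice_priv), Peer(bob_priv)
    a_body, a_sig = alice.metakey()
    b_body, b_sig = bob.metakey()
    if mitm:
        # Eve replaces Alice's message towards Bob with her own DH value and
        # nonce. She would know the key Bob derives, but she cannot sign as
        # Alice, so Bob rejects the message before deriving anything.
        _, eve_priv = make_toy_rsa_key(2147483647, 998244353)
        a_body, a_sig = Peer(eve_priv).metakey()
    try:
        k_bob = bob.receive(alice_pub, a_body, a_sig)
        k_alice = alice.receive(bob_pub, b_body, b_sig)
    except ValueError as exc:
        return str(exc)
    return "ok" if hmac.compare_digest(k_alice, k_bob) else "key mismatch"


if __name__ == "__main__":
    print(run_exchange())            # ok
    print(run_exchange(mitm=True))   # bad signature on METAKEY
```

The order inside `receive` is the point the quoted message makes: the signature is checked on the plaintext before the shared secret exists, so the DH exponentiation is only spent on authentic messages, and a nonce set on each side gives the replay protection the proposal asks for.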