Guus Sliepen <[EMAIL PROTECTED]> writes:

> On Mon, Sep 29, 2003 at 02:07:04PM +0200, Guus Sliepen wrote:
>
> > Step 2:
> > Exchange METAKEY messages. The METAKEY message contains the public part
> > of a key used in a Diffie-Hellman key exchange. This message is
> > encrypted using RSA with OAEP padding, using the public key of the
> > intended recipient.
>
> After comments and reading up on suggested key exchange schemes, I think
> this step should be changed to send the Diffie-Hellman public key in
> plaintext, along with a nonce (large random number) to prevent replays
> and the effects of bad DH public keys. Instead of encrypting both with
> RSA, they should instead be signed using the private key of the sender
> (the DH public key and nonce wouldn't fit in a single RSA message
> anyway).
>
> IKEv2 (as described in draft-ietf-ipsec-ikev2-10.txt) does almost the
> same. However, IKEv2 does not send the signature directly, but first
> computes the shared key, and uses that to encrypt (using a symmetric
> cipher) the signature. I do not see why they do it that way; the
> signature has to be checked anyway, if it can be done before computing
> the shared key it saves CPU time. Encrypting it does not prevent a man
> in the middle from reading or altering it, since a MITM can first
> exchange his own DH public key with both sides (and hence he can know
> the shared keys). So actually, I don't see the point in encrypting
> message 3 and 4 as described at page 8 of that draft at all.

In order to hide the identities of the communicating peers.

Personally, I don't have much use for identity protection, but this is
the reason as I understand it.

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]
                                                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
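An added illustration, not code from either message nor from tinc or the IKEv2 draft: a toy four-message exchange in Python that sends the signed DH values either bare (Guus's proposal) or with messages 3 and 4 encrypted under the freshly derived key (the draft's approach). The DH group, the tiny textbook RSA signing keys, the identities and the XOR stream cipher are all constructed for demonstration only; what the code shows is the distinction Ekr draws, namely that the bare variant puts the peers' identities on the wire for any passive observer, while the encrypted variant does not, even though, as Guus notes, that encryption does nothing against an active attacker who has substituted his own DH values.

```python
import hashlib
import secrets
# Toy parameters, constructed for illustration only (sizes far too small for
# real use): a Mersenne-prime DH group and tiny textbook RSA signing keys.
P, G = 2**127 - 1, 3
ID_I, ID_R = b"alice".ljust(8), b"bob".ljust(8)   # fixed-width identities
def rsa_key(p, q, e=17):
    """(n, e, d) for a tiny textbook RSA key; used only for toy signing."""
    return (p * q, e, pow(e, -1, (p - 1) * (q - 1)))
KEYS = {ID_I: rsa_key(61, 53), ID_R: rsa_key(67, 71)}
def digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(ident, data):
    n, _, d = KEYS[ident]
    return pow(digest_mod_n(data, n), d, n)
def verify(ident, data, sig):
    n, e, _ = KEYS[ident]
    return pow(sig, e, n) == digest_mod_n(data, n)
def stream_xor(key, data):
    """Toy stream cipher (XOR with SHA-256(key || counter)); self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def run_exchange(encrypt_auth):
    """Four IKEv2-style messages; returns the bytes a passive observer sees."""
    x, y = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    msg1 = n_i + pow(G, x, P).to_bytes(16, "big")   # nonce + DH public value
    msg2 = n_r + pow(G, y, P).to_bytes(16, "big")
    shared = pow(int.from_bytes(msg2[16:], "big"), x, P)   # same on both sides
    k = hashlib.sha256(n_i + n_r + shared.to_bytes(16, "big")).digest()
    # Messages 3 and 4: identity plus a signature over own first message and
    # the peer's nonce. The draft sends these under k; Guus's variant sends them bare.
    auth_i = ID_I + sign(ID_I, msg1 + n_r).to_bytes(2, "big")
    auth_r = ID_R + sign(ID_R, msg2 + n_i).to_bytes(2, "big")
    enc = (lambda m: stream_xor(k, m)) if encrypt_auth else (lambda m: m)
    msg3, msg4 = enc(auth_i), enc(auth_r)
    # Responder's check of message 3 (the initiator checks message 4 likewise).
    plain3 = enc(msg3)   # the XOR stream is its own inverse
    assert verify(plain3[:8], msg1 + n_r, int.from_bytes(plain3[8:], "big"))
    return msg1 + msg2 + msg3 + msg4
def identity_visible(wire):
    """What a passive observer learns: are the peers' identities on the wire?"""
    return ID_I in wire or ID_R in wire
```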