I kept wondering : Is the wildcard attack that bad? In DT's Protocol 4, trip 4 has Bob using TripleDH for encryption, so Eve cannot impersonate Alice past this point, even if she possesses Bob's private key. At best, a wildcard attack can reveal that Bob processed trip 3 correctly and liked A_p, right?
Is there a reason why Bob needs to hangup immediately if decryption
fails in trip 3? If not, then Bob gives up nothing to a wildcard
attack.
Alright, imagine that Bob should hangup immediately if decryption failed
in trip 3. Can we protect Bob without using a signature? I think yes :
Alice can prove she possesses her public key not by signing but by
encrypting :
A? -> B? : a_p
A? <- B? : b_p
A -> B : E(hash(ab++aB), A_p), E(hash(ab++aB++Ab), ...)
It appears this DoubleDH + TripleDH protocol has the same properties as
DH's Protocol 5, except it lacks any signatures, thus offering deniability.
Am I missing something? It's only three DH operations too, as opposed
to the 7ish in our protocols with signing.
Jeff
p.s. We should also ask if Alice and Bob have a long term relationship.
Appears not too much in DT's later protocols. If Alice and Bob had a
long term ratchet state, then they should use the ratchet for
authentication :
A? -> B? | a_p
A? <- B? | b_p
A -> B | E(hash(ab++aB), hash(K++prev_root_key))
It's certainly possible that Bob already knows Alice of course, but "not
that well". I donno much about dealing with bad peers, etc. though.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ GNUnet-developers mailing list [email protected] https://lists.gnu.org/mailman/listinfo/gnunet-developers
