Hi Dennis,
>> You say, "[d]ue to the group generator SKE, a pluralty of key
>> distribution techniques is defined - one for each possible (and secret)
>> value of SKE." That's not what the patent is talking about. The
>> "plurality
>> of key distribution techniques" describes different techniques of key
>> distribution not a single technique being used with different
>> passwords--
>> and therefore different SKEs.
>
> ...based on the password??? Strange interpretation, but I don't think that
> we'll find consens on that and therefore I skip this discussion here.
The strange interpretation is all yours. You said "one for each possible
(and secret) value of SKE." Different values of SKE occur through different
passwords.
I agree there is no consensus on your view of this matter because it
is not supported by descriptive text in the rest of the patent.
>> Down at the bottom of this email you mention that this method is
>> "cryptographically not sound". First of all, I will note that this means
>> you are, in fact, treating this technique differently than the others,
>> since I don't believe you are claiming that Diffie-Hellman or El Gamal
>> is "cryptographically not sound". That buttresses my statement above
>> that this technique is different. Thank you for helping to prove my
>> point.
>
> You're welcome. Although I don't think that it'll help you to convince the
> patent holder.
Thank you for offering your personal opinion. Let me return the favor:
I think it's more convincing that making irrelevant remarks ("the password
is only temporarily used") followed by incorrect statements ("the key
derivation is completely independent of the password").
>> Regarding your claim, one has to know SKE to generate SKE^private
>> and "anyone" does not know the password, so "anyone" cannot generate
>> SKE^private.
>>
>> Also, you say the private key can be leaked. If you can show how a
>> passive attacker can determine a private key in dragonfly-- even if
>> you tell the passive attacker the password!-- I will show you how that
>> very same attacker can solve the Computational Diffie-Hellman (CDH)
>> problem with the same computational advantage. Since it is assumed that
>> the CDH problem is computationally infeasible it can safely be assumed
>> that the attack you suggest is also computationally infeasible.
>
> I'm looking forward to that.
And I'm looking forward to giving it to you :-) But I said "if you
can show me how a passive attacker can determine a private key...." so
the proverbial ball is in your court. Show me how a passive attack can
successfully obtain either private key in dragonfly (not something that
begins "well, if he uses a bad random number generator..." which is not
an attack against the protocol) and I'll show you how you can solve
the CDH.
> When can we expect a full paper?
Real Soon Now (tm). I know you are aware that it is time consuming and
not a trivial task.
But something that is much easier is for you to do a full and
adequate response to my previous statement on PACE-- it infringes on
claims 1 and 10 of US 6,792,533. When can we expect that?
It is quite telling that you apparently do not wish to engage in the
same sort of detailed analysis of PACE that you do with dragonfly.
regards,
Dan.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
