Ivan Krstić wrote:
On Sep 19, 2007, at 5:01 PM, Nash Foster wrote:
Any actual cryptographers care to comment on this? I don't feel
qualified to judge.
If the affected software is doing DH with a malicious/compromised peer,
the peer can make it arrive at a predictable secret -- which would be
Damien Miller wrote:
> OTOH Racoon/ipsec-tools would benefit from the extra sanity checks
> that Ben Laurie added to OpenSSL for the 0.9.8a release[3], assuming
> it was compiled against that version or later.
I have to say that Nick Mathewson should get all the credit for this, I
was merely a fac
Nate Lawson <[EMAIL PROTECTED]> writes:
>All this attack allows is for one side of a DH exchange to intentionally
>downgrade the security,
You've forgotten Hanlon's razor, "Never attribute to malice that which can be
adequately explained by stupidity". So the comment should really be:
All thi
On Wed, 19 Sep 2007, Nash Foster wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
I "discovered" this minor weakness in most of the open source IPSec
implementations in
Sidney Markowitz wrote, On 21/9/07 8:24 AM:
> Ben Laurie wrote, On 21/9/07 1:34 AM:
>> "Entity i cannot be coerced into sharing a key with entity j without i’s
>> knowledge, ie, when i believes the key is shared with some entity l != j."
>
> The "without i's knowledge" part is critical to the argu
Ivan Krstic
> ... But hey, if the peer is malicious or compromised to begin with,
> it could just as well do DH normally and explicitly send the secret
> to the listener when it's done. Not much to see here.
But it gets more interesting if the endpoints are not completely and
solely controlled b
Ben Laurie wrote, On 21/9/07 1:34 AM:
> It seems to me that the requirement cited:
>
> "Entity i cannot be coerced into sharing a key with entity j without i’s
> knowledge, ie, when i believes the key is shared with some entity l != j."
The "without i's knowledge" part is critical to the argument
Peter Gutmann wrote:
> "Nash Foster" <[EMAIL PROTECTED]> writes:
>
>> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>>
>> Any actual cryptographers care to comment on this? I don't feel qualified to
>> judge.
>
> It's quite possible that many implementations do this
Nash Foster wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
It seems to me that the requirement cited:
"Entity i cannot be coerced into sharing a key with entity j with
On Sep 19, 2007, at 5:01 PM, Nash Foster wrote:
Any actual cryptographers care to comment on this? I don't feel
qualified to judge.
If the affected software is doing DH with a malicious/compromised
peer, the peer can make it arrive at a predictable secret -- which
would be known to some pas
On 19 September 2007 22:01, Nash Foster wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this?
IANAAC.
> I don't feel qualified to judge.
Nor do I, but I'll have a go anyway. Any errors are all my own w
On Wed, 19 Sep 2007, Nash Foster wrote:
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
>> Not a single IKE implementation [...] were validating the
>> Diffie-Hellman public keys that I sent.
There are many ways to use DH key-agreement. The one described
on
On Wed, Sep 19, 2007 at 02:01:13PM -0700, Nash Foster wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
>
I am not a cryptographer, but the article appears silly.
First
"Nash Foster" <[EMAIL PROTECTED]> writes:
>http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
>Any actual cryptographers care to comment on this? I don't feel qualified to
>judge.
It's quite possible that many implementations do this. When the Mozilla folks
changed th
On 9/19/07, Nash Foster <[EMAIL PROTECTED]> wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
It's a real (old) vulnerability in DH, but I don't think it applies
here. If y
http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
Any actual cryptographers care to comment on this? I don't feel
qualified to judge.
--nash
-
The Cryptography Mailing List
Unsubscribe by sending "unsu