Re: Scare tactic?

2007-09-23 Thread Ian G
Ivan Krstić wrote: On Sep 19, 2007, at 5:01 PM, Nash Foster wrote: Any actual cryptographers care to comment on this? I don't feel qualified to judge. If the affected software is doing DH with a malicious/compromised peer, the peer can make it arrive at a predictable secret -- which would be

Re: Scare tactic?

2007-09-21 Thread lists
Ivan Krstic ... But hey, if the peer is malicious or compromised to begin with, it could just as well do DH normally and explicitly send the secret to the listener when it's done. Not much to see here. But it gets more interesting if the endpoints are not completely and solely controlled by

Re: Scare tactic?

2007-09-21 Thread Sidney Markowitz
Sidney Markowitz wrote, On 21/9/07 8:24 AM: Ben Laurie wrote, On 21/9/07 1:34 AM: Entity i cannot be coerced into sharing a key with entity j without i’s knowledge, ie, when i believes the key is shared with some entity l != j. The without i's knowledge part is critical to the argument, as

Re: Scare tactic?

2007-09-21 Thread Damien Miller
On Wed, 19 Sep 2007, Nash Foster wrote: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? I don't feel qualified to judge. I discovered this minor weakness in most of the open source IPSec implementations in May

Re: Scare tactic?

2007-09-21 Thread Peter Gutmann
Nate Lawson [EMAIL PROTECTED] writes: All this attack allows is for one side of a DH exchange to intentionally downgrade the security, You've forgotten Hanlon's razor, Never attribute to malice that which can be adequately explained by stupidity. So the comment should really be: All this

RE: Scare tactic?

2007-09-20 Thread Dave Korn
On 19 September 2007 22:01, Nash Foster wrote: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? IANAAC. I don't feel qualified to judge. Nor do I, but I'll have a go anyway. Any errors are all my own

Re: Scare tactic?

2007-09-20 Thread Ivan Krstić
On Sep 19, 2007, at 5:01 PM, Nash Foster wrote: Any actual cryptographers care to comment on this? I don't feel qualified to judge. If the affected software is doing DH with a malicious/compromised peer, the peer can make it arrive at a predictable secret -- which would be known to some

Re: Scare tactic?

2007-09-20 Thread Ben Laurie
Nash Foster wrote: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? I don't feel qualified to judge. It seems to me that the requirement cited: Entity i cannot be coerced into sharing a key with entity j without

Re: Scare tactic?

2007-09-20 Thread Victor Duchovni
On Wed, Sep 19, 2007 at 02:01:13PM -0700, Nash Foster wrote: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? I don't feel qualified to judge. I am not a cryptographer, but the article appears silly. First the

Re: Scare tactic?

2007-09-20 Thread Taral
On 9/19/07, Nash Foster [EMAIL PROTECTED] wrote: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? I don't feel qualified to judge. It's a real (old) vulnerability in DH, but I don't think it applies here. If you

Re: Scare tactic?

2007-09-20 Thread Alexander Klimov
On Wed, 19 Sep 2007, Nash Foster wrote: Any actual cryptographers care to comment on this? I don't feel qualified to judge. Not a single IKE implementation [...] were validating the Diffie-Hellman public keys that I sent. There are many ways to use DH key-agreement. The one described on the

Re: Scare tactic?

2007-09-20 Thread Nate Lawson
Peter Gutmann wrote: Nash Foster [EMAIL PROTECTED] writes: http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ Any actual cryptographers care to comment on this? I don't feel qualified to judge. It's quite possible that many implementations do this. When the

Re: Scare tactic?

2007-09-20 Thread Sidney Markowitz
Ben Laurie wrote, On 21/9/07 1:34 AM: It seems to me that the requirement cited: Entity i cannot be coerced into sharing a key with entity j without i’s knowledge, ie, when i believes the key is shared with some entity l != j. The without i's knowledge part is critical to the argument, as