gnunet-developers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNUnet-developers] key exchanges [updated, resend]

From: Jeff Burdges
Subject: Re: [GNUnet-developers] key exchanges [updated, resend]
Date: Thu, 27 Aug 2015 15:26:08 +0200 
On Thu, 2015-08-27 at 14:14 +0200, Christian Grothoff wrote:
> > I found a limited attack on that combined scheme : 
> > 
> > Eve wishes to prove Alice initiated a specific key exchange.  Eve
> > somehow compromises Alice's z and (r,s) from the key exchange session,
> > say by performing an MITM attack after compromising Bob's private key.
> 
> Doesn't work, she'd have to have gotten Bob's ephemeral key from the KX
> as well. As Bob destroys that after the KX (and possible ratcheting),
> the answer is that you're considering Eve being really a Mallory posing
> as Bob during the KX.  

By this argument, DT's protocols are all deniable too, as the signatures
always travel encrypted.  It's a fine argument, but it'll never justify
our proposed modifications to ECDSA.

I'm arguing that an attacker who can violate deniability in DT's
protocol 5, meaning they can obtain z and (r,s), can also violate
deniability in our modified ECDSA scheme by compromising Alice's
long-term private key at a later date. 

Jeff

p.s.  Anyways doing DoubleDH+TripleDH is slightly faster than DT's
protocol 5, offers better deniability in that no signatures are used,
and provides an equivalent level authentications, assuming Bob's
ephemeral key is not compromised.  That seems optimal.

Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to
[Prev in Thread] Current Thread [Next in Thread]