On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald
wrote:
> Assume Ann's secret key is a, and her public key is A =
G^a mod P
>
> Assume Bob's secret key is b, and his public key is B =
G^b mod P
>
> Bob wants to send Ann a message.
>
> Bob generates a secret random number x, and sends Ann X
= G^x mod P
>
> Ann responds with Y = G^y mod P, where y is another
secret random number.
>
> Ann calculates [(B*X)^(a+y)] mod P
This appears to simplify to:
(G^b * G^x)^(a+y) = (G^(b+x))^(a+y) = G^((b+x)(a+y))
Right?
This doesn't appear to be anything like the latest rev of
the OTR protocol:
http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html
Apparently they key exchange is now a variant of the SIGMA
protocol,
and relies upon the implementation to disclose MAC keys
automagically
as the related session keys are destroyed/expired.
Apparently this fixes an identity-binding flaw:
http://lists.cypherpunks.ca/pipermail/otr-u
sers/2005-July/000316.html
And this illustrates a subtlety:
> For example, if Bob thinks he's talking to Mallory, he
may tell her
> something in confidence he would not want Alice to
hear. Note that
> although Mallory could relate this confidential
information to Alice
> herself, but in the attack scenario Alice has assurance
that the
> message came from Bob rather than having to take
Mallory's word for it.
Contrast this to sign-then-encrypt, where Mallory could
decrypt, then
forward to Alice. Compare with encrypt-then-sign.
But it brings up an interesting point; that when a party
relays a
piece of data it may not be equivalent to receiving it
directly; that
is, authenticity may not be transitive.
Put another way, maybe it's not the information that
matters, but who
says it. The New York Times may say that someone did XYZ,
but that's
not entirely the same as the person admitting it under oath.
In
international politics, many believe that admitting to
having
performed some provocative action can be more provocative
than
actually the action itself, even if everyone already knows
who is
responsible. If you believe this, I suppose the official
lie can be
said to serve the interest of both sides, as the government
receiving
the provocation can allow the story to go unchallenged, and
probably
not be forced into taking an overt retaliatory action. Thus
it
preserves their options, and avoids forcing them into what
could be a
disastrous confrontation. If they are too weak to confront
the
provocateur, they aren't likely to shout this from the
rooftops.
--
Kill dash nine, and its no more CPU time, kill dash nine,
and that
process is mine. -><- <URL:http://www.
subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john subspacefield.org.
|
