[OTR-dev] purpose of hash commitment in OTR authenticated key exchange

Ian Goldberg ian at cypherpunks.ca
Sun Apr 10 16:40:35 EDT 2011


On Thu, Mar 17, 2011 at 10:58:09AM +0100, Stefan Schönleitner wrote:
> While I understand the purpose of the key a2 (which is to authenticate
> Alice's messages that are sent over an insecure channel), I'm not exactly
> sure what the purpose of a1 is.
> Wouldn't the exchange be the same if Alice used an unkeyed hash function
> like SHA256 to sign the DH public keys and her long-term public key (i.e.
> she would sign SHA256(g^x,g^y,v_A)) ?
> Sure, the whole idea of SIGMA is to SIGn and MAc, but apart from that I do
> not see the reason why in this case a MAC instead of a regular unkeyed hash
> function is used.
> IMHO in this case it doesn't bring any additional security, right ?

If you just did the above (with SHA256), there's no evidence that Alice
has actually computed (or was able to compute) the shared secret g^{xy}.
In such a case, there are identity misbinding attacks that are possible,
where Alice makes Bob think he's talking to her, when he's really talking
to Carol.

   - Ian
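As an added illustration (not code from OTR or from anyone in this thread), a toy Python model of the point above: Bob recomputes the MAC under a key a1 derived from his own g^{xy}, so a valid tag is evidence that the sender actually held the shared secret, whereas the unkeyed SHA256 value from the question is computable from public values alone. The group parameters, key schedule and long-term-key placeholder are constructed assumptions, and the signature over the MAC is left out.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters, constructed for this example (OTR uses a 1536-bit MODP group).
P = 2**127 - 1
G = 3


def enc(n: int) -> bytes:
    # Fixed-width big-endian encoding of a group element for hashing.
    return n.to_bytes(16, "big")


def transcript(gx: int, gy: int, pub_a: bytes) -> bytes:
    return enc(gx) + enc(gy) + pub_a


def derive_a1(shared: int) -> bytes:
    # Assumed key schedule: a1 is a function of the DH shared secret g^{xy}.
    return hashlib.sha256(b"a1" + enc(shared)).digest()


def unkeyed_digest(gx: int, gy: int, pub_a: bytes) -> bytes:
    # The proposal from the question: anyone holding the public values can compute this.
    return hashlib.sha256(transcript(gx, gy, pub_a)).digest()


def keyed_binding(a1: bytes, gx: int, gy: int, pub_a: bytes) -> bytes:
    # What gets signed in the SIGMA-style exchange: a MAC that needs a1, hence g^{xy}.
    return hmac.new(a1, transcript(gx, gy, pub_a), hashlib.sha256).digest()


def alice_bind(x: int, gy: int, pub_a: bytes):
    # Alice's side: g^x plus the MAC she would then sign with her long-term key.
    gx = pow(G, x, P)
    return gx, keyed_binding(derive_a1(pow(gy, x, P)), gx, gy, pub_a)


def bob_check(y: int, gx: int, pub_a: bytes, tag: bytes) -> bool:
    # Bob's check: the tag must match a MAC under the a1 he derives from his own g^{xy}.
    a1 = derive_a1(pow(gx, y, P))
    return hmac.compare_digest(keyed_binding(a1, gx, pow(G, y, P), pub_a), tag)


def run_exchange() -> dict:
    pub_a = b"alice-long-term-public-key"  # constructed placeholder
    x, y, z = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    gy = pow(G, y, P)
    gx, tag = alice_bind(x, gy, pub_a)
    # Carol holds only gx, gy and pub_a: the unkeyed digest is identical whoever computes it,
    # but without x or y her best effort at a1 comes from an unrelated exponent z.
    carol_tag = keyed_binding(derive_a1(pow(gy, z, P)), gx, gy, pub_a)
    return {
        "alice_accepted": bob_check(y, gx, pub_a, tag),
        "same_digest_without_secret": unkeyed_digest(gx, gy, pub_a) == unkeyed_digest(gx, gy, pub_a),
        "carol_tag_accepted": bob_check(y, gx, pub_a, carol_tag),
    }
```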
