Hi,<br><br><div class="gmail_quote">On Wed, Mar 16, 2011 at 10:29 PM, Ian Goldberg <span dir="ltr"><<a href="mailto:ian@cypherpunks.ca">ian@cypherpunks.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div class="h5">
<br>
</div></div>You've got it exactly right. Indeed, at one point in the history of<br>
OTR, checking the "secure session id" (which was exactly a truncated<br>
hash of a few things including the session key) out of band was<br>
something users could explicitly do.<br>
<br>
But in general, it's good crypto hygiene to prevent one party in a key<br>
exchange from being able to control the particular value of the key that<br>
comes out.<br>
<br>
- Ian<br></blockquote><div><br><br>thank you for your fast response, it's good to know that I didn't miss something in respect to the hash commitment.<br><br>Another question I have concerns the actual SIGMA authentication procedure:<br>
1. Initially Alice derives the MAC keys a1, a2, b1, b2 and AES keys a3, b3 from the shared "master" secret s.<br><br>2. She then uses the key a1 to compute the MAC MA over the DH public keys and her long-term public keys (we ignore the keyid engineering requirement here).<br>
<br>3. In the next step she signs MA with her long-term sign key and the message XA is constructed.<br><br>4. The message XA is encrypted and authenticated by computing a MAC tag over the encrypted message with key a2.<br>
<br>While I understand the purpose of the key a2 (which is to authenticate Alice's messages that are sent over an insecure channel), I'm not exactly sure what the purpose of a1 is.<br>Wouldn't the exchange be the same if Alice used an unkeyed hash function like SHA256 to sign the DH public keys and her long-term public key (i.e. she would sign SHA256(g^x,g^y,v_A)) ?<br>
Sure, the whole idea of SIGMA is to SIGn and MAc, but apart from that I do not see the reason why in this case a MAC instead of a reguar unkeyed hash function is used.<br>IMHO in this case it doesn't bring any additional security, right ?<br>
<br>cheers,<br>stefan<br><br></div></div>