[OTR-dev] About the draft

Mario mail at marioland.it
Mon Oct 17 13:50:39 EDT 2005


Hi to all,
I've some questions about the AKE from the draft of the new protocol:
I've (hardly) recognized the SIGMA protocol in it, but:
- why do you encrypt the component g^x with AES under a fresh key $r$
when you reveal $r$ in the third message? In this way you are only
temporarily hiding the component $g^x$. Why?
- Why do you generate a further MAC_B=MAC_{m1}(g^x,g^y,pub_B,keyid_B)
and then sign it as sig_B(MAC_B) instead of signing directly
sig_B(g^x,g^y,pub_B,keyid_B)?
- What's the aim of the keyid_B and keyid_A fields in the AKE? For
example, keyid_B is included in MAC_B (together with g^x, from which it
is derived).
- In the SIGMA protocol, the party signs only the DH components and not
its own identity (which is contained in the separate MAC_{Km}(0,A)).
You are signing (indirectly, by signing the MAC) the identity of the party.

I hope that my comments don't arrive too late. I suggest keeping the
protocol as simple as possible (without unnecessary layers of
complexity). Nevertheless, I actually don't see security problems.

bye,
Mario Di Raimondo

-- 
 Home Page: http://www.marioland.it
 GnuPG/PGP key (ID BAC3EBB1) available on key-servers
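The second question above concerns the shape of B's authenticator, sig_B(MAC_{m1}(g^x, g^y, pub_B, keyid_B)). The following is an added example, not code from the original post or from the OTR project, that runs one DH step and that signed-MAC step end to end so the binding can be checked: A can only verify the signature after recomputing MAC_B from its own DH secret, and the check fails if keyid_B is altered or if B's authenticator is replayed from another run. Assumptions, all labelled in the code: the 1536-bit MODP group of RFC 3526 for DH, HMAC-SHA256 as the MAC, a Schnorr signature over the same group standing in for B's long-term signature key, a plain SHA-256 of the DH secret as the derivation of m1, and no AES layer (the $r$-encryption of the first question is left out).

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 5 (1536-bit MODP): g = 2 has prime order q = (p - 1) / 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def enc(n: int) -> bytes:
    """Big-endian encoding of a group element or integer."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def pack(*parts: bytes) -> bytes:
    """Length-prefix every field so differently split inputs cannot collide."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def keygen():
    """Random exponent in [1, q-1] and the matching group element."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(priv: int, msg: bytes):
    """Schnorr signature in the same group: an assumed stand-in for B's long-term key."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(pack(enc(r), msg)).digest(), "big") % Q
    return r, (k + e * priv) % Q


def verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (1 < r < P and 0 <= s < Q):
        return False
    e = int.from_bytes(hashlib.sha256(pack(enc(r), msg)).digest(), "big") % Q
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


def derive_m1(shared: int) -> bytes:
    """Assumed derivation of the MAC key m1 from the DH secret (not the draft's)."""
    return hashlib.sha256(b"m1" + enc(shared)).digest()


def mac_b(m1: bytes, gx: int, gy: int, pub_b: int, keyid_b: int) -> bytes:
    """MAC_B = MAC_{m1}(g^x, g^y, pub_B, keyid_B), with HMAC-SHA256 as the MAC."""
    fields = pack(enc(gx), enc(gy), enc(pub_b), keyid_b.to_bytes(4, "big"))
    return hmac.new(m1, fields, hashlib.sha256).digest()


def b_authenticate(priv_b: int, pub_b: int, keyid_b: int, gx: int, y: int, gy: int):
    """B's side of message 2: pub_B, keyid_B and sig_B(MAC_B) over this run's DH values."""
    m1 = derive_m1(pow(gx, y, P))
    return pub_b, keyid_b, sign(priv_b, mac_b(m1, gx, gy, pub_b, keyid_b))


def a_verify(x: int, gx: int, gy: int, auth, keyid_override: int = None) -> bool:
    """A recomputes MAC_B from its own DH secret and checks B's signature over it."""
    pub_b, keyid_b, sig = auth
    if keyid_override is not None:
        keyid_b = keyid_override          # models a keyid altered in transit
    m1 = derive_m1(pow(gy, x, P))
    return verify(pub_b, mac_b(m1, gx, gy, pub_b, keyid_b), sig)


def run_exchange(keyid_b: int = 1) -> dict:
    """Two runs between A and B; reports what A concludes in the first run."""
    priv_b, pub_b = keygen()              # B's long-term key; pub_b known to A
    x, gx = keygen()                      # run 1, message 1 carries g^x
    y, gy = keygen()                      # run 1, message 2 carries g^y
    auth = b_authenticate(priv_b, pub_b, keyid_b, gx, y, gy)
    x2, gx2 = keygen()                    # run 2, a second honest session
    y2, gy2 = keygen()
    auth2 = b_authenticate(priv_b, pub_b, keyid_b, gx2, y2, gy2)
    return {
        "accepted": a_verify(x, gx, gy, auth),
        "keyid_tampered": a_verify(x, gx, gy, auth, keyid_override=keyid_b + 1),
        "replayed_from_other_run": a_verify(x, gx, gy, auth2),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Because the signed value is a MAC under m1, which only the two DH peers can derive, the signature commits B to this particular g^x and g^y as well as to pub_B and keyid_B; a direct signature over the same four fields would give the same binding to those fields, so the example shows what the construction binds, not why the draft chose the extra MAC layer.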