[OTR-dev] question regarding the AKE protocol

Stefan Schoenleitner dev.c0debabe at gmail.com
Mon Jun 21 09:53:30 EDT 2010


Hi Ian,

Ian Goldberg wrote:
> On Fri, Jun 18, 2010 at 08:01:52PM +0200, Stefan Schoenleitner wrote:
> The answer to all three questions lies in the SIGMA protocol.  In SIGMA,
> the important thing is that you *SIG*n something fresh (including a nonce
> or the ephemeral DH keys or something), and *MA*C your own name.  The
> MAC proves to the other party that you actually were able to compute the
> shared secret s, and by including that in the signature, you prove it's
> really you.  Otherwise, there are all sorts of subtle attacks.
> 
> There's not actually "double hashing" going on, though.  The spec says:
> 
> sigB(MB) (SIG)
>     This is the signature, using the private part of the key pubB, of
>     the 32-byte MB (which does not need to be hashed again to produce
>     the signature).
> 
> Now, it turns out that's annoying, since a number of crypto libraries
> will *automatically* hash your input for you, and you have to do all
> sorts of nonsense to get it to skip the hash.  So it may change in some
> future version to actually double hashing, just for convenience.

Thank you for your precise answer.
Both the background for the SIGMA protocol and the actual signing
process in OTR's AKE are clearer to me now.

cheers,
stefan

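The SIGMA structure Ian describes above (MAC your own key material under a key derived from the shared secret s, sign the fresh DH values, and sign the 32-byte MB directly rather than hashing it again), as an added example in Go that is not code from this thread or from libotr. It assumes the OTR v2 layout of MB, namely HMAC-SHA256 keyed with m1 over gx, gy (as MPIs), pubB (type 0x0000 plus p, q, g, y) and keyidB; m1, gx, gy and the key id used in the test are constructed values, and the DH exchange that would produce them is not shown.

```go
package main

import (
	"crypto/dsa"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"math/big"
)

// u32 is a 4-byte big-endian integer; mpi is an OTR MPI (u32 length, then magnitude).
func u32(n uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, n); return b }
func mpi(x *big.Int) []byte { b := x.Bytes(); return append(u32(uint32(len(b))), b...) }

// ComputeMB is the "MA" half of SIGMA as OTR does it: MB = HMAC-SHA256(m1, gx || gy || pubB || keyidB).
// gx, gy are the fresh ephemeral DH values, so MB is bound to this exchange; m1 is
// derived from the shared secret s, so only a party that computed s can produce it.
func ComputeMB(m1 []byte, gx, gy *big.Int, pub *dsa.PublicKey, keyid uint32) []byte {
	mac := hmac.New(sha256.New, m1)
	mac.Write(mpi(gx))
	mac.Write(mpi(gy))
	mac.Write([]byte{0, 0}) // pubB: key type 0x0000 (DSA) ...
	for _, v := range []*big.Int{pub.P, pub.Q, pub.G, pub.Y} {
		mac.Write(mpi(v)) // ... followed by MPIs p, q, g, y
	}
	mac.Write(u32(keyid))
	return mac.Sum(nil) // the 32-byte MB; this is what gets signed, with no further hashing
}

// SignMB is the "SIG" half: sign the 32-byte MB as-is. Go's crypto/dsa takes the
// digest bytes directly and never hashes for you, so nothing has to be switched off.
func SignMB(priv *dsa.PrivateKey, mb []byte) (r, s *big.Int, err error) {
	return dsa.Sign(rand.Reader, priv, mb)
}

// VerifyMB checks sigB(MB) against an MB the verifier recomputed with ComputeMB.
func VerifyMB(pub *dsa.PublicKey, mb []byte, r, s *big.Int) bool {
	return dsa.Verify(pub, mb, r, s)
}

// NewTestKey makes a throwaway DSA key pair (1024-bit p, 160-bit q) for the example.
func NewTestKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	return priv, dsa.GenerateKey(priv, rand.Reader)
}
```

One library caveat: crypto/dsa, following FIPS 186, uses only the leftmost q-sized prefix (20 bytes for a 160-bit q) of a longer digest, so a 32-byte MB is truncated before signing; how other DSA implementations treat a digest longer than q is something to check before interoperating.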