gnunet-developers

Re: [GNUnet-developers] key exchanges [updated, resend]


From: Jeff Burdges
Subject: Re: [GNUnet-developers] key exchanges [updated, resend]
Date: Thu, 27 Aug 2015 00:18:20 +0200

I kept wondering: is the wildcard attack that bad?

In DT's Protocol 4, trip 4 has Bob using TripleDH for encryption, so Eve
cannot impersonate Alice past this point, even if she possesses Bob's
private key.  At best, a wildcard attack can reveal that Bob processed
trip 3 correctly and liked A_p, right?

Is there a reason why Bob needs to hang up immediately if decryption
fails in trip 3?  If not, then Bob gives up nothing to a wildcard
attack.

Alright, imagine that Bob should hang up immediately if decryption failed
in trip 3.  Can we protect Bob without using a signature?  I think yes:

Alice can prove she possesses her public key not by signing but by
encrypting:
   A? ->  B? : a_p
   A? <-  B? : b_p
   A  ->  B  : E(hash(ab++aB), A_p), E(hash(ab++aB++Ab), ...)

It appears this DoubleDH + TripleDH protocol has the same properties as
DH's Protocol 5, except it lacks any signatures, thus offering deniability.
Am I missing something?  It's only three DH operations too, as opposed 
to the 7ish in our protocols with signing.

Jeff

p.s.  We should also ask if Alice and Bob have a long term relationship.
Appears not too much in DT's later protocols.  If Alice and Bob had a 
long term ratchet state, then they should use the ratchet for
authentication:
        A? -> B? | a_p
        A? <- B? | b_p
        A  -> B  | E(hash(ab++aB), hash(K++prev_root_key))
It's certainly possible that Bob already knows Alice of course, but "not
that well".  I donno much about dealing with bad peers, etc. though.  



Attachment: signature.asc
Description: This is a digitally signed message part
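
The trip-3 message of the DoubleDH + TripleDH exchange sketched in the message above, as an added example that is not part of the original post or of GNUnet's code: Alice sends her long-term public key under hash(ab++aB) and the payload under hash(ab++aB++Ab), and Bob rejects the message unless both parts decrypt. Assumptions: a toy multiplicative group modulo 2^255 - 19 stands in for the real DH group, SHA-256 is the hash, the hypothetical `seal`/`open_box` pair (keystream XOR plus HMAC) stands in for E, and Alice already knows Bob's long-term public key B_p; all function names are made up for this sketch.

```python
import hashlib, hmac, secrets

# Assumption: toy multiplicative group, for illustration only (not a secure DH group).
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def kdf(*shared):
    # hash(x ++ y ++ ...) from the message, with SHA-256 as the assumed hash
    return hashlib.sha256(b"".join(shared)).digest()

def seal(key, msg):
    # Stand-in for E(key, msg): one-block keystream XOR plus an HMAC tag.
    assert len(msg) <= 32
    pad = hashlib.sha256(key + b"stream").digest()
    ct = bytes(m ^ p for m, p in zip(msg, pad))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_box(key, box):
    ct, tag = box[:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # decryption failure: Bob's cue to hang up
    pad = hashlib.sha256(key + b"stream").digest()
    return bytes(c ^ p for c, p in zip(ct, pad))

def alice_trip3(a, A, A_p, b_p, B_p, payload):
    # a/A are Alice's ephemeral/long-term private keys; ab, aB, Ab as in the message
    ab, aB, Ab = dh(a, b_p), dh(a, B_p), dh(A, b_p)
    return (seal(kdf(ab, aB), A_p.to_bytes(32, "big")),
            seal(kdf(ab, aB, Ab), payload))

def bob_trip3(b, B, a_p, msg):
    ab, aB = dh(b, a_p), dh(B, a_p)
    raw = open_box(kdf(ab, aB), msg[0])   # DoubleDH key reveals the claimed A_p
    if raw is None:
        return None
    A_p = int.from_bytes(raw, "big")
    payload = open_box(kdf(ab, aB, dh(b, A_p)), msg[1])  # TripleDH key needs A
    return None if payload is None else (A_p, payload)

if __name__ == "__main__":
    (a, a_p), (A, A_p), (b, b_p), (B, B_p) = (keypair() for _ in range(4))
    print(bob_trip3(b, B, a_p, alice_trip3(a, A, A_p, b_p, B_p, b"hello")))
```

No signature appears anywhere in the exchange: Bob accepts the claimed A_p only because the second part authenticates under a key that depends on Ab.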

