undefined | Better HN

0 pointsshin_lao12y ago0 comments

Your answer raises my eyebrows even more.

I ask why you don't use DH and you answer "because we want forward secrecy". DH has been designed for perfect forward secrecy. Therefore I fear we might have some sort of misunderstanding here.

You don't want to permit known plain text attack as "in depth defense" approach. If there is ever any weakness in your software, you want to make it very hard to exploit it. Known plaintext will make exploiting weaknesses in your PRNG very easy for example.

As for your last comment... If someone ever changes the behavior of read_packet, you're dead. So I'm sorry, but you have potential buffer overflow. Think in 4 dimensions Marty! :)

0 comments

tptacek12y ago

DH wasn't designed for forward secrecy.

shin_laoOP12y ago

True, my usage of designed was a little bit liberal here. Mr. Diffie is one of the authors of the first paper to introduce the concept of PFS, but the DH key exchange algorithm hasn't been designed for PFS but rather for 0-knowledge key exchange.

Nevertheless, I stand by my remark regarding the pertinence of DH in that case.

tptacek12y ago

DH is also not a zero-knowledge key exchange algorithm. I think what's confusing you is that DH (a) is a useful building block for forward-secret protocols and (b) generates secrets that often require zero-knowledge proofs.

I'm not sure what paper you're referring to but wouldn't be surprised if Diffie's name was on one of the first "forward secrecy" papers; that stuff is/was kind of Whit Diffie's beat (not "privacy" per se, but the higher-layer implications of public key cryptosystems). But Diffie-Hellman predates any formalized notion of forward secrecy by something like 20 years.

1 more reply

ZoF12y ago

Please explain how DH was designed for perfect forward secrecy...

Please explain why shown plain text in this context would make exploiting weaknesses in their PRNG any easier...

j / k navigate · click thread line to collapse

0 pointsshin_lao12y ago0 comments

Your answer raises my eyebrows even more.

I ask why you don't use DH and you answer "because we want forward secrecy". DH has been designed for perfect forward secrecy. Therefore I fear we might have some sort of misunderstanding here.

As for your last comment... If someone ever changes the behavior of read_packet, you're dead. So I'm sorry, but you have potential buffer overflow. Think in 4 dimensions Marty! :)

0 comments

tptacek12y ago

DH wasn't designed for forward secrecy.

shin_laoOP12y ago

Nevertheless, I stand by my remark regarding the pertinence of DH in that case.

tptacek12y ago

1 more reply

ZoF12y ago

Please explain how DH was designed for perfect forward secrecy...

Please explain why shown plain text in this context would make exploiting weaknesses in their PRNG any easier...

j / k navigate · click thread line to collapse