[curves] The SPEKE Protocol Revisited

Feng Hao feng.hao at newcastle.ac.uk
Mon Sep 29 13:24:06 PDT 2014


I think your and Michael's method should also work. It is a bit odd though to compare the identity and the message, as they are two different types of data. But that is just me.

In the countermeasure proposed in the paper, I think there should be no confusion as to who sent the messages, as there are only two (distinct) identities and two (distinct) messages and each party knows its own identity and message.

I think your main point is that there is more than one way to fix the issue - yes, I agree.


>-----Original Message-----
>From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
>Sent: 29 September 2014 20:59
>To: Michael Hamburg; Feng Hao
>Cc: curves at moderncrypto.org
>Subject: Re: [curves] The SPEKE Protocol Revisited
>On 09/29/2014 03:13 PM, Michael Hamburg wrote:
>> What do you think of a KDF that amounts to H(minmax((Alice’s
>> identity,Alice’s message),(Bob’s identity,Bob’s message), shared secret)
>For clarification, the above is missing a close-paren, and "minmax()" is
>probably more simply described as sort()
>so i think Mike is asking about:
> H(sort((Alice's identity, Alice's message),
>        (Bob's identity, Bob's message)),
>   shared secret)
>> It seems safer than the method you proposed, because it associates Alice’s
>> identity to her message, but the wormhole attack you proposed worked
>> because it confuses who sent which message.
>	--dkg
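
The key derivation discussed in this thread, H(sort((identity, message) pairs), shared secret), sketched as an added example that is not code from the paper or from any poster. SHA-256 as H, the 4-byte length-prefix encoding, the function names and all sample values are assumptions made for illustration; the distinctness check follows the "two (distinct) identities and two (distinct) messages" remark above.

```python
import hashlib


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated fields cannot be re-split differently."""
    return len(field).to_bytes(4, "big") + field


def session_key(own_id: bytes, own_msg: bytes,
                peer_id: bytes, peer_msg: bytes,
                shared_secret: bytes) -> bytes:
    """H(sort((own_id, own_msg), (peer_id, peer_msg)), shared_secret).

    Each identity stays attached to the message its owner sent; sorting the
    two pairs only removes the initiator/responder ordering, so both parties
    hash the same bytes without agreeing on roles first.
    """
    # Assumption drawn from the thread: identities and messages are distinct.
    if own_id == peer_id or own_msg == peer_msg:
        raise ValueError("identities and messages must be distinct")
    h = hashlib.sha256()  # assumption: SHA-256 stands in for H
    for ident, msg in sorted([(own_id, own_msg), (peer_id, peer_msg)]):
        h.update(_lp(ident))
        h.update(_lp(msg))
    h.update(_lp(shared_secret))
    return h.digest()


# Constructed sample values (not real protocol output).
ALICE, BOB = b"alice", b"bob"
MSG_A, MSG_B = b"constructed-message-from-alice", b"constructed-message-from-bob"
SECRET = b"constructed shared secret"

if __name__ == "__main__":
    k_alice = session_key(ALICE, MSG_A, BOB, MSG_B, SECRET)   # Alice's view
    k_bob = session_key(BOB, MSG_B, ALICE, MSG_A, SECRET)     # Bob's view
    # A party that attributes each message to the wrong identity.
    k_confused = session_key(ALICE, MSG_B, BOB, MSG_A, SECRET)
    print("views agree:", k_alice == k_bob)
    print("swapped attribution changes key:", k_alice != k_confused)
```
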
