<p dir="ltr"><br>
On 29 Nov 2015 23:11, "U.Mutlu" <<a href="mailto:for-gmane@mutluit.com">for-gmane@mutluit.com</a>> wrote:<br>
><br>
> So, in summarizing the replies so far: it is not possible<br>
> without a central authority, or an a priori shared secret,<br>
> or PKI certificates.<br>
><br>
> Ok, let's say the only missing link here is just a missing shared secret,<br>
> ie. a password. If that were given then it will function.<br>
><br>
> Now, going a step further: is it not possible to exchange<br>
> a temporary password (OTP) on-the-fly during the protocol<br>
> in a secure way with the other party?<br>
> That is, one would need to embed such an algorithm into the protocol.<br>
><br>
> Could for example the Interlock Protocol not be used for this?<br>
> Or maybe in a combination with SMP? As said, the task is "just"<br>
> to create and exchange on-the-fly an ephemeral secret between the parties.</p>
<p dir="ltr">Not OTP, that's a different beast, because the definition of that is fully unpredictable randomness (entropy) and no reuse of keys, and much more.</p>
<p dir="ltr">(There's however a version of message authentication provably secure if keyed using an OTP, so to use two pads, one for the ciphertext and one to key the authentication tags, is pretty much perfectly secure. Key management is still ridiculously impractical.) </p>
<p dir="ltr">But yes, SRP + Diffie-Hellman does exactly what you describe here. There are also other pairs of protocols capable of achieving the same thing. </p>
<p dir="ltr">OTR (IM) uses a variant of this (the socialist millionaire protocol), and so does ZRTP (VoIP). I think even SSH can be made to do it, and it is in the TLS (SSL) spec AFAIK, but rarely used and thus not implemented in most places. </p>
<p dir="ltr">But nowadays the preference is for mutual public key authentication. It is just more practical. </p>
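<p dir="ltr">As an added example, not code from this thread or from any of the projects it names: a Python implementation of SRP-6a, the password-authenticated key exchange the reply above refers to as "SRP + Diffie-Hellman". Client and server run in one process; the two parties start from nothing but a short shared password (stored server-side only as a salted verifier) and end with a fresh 256-bit session key that an eavesdropper or man-in-the-middle cannot obtain, while a wrong password makes the exchange fail without leaking the verifier. Assumptions: the 1024-bit group from RFC 5054 Appendix A with g = 2 is used for brevity (larger groups in practice); the names enroll, Client, Server and run_exchange are this example's own; the identities and passwords are constructed sample inputs.</p>

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A, g = 2.  Chosen to keep the example
# short; real deployments should use the 2048-bit or larger RFC 5054 groups.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_key(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I ':' P)); computed on the client, never transmitted."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enroll(identity: bytes, password: bytes):
    """Server keeps (salt, v = g^x).  A leaked v only enables offline guessing;
    it does not let its holder log in as the user directly."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, identity, password), N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbits(256)          # ephemeral secret, fresh per run
        self.A = pow(g, self.a, N)              # C -> S: I, A

    def finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent B = 0 mod N; abort")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u = 0; abort")
        x = private_key(salt, self.I, self.P)
        # S = (B - k*g^x)^(a + u*x) mod N; equals g^(b(a + u*x)) when x matches v
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1                          # C -> S: proof of K

    def verify_server(self, M2: bytes) -> bool:
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return secrets.compare_digest(expected, M2)


class Server:
    def __init__(self, verifiers: dict):
        self.db = verifiers                     # identity -> (salt, v)

    def challenge(self, identity: bytes, A: int):
        if A % N == 0:
            raise ValueError("client sent A = 0 mod N; abort")
        salt, self.v = self.db[identity]
        self.A = A
        self.b = secrets.randbits(256)          # ephemeral secret, fresh per run
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return salt, self.B                     # S -> C: s, B

    def verify_client(self, M1: bytes):
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)   # (A * v^u)^b mod N
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not secrets.compare_digest(expected, M1):
            return None                         # wrong password: no M2, no key
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()   # S -> C: M2


def run_exchange(identity: bytes, enrolled_pw: bytes, typed_pw: bytes):
    """Drive one full exchange; returns (authenticated, session_key_or_None)."""
    server = Server({identity: enroll(identity, enrolled_pw)})
    client = Client(identity, typed_pw)
    salt, B = server.challenge(client.I, client.A)
    M1 = client.finish(salt, B)
    M2 = server.verify_client(M1)
    if M2 is None or not client.verify_server(M2):
        return False, None
    return True, client.K


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse", b"correct horse")[0],
          run_exchange(b"alice", b"correct horse", b"wrong guess")[0])
```

<p dir="ltr">The session key K depends on the ephemeral a and b, so two runs with the same password yield different keys, which is the "ephemeral secret exchanged on the fly" the question asks about; the password itself is still the a priori shared secret the earlier replies said cannot be dispensed with. The two abort checks (A or B congruent to 0 mod N) are the ones SRP-6a requires against a peer that tries to force a predictable S.</p>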