Re: question about Diffie Hellman key exchange ??

From: Tom St Denis (tom_at_securescience.net)
Date: 04/12/04


Date: Mon, 12 Apr 2004 15:46:19 GMT

AE wrote:

> Tom St Denis wrote:
>> mark wrote:
>>>...
>>>Here is the question:
>>>So every time I communicate with the same partner, then according to
>>>above I am generating a session key which would be same again !!
>>>Clearly I am missing something here.
>>
>> Not a huge problem. All you have to do is have each side share a nonce
>> which you mix into the pot. E.g. one trivial solution...
>>
>> 1. compute k = g^xy, hash it down to 256-bits via SHA-256; call that H
>> 2. Make up a random 128-bit value and encrypt it with AES-256; call that R
>> 3. Share R with the other dude and they send you their R; call it R'
>> 4. decrypt R/R', xor R with R' and H and call that SK [or hash them,
>> which might be better]
>>
>> SK is now your session key.
>> ...
>
> I don't like that solution: An attacker calculating or otherwise getting
> access to x or y will be able to decrypt all past messages (and all
> future ones until you find out what happened).
>
> Better change x and y every time and sign them or use KEA: In case the
> signature gets broken the attacker still isn't able to decrypt past
> messages and to get future message keys a man-in-the-middle attack is
> necessary.

Personally I would just have the client make up a key with every connection.
The server can't change keys but at least such an approach would avoid the
problem you mentioned.

I was speaking in general though [e.g. peer networks].

Tom
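As an added illustration (not code from anyone in this thread), the quoted key-mixing steps and the forward-secrecy point AE raises, modelled in Python so the three variants discussed (static x and y, client-only fresh x, fresh x and y) can be compared on recorded transcripts. The toy 127-bit group, the "hash them" form of step 4, and leaving out the AES encryption of the nonces are my assumptions for the sake of a stdlib-only example.

```python
import hashlib
import secrets

# Toy DH group for illustration only (constructed; far too small to be secure).
P = 2**127 - 1  # Mersenne prime
G = 3

def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1

def shared_hash(priv: int, peer_pub: int) -> bytes:
    """Step 1 of the quoted scheme: k = g^xy, hashed down to 256 bits ("H")."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def session_key(h: bytes, nonces) -> bytes:
    """Step 4, 'hash them' variant: SK = SHA-256(H || R || R'), order-independent."""
    return hashlib.sha256(h + b"".join(sorted(nonces))).digest()

def run_session(x: int, y: int):
    """One connection between the holders of x and y: returns SK and what a passive
    observer records.  Steps 2-3 (AES-encrypting the nonces under H) are not modelled:
    whoever later learns x or y recovers H and decrypts them anyway."""
    nonces = [secrets.token_bytes(16), secrets.token_bytes(16)]
    gx, gy = pow(G, x, P), pow(G, y, P)
    sk = session_key(shared_hash(x, gy), nonces)
    assert sk == session_key(shared_hash(y, gx), nonces)  # both sides agree
    return sk, {"gx": gx, "gy": gy, "nonces": nonces}

def recover(priv: int, peer_pub: int, transcript) -> bytes:
    """What the holder of one private exponent recomputes from a recorded transcript."""
    return session_key(shared_hash(priv, peer_pub), transcript["nonces"])

def demo():
    # Static DH as in the quoted scheme: the same x and y on every connection.
    x, y = rand_exp(), rand_exp()
    sk1, t1 = run_session(x, y)
    sk2, _ = run_session(x, y)
    nonces_vary_sk = sk1 != sk2                       # mark's concern is answered ...
    x_exposes_past = recover(x, t1["gy"], t1) == sk1  # ... but x recovers every past session (AE)
    # Tom's reply: the client picks a fresh x per connection while the server keeps y.
    sk3, t3 = run_session(rand_exp(), y)
    y_still_exposes_past = recover(y, t3["gx"], t3) == sk3  # the server's long-term y still does
    # AE's suggestion: fresh x and y every time (authenticated by signatures, not shown here).
    sk4, t4 = run_session(rand_exp(), rand_exp())
    x5, y5 = rand_exp(), rand_exp()
    sk5, t5 = run_session(x5, y5)
    # Old exponents are discarded; a later compromise of x5 yields only its own session.
    leak_contained = recover(x5, t5["gy"], t5) == sk5 and recover(x5, t4["gy"], t4) != sk4
    return nonces_vary_sk, x_exposes_past, y_still_exposes_past, leak_contained
```

`demo()` returns four booleans, all True: per-connection nonces do give distinct session keys, yet any long-term exponent that stays in use recovers every session it took part in from a recorded transcript, and only discarding both exponents after each connection contains a later compromise to that one session.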
