[cryptography] Security Discussion: Password Based Key Derivation for Elliptic curve Diffie–Hellman key agreement

ianG iang at iang.org
Wed Dec 18 02:35:21 EST 2013

On 17/12/13 21:38 PM, Joseph Birr-Pixton wrote:
> In very general terms, you cannot hope to achieve confidentiality
> without authenticity.

Actually, you can achieve confidentiality, you just can't prove it in 
cryptographic terms.

The original poster should not be dissuaded by claims that no MITM 
solution makes it worthless.  The same trick was done to SSL and look at 
where that got us:  mass surveillance because it is too hard to deploy 
in 100% of circumstances.

Also, look at Greg Rose's post.  The bar is very very low because anyone 
who wants to MITM a facebook user can also slip in many other approaches.

Doing just enough to force the attacker to go active -- by *any means* 
-- is a really good tool.

In the alternate, add some MITM protection as a second generation. 
There are some easy, sorta maybe methods like sharing the number over 
another channel (phone, SMS, skype).  You can much better appreciate 
what works for your design once it is up and running, and once your 
users start telling you what they can do.  This you cannot achieve at 
all if you design in some cold-war PKI design from the get-go.
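The two protection levels argued for above, as an added illustration that is not part of the post or the mailing list: an unauthenticated ECDH exchange that already defeats a passive listener, plus the "share the number over another channel" step that catches an active man-in-the-middle. The curve is secp256k1 (its standard domain parameters are assumed; the post names no curve), the parties Alice, Bob and Mallory are constructed, and the short hex "number" each side reads out over the phone is a hash over both public keys as that side saw them.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standardised constants; an assumption of this
# example, since the original post does not name a curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_on_curve(pt):
    """True for the point at infinity (None) or any affine point on y^2 = x^3 + 7."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0


def point_add(p1, p2):
    """Affine group law; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add (not constant time; acceptable for a demonstration)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keypair():
    d = secrets.randbelow(N - 1) + 1     # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def encode(pub):
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")


def derive_key(d, peer_pub):
    """ECDH shared point run through a hash; rejects off-curve peer points."""
    if peer_pub is None or not is_on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    shared = scalar_mult(d, peer_pub)
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def session_fingerprint(own_pub, peer_pub):
    """The short 'number' each side reads out over the other channel.
    It commits to both public keys as this side saw them, order-independent."""
    data = b"".join(sorted([encode(own_pub), encode(peer_pub)]))
    return hashlib.sha256(data).hexdigest()[:16]


def run_exchange(with_mitm):
    """Returns (session keys agree, fingerprints agree).
    Alice, Bob and the interposed Mallory are constructed parties."""
    a_d, a_pub = keypair()
    b_d, b_pub = keypair()
    if with_mitm:
        # An active attacker substitutes her own public value on both legs.
        _, m_pub = keypair()
        pub_seen_by_alice, pub_seen_by_bob = m_pub, m_pub
    else:
        # A passive listener sees a_pub and b_pub but cannot derive the key.
        pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    k_alice = derive_key(a_d, pub_seen_by_alice)
    k_bob = derive_key(b_d, pub_seen_by_bob)
    fp_alice = session_fingerprint(a_pub, pub_seen_by_alice)
    fp_bob = session_fingerprint(b_pub, pub_seen_by_bob)
    return k_alice == k_bob, fp_alice == fp_bob


if __name__ == "__main__":
    print("honest exchange (keys agree, fingerprints agree):", run_exchange(False))
    print("under MITM      (keys agree, fingerprints agree):", run_exchange(True))
```

In the honest run both tuples come back `(True, True)`; with Mallory interposed, the two sides end up with different keys and their read-out fingerprints differ, which is exactly what the phone or SMS comparison is there to surface. Nothing in the first-generation exchange stops the substitution; it only forces the attacker to be active, and the second-generation check makes that activity visible.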

