[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ESP Unix encrypted session protocol software



> > Right - using DH exchange is probably appropriate in situations where
> > there is no pre-established credentials for the party on the other
> > machine.
> 
> D-H also provides perfect forward secrecy, which is a reason to use it
> even if there is already an established set of credentials.

How about public-key signing the D-H exchange?  Public key to eliminate[*]
the man-in-the-middle attack, and D-H for forward secrecy.

* Almost eliminate.  A sufficiently powerful man in the middle could 
  conceivably subvert the public keys.

--apb (Alan Barrett)