
Let's consider that Alice and Bob both know a shared secret $secret$ and don't know each other's DH public keys. They want to authenticate each other and their keys using only $secret$. Let's also forget about the existence of SMP. Can the following scheme be considered secure?

First, Alice and Bob perform Diffie-Hellman KE:

$Alice: send(g^a)$
$Bob: recv(g^a);\ send(g^b)$
$Alice: recv(g^b)$ // Now both Alice and Bob have a shared $dh\_key$

Next, they want to be sure that their companion:
a) Knows a shared secret.
b) Is the owner of the corresponding DH private key.

$Alice: send(HMAC(g^a, secret))$
$Bob: recv\_and\_check(msg, secret);\ send(HMAC(g^b, secret))$
$Alice: recv\_and\_check(msg, secret)$

If all checks pass, Alice and Bob can start a secure data exchange. They can also save the DH public keys for future conversations.

So:

  1. Is the scheme secure?
  2. If the answer to the first question is 'yes', what are the pros and cons in comparison with SMP (like the SMP in OTR)?

1 Answer


Since you tagged the question with "man-in-the-middle", the answer is that the protocol is not secure after its first use, because an eavesdropper can record the exchange and repeat it. Instead, each party should challenge the other party with a random value that the other party must use to construct the HMAC.

  • An attacker still can't MITM the connection: he doesn't have the private keys corresponding to the signed public keys. Moreover, after the first use, Alice and Bob can save each other's public keys for future conversations. Commented May 3, 2017 at 17:52
  • @Enr1g My answer relates to the protocol as described by OP. Under this protocol, after the first round the attacker can impersonate either Alice or Bob, because the exchange does not change from one session to the next one. Saving each other's keys will not prevent such impersonation unless the protocol is modified. Commented May 3, 2017 at 19:53
  • If you change "also can" in the description to "must remember and never use this protocol again", then it would be secure against the described attack. But most of us would prefer seeing a different key used for each session. A challenge mixed into the HMAC would be a better mechanism. Commented Jun 1, 2017 at 18:00
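The exchange from the question, the replay the answer describes, and the challenge-based variant the answer and the last comment suggest, as an added Python example (this is not code from the original post or its comments). It assumes, as the answer does, that Alice and Bob reuse the same DH keys from one session to the next; the toy DH group, the choice to use $secret$ as the HMAC key with the encoded public value as the message, the fixed-width encoding and the 32-byte challenges are my assumptions. What it shows is that Bob's `recv_and_check` accepts a recorded `(g^a, HMAC)` pair resent by someone who knows neither $secret$ nor $a$, and that the same replay fails once a fresh challenge is mixed into the HMAC.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only so the example is self-contained and fast.
# P = 2^127 - 1 is a Mersenne prime. This is NOT a production group; a real
# deployment would use a standardised group (RFC 3526 / RFC 7919) or a curve.
P = 2**127 - 1
G = 3
ELEM_LEN = (P.bit_length() + 7) // 8

# Constructed demo value standing in for the OP's `secret` (an assumption of this example).
SHARED_SECRET = b"constructed shared secret for the demo"


def encode(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element, so the HMAC input is unambiguous."""
    return x.to_bytes(ELEM_LEN, "big")


def tag(secret: bytes, pub: int, nonce: bytes = b"") -> bytes:
    """HMAC over the DH public value. `nonce` is empty for the OP's scheme and is the
    verifier's challenge for the answer's variant. `secret` is used as the HMAC key."""
    return hmac.new(secret, encode(pub) + nonce, hashlib.sha256).digest()


def check(secret: bytes, peer_pub: int, t: bytes, nonce: bytes = b"") -> bool:
    """The `recv_and_check` step: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(secret, peer_pub, nonce), t)


class Party:
    """One side of the exchange. The DH key is generated once per Party object, so
    reusing the object across sessions models the static keys the answer assumes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.priv = secrets.randbelow(P - 2) + 1      # a (or b)
        self.pub = pow(G, self.priv, P)               # g^a (or g^b)

    def dh_key(self, peer_pub: int) -> bytes:
        return hashlib.sha256(encode(pow(peer_pub, self.priv, P))).digest()


def run_original(alice: Party, bob: Party):
    """The OP's protocol. Returns (both checks passed, dh_key agrees, Alice's messages)."""
    # Alice: send(g^a)   Bob: recv(g^a); send(g^b)   Alice: recv(g^b)
    keys_match = alice.dh_key(bob.pub) == bob.dh_key(alice.pub)
    # Alice: send(HMAC(g^a, secret))   Bob: recv_and_check; send(HMAC(g^b, secret))
    tag_a = tag(alice.secret, alice.pub)
    bob_ok = check(bob.secret, alice.pub, tag_a)
    tag_b = tag(bob.secret, bob.pub)
    alice_ok = check(alice.secret, bob.pub, tag_b)     # Alice: recv_and_check
    recorded = {"g^a": alice.pub, "tag_a": tag_a}      # what an eavesdropper sees
    return alice_ok and bob_ok, keys_match, recorded


def replay_original(bob: Party, recorded: dict) -> bool:
    """Eavesdropper resends Alice's recorded (g^a, tag) in a later session with Bob.
    Nothing in those messages depends on the session, so Bob's check accepts them
    even though the sender knows neither `secret` nor `a`."""
    return check(bob.secret, recorded["g^a"], recorded["tag_a"])


def run_with_challenge(alice: Party, bob: Party):
    """The answer's fix: each verifier sends a fresh random challenge that the prover
    must mix into its HMAC. Returns (both checks passed, Alice's messages plus the
    challenge they answered)."""
    n_b = secrets.token_bytes(32)                 # Bob -> Alice: challenge
    tag_a = tag(alice.secret, alice.pub, n_b)     # Alice -> Bob: HMAC(g^a || n_b)
    bob_ok = check(bob.secret, alice.pub, tag_a, n_b)
    n_a = secrets.token_bytes(32)                 # Alice -> Bob: challenge
    tag_b = tag(bob.secret, bob.pub, n_a)         # Bob -> Alice: HMAC(g^b || n_a)
    alice_ok = check(alice.secret, bob.pub, tag_b, n_a)
    return alice_ok and bob_ok, {"g^a": alice.pub, "tag_a": tag_a, "n_b": n_b}


def replay_with_challenge(bob: Party, recorded: dict) -> bool:
    """Same replay against the challenge variant: Bob issues a new challenge, so a tag
    computed over the old one is rejected (except with probability 2^-256)."""
    fresh_n_b = secrets.token_bytes(32)
    return check(bob.secret, recorded["g^a"], recorded["tag_a"], fresh_n_b)


def demo() -> dict:
    alice, bob = Party(SHARED_SECRET), Party(SHARED_SECRET)
    ok1, keys_match, rec1 = run_original(alice, bob)
    ok2, rec2 = run_with_challenge(alice, bob)
    return {
        "original_session_ok": ok1 and keys_match,
        "original_replay_accepted": replay_original(bob, rec1),        # True
        "challenge_session_ok": ok2,
        "challenge_replay_accepted": replay_with_challenge(bob, rec2),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the replayed pair passes Bob's authentication check only; the example makes no claim about what the replayer can do afterwards, which the thread does not settle either. With fresh DH keys per session the recorded `(g^a, tag)` would also differ each time, which is the "different key used for each session" the last comment prefers; the challenge variant gives the same freshness without depending on key rotation.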
