On Fri, Apr 10, 2009 at 02:08:25PM +0200, Mechiel Lukkien wrote:
> On Fri, Apr 10, 2009 at 07:48:54AM -0400, erik quanstrom wrote:
> > > We haven't brought up SSL yet, so Eve can read our exchanged random
> > > numbers... now these values get shoved into SHA-1 (along with the 56 bits of
> > > entropy from Kn derived from p9any authentication) before being used to make
> > > the SSL secrets... but... that doesn't seem to matter much.  Eve sees the
> > > first four, the last four, and knows 1/8th of the middle 8 bytes (p9sk1 gets
> > > an 8-byte secret by unpacking a 7-byte DES key) of the input to the SHA-1
> > > function, meaning...  Eve still only needs to do at most 2^56 SHA-1
> > > operations to search for our SSL secrets [1]...  OK, so Eve can't have
> > > precomputed tables to help her out, fair enough, but this still seems
> > > dubious.
> > > 
> > > Subsequently, having done all of this, the secrets fed into the SSL stream
> > > contain only 80 bits of entropy, which is itself somewhat small (esp.
> > > relative to the ability of rc4 to use 128 or even 256 bit keys).
> > 
> > eve has to do zero computation to get at your plan-text stream.
> > i think they call it transport security for a reason. :-)
> 
> he probably means eve as in eavesdropper.  alice, bob, eve & friends.

Erm, yes, that... the name collision didn't even occur to me.  Sorry. :)
--nwf;