From mboxrd@z Thu Jan  1 00:00:00 1970
Date: Wed, 13 Apr 2005 08:45:45 -1000
From: Tim Newsham <newsham@lava.net>
To: Bruce Ellis <bruce.ellis@gmail.com>,
	Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] crypto question
In-Reply-To: <775b8d19050413085223e10893@mail.gmail.com>
Message-ID: <Pine.BSI.4.61.0504130842300.5044@malasada.lava.net>
References: <Pine.BSI.4.61.0504121245410.5044@malasada.lava.net>
	<425C6552.6090908@Princeton.EDU>
	<Pine.BSI.4.61.0504121735440.5044@malasada.lava.net>
	<035d01c53fdb$1e46c7b0$9efb7d50@kilgore>
	<775b8d19050413085223e10893@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: 
Topicbox-Message-UUID: 377758fc-ead0-11e9-9d60-3106f5b1d025

> I think it's a mute point. "unsuitable for anything
> but authentication" is fair, but it is suitable for p9sk1.
>
> If you really wanta try a man-in-the-middle attack you'll
> need more resources than the user is willing to wait for.
>
> If you are just snooping you won't learn anything to
> compromise the authenticated session or shared key.
>
> Correct me if I'm wrong.

If it is "suitable for authentication" then there's no problem.
I have definitely not figured out a way to abuse the weaknesses
to break the authentication.  My concern is that weaknesses like
this often provide an avenue for an attack and my failure to come
up with one is definitely not a proof that one doesn't exist.
Why use a weak form of chaining that offers an attacker some
extra leverage when stronger forms exist, are well known and
widely examined?

> brucee

Tim Newsham
http://www.lava.net/~newsham/