DH Support Optional on Servers?
Paul Crowley
paul at ciphergoth.org
Mon Jun 20 22:20:18 PDT 2005
Nathan D. Bowen wrote:
> Is this correct? Servers are not required to support DH at all, and a
> consumer requesting a DH session is only suggesting the use of DH,
> regardless of whether the connection is otherwise protected from
> eavesdropping?
That's my intent. Note that anywhere the attacker can perform a
protocol rollback attack, they can tamper with the DH session parameters
and sniff the session that way.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
More information about the yadis
mailing list