shared secret using diffie-hellman

Brad Fitzpatrick brad at
Sun Jun 5 11:20:26 PDT 2005

Okay, I'm back on track with you.

Will think through details now that I'm not totally confused.

For instance, if we do XOR the HMAC secret using the DH secret (which I'd
much prefer over AES), then what do you do about padding/repeating if the
HMAC secret and DH secret are different lengths?  Things like that.

> Brad Fitzpatrick wrote:
> > I thought the shared secret produced as a result of Diffie-Hellman _was_
> > the key used in the HMAC.  That's what I was assuming when I sent the
> > first email in this thread.
> If we do that, then the server has to either remember it, incurring
> unnecessary storage, or it has to reconstruct it every time it's needed,
> incurring unecessary computation.  I wanted the HMAC shared secret to be
> generated and managed using LJ::get_secret as before, so the server only
> has to think about DH when it's asked for a fresh HMAC secret, and it
> can forget the whole transaction as soon as it's over.
> > I don't see where even XOR comes into play.  What's wrong with sending the
> > secret key's ID (I called it "handle") and expiry in the clear?
> Sending the handle and expiry in the clear is fine.
> > What?  I thought the whole point of DH was that you never sent the
> > shared-secret... it's inferred from both side's advertised public keys
> > (you named then "gx", and "gy", probably by convention)
> As above - there are two shared secrets, the DH shared secret and the
> HMAC shared secret.  The DH shared secret is used to encrypt the HMAC
> shared secret for transmission.
> --
>    __
> \/ o\ Paul Crowley, paul at
> /\__/

More information about the yadis mailing list