[Security] ESessions Feedback

Ian Paterson ian.paterson at clientside.co.uk
Sat Mar 24 11:47:19 CDT 2007

It seems we can at least be confident that ESessions is a good protocol. 
Peter wrote to Hugo Krawczyk, who is probably the world's leading expert 
on SIGMA-based protocols like ESessions. He said:

"I was impressed by the level of undestanding of the crypto part that
you show. At a high level your design made a lot of sense to me."

"The complexity does not come from your specific solutions
but from the multiple functionalities and scenarios you support such
as initiator/responder protection, public keys and SAS, retained
secrets, deniability, etc. Once you decide that you want to support
all these scenarios, your solutions are perfectly ok, and I do not see
any way to significantly simplify the design."

"I see no way to make things simpler by using TLS. I am not even sure
if you can provide all the functionality that you have based on TLS
(well, of course, you can always depart enough from TLS and get it,
but it won't be simpler)."

"The analysis is not trivial but since you seem to stay close enough to
the sigma basic design and principles that part should not be too hard
to do, at least for someone with enough experience in this type of
protocol design."

"As for the implementation complexity,  you may want to decide on a
subset of options/functionalities and start implementing/deploying
that subset. Then, with more working experience you may add more
elements. Even in such a case it is good that you have the more
ambitious design in place so you can really build the right basic
blocks from start."

That makes a lot of sense to me. If we decide to go the ESessions route 
then I'd be happy to produce an option-free "subset" version of 
ESessions. I'd cut out major features like public keys (SAS and retained 
secrets would stay), and the optional 3-message negotiation.

- Ian

More information about the Security mailing list