[Standards-JIG] Re: The Great Encryption Debate

Jesus Cea jcea at argo.es
Mon Aug 8 16:32:46 UTC 2005

Justin Karneges wrote:
> Both SSH and TLS use Diffie-Hellman without risk, because they use public key 
> signatures to protect the Diffie-Hellman values.  JEP-0116 is no different.

SSH has no signatures. It simply verifies that the host you are connecting 
to is the very same as last time. So, if your first connection is 
"secure", you can be sure that everything is right.

But since client Jabber connections ALWAYS go through the same server path, 
security can be trivially compromised. For example, if the user's server 
is tampered with prior to the first key exchange.

Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                       _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz
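
An added example, not part of the original message: a minimal trust-on-first-use pin store showing the case described above, where a key-substituting server is on the path from the very first exchange, so the "same key as last time" check never fires. The peer name, key bytes and function names are constructed for illustration; the out-of-band fingerprint comparison at the end is an assumption about how a deployment would catch it.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a public key blob, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """Trust-on-first-use: remember the key seen at first contact."""
    def __init__(self):
        self.pins = {}

    def check(self, peer: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            # Nothing to compare against yet: accept and pin.
            self.pins[peer] = fp
            return "pinned-unverified"
        return "match" if hmac.compare_digest(pinned, fp) else "MISMATCH"

# Constructed sample values (not real keys).
PEER = "alice@example.org"
ALICE_KEY = b"constructed-sample-key:alice"
SERVER_KEY = b"constructed-sample-key:substituted-by-server"

def sessions(store: PinStore, keys_seen):
    """Run one pin check per session and collect the verdicts."""
    return [store.check(PEER, k) for k in keys_seen]

def substitution_from_first_exchange():
    # Every session, including the first, carries the substituted key.
    store = PinStore()
    return store, sessions(store, [SERVER_KEY, SERVER_KEY, SERVER_KEY])

def substitution_after_first_exchange():
    # The genuine key was pinned first, so a later substitution is caught.
    store = PinStore()
    return store, sessions(store, [ALICE_KEY, ALICE_KEY, SERVER_KEY])

def verified_out_of_band(store: PinStore, fp_from_other_channel: str) -> bool:
    """Compare the pin with a fingerprint obtained over a separate channel."""
    return hmac.compare_digest(store.pins.get(PEER, ""), fp_from_other_channel)

if __name__ == "__main__":
    for scenario in (substitution_from_first_exchange,
                     substitution_after_first_exchange):
        store, verdicts = scenario()
        ok = verified_out_of_band(store, fingerprint(ALICE_KEY))
        print(scenario.__name__, verdicts, "out-of-band ok:", ok)
```
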
