On Tue, May 02, 2006 at 07:07:56PM -0400, Watson Ladd wrote:
> First some background:
> The NSA's Suite B uses a key negotiation mutual authentication method MQV.
> This method was found to be insecure, and so HMQV was created. HMQV uses a
> signature protocol called HCR twice in one exchange to generate a key. HCR
> can prove identity of one endpoint and negotiate a key in a two message
> exchange with great efficiency for both sides.
> In Tor the current key generation method is quite expensive. Would it be
> possible to change to HCR to improve efficiency?

Looks promising; we should see if this is standing in 5 years or so.

For now, however, this doesn't look like a mature protocol to me. HCR signatures appear to be introduced in the same paper as HMQV, which was published in last year's Crypto [1]. A cursory Google search shows some results (of what importance, I can't say) against HMQV and HCR, with patches to those protocols in a proposed 'HMQV-1' that isn't any faster than HMQV [2]. Moreover, it seems likely that HMQV is covered by the same patents as MQV [3], which I believe are still in force.

In any case, I'd want to see a lot more analysis and research on these systems before we used them in the real world; just because something has been published in last year's Crypto doesn't mean it's secure.

[1] http://eprint.iacr.org/2005/176.pdf
[2] http://eprint.iacr.org/2005/205.pdf
[3] http://www.certicom.com/index.php?action=ip,protocol

yrs,
-- 
Nick Mathewson