Regarding how the OTR protocol that Yegle brought up prevents man-in-the-middle attacks, I found this article on Wikipedia.
But the algorithm is a bit complicated and I don't quite understand it.
Calling on the experts to explain it for us.
Socialist millionaire
From Wikipedia, the free encyclopedia
The Socialist Millionaire Protocol is a cryptographic protocol that allows two parties to verify the identity of the remote party and avoid a man in the middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel. In effect a relatively weak password/passphrase in natural language can be used. Brute force attacks are avoided by demanding user input on both sides prior to the check itself. It is a part of Off-the-Record Messaging.
Example
While data messages are being exchanged, either Alice or Bob may run the Socialist Millionaire Protocol (SMP) to detect impersonation or man-in-the-middle attacks. All exponentiations are done modulo a particular 1536-bit prime, and g1 is a generator of that group. All sent values include zero-knowledge proofs that they were generated according to this protocol, as indicated in the detailed description below.
Suppose Alice and Bob have secret information x and y respectively, and they wish to know whether x = y. The Socialist Millionaires' Protocol allows them to compare x and y without revealing any other information than the value of (x == y). For OTR, the secrets contain information about both parties' long-term authentication public keys, as well as information entered by the users themselves. If x = y, this means that Alice and Bob entered the same secret information, and so must be the same entities who established that secret to begin with.
Assuming that Alice begins the exchange:
* Alice:
1. Picks random exponents a2 and a3
2. Sends Bob g2a = g1^a2 and g3a = g1^a3
* Bob:
1. Picks random exponents b2 and b3
2. Computes g2b = g1^b2 and g3b = g1^b3
3. Computes g2 = g2a^b2 and g3 = g3a^b3
4. Picks random exponent r
5. Computes Pb = g3^r and Qb = g1^r * g2^y
6. Sends Alice g2b, g3b, Pb and Qb
* Alice:
1. Computes g2 = g2b^a2 and g3 = g3b^a3
2. Picks random exponent s
3. Computes Pa = g3^s and Qa = g1^s * g2^x
4. Computes Ra = (Qa / Qb)^a3
5. Sends Bob Pa, Qa and Ra
* Bob:
1. Computes Rb = (Qa / Qb)^b3
2. Computes Rab = Ra^b3
3. Checks whether Rab == (Pa / Pb)
4. Sends Alice Rb
* Alice:
1. Computes Rab = Rb^a3
2. Checks whether Rab == (Pa / Pb)
If everything is done correctly, then Rab should hold the value of (Pa / Pb) times (g2^(a3*b3))^(x - y), which means that the test at the end of the protocol will only succeed if x == y. Further, since g2^(a3*b3) is a random number not known to any party, if x is not equal to y, no other information is revealed.
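The five-message exchange above, written out as an added Python example; this is not code from the Wikipedia article or from the OTR implementation. It replaces OTR's 1536-bit prime with a small constructed safe-prime group (p = 1019, q = 509, g1 = 4) so the run is easy to follow, derives the secret from constructed fingerprints and a passphrase using a SHA-256 encoding that is my own assumption (the article only says the secret mixes both long-term keys and user input), and omits the zero-knowledge proofs the article says accompany every sent value. Names such as `Alice.step1` and `run_smp` are the example's own.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 1019 is a safe prime (p = 2q + 1,
# q = 509) and g1 = 4 generates the subgroup of prime order q. OTR uses a
# 1536-bit prime instead; the arithmetic below is unchanged, only P and G1 differ.
P = 1019
Q = (P - 1) // 2
G1 = 4


def rand_exp():
    """Random exponent in [1, q-1]; never 0, so no derived generator collapses to 1."""
    return 1 + secrets.randbelow(Q - 1)


def div(a, b):
    """a / b in the group: multiply by the modular inverse of b."""
    return a * pow(b, -1, P) % P


def secret_from(fpr_a, fpr_b, ssid, user_secret):
    """Derive an SMP secret from both key fingerprints, the session id and the
    passphrase. Concatenate-and-SHA-256, reduced mod q, is an assumed encoding."""
    h = hashlib.sha256(b"|".join([fpr_a, fpr_b, ssid, user_secret])).digest()
    return int.from_bytes(h, "big") % Q


class Alice:
    def __init__(self, x):
        self.x = x

    def step1(self):
        self.a2, self.a3 = rand_exp(), rand_exp()
        return pow(G1, self.a2, P), pow(G1, self.a3, P)          # g2a, g3a

    def step3(self, g2b, g3b, pb, qb):
        self.g2, self.g3 = pow(g2b, self.a2, P), pow(g3b, self.a3, P)
        self.pb = pb
        s = rand_exp()
        self.pa = pow(self.g3, s, P)
        self.qa = pow(G1, s, P) * pow(self.g2, self.x, P) % P
        ra = pow(div(self.qa, qb), self.a3, P)
        return self.pa, self.qa, ra

    def step5(self, rb):
        rab = pow(rb, self.a3, P)          # (Qa/Qb)^(a3*b3)
        return rab == div(self.pa, self.pb)


class Bob:
    def __init__(self, y):
        self.y = y

    def step2(self, g2a, g3a):
        self.b2, self.b3 = rand_exp(), rand_exp()
        self.g2, self.g3 = pow(g2a, self.b2, P), pow(g3a, self.b3, P)
        r = rand_exp()
        self.pb = pow(self.g3, r, P)
        self.qb = pow(G1, r, P) * pow(self.g2, self.y, P) % P
        return pow(G1, self.b2, P), pow(G1, self.b3, P), self.pb, self.qb

    def step4(self, pa, qa, ra):
        rb = pow(div(qa, self.qb), self.b3, P)
        rab = pow(ra, self.b3, P)          # (Qa/Qb)^(a3*b3)
        self.ok = rab == div(pa, self.pb)
        return rb


def run_smp(x, y):
    """Drive the exchange between one Alice and one Bob; returns (alice_ok, bob_ok)."""
    alice, bob = Alice(x), Bob(y)
    g2a, g3a = alice.step1()
    g2b, g3b, pb, qb = bob.step2(g2a, g3a)
    pa, qa, ra = alice.step3(g2b, g3b, pb, qb)
    rb = bob.step4(pa, qa, ra)
    return alice.step5(rb), bob.ok


if __name__ == "__main__":
    # Constructed fingerprints and session id; in OTR these come from the real keys.
    fa, fb, sid = b"fpr-alice", b"fpr-bob", b"session-1"
    same = secret_from(fa, fb, sid, b"our shared phrase")
    print("matching secrets:", run_smp(same, same))
    other = secret_from(fa, fb, sid, b"a guess")
    print("different secrets:", run_smp(same, other))
```

Both sides reach the same Rab = (Qa/Qb)^(a3 b3), and that equals Pa/Pb exactly when x == y mod q: the leftover factor (g2^(a3 b3))^(x-y) is 1 only when the exponent vanishes, and g2^(a3 b3) cannot itself be 1 because every exponent is drawn from [1, q-1] with q prime. Because each side folds the fingerprint of the key it actually sees into its secret, an attacker who merely relays the five SMP messages between the real parties produces x != y and fails the check. Note the toy group's weakness: with q = 509, two different passphrases collide mod q with probability 1/509, which is why the demo compares `same` against a derived `other` rather than against a hard-coded number; with OTR's 1536-bit group that collision probability is negligible.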
This is a mirrored post. Source: 北邮人论坛 (BYR BBS) / security / #18687, synced 2008/7/15
Posted by the Security bot
Socialist Millionaire Protocol (socialist millionaire protocol?), for authentication
wks
2008/7/15 mirror sync, 12 replies
9 replies
Didn't get it...
Calling for an expert...
Also, the original is at http://en.wikipedia.org/wiki/Socialist_millionaire; you have to look at the original to make sense of how those formulas are laid out.
【 In the post by wks (cloverprince): 】
: Regarding how the OTR protocol that Yegle brought up prevents man-in-the-middle attacks, I found this article on Wikipedia.
: But the algorithm is a bit complicated and I don't quite understand it.
: Calling on the experts to explain it for us.
: ...................
Hmm, that is a problem. Might as well just post a picture.
【 In the post by yegle: 】
: Didn't get it...
: Calling for an expert...
: Also, the original is at http://en.wikipedia.org/wiki/Socialist_millionaire; you have to look at the original to make sense of how those formulas are laid out.
Ugh... the internship hasn't even officially started yet...
【 In the post by swears (【杯酒人生】 Swears): 】
: Yesterday it was the intrusion detection engine, today it's firewalls: principles, installation, usage. Exam tomorrow. Depressing.