IETF-SSH archive


Re: Question on transport protocol



[  I'm adding the list back into this reply ]

On Mon, Jan 14, 2002 at 10:36:37PM -0500, Richard E. Silverman wrote:
> On Tue, 15 Jan 2002, Derek Fawcus wrote:
> 
> > In the transport protocol,  section 8 (Service Request),  the last
> > paragraph states:
> > 
> >    Note that after a key exchange with implicit server authentication,
> >    the client MUST wait for response to its service request message
> >    before sending any further data.
> > 
> > I'd like to ask why is the above constraint there?  I assume it's for some
> > security reason,  but looking at the packet flow,  I can't see a reason
> > for it.
> 
> With implicit authentication, the client verifies server authentication by
> checking that it can decode traffic from the server using the
> just-negotiated shared encryption key.

That's the bit I don't get.

> So it must wait for the next
> message from the server; if it doesn't, then it may be sending (possibly
> sensitive) data to a bogus server.

Surely after the DH exchange,  both ends have the same shared secret,
thus the above authentication will always succeed?  The fact that the
KEX_DH_REPLY had a signed hash seems to provide as good an authentication
as one is going to get.  Thus the client should always be able to decode
the first packet.

Or is the intention that if a non DH exchange is used,  then this delay
is required (i.e. in the more general case).

I'll admit that I'm discussing this from a position of ignorance wrt
the key exchange protocol,  it may well be that it's required and
the method of attack it would fall to is just not obvious to me.

DF
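
The implicit case the quoted paragraph refers to, as an added example that is not part of the original thread: a toy static-DH exchange in which the server sends no signature, so the client's first evidence of the server's identity is a reply that verifies under the derived key. The group parameters, the key derivation, the use of a MAC check in place of decryption, and all function names are assumptions made for illustration, not a key exchange method defined by the SSH drafts.

```python
import hashlib, hmac, secrets

# Toy group constructed for illustration only; far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def mac_key(shared, e):
    # Session integrity key derived from the DH result and the client's value.
    return hashlib.sha256(f"{shared}|{e}".encode()).digest()

def server_reply(static_priv, e, payload=b"SERVICE_ACCEPT"):
    # The server sends no signature; it only MACs its reply with the derived key.
    key = mac_key(pow(e, static_priv, P), e)
    return payload, hmac.new(key, payload, hashlib.sha256).digest()

def client_accepts(host_pub, eph_priv, e, reply):
    # The client derives its key from the host public key it already trusts.
    payload, tag = reply
    key = mac_key(pow(host_pub, eph_priv, P), e)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def exchange(responder_priv, host_pub):
    # One key exchange plus service request; True if the reply authenticates.
    eph_priv, e = keypair()
    return client_accepts(host_pub, eph_priv, e, server_reply(responder_priv, e))

def demo():
    host_priv, host_pub = keypair()   # genuine server's long-term key
    rogue_priv, _ = keypair()         # impostor lacks host_priv
    return exchange(host_priv, host_pub), exchange(rogue_priv, host_pub)

if __name__ == "__main__":
    print(demo())
```

In this model nothing before the reply distinguishes the two responders, which is why a client that sends data ahead of the reply cannot know who will be able to read it.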


