Re: correcting URL of HP e-commerce protocol



At 01:50 PM 5/15/95 BST, Wenbo Mao wrote:
>A few hours ago I posted a wrong URL regarding HP's e-commerce
>protocol. Here is the corrected one:
>
>http://www.hpl.hp.co.uk/projects/vishnu/main.htm
>
>Terribly sorry for my mistake, especially to some of you who subscribe
>to several mailing lists and therefore may have received a dozen copies of
>my post.
>
>Cheers,
>
>Wenbo Mao
>Hewlett-Packard Laboratories
>Filton Road
>Bristol
>BS12 6QZ
>Tel:    +44 (0)117 922 9528
>Fax:    +44 (0)117 922 8924
>Email:  wm@hplb.hpl.hp.com
>
>

Wenbo,

This is yet another use of a Diffie-Hellman key exchange. All such systems
are known to suffer from a man-in-the-middle attack. For example, someone
can be in the middle of the traffic between a user and a bank, claiming to be
a bank to the user and a user to the bank. They can then send bogus x and y
values without being detected. You still need someone to bind the h(x) value
to the user's name. This is basically a DH certificate.

Taher Elgamal                   
Chief Scientist
Netscape Communications Corp.
501 E Middlefield Road, Mountain View Ca 94043.
(415) 528 2898 (Tel)
(415) 528 4122 (Fax)
elgamal@netscape.com
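
Added example, not part of the original message or of the HP protocol: a Python sketch of the point made in the reply above, running an unauthenticated Diffie-Hellman exchange in which substituted x and y values go unnoticed, then the same exchange rejected once h(x) is bound to a name. The toy group, the function names and the HMAC standing in for a certifier's signature are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy group (assumption, illustration only): far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def h(value):
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()

def _tag(ca_key, name, digest):
    # HMAC stands in for the certifying party's signature (assumption).
    return hmac.new(ca_key, f"{name}|{digest}".encode(), hashlib.sha256).hexdigest()

def issue_cert(ca_key, name, value):
    """Bind h(value) to a name."""
    return {"name": name, "h": h(value), "tag": _tag(ca_key, name, h(value))}

def verify(ca_key, cert, expected_name, received):
    """Accept a received DH value only if a genuine cert binds it to the expected name."""
    genuine = hmac.compare_digest(cert["tag"], _tag(ca_key, cert["name"], cert["h"]))
    return genuine and cert["name"] == expected_name and cert["h"] == h(received)

def exchange(intercepted, check_certs):
    """Run one user<->bank exchange; return 'shared', 'intercepted' or 'rejected'."""
    ca_key = secrets.token_bytes(32)
    u_priv, x = keypair()      # user's value x
    b_priv, y = keypair()      # bank's value y
    m_priv, m_pub = keypair()  # value held by the party in the middle
    certs = {n: issue_cert(ca_key, n, v) for n, v in (("user", x), ("bank", y))}
    # In transit, both x and y are replaced by the middle party's value.
    to_bank, to_user = (m_pub, m_pub) if intercepted else (x, y)
    if check_certs and not (verify(ca_key, certs["user"], "user", to_bank)
                            and verify(ca_key, certs["bank"], "bank", to_user)):
        return "rejected"      # h(received value) does not match the bound h(x)
    k_user, k_bank = pow(to_user, u_priv, P), pow(to_bank, b_priv, P)
    if k_user == k_bank:
        return "shared"
    # Each side now shares a key with the middle party, not with its peer.
    assert k_user == pow(x, m_priv, P) and k_bank == pow(y, m_priv, P)
    return "intercepted"

if __name__ == "__main__":
    for mitm, certs in ((False, False), (True, False), (True, True)):
        print(f"intercepted={mitm} certs={certs}: {exchange(mitm, certs)}")
```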