
Re: New multi6 draft: WIMP



> I believe there is a problem with the gradual release of secret 
> information (such as hash chains) when a man in the middle can trick 
> both sides to become desynchronized such that side A has two messages 
> in transit, messages M+1 and M+2, with an earlier message being M. M, 
> M+1 and M+2 are protected using hashes X, X+1 and X+2, respectively. 
> Side B can check whether message M+1 is authentic by taking X+1, 
> performing a function over it and determining whether the result is 
> equal to X. However, a man in the middle that already has X+2 could 
> create X+1 and then use this value to create an authentic-looking 
> message M+1. Or am I missing something?

I don't see why this is a problem when 
1) the signalling protocol (which advances the hash element to use/reveal)
   has at most one outstanding operation
2) the signalling protocol never gives up on an operation - keeps on 
   retransmitting until the host-pair context is abandoned
3) when a new host-pair context is created the initiator picks a new
   ephemeral ID

In that case, the MiTM that appears after the initial exchange can't force 
either end to reveal an "extra" hash element as you suggest.

  Erik
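The hash-chain exchange discussed in this thread, as an added illustration that is not part of the draft or of either message: elements are revealed in the order X, X+1, X+2 and side B checks h(X+1) == X. SHA-256 as the one-way function, the class and function names, and the fixed seed are all assumptions; how an element is bound to the message content it protects is not specified in the thread and is left out here.

```python
import hashlib

def h(x: bytes) -> bytes:
    """One-way step of the chain: X_i = h(X_{i+1}). SHA-256 is an assumption."""
    return hashlib.sha256(x).digest()

def make_chain(n: int, seed: bytes) -> list:
    """Build X_0..X_n with h(X_{i+1}) == X_i. X_0 is the anchor fixed in the
    initial exchange; X_1, X_2, ... are revealed one per signalling step."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()                 # index 0 is the anchor, index n the seed
    return chain

class Verifier:
    """Side B: accepts an element only if it hashes to the last accepted one."""
    def __init__(self, anchor: bytes):
        self.last = anchor
    def accept(self, elem: bytes) -> bool:
        if h(elem) != self.last:
            return False
        self.last = elem
        return True

class Sender:
    """Side A under rule 1): at most one revealed-but-unacknowledged element."""
    def __init__(self, chain: list):
        self.chain, self.next_idx, self.outstanding = chain, 1, False
    def reveal(self):
        if self.outstanding or self.next_idx >= len(self.chain):
            return None             # refuse to advance until the last reveal is acked
        self.outstanding = True
        self.next_idx += 1
        return self.chain[self.next_idx - 1]
    def ack(self) -> None:
        self.outstanding = False

def derive_previous(later_elem: bytes) -> bytes:
    """The point raised in the quoted mail: whoever holds X_{i+1} can compute X_i."""
    return h(later_elem)

def desync_forgery_accepted(chain: list) -> bool:
    """Two elements in transit (rule 1 violated): X_1 derived from X_2 passes B's check."""
    return Verifier(chain[0]).accept(derive_previous(chain[2]))

def one_outstanding_holds(chain: list) -> bool:
    """With rule 1, X_2 never leaves A while X_1 is unacknowledged, so there is
    no later element from which X_1 could be derived."""
    s, v = Sender(chain), Verifier(chain[0])
    x1, blocked = s.reveal(), s.reveal()
    accepted = v.accept(x1)
    s.ack()
    return blocked is None and accepted and s.reveal() == chain[2]
```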