-Instead of doing RSA encryption again, tinc will use a part of the random
-string that was exchanged during the authentication phase as the key for the
-symmetric cipher. Some symmetric ciphers require a random initialisation vector
-for improved security. This vector can be taken from the random string as well.
-
-Is this secure? I (Guus Sliepen) think at this moment that it is:
-
-- Since the random string cannot be decrypted by anyone eavesdropping or
- playing man-in-the-middle, the symmetric key cannot be known by sniffing.
-- The unencrypted returned hash value is supposed to be cryptographically
- secure. Furthermore, it can only at most give a way 160 bits of information
- from the complete random string which is longer than the key for the
- symmetric cipher, so very few bits will actualy contain information about
- the symmetric cipher key alone, if any.
-- If the RSA encryption is cracked, the rest of the communications can be
- decrypted anyway.
-- If the symmetric cipher encryption is cracked without using the information
- from the encrypted random strings or the hash values, this still won't give
- the full plaintext for the random string, so it won't facilitate a known-
- plaintext attack on the RSA encryption.
-- RSA and symmetric ciphers are fundamentally different. It is very unlikely
- that the overlap of both will create any interference that will facilitate
- an easier-than-brute-force attack.
-
-Other options for key exchange could be:
-
-* A second exchange of RSA encrypted random strings.
- This is equal to the former scheme just without knowing the hash value of
- the unecrypted random string. Information theory tells that two seperate
- RSA messages are as secure as one if the total amount of bits sent is the
- same, so enlarging the challenge will make one exchange just as secure as
- two seperate exchanges.
-
-* Diffie-Hellman with RSA signing.
- This should be very secure, but there are a lot of pitfalls with using both
- encryption with public keys and private keys together with the same keypair.
-
-* Diffie-Hellman with passphrases.
- This is what tinc <= 1.0pre2 used to do. Passphrases are secret, exchanging
- them must be done with great care, nobody may eavesdrop. Exchanging public
- keys on the other hand is much safer, everybody may eavesdrop, just as long
- as you are sure that the public key itself belongs to the right owner.
-
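Review bot: missing replacement documentation. The lines removed here, from "Instead of doing RSA encryption again" through the "Other options for key exchange" list, are the only visible statement of where the symmetric cipher key and initialisation vector come from (a part of the random string exchanged during the authentication phase) and of why returning the unencrypted hash, at most 160 bits of information, is considered acceptable. If the protocol still derives the key this way, keep a shortened version of that rationale. If it no longer does, the same patch should describe the new key exchange and say which of the listed alternatives, if any, it corresponds to. The "tinc <= 1.0pre2" note on Diffie-Hellman with passphrases is history rather than rationale and could move to a changelog instead of being dropped.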