-@cindex secret key
-Both parties then generate a secret key. A generates a, and computes g^a
-mod p. This is then sent to B; while B computes g^b mod p, and transmits
-this to A, b being generated by B. Both a and b must be smaller than
-p-1.
-
-Both parties then calculate g^ab mod p = k. k is the new, shared, but
-still secret key.
-
-To obtain a key k of a sufficient length (128 bits in our vpnd), p
-should be 2^129-1 or more.
-
-
-@c ==================================================================
-@node Authentication, , Key Management, Security
-@subsection Authentication
-@c FIXME: recheck
-
-@cindex man-in-the-middle attack
-Because the Diffie-Hellman protocol is in itself vulnerable to the
-``man-in-the-middle attack,'' we should introduce an authentication
-system.
-
-We will let A transmit a passphrase that is also known to B encrypted
-with g^a, before A sends this to B. This way, B can check whether A is
-really A or just someone else.
-B will never receive the real passphrase though, because it was
-encrypted using public/private keypairs. This way there is no way an
-imposter could steal A's passphrase.
-
-@cindex passphrase
-@c ehrmz... but we only use 1024 bits passphrases ourselves? [guus]
-This passphrase should be 2304 bits for a symmetric encryption
-system. But since an asymmetric system is more secure, we could do with
-2048 bits. This only holds if the passphrase is very random.
-
-These passphrases could be stored in a file that is non-readable by
-anyone else but root; e.g. @file{/etc/tinc/passphrases} with UID 0
-and permissions mode 700.
-
-The only thing that needs to be taken care of is how A can securely send
-a copy of it's passphrase to B if B doesn't have it yet. This could be
-done via mail with PGP, but you should be really convinced of the
-identity of the person who owns the email address you are sending this to.
-Swapping floppy disks in real life might be the best way to do this!
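Review bot: Deleting `@node Authentication, , Key Management, Security` together with its `@subsection` and the three `@cindex` entries (secret key, man-in-the-middle attack, passphrase) will break the Info node chain unless the same patch also updates the Key Management node's "next" pointer, the `@menu` entry under Security, and any `@xref`/`@ref` to Authentication elsewhere in the manual; none of that is visible in these lines, so please confirm the manual still builds with makeinfo. On content, the removed paragraphs are where the manual says the Diffie-Hellman exchange needs authentication against a man-in-the-middle and where the passphrase file (`/etc/tinc/passphrases`, UID 0, mode 700) is described. The text was already marked `@c FIXME: recheck` and the `@c` comment from guus questions the 2304/2048-bit figures against the 1024 bits actually used, so dropping it is reasonable, but whatever replaces it should state how peers are authenticated, the key sizes in use, and how the secret is protected on disk and exchanged out of band, so that this guidance is not lost from the documentation.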