meet in the middle attacks
Perry E. Metzger
perry at piermont.com
Wed Mar 26 13:36:35 EST 2003
I have to say I've watched this with a bit of puzzlement.
Meet in the middle attacks are perfectly real. I've seen them myself,
and toolkits to perform them are readily available out there. Ian's
vague comments about a lack of evidence of the economic impact
notwithstanding, it is unreasonable to leave one's protocols and
systems open to such attacks.
You do not need an elaborate CA infrastructure to prevent them, of
course. SSH manages to prevent them simply by having both sides sign
exchanges using naked (i.e. uncertified) keys that are pre-shared, for
example. Even use of MACs over exchanged values and pre-shared
conventional keys can prevent many such attacks.
However, not attempting to prevent such attacks -- especially given
that they are very effective -- seems foolish at best.
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list