anonymous DH & MITM
bear
bear at sonic.net
Thu Oct 2 00:14:00 EDT 2003
On Wed, 1 Oct 2003, Ian Grigg wrote:
>M Taylor wrote:
>>
>> Stupid question I'm sure, but does TLS's anonymous DH protect against
>> man-in-the-middle attacks? If so, how? I cannot figure out how it would,
>
>
>Ah, there's the rub. ADH does not protect against
>MITM, as far as I am aware.
DH is an "open" protocol; it doesn't rely on an initial shared
secret or a Trusted Authority.
There is a simple proof that an open protocol between anonymous
parties is _always_ vulnerable to MITM.
Put simply, in an anonymous protocol, Alice has no way of knowing
whether she is communicating with Bob or Mallory, and Bob has no way
of knowing whether an incoming communication is from Mallory or from
Alice. (that's what anonymous means). If there is no shared secret
and no Trent, then nothing prevents Mallory from being the MITM.
You can have anonymous protocols that aren't open be immune to MITM
And you can have open protocols that aren't anonymous be immune to
MITM. But you can't have both.
Bear
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list