anonymous DH & MITM

bear bear at sonic.net
Thu Oct 2 14:48:53 EDT 2003



On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote:

>
> Bear wrote:
>>
>> DH is an "open" protocol; it doesn't rely on an initial shared
>> secret or a Trusted Authority.
>>
>> There is a simple proof that an open protocol between anonymous
>> parties is _always_ vulnerable to MITM.
>>
>> Put simply, in an anonymous protocol, Alice has no way of knowing
>> whether she is communicating with Bob or Mallory, and Bob has no way
>> of knowing whether an incoming communication is from Mallory or from
>> Alice.  (that's what anonymous means).  If there is no shared secret
>> and no Trent, then nothing prevents Mallory from being the MITM.

> I think it depends on what you mean by "MITM".  Take the Chess
> Grandmaster Problem: can Alice and Bob play a game of chess against
> one another while preventing Mitch (the Man In The CHannel) from
> "proxying" their moves to one another while taking the credit for
> being a good chess player?

If it's an anonymous protocol, then "credit" for being a good chess
player is a misnomer at best; the channel cannot provide credit to
any particular person.

> To make it concrete, suppose we limit it to the first two moves of a
> chess game.  One player is going to make the first move for White,
> and the other player is going to make the first move for Black.

> Now, obviously Mitch could always act as a passive proxy, forwarding
> exactly the bits he receives, but in that case he can be defeated by
> e.g. DH.  To make it concrete, suppose that the first player
> includes both his move and his public key (or his public DH
> parameters) in his message, and the second player encrypts his
> message with the public key that arrived in the first message.

Public key? I thought we were talking about an open protocol between
anonymous entities.  If Alice and Bob can identify each other's public
keys, we're not talking about anonymous entities.  If there is a
trusted authority to say "these keys are okay" without identities
being known to each other then we're not talking about an open
protocol.  And if there's neither, then there is room for Mitch.

If this is an open protocol between anonymous entities, then Alice and
Bob can be using asymmetric keys, but must be using key pairs neither
part of which is known to the other at the beginning of the protocol.
In that case nothing prevents Mitch from deriving two new key pairs
and using one in communication with Alice, the other in communication
with Bob, and forwarding their moves to one another.

> Now, you might intuitively believe that this is one of those
> situations where Mitch can't lose.  But there are several protocols
> published in the literature that can help the players against Mitch,
> starting with Rivest & Shamir's Interlock Protocol from 1984.

Hmmm.  I'll go read, and thanks for the pointer.  But I'm confident
that if Mitch can be kept out, then either it's not fully anonymous
participants, or it's not a fully open protocol.

				Bear

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
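The situation Bear describes above (Mitch deriving two key pairs of his own and relaying between Alice and Bob), as an added example that is not part of the original message. The names `run_exchange`, `Mitch` and `fingerprint` and the toy group (P = 2**127 - 1, G = 3) are assumptions chosen for illustration; the point is that nothing inside the exchange distinguishes the relayed run from the direct one, and only the two session keys differ.

```python
import hashlib
import secrets

# Toy group (assumption for illustration): 2**127 - 1 is prime but far too
# small for real use; a deployed system would use a standardized group.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def fingerprint(key):
    # Short value two parties could compare over some other channel.
    return hashlib.sha256(b"fp" + key).hexdigest()[:16]

class Mitch:
    """Relay holding one key pair per side, as in the message above."""
    def __init__(self):
        self.toward_alice = keypair()
        self.toward_bob = keypair()
        self.keys = {}

    def forward(self, pub, sender):
        if sender == "alice":
            self.keys["alice"] = session_key(self.toward_alice[0], pub)
            return self.toward_bob[1]      # Bob sees Mitch's value, not Alice's
        self.keys["bob"] = session_key(self.toward_bob[0], pub)
        return self.toward_alice[1]        # Alice sees Mitch's value, not Bob's

def run_exchange(relay=None):
    """Anonymous DH: neither side knows anything about the other beforehand."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_bob = relay.forward(a_pub, "alice") if relay else a_pub
    to_alice = relay.forward(b_pub, "bob") if relay else b_pub
    # Both sides complete without error in either case.
    return session_key(a_priv, to_alice), session_key(b_priv, to_bob)

if __name__ == "__main__":
    a, b = run_exchange()
    print("direct :", fingerprint(a), fingerprint(b))
    a, b = run_exchange(Mitch())
    print("relayed:", fingerprint(a), fingerprint(b))
```

The fingerprints differ in the relayed run, but comparing them only helps over a channel Mitch cannot rewrite, which is the step where the parties stop being fully anonymous to each other.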