anonymous DH & MITM
Anton Stiglic
astiglic at okiok.com
Fri Oct 3 10:14:42 EDT 2003
----- Original Message -----
From: "Tim Dierks" <tim at dierks.org>
>
> I think it's a tautology: there's no such thing as MITM if there's no such
> thing as identity. You're talking to the person you're talking to, and
> that's all you know.
That seems to make sense. In anonymity providing systems often you
want one side to be anonymous, and the other to identify itself (like in
anonymous web surfing). In this case, if you are using DH to exchange
keys, what you want is something like half-certified DH (see for example
section 2.3 of [1]), where the web server authenticates itself. With half
certified DH, Alice (the user that is browsing in my example) can be
assured that she is really talking to Bob (web server she wanted to
communicate with), and not a MITM.
[1] http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list