anonymous DH & MITM

Jerrold Leichter jerrold.leichter at smarts.com
Fri Oct 3 14:16:22 EDT 2003


| Date: Fri, 3 Oct 2003 10:14:42 -0400
| From: Anton Stiglic <astiglic at okiok.com>
| To: Cryptography list <cryptography at metzdowd.com>,
|      Tim Dierks <tim at dierks.org>
| Subject: Re: anonymous DH & MITM
|
|
| ----- Original Message -----
| From: "Tim Dierks" <tim at dierks.org>
|
| >
| > I think it's a tautology: there's no such thing as MITM if there's no such
| > thing as identity. You're talking to the person you're talking to, and
| > that's all you know.
|
| That seems to make sense....
No; it's false.  If Alice and Bob can create a secure channel between themselves,
it's reasonable to say that they are protected from MITM attacks if
they can be sure that no third party can read their messages.  That is:
If Alice and Bob are anonymous, they can't say *who* can read the messages
they are sending, but they might be able to say that, assuming that their
peer is following the protocol exactly (and in particular is not releasing the
shared secret) *exactly one other party* can read the message.

Note that if you have this, you can readily bootstrap pseudonymity:  Alice
and Bob simply use their secure channel to agree on a shared secret, or on
pseudonyms they will henceforth use between themselves.  If there were a
MITM, he could of course impersonate each to the other ever afterward.

The Interlock Protocol doesn't provide this - it prevents the MITM from
modifying the exchanged messages, but can't prevent him from reading them.
It's not clear if it can be achieved at all.  But it does make sense as a
security spec.
							-- Jerry
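The property Jerry describes ("exactly one other party can read the message", and a MITM who was present at the start can impersonate each side "ever afterward") can be made concrete with a small simulation. The following is an added example, not code from the thread or from any of its participants: it runs an anonymous (unauthenticated) Diffie-Hellman exchange twice, once directly between Alice and Bob and once with a third party relaying the public values, and then performs the pseudonymity bootstrap from the post over the resulting channel. The group parameters, the XOR keystream cipher, and the names `run_honest` / `run_mitm` are assumptions made for readability; the group is far too small to be secure and stands in for a real MODP or elliptic-curve group.

```python
"""Toy model of the secure-channel property discussed in the post: anonymous
DH yields a channel that exactly one peer can read only when no active third
party was in the middle during the exchange.  Constructed example; the group,
cipher and function names are assumptions, not taken from the original post."""

import hashlib
import hmac
import secrets

# Toy DH group (assumption): a Mersenne prime small enough to read and far
# too small to be secure.  Real systems use a >= 2048-bit MODP or an EC group.
P = 2**61 - 1
G = 3


def dh_keypair():
    """Ephemeral, unauthenticated ('anonymous') DH key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Shared secret -> 32-byte channel key via a hash (stand-in for a KDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def seal(key, msg):
    """XOR msg with a hash-derived keystream; toy cipher for the simulation only."""
    stream = b""
    block = 0
    while len(stream) < len(msg):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(m ^ s for m, s in zip(msg, stream))


unseal = seal  # XOR keystream: decryption is the same operation as encryption


def pseudonym_tag(pseudonym_secret, claim):
    """Pseudonymity bootstrap from the post: once the channel is up the peers
    agree a secret, and later prove 'same party as before' with an HMAC under it."""
    return hmac.new(pseudonym_secret, claim, hashlib.sha256).digest()


def run_honest():
    """Alice and Bob exchange public values directly: one key, held by two parties."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = dh_shared_key(a_priv, b_pub)
    k_bob = dh_shared_key(b_priv, a_pub)
    pseudonym_secret = secrets.token_bytes(32)   # agreed over the channel
    bob_sees = unseal(k_bob, seal(k_alice, pseudonym_secret))
    return {
        "keys_match": k_alice == k_bob,
        "bob_got_secret": bob_sees == pseudonym_secret,
    }


def run_mitm():
    """A third party replaces both public values.  Each side is still 'talking to
    the person it is talking to', but that person holds both channel keys, so
    the 'exactly one other party can read' property fails, and the pseudonym
    secret bootstrapped over the channel is known to the third party as well."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    t_priv_a, t_pub_a = dh_keypair()   # third party's key pair facing Alice
    t_priv_b, t_pub_b = dh_keypair()   # third party's key pair facing Bob
    k_alice = dh_shared_key(a_priv, t_pub_a)     # Alice believes this is Bob
    k_bob = dh_shared_key(b_priv, t_pub_b)       # Bob believes this is Alice
    k_third_alice = dh_shared_key(t_priv_a, a_pub)
    k_third_bob = dh_shared_key(t_priv_b, b_pub)

    pseudonym_secret = secrets.token_bytes(32)
    wire = seal(k_alice, pseudonym_secret)
    third_reads = unseal(k_third_alice, wire)                  # read in the middle
    bob_sees = unseal(k_bob, seal(k_third_bob, third_reads))   # and relayed intact

    # Later "pseudonymous" re-authentication: the relay can produce Alice's tag.
    claim = b"same party as last time"
    alice_tag = pseudonym_tag(pseudonym_secret, claim)
    forged_tag = pseudonym_tag(third_reads, claim)
    return {
        "keys_match": k_alice == k_bob,
        "bob_got_secret": bob_sees == pseudonym_secret,
        "third_party_read": third_reads == pseudonym_secret,
        "third_party_can_impersonate": hmac.compare_digest(alice_tag, forged_tag),
    }
```

The `keys_match` field is the whole difference between the two runs: in the honest run Alice's and Bob's channel keys are identical and nobody else can derive them, while in the relayed run the two ends hold different keys and the relay holds both. That equality is exactly what a key-fingerprint comparison over some second channel would check, which is why it cannot be established from the anonymous exchange alone, matching the post's remark that the property makes sense as a spec even if it is unclear whether anonymous parties can achieve it.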
