anonymous DH & MITM

Tim Dierks tim at dierks.org
Fri Oct 3 14:23:24 EDT 2003


At 02:16 PM 10/3/2003, Jerrold Leichter wrote:
>From: Anton Stiglic <astiglic at okiok.com>
>| From: "Tim Dierks" <tim at dierks.org>
>| > I think it's a tautology: there's no such thing as MITM if there's no such
>| > thing as identity. You're talking to the person you're talking to, and
>| > that's all you know.
>|
>| That seems to make sense....
>No; it's false.  If Alice and Bob can create a secure channel between
>themselves, it's reasonable to say that they are protected from MITM attacks if
>they can be sure that no third party can read their messages.  That is:
>If Alice and Bob are anonymous, they can't say *who* can read the messages
>they are sending, but they might be able to say that, assuming that their
>peer is following the protocol exactly (and in particular is not releasing the
>shared secret) *exactly one other party* can read the message.

They've got exactly that same assurance in a MITM situation: unfortunately, 
Mallet is the one other party who can read the message. If you extend the 
concept to say "but I want Bob to be the one who can read the message", 
you've discarded anonymity. And saying that "I want only one party to have 
access to my message" is digital rights management.

>Note that if you have this, you can readily bootstrap pseudonymity:  Alice
>and Bob simply use their secure channel to agree on a shared secret, or on
>pseudonyms they will henceforth use between themselves.  If there were a
>MITM, he could of course impersonate each to the other ever afterward.

Even if you could make this assertion, how would you avoid something that 
I'll call the "Cyrano attack": that the person you're communicating with is 
not, in fact, the source of the witticisms you associate with his 
pseudonym? And how is that attack distinct from MITM?

  - Tim


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
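
Added illustration (not part of the original message or thread): a toy unauthenticated Diffie-Hellman exchange, run once honestly and once with an interceptor, showing the point argued above that in both runs exactly one other party holds Alice's key. The group parameters, the `Party` class, `run` and the party names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): p = 2**255 - 19 is prime, g = 2.
P = 2**255 - 19
G = 2


class Party:
    """One endpoint of an anonymous DH exchange: a keypair and no identity."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def run(intercepted):
    """Run one exchange and report, from an omniscient view, who holds which key."""
    alice, bob = Party(), Party()
    if intercepted:
        # Mallet answers each side with his own public value, one keypair per leg.
        leg_a, leg_b = Party(), Party()
        k_alice = alice.session_key(leg_a.pub)
        k_bob = bob.session_key(leg_b.pub)
        derived = {"alice": {k_alice}, "bob": {k_bob},
                   "mallet": {leg_a.session_key(alice.pub),
                              leg_b.session_key(bob.pub)}}
    else:
        k_alice = alice.session_key(bob.pub)
        k_bob = bob.session_key(alice.pub)
        derived = {"alice": {k_alice}, "bob": {k_bob}}

    def others_holding(key, owner):
        return sorted(n for n, ks in derived.items() if n != owner and key in ks)

    return {
        # Alice only ever sees "one public value in, one key out" in both runs.
        "alice_peer": others_holding(k_alice, "alice"),
        "bob_peer": others_holding(k_bob, "bob"),
        # The two legs differ only when intercepted; neither endpoint can see
        # this without comparing keys over a channel tied to an identity.
        "keys_match": k_alice == k_bob,
    }


if __name__ == "__main__":
    print("honest:     ", run(False))
    print("intercepted:", run(True))
```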


