anonymous DH & MITM

Anton Stiglic astiglic at okiok.com
Fri Oct 3 15:07:12 EDT 2003


----- Original Message ----- 
From: "Jerrold Leichter" <jerrold.leichter at smarts.com>

> [...]
> | > I think it's a tautology: there's no such thing as MITM if there's no such
> | > thing as identity. You're talking to the person you're talking to, and
> | > that's all you know.
> |
> | That seems to make sense....
> No; it's false.  If Alice and Bob can create a secure channel between
> themselves, it's reasonable to say that they are protected from MITM attacks
> if they can be sure that no third party can read their messages.

How do they create the secure channel in the first place?  We are talking
about MITM that takes place during the key agreement protocol.

> That is:
> If Alice and Bob are anonymous, they can't say *who* can read the messages
> they are sending, but they might be able to say that, assuming that their
> peer is following the protocol exactly (and in particular is not releasing
> the shared secret) *exactly one other party* can read the message.

That's false.  Alice and Bob can follow the basic DH protocol, exactly, but
Mallory is in the middle, and what you end up with is a shared key between
Alice and Bob and Mallory.
The property you are talking about, concerning the *exactly one other party*
can read the message is related to the *key authentication* property,
discussed in [1] (among other places), which enables you to construct
authenticated key agreements.

>
> Note that if you have this, you can readily bootstrap pseudonymity:  Alice
> and Bob simply use their secure channel to agree on a shared secret, or on
> pseudonyms they will henceforth use between themselves.  If there were a
> MITM, he could of course impersonate each to the other ever afterward.

But how do they share the initial secret?  And with true anonymity you don't
want linkability.  Pseudonymity is a different thing, with pseudonymity you
have linkability.

--Anton
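
The situation discussed in this thread, as an added example that is not part of the original message: Alice and Bob each run basic DH exactly, once directly and once with an intermediary who answers each side with her own public value. The toy prime, the generator and all function names are constructed for illustration, and the transcript comparison assumes the two digests can be compared over a channel the intermediary cannot alter.

```python
import hashlib
import secrets

# Constructed toy parameters: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def session_key(own_private, peer_public):
    """Derive a session key from the DH shared secret."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def transcript_hash(sent_public, received_public):
    """Order-independent digest of the public values one endpoint saw."""
    lo, hi = sorted((sent_public, received_public))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()

def run_exchange(intermediary_present):
    """Both endpoints follow basic DH exactly; return what each party holds."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intermediary_present:
        # Mallory replaces each public value in transit with her own.
        m_priv, m_pub = keypair()
        to_bob, to_alice = m_pub, m_pub
        mallory_keys = {session_key(m_priv, a_pub), session_key(m_priv, b_pub)}
    else:
        to_bob, to_alice = a_pub, b_pub
        mallory_keys = set()
    return {
        "alice_key": session_key(a_priv, to_alice),
        "bob_key": session_key(b_priv, to_bob),
        "mallory_keys": mallory_keys,
        # What key authentication has to bind: the values each side really saw.
        "alice_view": transcript_hash(a_pub, to_alice),
        "bob_view": transcript_hash(b_pub, to_bob),
    }

if __name__ == "__main__":
    for present in (False, True):
        r = run_exchange(present)
        print("intermediary:", present,
              "| endpoint keys equal:", r["alice_key"] == r["bob_key"],
              "| views match:", r["alice_view"] == r["bob_view"])
```

Neither endpoint can tell the two runs apart from its own side of the protocol; only the comparison of views, which needs some authenticated information, distinguishes them.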
