anonymous DH & MITM

Jerrold Leichter jerrold.leichter at smarts.com
Fri Oct 3 15:28:22 EDT 2003


| From: Tim Dierks <tim at dierks.org>
| >No; it's false.  If Alice and Bob can create a secure channel between them-
| >selves, it's reasonable to say that they are protected from MITM attacks if
| >they can be sure that no third party can read their messages.  That is:
| >If Alice and Bob are anonymous, they can't say *who* can read the messages
| >they are sending, but they might be able to say that, assuming that their
| >peer is following the protocol exactly (and in particular is not releasing
| >the shared secret) *exactly one other party* can read the message.
|
| They've got exactly that same assurance in a MITM situation: unfortunately,
| Mallet is the one other party who can read the message.
But Mallet is violating a requirement:  He is himself passing along the
information Alice and Bob send him to Bob and Alice.  No notion of secrecy
can make any sense if one of the parties who legitimately *has* the secret
chooses to pass it along to someone else!

| If you extend the
| concept to say "but I want Bob to be the one who can read the message",
| you've discarded anonymity. And saying that "I want only one party to have
| access to my message" is digital rights management.
Yes - but an interactive form of it.

| >Note that if you have this, you can readily bootstrap pseudonymity:  Alice
| >and Bob simply use their secure channel to agree on a shared secret, or on
| >pseudonyms they will henceforth use between themselves.  If there were a
| >MITM, he could of course impersonate each to the other ever afterward.
|
| Even if you could make this assertion, how would you avoid something that
| I'll call the "Cyrano attack": that the person you're communicating with is
| not, in fact, the source of the witticisms you associate with his
| pseudonym? And how is that attack distinct from MITM?
As long as Mallet continues to interpose himself in *all* subsequent sessions
between Alice and Bob, he can't be detected.  But suppose each of them keeps
a hash value that reflects all the session keys they think they ever used in
talking to each other.  Every time they start a session, they exchange hashes.
Whenever Mallet is present, he modifies the messages to show the hash values
for the individual sessions that he held with each party separately.  Should
they ever happen to form a session *without* Mallet, however, the hashes
will not agree, and Mallet will have been detected.  So the difference isn't
just notional - it's something the participants can eventually find out about.

In fact, if we assume there is a well-known "bulletin board" somewhere, to
which anyone can post but on which no one can modify or remove messages, we
can use it to force a conversation without Mallet.  Alice and Bob can:

	- Compute a hash code H over the entire conversation, concatenated
		with the session key.

	- Post to the bulletin board "I just had a conversation with hash code
		H"

	- Check that, within a short time, there are exactly two postings with
		the same H.

If not, Mallet was at work.  (For this to work, the bulletin board must have a
verifiable identity - but it's not necessary for anyone to identify himself to
the bulletin board.)
							-- Jerry
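The running-hash check Jerry describes, as an added Python example that is not part of the original post or thread. It models anonymous DH between Alice and Bob with a Mallet who, when present, runs a separate DH with each side and reflects each party's own hash back to it, which is exactly the value that party expects. The group (a 61-bit Mersenne prime, illustration only), SHA-256 as the hash, the raw group element as a toy session key, and the names `Party`, `honest_session`, `mitm_session` and `simulate` are all assumptions of this example, not anything from the thread.

```python
import hashlib
import secrets

# Toy DH group for illustration only (2**61 - 1 is prime, but far too small
# for real use; a deployment would use a 2048-bit+ MODP group or an EC group).
P = 2**61 - 1
G = 2
EMPTY_CHAIN = b"\x00" * 32


def dh_keypair():
    """Fresh anonymous DH key pair: (private exponent x, public value G^x mod P)."""
    x = secrets.randbelow(P - 2) + 1              # 1 <= x <= P - 2
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    """Session key: the shared group element encoded as 8 bytes (toy KDF)."""
    return pow(peer_pub, x, P).to_bytes(8, "big")


def chain_update(chain, session_key):
    """Fold one more session key into the running hash over all session keys."""
    return hashlib.sha256(chain + session_key).digest()


class Party:
    """Alice or Bob: keeps a running hash of every session key it believes it shared."""

    def __init__(self, name):
        self.name = name
        self.chain = EMPTY_CHAIN
        self.x = None
        self.key = None

    def begin(self):
        self.x, pub = dh_keypair()
        return pub                                  # public value sent to the peer

    def complete(self, peer_pub):
        self.key = dh_shared(self.x, peer_pub)
        return self.chain                           # hash sent to the peer (this session not yet folded in)

    def compare_and_advance(self, peer_chain):
        """Compare the peer's hash with ours, then fold this session's key in."""
        mismatch = peer_chain != self.chain
        self.chain = chain_update(self.chain, self.key)
        return mismatch


def honest_session(alice, bob):
    """One session with no attacker: both ends see each other's real values."""
    a_pub, b_pub = alice.begin(), bob.begin()
    from_alice = alice.complete(b_pub)
    from_bob = bob.complete(a_pub)
    # evaluate both sides before combining so both chains advance
    a_alarm = alice.compare_and_advance(from_bob)
    b_alarm = bob.compare_and_advance(from_alice)
    return a_alarm or b_alarm


def mitm_session(alice, bob):
    """One session with Mallet in the middle, running a separate DH with each side."""
    a_pub, b_pub = alice.begin(), bob.begin()
    xa, m_pub_for_alice = dh_keypair()              # Mallet's leg towards Alice
    xb, m_pub_for_bob = dh_keypair()                # Mallet's leg towards Bob
    from_alice = alice.complete(m_pub_for_alice)
    from_bob = bob.complete(m_pub_for_bob)
    # Mallet holds both session keys, so he can read and re-encrypt everything.
    assert dh_shared(xa, a_pub) == alice.key and dh_shared(xb, b_pub) == bob.key
    # The hash each side expects is the hash over the sessions it held with
    # Mallet, i.e. the value it just sent, so Mallet simply reflects it back.
    a_alarm = alice.compare_and_advance(from_alice)
    b_alarm = bob.compare_and_advance(from_bob)
    return a_alarm or b_alarm


def simulate(pattern):
    """Run sessions per pattern ('M' = Mallet present, 'H' = honest) and report,
    per session, whether either end saw a hash mismatch."""
    alice, bob = Party("Alice"), Party("Bob")
    return [(mitm_session if step == "M" else honest_session)(alice, bob)
            for step in pattern]


if __name__ == "__main__":
    for pattern in ("HHH", "MMM", "MMH", "HMH"):
        print(pattern, simulate(pattern))
```

While Mallet sits in every session the reflection keeps both ends happy and nothing fires; the first session he misses after having been present exposes the divergence, because Alice's chain now covers keys she shared with Mallet and Bob's covers different ones.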


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
