anonymous DH & MITM

Jerrold Leichter jerrold.leichter at smarts.com
Fri Oct 3 16:51:33 EDT 2003


| From: Anton Stiglic <astiglic at okiok.com>
| From: "Jerrold Leichter" <jerrold.leichter at smarts.com>
| > No; it's false.  If Alice and Bob can create a secure channel between
| > themselves, it's reasonable to say that they are protected from MITM
| > attacks if they can be sure that no third party can read their messages.
|
| How do they create the secure channel in the first place?  We are talking
| about MITM that takes place during the key agreement protocol.
I didn't say I had a protocol that would accomplish this - I said that the
notion of such a protocol was not inherently self-contradictory.

| > That is: If Alice and Bob are anonymous, they can't say *who* can read the
| > messages they are sending, but they might be able to say that, assuming
| > that their peer is following the protocol exactly (and in particular is
| > not releasing the shared secret) *exactly one other party* can read the
| > message.
|
| That's false.  Alice and Bob can follow the basic DH protocol, exactly, but
| Mallory is in the middle, and what you end up with is a shared key between
| Alice and Bob and Mallory.
There's nothing to be true or false:  It's a definition!  (And yes, DH does
not provide a system that meets the definition.)

| The property you are talking about, concerning the *exactly one other party*
| can read the message is related to the *key authentication* property,
| discussed in [1] (among other places), which enables you to construct
| authenticated key agreements.
The reference was missing; I'd be interested in seeing it.

| >
| > Note that if you have this, you can readily bootstrap pseudonymity:  Alice
| > and Bob simply use their secure channel to agree on a shared secret, or on
| > pseudonyms they will henceforth use between themselves.  If there were a
| > MITM, he could of course impersonate each to the other ever afterward.
|
| But how do they share the initial secret?
I have no idea!

| And with true anonymity you don't
| want linkability.  Pseudonymity is a different thing, with pseudonymity you
| have linkability.
If Alice and Bob wish to establish pseudonyms for future use, they can.  No
one says they have to.  On the other hand, "linkability" is a funny property.
If Alice and Bob each keep their secrets, and they each believe the other
party keeps their secrets, then if there is *anything* unique in their
conversations with each other that they keep around - like the session keys,
or the entire text of the conversation - they can use *that* to link future
conversations to past ones.  (No one without access to the secrets can do
that, of course.)  If you define anonymity as complete lack of linkability,
even to the participants, you're going to end up requiring all participants to
forget, not just their session keys, but everything they learned in their
conversations.  Perhaps there are situations where that's useful, but they
strike me as pretty rare.
-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
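As an added illustration of the two points argued above (not code from the original thread or from either poster): Anton's description of plain DH with Mallory in the middle, which leaves Alice holding a key with Mallory and Bob holding a different key with Mallory, and the "key authentication" property he refers to, shown here by authenticating each public value under a secret the two parties established earlier, which is the bootstrap Jerry describes. The group (p = 23, g = 5), the exponents, the pre-shared key and the function names are all constructed for readability and are not secure parameters.

```python
"""Toy simulation of anonymous Diffie-Hellman with and without a
man-in-the-middle, beside an authenticated variant.  Added example, not
part of the original mailing-list thread.  Group parameters, exponents
and the pre-shared key are constructed for readability and NOT secure."""
import hashlib
import hmac

# Constructed toy group: p = 23 is prime and g = 5 generates Z_23^*.
P = 23
G = 5


def kdf(shared_element: int) -> str:
    """Derive a short session-key label from the shared group element."""
    return hashlib.sha256(b"toy-dh|" + str(shared_element).encode()).hexdigest()[:16]


def run_anonymous_dh(alice_x: int, bob_y: int, mallory=None) -> dict:
    """Plain (unauthenticated) DH.  `mallory`, when given, is a pair of
    exponents (m1, m2): m1 is used toward Bob and m2 toward Alice, and each
    party's public value is replaced in transit by Mallory's.
    Returns the session key each party ends up holding."""
    a_pub = pow(G, alice_x, P)
    b_pub = pow(G, bob_y, P)
    if mallory is None:
        return {"alice": kdf(pow(b_pub, alice_x, P)),
                "bob": kdf(pow(a_pub, bob_y, P))}
    m1, m2 = mallory
    to_bob = pow(G, m1, P)      # Bob believes this is Alice's value
    to_alice = pow(G, m2, P)    # Alice believes this is Bob's value
    return {
        "alice": kdf(pow(to_alice, alice_x, P)),
        "bob": kdf(pow(to_bob, bob_y, P)),
        "mallory_with_alice": kdf(pow(a_pub, m2, P)),
        "mallory_with_bob": kdf(pow(b_pub, m1, P)),
    }


def run_authenticated_dh(alice_x: int, bob_y: int, psk: bytes, mallory=None) -> dict:
    """Same exchange, but each public value carries an HMAC under `psk`, a
    secret the two parties agreed on earlier (the bootstrap the thread
    discusses).  A substituted value no longer matches its tag, so the
    receiver aborts instead of deriving a key shared with Mallory."""
    def tag(value: int) -> bytes:
        return hmac.new(psk, str(value).encode(), "sha256").digest()

    a_pub, b_pub = pow(G, alice_x, P), pow(G, bob_y, P)
    a_msg = (a_pub, tag(a_pub))   # what Alice sends
    b_msg = (b_pub, tag(b_pub))   # what Bob sends
    if mallory is not None:
        m1, m2 = mallory
        # Mallory can swap the group element but cannot forge a tag under psk,
        # so the original tags travel with the substituted values.
        a_msg = (pow(G, m1, P), a_msg[1])
        b_msg = (pow(G, m2, P), b_msg[1])
    # Bob checks the value he believes is Alice's; Alice checks Bob's.
    for value, t in (a_msg, b_msg):
        if not hmac.compare_digest(t, tag(value)):
            raise ValueError("key authentication failed: public value altered in transit")
    return {"alice": kdf(pow(b_msg[0], alice_x, P)),
            "bob": kdf(pow(a_msg[0], bob_y, P))}


if __name__ == "__main__":
    honest = run_anonymous_dh(6, 15)
    print("honest run, Alice and Bob agree:", honest["alice"] == honest["bob"])
    mitm = run_anonymous_dh(6, 15, mallory=(13, 8))
    print("MITM run, Alice == Bob:", mitm["alice"] == mitm["bob"])
    print("MITM run, Alice == Mallory:", mitm["alice"] == mitm["mallory_with_alice"])
    print("MITM run, Bob == Mallory:", mitm["bob"] == mitm["mallory_with_bob"])
    try:
        run_authenticated_dh(6, 15, b"secret-from-earlier", mallory=(13, 8))
    except ValueError as err:
        print("authenticated run:", err)
```

The anonymous run makes the disagreement concrete: both honest parties follow DH exactly, yet neither can tell that the "one other party" holding their key is Mallory rather than their intended peer. The authenticated run shows what key authentication buys, and also why Anton's question stands: the tag check only works because a secret already exists between Alice and Bob before the exchange.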