how to defeat MITM using plain DH, Re: anonymous DH & MITM

Ed Gerck egerck at nma.com
Fri Oct 3 18:44:01 EDT 2003


Anton Stiglic wrote:

> That's false.  Alice and Bob can follow the basic DH protocol, exactly, but
> Mallory is in the middle, and what you end up with is a shared key between
> Alice and Bob and Mallory.

No. What you get is a shared key between Bob and Mallory and *another* shared
key between Alice and Mallory. This is important for many reasons.

First, it provides a way to detect that a MITM attack has occurred. For example,
if the MITM is not there at any time forth after key agreement, the DH-based
encryption/decryption will not work since Alice and Bob did NOT share a
secret key when under the MITM attack. As another example, if Alice and Bob can
communicate using another channel, even an ongoing MITM attack can be likewise
discovered.

Second, and most importantly, this provides a provable way to defeat MITM using
plain DH. For a set of communication channels, not necessarily 100% independent
from each other, if the probability of successfully mounting a MITM attack is
a(i) < 1 for each channel i, then by using N channels of communication we can
make the probability of a successful MITM attack as small as we desire and, thus,
defeat a MITM attack even using plain DH [1]. Moreover, this method can present
an increasing challenge to Mallory's computing resources and timing, such that
the probability a(i) itself should further decrease with more channels. In other
words, Mallory can only juggle so many balls. I pointed this out some years ago at
the MCG list. It's possible to have at least one open and anonymous protocol
immune to MITM -- which I called multi-channel DH.

Cheers,
Ed Gerck


[1] In a stronger form, we can allow the probability of successfully mounting a
MITM attack to be a(i) = 1 for all except for one channel in the set and still can
make the probability of a successful MITM attack as small as we desire, so that
we can still defeat a MITM attack using plain DH.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
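An added illustration, not part of the original message: a plain DH exchange with and without a party in the middle, showing that the interposed case leaves Alice and Bob holding two different keys, that comparing key fingerprints over another channel exposes this, and how the chance of every channel being intercepted shrinks with N. The group parameters, function names and the independence assumption behind the product are choices made for this sketch; the message itself allows channels that are not fully independent.

```python
import hashlib, math, secrets

# Toy group for illustration only (assumption): far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def fingerprint(shared):
    """Short digest of a DH secret, suitable for comparison on another channel."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()[:16]

def handshake(mitm):
    """Run one plain DH exchange; return (key Alice derives, key Bob derives)."""
    a, A = keypair()
    b, B = keypair()
    if not mitm:
        return pow(B, a, P), pow(A, b, P)
    # Mallory substitutes her own public values in each direction, so Alice
    # ends up with a key shared with Mallory and Bob with *another* one.
    _, to_alice = keypair()
    _, to_bob = keypair()
    return pow(to_alice, a, P), pow(to_bob, b, P)

def mitm_detected(alice_key, bob_key):
    """Alice and Bob compare fingerprints over a second channel."""
    return fingerprint(alice_key) != fingerprint(bob_key)

def p_all_channels_intercepted(a):
    """Product of per-channel success probabilities a(i).
    Assumes independent channels (a simplification made for this sketch)."""
    return math.prod(a)

def channels_needed(a_i, target):
    """Smallest N with a_i**N <= target, for equal per-channel a(i) < 1."""
    return math.ceil(math.log(target) / math.log(a_i))

if __name__ == "__main__":
    for mitm in (False, True):
        ka, kb = handshake(mitm)
        print(f"mitm={mitm}: alice={fingerprint(ka)} bob={fingerprint(kb)} "
              f"detected={mitm_detected(ka, kb)}")
    n = channels_needed(0.5, 1e-6)
    print(f"a(i)=0.5 -> {n} channels, p={p_all_channels_intercepted([0.5] * n):.2e}")
```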