anonymous DH & MITM
Jerrold Leichter
jerrold.leichter at smarts.com
Fri Oct 3 20:19:33 EDT 2003
| From: Tim Dierks <tim at dierks.org>
|
| I'm lost in a twisty page of MITM passages, all alike.
|
| My point was that in an anonymous protocol, for Alice to communicate with
| Mallet is equivalent to communicating with Bob, since the protocol is
| anonymous: there is no distinction. All the concept of MITM is intended to
| convey is that in an anonymous protocol, you don't know who you're talking
| to, period. Mallet having two conversations with Alice & Bob is equivalent
| to Mallet intermediating himself into a conversation between Alice & Bob.
|
| If you have some unintermediated channel to speak with a known someone
| once, you can exchange a value or values which will allow you to
| authenticate each other forevermore and detect any intermediations in the
| past. But the fundamental truth is that there's no way to bootstrap a
| secure communication between two authenticated parties if all direct &
| indirect communications between those parties may be intermediated. (Call
| this the 'brain in a jar' hypothesis.)

OK, let's set up two different scenarios:

    1.  Non-anonymous communication. Alice talks to Bob. Alice knows
        Bob is on the other end, Bob knows Alice is on the other
        end. They share some secret data; Alice wishes it to be
        known only to her and Bob. Mallet has a bug in Bob's home
        and copies the data.

        Can Alice or Bob detect that Mallet is there? Clearly not if
        Mallet never uses the data in a detectable way. No matter how
        many times Alice and Bob communicate, whether or not Mallet
        continues to bug Bob, neither Alice nor Bob can ever learn of
        Mallet's presence.

    2.  Anonymous communication. Alice and Bob have a conversation.
        Mallet plays MITM. Alice and Bob don't know who their
        corresponding partner is, but they each tell the other
        that they will not reveal the secrets they exchange, and
        each believes the other - and indeed neither ever reveals
        those secrets. They wish to know if anyone else had a
        chance to learn their secret.

        On the face of it, there's no difference between these two
        cases. In each case, someone receives a copy of the secrets
        exchanged between Alice and Bob, but doesn't *do* anything
        with them that either Alice or Bob can see.

        However, in this case, unlike 1, if Alice and Bob continue to
        communicate - using private pseudonyms for each other to
        make "continue to communicate" a meaningful phrase - then,
        assuming Mallet cannot *always* interpose himself, they will
        eventually discover that someone has played a MITM game on
        them.

If, indeed, you have a full "brain in a jar", and Mallet *always* manages to
interpose himself, then, yes, this situation is almost certainly undetectable.
I've learned not to make snap judgements on stuff like this - too many
"clearly impossible" things turn out not to be. In fact, I find the
distinction between cases 1 and 2 quite surprising!

-- Jerry
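
The detection argument of case 2, as an added example that is not part of the original message: a simulation in which Alice and Bob run anonymous DH repeatedly and Bob checks Alice's view of their shared history in every session. The message does not say how the two would compare notes; the key-continuity chain used here (each side hashes its session keys into a running history and tags that history under the fresh key), the toy group parameters and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group for illustration only, not a secure choice

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def kdf(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def anonymous_dh(mitm):
    """Return (Alice's key, Bob's key); they differ when Mallet interposes."""
    (a, A), (b, B) = keypair(), keypair()
    if mitm:                      # Mallet swaps in his own public value M
        _, M = keypair()
        return kdf(a, M), kdf(b, M)
    return kdf(a, B), kdf(b, A)

def tag(key, history):
    return hmac.new(key, history, hashlib.sha256).digest()

def first_detection(schedule):
    """schedule[i] is True when Mallet sits in the middle of session i.
    Returns the session index at which Bob's check fails, or None."""
    hist_a = hist_b = b"\0" * 32          # public starting value
    mallet = (hist_a, hist_b)             # Mallet's copy of both histories
    for i, mitm in enumerate(schedule):
        k_a, k_b = anonymous_dh(mitm)
        sent = tag(k_a, hist_a)           # Alice proves her view of the past
        if mitm:
            # Mallet must re-tag for Bob; he can only if he saw every session.
            sent = tag(k_b, mallet[1]) if mallet else secrets.token_bytes(32)
        if not hmac.compare_digest(sent, tag(k_b, hist_b)):
            return i
        hist_a = hashlib.sha256(hist_a + k_a).digest()
        hist_b = hashlib.sha256(hist_b + k_b).digest()
        # Missing one session costs Mallet his knowledge of the histories.
        mallet = (hist_a, hist_b) if (mitm and mallet) else None
    return None
```

A schedule of all `True` is the "brain in a jar" case and returns `None`; any schedule that mixes intercepted and direct sessions is caught at the first session where Mallet's presence changes.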
---------------------------------------------------------------------
The Cryptography Mailing List