how to defeat MITM using plain DH, Re: anonymous DH & MITM

Anton Stiglic astiglic at okiok.com
Mon Oct 6 11:13:25 EDT 2003


----- Original Message ----- 
From: "Ed Gerck" <egerck at nma.com>
To: "Anton Stiglic" <astiglic at okiok.com>
Cc: "Jerrold Leichter" <jerrold.leichter at smarts.com>; "Cryptography list"
<cryptography at metzdowd.com>; "Tim Dierks" <tim at dierks.org>
Sent: Friday, October 03, 2003 6:44 PM
Subject: how to defeat MITM using plain DH, Re: anonymous DH & MITM


> Anton Stiglic wrote:
>
> > That's false.  Alice and Bob can follow the basic DH protocol, exactly, but
> > Mallory is in the middle, and what you end up with is a shared key between
> > Alice and Bob and Mallory.
>
> No. What you get is a shared key between Bob and Mallory and *another* shared
> key between Alice and Mallory. This is important for many reasons.

You are correct on that point.

> First, it provides a way to detect that a MITM attack has occurred. For
> example, if the MITM is not there at any time forth after key agreement, the
> DH-based encryption/decryption will not work since Alice and Bob did NOT
> share a secret key when under the MITM attack. As another example, if Alice
> and Bob can communicate using another channel even an ongoing MITM attack can
> be likewise discovered.

That is true, but doesn't apply in practice when one party wants to remain
anonymous.
Most protocols have it that Alice and Bob verify that they share the same key
once, and then let them go on with their lives.
If you do some kind of continuous verification, MITM can just disrupt the
communication between Alice and Bob, and Alice and Bob will then restart a DH
agreement from scratch.
You can't use a previous secret since you will break anonymity (could be done
for pseudonymity however, or when both parties reveal their identity...), Alice
and Bob will have never realized that there was a MITM.

--Anton
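
The two-key situation discussed in this exchange, as an added example that is not part of the original message: with Mallory substituting her own public value, Alice and Bob derive different keys, so a message tag made under Alice's key only verifies at Bob while Mallory re-tags it, and fails once she is no longer in the path. The group parameters, the SHA-256 key derivation, the HMAC tag and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime,
# but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, t):
    return hmac.compare_digest(tag(key, msg), t)

def mitm_exchange():
    # Plain DH, but each side receives Mallory's value M instead of the peer's.
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    k_alice = session_key(a, M)
    k_bob = session_key(b, M)
    return k_alice, k_bob, session_key(m, A), session_key(m, B)

def detection_demo():
    k_alice, k_bob, k_m_alice, k_m_bob = mitm_exchange()
    msg = b"constructed sample message"
    t = tag(k_alice, msg)                     # Alice authenticates msg
    relayed = tag(k_m_bob, msg)               # Mallory re-tags for Bob
    return {
        "keys_differ": k_alice != k_bob,
        "mallory_checks_alice": verify(k_m_alice, msg, t),
        "bob_accepts_while_relayed": verify(k_bob, msg, relayed),
        "bob_accepts_direct": verify(k_bob, msg, t),  # Mallory gone
    }

if __name__ == "__main__":
    print(detection_demo())
```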
