anonymous DH & MITM

Anton Stiglic astiglic at okiok.com
Mon Oct 6 11:27:23 EDT 2003


----- Original Message ----- 
From: "Jerrold Leichter" <jerrold.leichter at smarts.com>
To: "Anton Stiglic" <astiglic at okiok.com>
Cc: "Jerrold Leichter" <jerrold.leichter at smarts.com>; "Cryptography list"
<cryptography at metzdowd.com>; "Tim Dierks" <tim at dierks.org>
Sent: Friday, October 03, 2003 4:51 PM
Subject: Re: anonymous DH & MITM


> | From: Anton Stiglic <astiglic at okiok.com>
> | From: "Jerrold Leichter" <jerrold.leichter at smarts.com>
> | > No; it's false.  If Alice and Bob can create a secure channel between
> | > themselves, it's reasonable to say that they are protected from MITM
> | > attacks if they can be sure that no third party can read their messages.
> |
> | How do they create the secure channel in the first place?  We are talking
> | about MITM that takes place during the key agreement protocol.
> I didn't say I had a protocol that would accomplish this - I said that the
> notion that such a protocol was not inherently self-contradictory.

Seems to be an important part, especially in an anonymous network...
My point was that you can't do that, thus making the rest of your proposal
infeasible.

>
> | > That is: If Alice and Bob are anonymous, they can't say *who* can read the
> | > messages they are sending, but they might be able to say that, assuming
> | > that their peer is following the protocol exactly (and in particular is
> | > not releasing the shared secret) *exactly one other party* can read the
> | > message.
> |
> | That's false.  Alice and Bob can follow the basic DH protocol, exactly, but
> | Mallory is in the middle, and what you end up with is a shared key between
> | Alice and Bob and Mallory.
> There's nothing to be true or false:  It's a definition!  (And yes, DH does
> not provide a system that meets the definition.)

I didn't see this as being a definition; I saw this as a suggestion for a
protocol which I believe cannot be achieved (again, assuming both parties want
to remain anonymous).

The best you could probably do is have a system where users are anonymous
and detain anonymous credentials when they register, and have users use these
credentials to demonstrate that they registered, but without having them
reveal exactly who they are.  This way, you can probably prevent MITM who did
not register...

>
> | The property you are talking about, concerning the *exactly one other party*
> | can read the message is related to the *key authentication* property,
> | discussed in [1] (among other places), which enables you to construct
> | authenticated key agreements.
> The reference was missing; I'd be interested in seeing it.

Sorry I forgot, here it is:

[1]  Authenticated Diffie-Hellman Key Agreement Protocols.  Simon
Blake-Wilson, Alfred Menezes.
http://citeseer.nj.nec.com/blake-wilson98authenticated.html

--Anton
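The two claims argued over above (that Alice and Bob can each run plain DH "exactly" and still end up sharing keys with Mallory rather than with each other, and that tying the exchanged values to a registration credential can exclude an unregistered Mallory but not a registered one) can be checked with a small simulation. The following is an added example, not code from the thread or from the cited paper; the 89-bit Mersenne prime group, the role bytes, and the single shared registration key standing in for an anonymous credential scheme are constructed simplifications chosen for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: p = 2**89 - 1 is a Mersenne
# prime and g = 3 is used as the generator. Real deployments use standardised
# groups of 2048 bits or more.
P = 2**89 - 1
G = 3
PUB_LEN = 12  # bytes needed to encode an element of Z_p (89 bits)

# Stand-in for the credential a registrar hands to every registered user
# (constructed value; a real scheme would use anonymous credentials so that
# presenting one does not reveal who the user is).
REGISTRATION_KEY = b"constructed-registrar-secret"


def dh_keypair():
    """Fresh ephemeral private exponent and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= p-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive a session key from the DH shared secret, rejecting degenerate
    public values (0, 1, p-1) that would force the secret to a known value."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(PUB_LEN, "big")).digest()


def honest_dh():
    """Plain DH with nobody in the middle: both sides derive the same key."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return dh_shared(a, B), dh_shared(b, A)


def anonymous_dh_mitm():
    """Plain DH with Mallory relaying: Alice and Bob each complete the protocol
    exactly, yet the keys they hold are shared with Mallory, not each other."""
    a, A = dh_keypair()          # Alice
    b, B = dh_keypair()          # Bob
    m1, M1 = dh_keypair()        # Mallory's value shown to Bob in place of A
    m2, M2 = dh_keypair()        # Mallory's value shown to Alice in place of B
    return {
        "alice": dh_shared(a, M2),
        "bob": dh_shared(b, M1),
        "mallory_with_alice": dh_shared(m2, A),
        "mallory_with_bob": dh_shared(m1, B),
    }


def mac_pub(cred, role, pub):
    """Tag a public value under the registration credential; the role byte
    keeps a tag made for one direction from being reused in the other."""
    return hmac.new(cred, role + pub.to_bytes(PUB_LEN, "big"), hashlib.sha256).digest()


def registered_dh_with_mitm(mallory_cred=None):
    """DH where each public value carries a tag under the registration
    credential and the receiver verifies it before deriving a key. Mallory
    substitutes her own values: with mallory_cred=None she is unregistered and
    the receivers reject her tags; with the genuine credential she is just
    another registered user and the exchange cannot tell her apart."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()
    m2, M2 = dh_keypair()
    no_tag = bytes(32)  # what an unregistered Mallory sends in place of a valid tag
    to_bob = (M1, mac_pub(mallory_cred, b"A", M1) if mallory_cred else no_tag)
    to_alice = (M2, mac_pub(mallory_cred, b"B", M2) if mallory_cred else no_tag)
    bob_accepts = hmac.compare_digest(mac_pub(REGISTRATION_KEY, b"A", to_bob[0]), to_bob[1])
    alice_accepts = hmac.compare_digest(mac_pub(REGISTRATION_KEY, b"B", to_alice[0]), to_alice[1])
    if not (bob_accepts and alice_accepts):
        return {"accepted": False}      # a failed tag aborts the exchange
    return {
        "accepted": True,
        "alice": dh_shared(a, M2),
        "bob": dh_shared(b, M1),
        "mallory_with_alice": dh_shared(m2, A),
        "mallory_with_bob": dh_shared(m1, B),
    }


if __name__ == "__main__":
    ka, kb = honest_dh()
    print("honest run, keys agree:", ka == kb)
    r = anonymous_dh_mitm()
    print("anonymous DH, Alice's key is Mallory's key:", r["alice"] == r["mallory_with_alice"])
    print("unregistered Mallory accepted:", registered_dh_with_mitm()["accepted"])
    print("registered Mallory accepted:", registered_dh_with_mitm(REGISTRATION_KEY)["accepted"])
```

The credential check binds each public value to something Mallory does not hold, which is what the key-authentication property in [1] is about; a key-confirmation step computed only from the derived session key would not help here, because Mallory holds both session keys and can re-compute any such confirmation in each direction.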

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
