anonymous DH & MITM

David Honig dahonig at cox.net
Mon Oct 6 17:22:17 EDT 2003


At 03:38 PM 10/6/03 -0400, Ian Grigg wrote:
>I'm asking myself whether "anonymous DH" is confusingly named.
>Perhaps it should be called pseudonymous DH because it creates
>pseudonyms for the life of the session?  Or, we need a name
>that describes the creation of pseudonyms, de novo, from
>an anonymous starting position?

Think of an "identity" as one endpoint of a communication link.

Identities can have varying degrees of persistence
and varying degrees of association with meatspace/bank accounts.
These are orthogonal dimensions.

An endpoint can maintain a reputation (persistent "identity")
but need not be linked to meatspace entity.  A nom-de-plume
is a traditional example.

By itself, DH exchange only assures that the endpoints
remain constant (plus, via the typical symmetric key
exchange, also provides confidentiality) for the session.
If there is a MITM, the endpoints are not what the
distal endpoints (Alice & Bob) might think.

RSA-certs as administered by Verislime have very little
meatspace linkage --you can't sue Verislime if their
signed-claims about a meatspace entity are untrue, and
the certholder ran off with your money, or if the 
cert was copied and your DNS cache poisoned.

Similarly, publishing a RSA public key and email address
does not guarantee anything.  And since trust is *not*
transitive, the so-called "web of trust" does little
to help, because your personally trusted associates may have
been compromised.

And of course single meatspace entities may have several RSA
keys which others do not know have a common user.
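As an added example (editor's code, not part of the original post or the list discussion), the following toy exchange shows the three situations described above: plain anonymous DH, in which each side only learns that its peer stays the same key-holder for the session; the same exchange with a man-in-the-middle, where Alice and Bob each hold a perfectly stable link, but to Mallory; and a "nom-de-plume" variant, which goes beyond the DH-alone case in the post, where Bob signs his ephemeral value with a long-term key that Alice has pinned from earlier sessions, so the persistent pseudonym (not any meatspace identity) is what lets her notice the substitution. The group (a 127-bit Mersenne prime with base 3), the Schnorr-style signature, the key-derivation step and the pinning rule are all assumptions made for the example; none is secure at this size.

```python
"""Anonymous DH vs. a MITM, and what a persistent pseudonymous key adds.

Toy parameters, constructed for this example only: p = 2**127 - 1 (prime) and
base 3.  A real deployment uses a standardized group with a proper generator.
"""
import hashlib
import secrets

P = (1 << 127) - 1      # prime, but far too small to be a secure group
G = 3                   # toy base (assumption: any element of Z_p^* works for the demo)
Q = P - 1               # exponents are reduced mod p-1, since g**(p-1) == 1 mod p
NB = 16                 # every value below P fits in 16 bytes


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    """DH key pair: secret exponent x in [2, p-2] and public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def derive(priv: int, peer_pub: int) -> bytes:
    """Session key = KDF(peer_pub^priv mod p); both ends of one link get the same key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NB, "big")).digest()


# 1. DH alone: the two endpoints of the link stay fixed for the session, nothing more.
def run_anonymous_dh():
    a, A = keygen()
    b, B = keygen()
    return derive(a, B), derive(b, A)          # equal: Alice and Bob share a key


# 2. Same exchange with Mallory relaying: two links, two keys.  Each of Alice and
#    Bob still has a constant, confidential peer for the session; it is Mallory.
def run_mitm_dh():
    a, A = keygen()
    b, B = keygen()
    m1, M1 = keygen()                          # Mallory's pair facing Bob
    m2, M2 = keygen()                          # Mallory's pair facing Alice
    # Alice sends A; Mallory keeps it and forwards M1 to Bob.
    # Bob sends B;   Mallory keeps it and forwards M2 to Alice.
    return {
        "alice": derive(a, M2),
        "mallory_as_bob": derive(m2, A),       # == alice
        "bob": derive(b, M1),
        "mallory_as_alice": derive(m1, B),     # == bob
    }


# 3. Persistent pseudonym: Bob signs his ephemeral value with a long-term key.
#    Alice does not know who Bob is; she only knows this is the key she dealt with before.
def schnorr_sign(x: int, msg: bytes):
    k = 1 + secrets.randbelow(Q - 1)
    r = pow(G, k, P)
    e = h_int(r.to_bytes(NB, "big"), msg) % Q
    return e, (k - e * x) % Q


def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P      # g^(k - e*x) * g^(x*e) == g^k == r
    return h_int(r.to_bytes(NB, "big"), msg) % Q == e


def run_signed_dh(mitm: bool) -> bool:
    """True if Alice accepts the session.  Assumption: Alice pinned Bob's long-term
    public key in an earlier session (trust-on-first-use), with no real-world link."""
    bob_lt_priv, bob_lt_pub = keygen()         # Bob's nom-de-plume
    alice_pinned = bob_lt_pub
    a, A = keygen()
    b, B = keygen()
    transcript = B.to_bytes(NB, "big") + A.to_bytes(NB, "big")
    msg_from_bob = (bob_lt_pub, B, schnorr_sign(bob_lt_priv, transcript))
    if mitm:
        # Bob's long-term public key is public, so Mallory can replay it, but the
        # signature she copies covers B, not the value M2 she substitutes.
        m2, M2 = keygen()
        msg_from_bob = (bob_lt_pub, M2, msg_from_bob[2])
    lt_pub, pub, sig = msg_from_bob
    if lt_pub != alice_pinned:
        return False                           # a different pseudonym than last time
    return schnorr_verify(lt_pub, pub.to_bytes(NB, "big") + A.to_bytes(NB, "big"), sig)
```

Note that in case 3 nothing ties Bob's key to a name, a bank account or a CA; the check only works because the same key was used across sessions, which is exactly the "reputation without meatspace linkage" the post describes.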

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com