[Cryptography] Client certificates as a defense against MITM attacks

Guido Witmond guido at witmond.nl
Mon Mar 17 07:51:59 EDT 2014

On 03/17/14 06:46, Richard Outerbridge wrote:

> Use case: two Ugandan gay males, under sentence of life
> imprisonment, who merely wish to "hook up" to have sex with each
> other. How now?

I assume you mean threat, not sentence of imprisonment? Otherwise it's
easy, just do it.

Here it goes for two, still free men:

A gay rights organisation sets up a free dating site, hosted somewhere
safe, say Amsterdam. They create their own Root CA and set up DNSSEC and
DANE. It uses a subCA of their Root to create client certificates. The
site only accepts their certificates, signed using their own subCA.

The men use only Tor to connect, preferably within Tails. They do need
to store a private key for a while, for that they use a usb-stick.

Man A connects. He verifies the server cert against the DNSSEC/DANE
entries. He creates a nick name (not his real name) and his user agent
requests a client certificate that will be signed by the site with a
SubCA of the gay rights org's Root CA.

A publishes his certificate at the global registry, an append-only log
of each certificate signed. The registry can be queried with the tuple
(nickname, site) and returns all certificates bearing that name. Think
Certificate-transparency.org with some extra querying.

A posts a message on the site that he's in the market. The message is
signed using A's private key. The signature and A's certificate are
published alongside the message.

B connects to the site without logging in, finds A's offer interesting.
B verifies the message signature and validates the public key against
the site's certificate chain (subCA -> RootCA -> DNSSEC/DANE record,
DNSSEC-chain to the ICANN-root.)

B then queries the Registry; there must be only one certificate
returned, and it must be the one from A's message. If it differs it means
that A has fallen victim to a MitM attack by the Site. B submits the
certificate from the message to the Registry for A to find it later.
B might also contact some journalists to point out that the gay
rights org's server is hacked, subverted or otherwise untrustworthy. The
proof is the two certificates bearing the same nick.

When all is well, B creates an account for himself and sends a private
message, signed with his private key, encrypted using A's public key. B
hands it to the site for delivery to A.

A retrieves the message, performs all the same verification and
validations on B's certificate. If A detects a different certificate at
the registry than what's used at the message, he posts the certificate
at the Registry for B to find. A bails out, and might contact journalists.

A now queries his own nick at the registry. He expects only his own
certificate to be returned. If he sees two certificates, it means that
the one that's not his, is one that the site has created. The site
performed a Man-in-the-middle attack. Something even gays would object to.

A writes a new message, suggesting a date and place and a pass phrase
that he will use to identify himself to A. It should be innocuous enough that
it can be said in normal conversation but not too out of place. Think
movie-style pass phrases.

B upon receiving this message, queries the registry for his nick,
expecting only one. If there are more, it would be the one that A has
detected and published at the registry.

Now, after both message round trips, they've established that there is
no MitM.

B confirms the date and place and his pass phrase.

Both take a big leap of faith that the other is not an investigator. To
protect themselves, both men delete their private key and all traces of
their communication with the dating site. Best to wipe out the usb-stick
that contained the Tails software too. Better, destroy the stick.

They go out to the agreed meeting place, and if they trust the
situation, mention the passphrase in casual conversation where one thing
may lead to another....

In case one of the men is an investigator to apprehend the other, there
is no proof other than the circumstance that a man is at the right place
at the right time and utters the right pass phrase. If he deleted the
private key, there is no hard evidence. But that little evidence might
already be enough. There is no technological solution to make people honest.

This dating site already exists. I've designed it in a less politically
tense theme of aliens of the extraterrestrial kind sending Vogon Poems
to each other. Something even Ugandan ministers of health can accept.

The software is here:

It does all the key management mentioned above. I need to write the
registry part.

Best run it in a VM, if you don't trust my binary.

With Regards,

Guido Witmond.
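The registry checks described in the post above, as an added illustration that is not part of the original message and not Guido's software. Certificates are reduced to a constructed (nick, site, key) triple and its SHA-256 fingerprint; the registry is an append-only list queried by the (nickname, site) tuple. The two checks are B's check of the certificate attached to A's message (and, symmetrically, A's check of B's reply), and a user's query of their own nick, where any certificate that is not theirs can only have been minted by the site. The site name and key bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

# Assumption: a certificate is modelled as (nick, site, public key bytes);
# the fingerprint stands in for the real certificate's hash.
@dataclass(frozen=True)
class Cert:
    nick: str
    site: str
    pubkey: bytes  # constructed stand-in for the DER-encoded certificate

    def fingerprint(self) -> str:
        blob = self.nick.encode() + b"|" + self.site.encode() + b"|" + self.pubkey
        return hashlib.sha256(blob).hexdigest()

@dataclass
class Registry:
    """Append-only log of issued certificates, queryable by (nick, site)."""
    entries: list = field(default_factory=list)

    def submit(self, cert: Cert) -> None:
        # Append-only: entries are never removed or replaced.
        if cert.fingerprint() not in {c.fingerprint() for c in self.entries}:
            self.entries.append(cert)

    def query(self, nick: str, site: str) -> list:
        return [c for c in self.entries if c.nick == nick and c.site == site]

def check_counterpart(registry: Registry, cert_from_message: Cert) -> str:
    """The check a reader performs on the certificate attached to a message:
    the registry must return exactly one certificate for that nick, and it
    must be the one in the message. On any inconsistency the message
    certificate is submitted so the nick's real owner finds it later."""
    found = registry.query(cert_from_message.nick, cert_from_message.site)
    registered = {c.fingerprint() for c in found}
    if registered == {cert_from_message.fingerprint()}:
        return "ok"
    registry.submit(cert_from_message)  # leave evidence for the counterpart
    if cert_from_message.fingerprint() not in registered:
        return "mitm: certificate in message differs from the registered one"
    return "mitm: more than one certificate registered for this nick"

def check_self(registry: Registry, my_cert: Cert) -> str:
    """The check a user performs on their own nick: anything returned that is
    not their own certificate was created by the site."""
    others = [c for c in registry.query(my_cert.nick, my_cert.site)
              if c.fingerprint() != my_cert.fingerprint()]
    if not others:
        return "ok"
    return f"mitm: {len(others)} foreign certificate(s) bear my nick"

def run_scenario(site_honest: bool) -> tuple:
    """Play one round: A registers, B checks A's message, A checks his nick.
    Returns (B's verdict, A's verdict)."""
    registry = Registry()
    site = "dating.example"                         # constructed hostname
    a_real = Cert("alpha", site, b"A-genuine-key")  # constructed key material
    registry.submit(a_real)                         # A publishes his certificate
    # Honest site: B sees A's real certificate. Hostile site: the certificate
    # attached to A's message is one the site minted under A's nick.
    cert_in_message = a_real if site_honest else Cert("alpha", site, b"site-minted-key")
    b_verdict = check_counterpart(registry, cert_in_message)
    a_verdict = check_self(registry, a_real)
    return b_verdict, a_verdict

if __name__ == "__main__":
    print("honest site :", run_scenario(True))
    print("hostile site:", run_scenario(False))
```

Note that detection depends entirely on the registry being append-only and reachable outside the site's control; the post's "two certificates bearing the same nick" is exactly what `check_self` surfaces after `check_counterpart` has deposited the substituted certificate.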
