[Cryptography] upgrade mechanisms and policies

Michael Kjörling michael at kjorling.se
Fri Apr 17 05:39:04 EDT 2015


On 16 Apr 2015 22:59 +0100, from iang at iang.org (ianG):
> For most traffic on the net, I'd say auth is highly dependent.  For
> some things we want auth.  But for other things we want the opposite
> of auth, call it anti-auth or unauth.  This is the notion of
> sexchat, snapchat, OTR, etc in principle, not in implementation.

Confidentiality is meaningless if you don't know that you are
communicating with the entity that you believe you are communicating
with, and not someone passing traffic along.

Suppose Alice and Bob want to communicate in such a way that Eve and
Mallory cannot know _what_ is being communicated. (For simplicity's
sake, let's say that Alice and Bob are fine with Eve and Mallory
knowing _that_ they are communicating with each other; they want
message confidentiality, not communications secrecy.) By having an
authenticated, encrypted channel to transport the data, this is easy,
but Alice and Bob somehow need to authenticate each other initially.
If this authentication is persistent at the endpoints and is tied to
something that only each of Alice and Bob knows (such as their
respective private keys), then they can be confident that after they
have verified that the other endpoint is the intended one, as long as
that value (say, a key fingerprint) remains the same, everything is
very likely fine; Eve the passive attacker can see that they are
communicating (which was okay in their threat model), and Mallory the
active attacker could in theory insert himself in the middle but that
would invalidate the previous endpoint authentication between Alice
and Bob, alerting both.

If Mallory can insert himself in the middle, to Alice _appearing_ as
Bob and to Bob _appearing_ as Alice, then you have no real
confidentiality, even if the link is encrypted. That's the situation
you get with encryption without authentication. Incidentally, it's
also what you have with e-mail opportunistic transport-level
encryption without certificate validation; it protects against passive
eavesdropping, which is a step up from everything being in plain text,
but it does not offer protection against active attackers.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
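As an added example (not part of the post above), the argument about persistent endpoint authentication in a toy Python simulation: with plain Diffie-Hellman and no authentication, Mallory substitutes his own key toward each side and can read the traffic, while a previously verified key fingerprint makes the substitution detectable. The DH group, the `run_exchange` helper and its return values are constructed for illustration only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime and a small generator,
# constructed for illustration only (not a real-world parameter set).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Long-term DH key pair; the private half is what only its owner knows."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key: the value Alice and Bob verify out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def session_key(priv, peer_pub):
    """Shared secret derived from our private key and the peer's public key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def run_exchange(pin_fingerprints, mallory_active):
    """Simulate one Alice<->Bob key agreement, optionally with Mallory in the middle.

    Returns (mallory_can_read, alert_raised). With pin_fingerprints=True each
    side has already verified the other's fingerprint and refuses a key that differs.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    pinned_bob, pinned_alice = fingerprint(b_pub), fingerprint(a_pub)

    # What each side actually receives over the wire.
    pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    if mallory_active:
        m_priv, m_pub = dh_keypair()
        pub_seen_by_alice = pub_seen_by_bob = m_pub  # Mallory substitutes his key

    if pin_fingerprints and (fingerprint(pub_seen_by_alice) != pinned_bob
                             or fingerprint(pub_seen_by_bob) != pinned_alice):
        return False, True  # fingerprint changed: abort and alert, nothing is sent

    k_alice = session_key(a_priv, pub_seen_by_alice)
    k_bob = session_key(b_priv, pub_seen_by_bob)
    if not mallory_active:
        assert k_alice == k_bob  # honest exchange: both sides agree on one key
        return False, False
    # Mallory now shares one key with each party and can decrypt and re-encrypt.
    mallory_can_read = (session_key(m_priv, a_pub) == k_alice
                        and session_key(m_priv, b_pub) == k_bob)
    return mallory_can_read, False
```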