----- Original Message -----
From: "Ed Gerck" <[EMAIL PROTECTED]>
To: "Anton Stiglic" <[EMAIL PROTECTED]>
Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]>; "Tim Dierks" <[EMAIL PROTECTED]>
Sent: Friday, October 03, 2003 6:44 PM
Subject: how to defeat MITM using plain DH, Re: anonymous DH & MITM

> Anton Stiglic wrote:
>
> > That's false. Alice and Bob can follow the basic DH protocol, exactly, but
> > Mallory is in the middle, and what you end up with is a shared key between
> > Alice and Bob and Mallory.
>
> No. What you get is a shared key between Bob and Mallory and *another* shared
> key between Alice and Mallory. This is important for many reasons.

You are correct on that point.

> First, it provides a way to detect that a MITM attack has occurred. For example,
> if the MITM is not there at any time forth after key agreement, the DH-based
> encryption/decryption will not work since Alice and Bob did NOT share a
> secret key when under the MITM attack. As another example, if Alice and Bob can
> communicate using another channel even an ongoing MITM attack can be likewise
> discovered.

That is true, but doesn't apply in practice when one party wants to remain
anonymous. Most protocols have it that Alice and Bob verify that they share
the same key once, and then let them go on with their lives. If you do some
kind of continuous verification, MITM can just disrupt the communication
between Alice and Bob, and Alice and Bob will then restart a DH agreement from
scratch. You can't use previous secret since you will break anonymity (could be
done for pseudonymity however, or when both parties reveal their identity...),
Alice and Bob will have never realized that there was a MITM.

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
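
Added example, not part of the original messages: a toy run of the exchange discussed above, showing that with Mallory in the path Alice and Bob end up holding different keys, that comparing a key fingerprint over a second channel exposes this, and that a message authenticated under Alice's key is rejected by Bob once nobody is relaying. The group parameters, function names and fingerprint format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Hash the raw DH value into a 32-byte key
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(key):
    # Short value Alice and Bob read to each other over a second channel
    return hashlib.sha256(b"key-confirm" + key).hexdigest()[:16]

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def bob_accepts(k_bob, msg, t):
    # Bob verifies a tag with his own key; fails if Alice used a different key
    return hmac.compare_digest(tag(k_bob, msg), t)

def run_exchange(mitm):
    """Return (Alice's key, Bob's key) after one anonymous DH run."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # Mallory substitutes her own public value in both directions
        _, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    return session_key(a_priv, seen_by_alice), session_key(b_priv, seen_by_bob)

def mitm_detected(k_alice, k_bob):
    return fingerprint(k_alice) != fingerprint(k_bob)

if __name__ == "__main__":
    for mitm in (False, True):
        ka, kb = run_exchange(mitm)
        ok = bob_accepts(kb, b"hello", tag(ka, b"hello"))
        print(f"mitm={mitm} detected={mitm_detected(ka, kb)} bob_accepts={ok}")
```

Each call to `run_exchange` draws fresh exponents, so a restarted agreement shares nothing with the previous one; that is the gap the reply describes when no earlier secret can be reused.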
