----- Original Message -----
From: "Jerrold Leichter" <[EMAIL PROTECTED]>
To: "Anton Stiglic" <[EMAIL PROTECTED]>
Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]>; "Tim Dierks" <[EMAIL PROTECTED]>
Sent: Friday, October 03, 2003 4:51 PM
Subject: Re: anonymous DH & MITM

> | From: Anton Stiglic <[EMAIL PROTECTED]>
> | From: "Jerrold Leichter" <[EMAIL PROTECTED]>
> | > No; it's false. If Alice and Bob can create a secure channel between
> | > themselves, it's reasonable to say that they are protected from MITM
> | > attacks if they can be sure that no third party can read their messages.
> |
> | How do they create the secure channel in the first place? We are talking
> | about MITM that takes place during the key agreement protocol.
> I didn't say I had a protocol that would accomplish this - I said that the
> notion that such a protocol was not inherently self-contradictory.

Seems to be an important part, especially in an anonymous network... My point was that you can't do that, thus making the rest of your proposal infeasible.

>
> | > That is: If Alice and Bob are anonymous, they can't say *who* can read the
> | > messages they are sending, but they might be able to say that, assuming
> | > that their peer is following the protocol exactly (and in particular is
> | > not releasing the shared secret) *exactly one other party* can read the
> | > message.
> |
> | That's false. Alice and Bob can follow the basic DH protocol, exactly, but
> | Mallory is in the middle, and what you end up with is a shared key between
> | Alice and Bob and Mallory.
> There's nothing to be true or false: It's a definition! (And yes, DH does
> not provide a system that meets the definition.)

I didn't see this as being a definition, I saw this as a suggestion for a protocol which I believe cannot be achieved (again, assuming both parties want to remain anonymous). The best you could probably do is have a system where users are anonymous and detain anonymous credentials when they register, and have users use these credentials to demonstrate that they registered, but without having them reveal exactly who they are. This way, you can probably prevent MITM who did not register...

>
> | The property you are talking about, concerning the *exactly one other party*
> | can read the message is related to the *key authentication* property,
> | discussed in [1] (among other places), which enables you to construct
> | authenticated key agreements.
> The reference was missing; I'd be interested in seeing it.

Sorry I forgot, here it is:

[1] Simon Blake-Wilson and Alfred Menezes. Authenticated Diffie-Hellman Key Agreement Protocols. http://citeseer.nj.nec.com/blake-wilson98authenticated.html

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
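The exchange the thread argues about, as an added illustration that is not part of any message above: Alice and Bob run plain DH exactly as specified and cannot distinguish a direct run from one relayed through Mallory, whereas tagging each public value under a credential obtained at registration (my own sketch of the "anonymous credentials" idea, with the credential, toy group and all values constructed here) gives the key-authentication property and makes the relayed run abort.

```python
"""Toy illustration: honest DH runs vs. a relayed one, then the same exchange
with credential-tagged public values. The group is constructed and far too
small for real use; the credential is a constructed shared secret."""
import hashlib
import hmac

P = 2**127 - 1  # Mersenne prime; toy group, illustration only
G = 5


def pub(priv):
    return pow(G, priv, P)


def shared(priv, peer_pub):
    """Derive a session key from the DH value received from the peer."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def anonymous_dh(a, b, m=None):
    """Unauthenticated DH. If m is given, Mallory sits in the path and
    substitutes her own public value in both directions.
    Returns (alice_key, bob_key, set_of_keys_mallory_holds)."""
    A, B = pub(a), pub(b)
    if m is None:
        return shared(a, B), shared(b, A), set()
    M = pub(m)
    # Alice and Bob each follow the protocol exactly on what they received;
    # each ends up sharing a key with Mallory, not with each other.
    return shared(a, M), shared(b, M), {shared(m, A), shared(m, B)}


def tag(cred, value):
    """Authenticate a DH public value under a registration credential
    (assumption: both honest parties hold `cred`; Mallory does not)."""
    return hmac.new(cred, value.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_dh(a, b, cred, m=None):
    """Key authentication via tagged public values: an unregistered Mallory
    can still substitute values but cannot produce valid tags, so the run
    aborts instead of silently keying each side to her."""
    A, B = pub(a), pub(b)
    to_bob, to_alice = (A, tag(cred, A)), (B, tag(cred, B))
    if m is not None:
        M = pub(m)
        forged = tag(b"mallory-has-no-credential", M)  # best she can do
        to_bob, to_alice = (M, forged), (M, forged)
    for val, t in (to_bob, to_alice):
        if not hmac.compare_digest(t, tag(cred, val)):
            return None  # substitution detected; no key established
    k_bob, k_alice = shared(b, to_bob[0]), shared(a, to_alice[0])
    return k_alice if k_alice == k_bob else None
```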
