> Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.

You still need to know that you want to communicate with someone named Mallory, which is a piece of information that predates the communication. That piece of information was communicated, thus starting a chain of infinite regress.

Instead consider the situation in which you want to communicate with someone who has solved a particular discrete log problem which you have also solved. You don't care who that person is, just that they solved that problem (their ability to solve the problem is their identity). That is, you assume "a priori" that such a person is someone you want to have a chat with (maybe to ask if you both used the same method, or maybe you are throwing a lavish dinner party for discrete log problem solvers). It seems possible to communicate with such a person or group of people without an earlier secure communication.

If the above scenario seems absurd, consider the following practical situation: Alice has just found a fast way to factor primes. She may not have been the first person to do so; in fact Bob has also discovered a method. Alice wants to communicate with someone, who turns out to be Bob, who can also do this so they can work together listening to all of Eve's messages (Alice listens on even days, Bob listens on odd days). Alice coordinates with Bob (and other Bobs) without Eve learning what is being said, even if she actively MITMs (WITM, EITM?) all communication.

Does this contradict the above proof?

On Thu, Jun 6, 2013 at 2:35 PM, Ralph Holz <h...@net.in.tum.de> wrote:
> Hi,
>
> Of course it is obvious. But obvious does not equal proof. I am surprised this proof wasn't given until 1993.
>
> Ralph
>
> > Isn't it obvious? (I mean, there is some value in formalizing the model, but still...)
> >
> > Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.
> >
> > On Thu, Jun 6, 2013 at 1:31 PM, Ralph Holz <h...@net.in.tum.de> wrote:
> >
> >     Hi,
> >
> >     I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose.
> >
> >     To the best of my knowledge, the earliest such proof is the one by Colin Boyd:
> >
> >     Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993.
> >
> >     Does anyone know of an earlier such (formal) proof?
> >
> >     Ralph
> >
> >     --
> >     Ralph Holz
> >     I8 - Network Architectures and Services
> >     Technische Universität München
> >     http://www.net.in.tum.de/de/mitarbeiter/holz/
> >     Phone +49.89.289.18043
> >     PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
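The "identity is the ability to solve the problem" scenario in the reply above, worked through as an added example (not code from the thread): two parties who each know the discrete log X of a published value H use it to key a confirmation MAC over an ephemeral Diffie-Hellman exchange, so a party without X, or a Mallory relaying between them, is rejected. The parameters P, G, X are constructed toy values and the HMAC key-confirmation design is this example's own choice; note that X plays the role of a shared secret the parties hold before the exchange begins.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (far too small for real use): modulus P, generator G,
# and a published target H = G^X mod P. "Identity" here means knowing X, the
# discrete log of H. X itself is never transmitted; it only keys a MAC.
P = 2**61 - 1
G = 3
X = 123456789                      # the secret the "solvers" are assumed to know
H = pow(G, X, P)                   # the public problem everyone can see

def solved(x: int) -> bool:
    """Anyone can check locally whether a candidate x solves the published problem."""
    return pow(G, x, P) == H

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

def confirm_tag(x: int, role: bytes, transcript: bytes) -> bytes:
    # Key-confirmation MAC: keyed by knowledge of x and bound to this session's
    # ephemeral public values and Diffie-Hellman shared secret.
    key = hashlib.sha256(b"dlog-identity" + enc(x)).digest()
    return hmac.new(key, role + transcript, hashlib.sha256).digest()

def handshake(alice_x: int, bob_x: int, mitm: bool = False) -> tuple:
    """Return (alice_accepts, bob_accepts). With mitm=True, Mallory replaces both
    ephemeral public values with her own and relays the confirmation tags."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    if mitm:
        M = pow(G, secrets.randbelow(P - 2) + 1, P)
        seen_by_alice, seen_by_bob = M, M          # Mallory's value on both sides
    else:
        seen_by_alice, seen_by_bob = B, A
    # Each side derives its own view of the session transcript.
    ta = enc(A) + enc(seen_by_alice) + enc(pow(seen_by_alice, a, P))
    tb = enc(seen_by_bob) + enc(B) + enc(pow(seen_by_bob, b, P))
    tag_from_alice = confirm_tag(alice_x, b"alice", ta)
    tag_from_bob = confirm_tag(bob_x, b"bob", tb)
    # A relay can only forward tags; without x nobody can recompute one for a
    # different transcript, so a substituted exchange fails verification.
    alice_accepts = hmac.compare_digest(tag_from_bob, confirm_tag(alice_x, b"bob", ta))
    bob_accepts = hmac.compare_digest(tag_from_alice, confirm_tag(bob_x, b"alice", tb))
    return alice_accepts, bob_accepts

if __name__ == "__main__":
    print(handshake(X, X))                 # both know X: (True, True)
    print(handshake(X, 42))                # impostor without X: (False, False)
    print(handshake(X, X, mitm=True))      # relayed through Mallory: (False, False)
```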