Re: anonymous DH & MITM

2003-10-17 Thread Bodo Moeller
Tim Dierks <[EMAIL PROTECTED]>: > Ian Grigg <[EMAIL PROTECTED]>: >> Steven M. Bellovin: >>> What's your threat model? Self-signed certs are no better than ADH >>> against MITM attacks. >> I agree. As a side note, I think it is probably >> a good idea for TLS to deprecate ADH, simply >> because

Re: anonymous DH & MITM

2003-10-17 Thread Bodo Moeller
Ian Grigg <[EMAIL PROTECTED]>: > I agree. As a side note, I think it is probably > a good idea for TLS to deprecate ADH, simply > because self-signed certs are more or less > equivalent, and by unifying the protocol around > certificates, it reduces some amount of complexity > without major loss

Re: anonymous DH & MITM

2003-10-06 Thread David Honig
At 03:38 PM 10/6/03 -0400, Ian Grigg wrote: >I'm asking myself whether "anonymous DH" is confusingly named. >Perhaps it should be called pseudonymous DH because it creates >pseudonyms for the life of the session? Or, we need a name >that describes the creation of pseudonyms, de novo, from >an anon

Re: anonymous DH & MITM

2003-10-06 Thread Ian Grigg
Taral wrote: > > On Mon, Oct 06, 2003 at 11:43:21AM -0400, Anton Stiglic wrote: > > You started by talking about anonymous communication, but ended up > > suggesting a scheme for pseudonymous communication. > > > > Anonymous != pseudonymous. > > > > Let us be clear on that! > > It is an important

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-06 Thread Ed Gerck
Jerrold Leichter wrote: > [Using multiple channels on the assumption that the MITM can't always get all > of them.] > > This is starting to sound like some very old work > ...[example deleted] 1948 sounds right? The mathematical basis for this approach is Shannon's Tenth Theorem of 1948. We are

Re: anonymous DH & MITM

2003-10-06 Thread Taral
On Mon, Oct 06, 2003 at 11:43:21AM -0400, Anton Stiglic wrote: > You started by talking about anonymous communication, but ended up > suggesting a scheme for pseudonymous communication. > > Anonymous != pseudonymous. > > Let us be clear on that! > It is an important difference. Yes it is. An ano

Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> To: "Tim Dierks" <[EMAIL PROTECTED]> Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]> Sent: Friday, October 03, 2003

Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> To: "Anton Stiglic" <[EMAIL PROTECTED]> Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]>; "Tim Dierks" <[EMAIL

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
ED]> Sent: Friday, October 03, 2003 6:44 PM Subject: how to defeat MITM using plain DH, Re: anonymous DH & MITM > Anton Stiglic wrote: > > > That's false. Alice and Bob can follow the basic DH protocol, exactly, but > > Mallory is in the middle, and what you end up w

Re: anonymous DH & MITM

2003-10-05 Thread bear
On Sat, 4 Oct 2003, Benja Fallenstein wrote: >Does it work? > >Assume A() is Alice's series, B() is Bob's, MA() is the one Mitch uses >with Alice, MB() the one Mitch uses with Bob. > >- Mitch sends first half of cyphertext of MA(1000) (to Alice) >- Alice sends first half of cyphertext of her move

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-05 Thread Jerrold Leichter
[Using multiple channels on the assumption that the MITM can't always get all of them.] This is starting to sound like some very old work - to which I don't have a reference - on what was called the "wiretap channel". Basic idea: Alice and Bob wish to talk; Carol can listen in to everything, but

Re: anonymous DH & MITM

2003-10-04 Thread Benja Fallenstein
bear wrote: On Fri, 3 Oct 2003, Benja Fallenstein wrote: bear wrote: Why should this not be applicable to chess? There's nothing to prevent the two contestants from making "nonce" transmissions twice a move when it's not their turn. I.e., you would need a protocol extension to verify the nonces so

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-04 Thread Zooko O'Whielacronx
Ed Gerck wrote: > > It's possible to have at least one open and anonymous protocol > immune to MITM -- which I called multi-channel DH. This is a good idea! I used to advocate it on the cypherpunks list (e.g. [1]). Later I learned that it is called a "Merkle Channel". From _MOV_ [2], page 48:

Re: anonymous DH & MITM

2003-10-04 Thread Zooko O'Whielacronx
(about the Interlock Protocol) Benja wrote: > > The basic idea is that Alice sends *half* of her ciphertext, then Bob > *half* of his, then Alice sends the other half and Bob sends the other > half (each step is started only after the previous one was completed). > The point is that having on

Re: anonymous DH & MITM

2003-10-04 Thread Jerrold Leichter
| From: Tim Dierks <[EMAIL PROTECTED]> | | I'm lost in a twisty page of MITM passages, all alike. | | My point was that in an anonymous protocol, for Alice to communicate with | Mallet is equivalent to communicating with Bob, since the protocol is | anonymous: there is no distinction. All the conce

Re: anonymous DH & MITM

2003-10-04 Thread bear
On Fri, 3 Oct 2003, Benja Fallenstein wrote: >bear wrote: >> Why should this not be applicable to chess? There's nothing to >> prevent the two contestants from making "nonce" transmissions twice a >> move when it's not their turn. > >I.e., you would need a protocol extension to verify the nonc

Re: anonymous DH & MITM

2003-10-04 Thread Tim Dierks
I'm lost in a twisty page of MITM passages, all alike. My point was that in an anonymous protocol, for Alice to communicate with Mallet is equivalent to communicating with Bob, since the protocol is anonymous: there is no distinction. All the concept of MITM is intended to convey is that in an

how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-03 Thread Ed Gerck
Anton Stiglic wrote: > That's false. Alice and Bob can follow the basic DH protocol, exactly, but > Mallory is in the middle, and what you end up with is a shared key between > Alice and Bob and Mallory. No. What you get is a shared key between Bob and Mallory and *another* shared key between Al

Re: anonymous DH & MITM

2003-10-03 Thread Jerrold Leichter
| Date: Fri, 03 Oct 2003 17:27:36 -0400 | From: Tim Dierks <[EMAIL PROTECTED]> | To: Jerrold Leichter <[EMAIL PROTECTED]> | Cc: Cryptography list <[EMAIL PROTECTED]> | Subject: Re: anonymous DH & MITM | | At 03:28 PM 10/3/2003, Jerrold Leichter wrote: | >From: Tim

Re: anonymous DH & MITM

2003-10-03 Thread Tim Dierks
At 03:28 PM 10/3/2003, Jerrold Leichter wrote: From: Tim Dierks <[EMAIL PROTECTED]> | >No; it's false. If Alice and Bob can create a secure channel between them- | >selves, it's reasonable to say that they are protected from MITM attacks if | >they can be sure that no third party can read their me

Re: anonymous DH & MITM

2003-10-03 Thread Jerrold Leichter
| From: Anton Stiglic <[EMAIL PROTECTED]> | From: "Jerrold Leichter" <[EMAIL PROTECTED]> | > No; it's false. If Alice and Bob can create a secure channel between | > themselves, it's reasonable to say that they are protected from MITM | > attacks if they can be sure that no third party can read th

Re: anonymous DH & MITM

2003-10-03 Thread Jerrold Leichter
| From: Tim Dierks <[EMAIL PROTECTED]> | >No; it's false. If Alice and Bob can create a secure channel between them- | >selves, it's reasonable to say that they are protected from MITM attacks if | >they can be sure that no third party can read their messages. That is: | >If Alice and Bob are ano

Re: anonymous DH & MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> > [...] > | > I think it's a tautology: there's no such thing as MITM if there's no such > | > thing as identity. You're talking to the person you're talking to, and > | > that's all you know. > | > | That seems to make se

Re: anonymous DH & MITM

2003-10-03 Thread Taral
On Fri, Oct 03, 2003 at 02:16:22PM -0400, Jerrold Leichter wrote: > The Interlock Protocol doesn't provide this - it prevents the MITM from > modifying the exchanged messages, but can't prevent him from reading them. > It's not clear if it can be achieved at all. But it does make sense as a > secu

Re: anonymous DH & MITM

2003-10-03 Thread Ian Grigg
"R. A. Hettinga" wrote: > > At 2:16 PM -0700 10/2/03, bear wrote: > >That's not anonymity, that's pseudonymity. > > It seems to me that perfect pseudonymity *is* anonymity. Conventionally, I think, Anonymity is when one publishes a pamphlet of political criticism, and there is no name on the pam

Re: anonymous DH & MITM

2003-10-03 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Benja Fallenstein writes: > >Hi, > >bear wrote: >starting with Rivest & Shamir's Interlock Protocol from 1984. Hmmm. I'll go read, and thanks for the pointer. >> >> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, >> which are on my

Re: anonymous DH & MITM

2003-10-03 Thread Tim Dierks
At 02:16 PM 10/3/2003, Jerrold Leichter wrote: From: Anton Stiglic <[EMAIL PROTECTED]> | From: "Tim Dierks" <[EMAIL PROTECTED]> | > I think it's a tautology: there's no such thing as MITM if there's no such | > thing as identity. You're talking to the person you're talking to, and | > that's all yo

Re: anonymous DH & MITM

2003-10-03 Thread Arnold G. Reinhold
At 11:50 PM -0400 10/1/03, Ian Grigg wrote: ... A threat must occur sufficiently in real use, and incur sufficient costs in excess of protecting against it, in order to be included in the threat model on its merits. I think that is an excellent summation of the history-based approach to threat mod

Re: anonymous DH & MITM

2003-10-03 Thread Jerrold Leichter
| Date: Fri, 3 Oct 2003 10:14:42 -0400 | From: Anton Stiglic <[EMAIL PROTECTED]> | To: Cryptography list <[EMAIL PROTECTED]>, | Tim Dierks <[EMAIL PROTECTED]> | Subject: Re: anonymous DH & MITM | | | - Original Message - | From: "Tim Dierks" <[EMAIL

Re: anonymous DH & MITM

2003-10-03 Thread Benja Fallenstein
Hi -- bear wrote: On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984. Ah. Interesting, I see. It's an interesting application of a bit-commitment scheme. Ok, so my other mail came far too late

Re: anonymous DH & MITM

2003-10-03 Thread R. A. Hettinga
At 2:16 PM -0700 10/2/03, bear wrote: >That's not anonymity, that's pseudonymity. It seems to me that perfect pseudonymity *is* anonymity. Frankly, without the ability to monitor reputation, you don't have ways of controlling things like transactions, for instance. It's just that people are stil

Re: anonymous DH & MITM

2003-10-03 Thread Benja Fallenstein
Hi, bear wrote: starting with Rivest & Shamir's Interlock Protocol from 1984. Hmmm. I'll go read, and thanks for the pointer. Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, which are on my shelf. Where was it published? Communications of the ACM: Rivest and Shamir, "How to

Re: anonymous DH & MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: "Tim Dierks" <[EMAIL PROTECTED]> > > I think it's a tautology: there's no such thing as MITM if there's no such > thing as identity. You're talking to the person you're talking to, and > that's all you know. That seems to make sense. In anonymity providing s

Re: anonymous DH & MITM

2003-10-03 Thread bear
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: > >> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, >> which are on my shelf. Where was it published? > R. L. Rivest and A. Shamir. How to expose an > eavesdropper. Communications of the ACM, 27:393-395, April 1984. Ah. In

Re: anonymous DH & MITM

2003-10-03 Thread Zooko O'Whielacronx
> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, > which are on my shelf. Where was it published? R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984.

Re: anonymous DH & MITM

2003-10-03 Thread bear
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: > I understand the objection, which is why I made the notion concrete > by saying that Mitch wins if he gets the first player to accept the > second player's move. (I actually think that you can have some > notion of "credit" -- for example a persi

Full-Duplex-Chess Grandmaster (was: anonymous DH & MITM)

2003-10-02 Thread Zooko O'Whielacronx
It's clear that my challenge about the Chess Grandmaster Problem has thrown more shadow than light. This is partly because it is an inherently tricky problem, but also because I confused the issue by talking about both traditional Chess Grandmaster (a problem that I am interested in) and Full-

Re: anonymous DH & MITM

2003-10-02 Thread Ed Gerck
bear wrote: > You can have anonymous protocols that aren't open be immune to MITM True. > And you can have open protocols that aren't anonymous be immune to > MITM. True. > But you can't have both. False. In fact, it is possible to prove the existence of at least one open and anonymous pro

Re: anonymous DH & MITM

2003-10-02 Thread Tim Dierks
At 11:52 AM 10/2/2003, Zooko O'Whielacronx wrote: Bear wrote: > You can have anonymous protocols that aren't open be immune to MITM > And you can have open protocols that aren't anonymous be immune to > MITM. But you can't have both. I'd like to see the proof. I think it depends on what you mean

Re: anonymous DH & MITM

2003-10-02 Thread Zooko O'Whielacronx
Bear wrote: > > If it's an anonymous protocol, then "credit" for being a good chess > player is a misnomer at best; the channel cannot provide credit to > any particular person. I understand the objection, which is why I made the notion concrete by saying that Mitch wins if he gets the first pl

Re: anonymous DH & MITM

2003-10-02 Thread bear
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: > > Bear wrote: >> >> DH is an "open" protocol; it doesn't rely on an initial shared >> secret or a Trusted Authority. >> >> There is a simple proof that an open protocol between anonymous >> parties is _always_ vulnerable to MITM. >> >> Put simply,

Re: anonymous DH & MITM

2003-10-02 Thread Tim Dierks
At 11:50 PM 10/1/2003, Ian Grigg wrote: (AFAIK, self-signed certs in every way dominate ADH in functional terms.) In TLS, AnonDH offers forward secrecy, but there are no RSA certificate modes which do (except for ExportRSA). You can use ephemeral DH key agreement keys with static certified DSA ke

Re: anonymous DH & MITM

2003-10-02 Thread Zooko O'Whielacronx
Bear wrote: > > DH is an "open" protocol; it doesn't rely on an initial shared > secret or a Trusted Authority. > > There is a simple proof that an open protocol between anonymous > parties is _always_ vulnerable to MITM. > > Put simply, in an anonymous protocol, Alice has no way of knowing > w

Re: anonymous DH & MITM

2003-10-02 Thread bear
On Wed, 1 Oct 2003, Ian Grigg wrote: >M Taylor wrote: >> >> Stupid question I'm sure, but does TLS's anonymous DH protect against >> man-in-the-middle attacks? If so, how? I cannot figure out how it would, > > >Ah, there's the rub. ADH does not protect against >MITM, as far as I am aware. DH i

Re: anonymous DH & MITM

2003-10-02 Thread Ian Grigg
"Steven M. Bellovin" wrote: > > In message <[EMAIL PROTECTED]>, Ian Grigg writes: > >M Taylor wrote: > > > > >MITM is a real and valid threat, and should be > >considered. By this motive, ADH is not a recommended > >mode in TLS, and is also deprecated. > > > >Ergo, your threat model must include

Re: anonymous DH & MITM

2003-10-01 Thread Tim Dierks
At 10:37 PM 10/1/2003, Peter Gutmann wrote: Tim Dierks <[EMAIL PROTECTED]> writes: >It does not, and most SSL/TLS implementations/installations do not support >anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not be

Re: anonymous DH & MITM

2003-10-01 Thread Peter Gutmann
Tim Dierks <[EMAIL PROTECTED]> writes: >It does not, and most SSL/TLS implementations/installations do not support >anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not because of any concern about MITM (see below

Re: anonymous DH & MITM

2003-10-01 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ian Grigg writes: >M Taylor wrote: > >MITM is a real and valid threat, and should be >considered. By this motive, ADH is not a recommended >mode in TLS, and is also deprecated. > >Ergo, your threat model must include MITM, and you >will pay the cost. > >(Presumably

Re: anonymous DH & MITM

2003-10-01 Thread Eric Murray
On Thu, Oct 02, 2003 at 12:06:40AM +0100, M Taylor wrote: > > Stupid question I'm sure, but does TLS's anonymous DH protect against > man-in-the-middle attacks? No, it doesn't. > If so, how? I cannot figure out how it would, > and it would seem TLS would be wide open to abuse without MITM protec

Re: anonymous DH & MITM

2003-10-01 Thread Ian Grigg
M Taylor wrote: > > Stupid question I'm sure, but does TLS's anonymous DH protect against > man-in-the-middle attacks? If so, how? I cannot figure out how it would, Ah, there's the rub. ADH does not protect against MITM, as far as I am aware. > and it would seem TLS would be wide open to abus

Re: anonymous DH & MITM

2003-10-01 Thread Tim Dierks
At 07:06 PM 10/1/2003, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable

Re: anonymous DH & MITM

2003-10-01 Thread Eric Rescorla
M Taylor <[EMAIL PROTECTED]> writes: > Stupid question I'm sure, but does TLS's anonymous DH protect against > man-in-the-middle attacks? If so, how? I cannot figure out how it would, > and it would seem TLS would be wide open to abuse without MITM protection so > I cannot imagine it would be acce

anonymous DH & MITM

2003-10-01 Thread M Taylor
Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable practice without some form of security