Re: anonymous DH MITM

2003-10-17 Thread Bodo Moeller
Ian Grigg [EMAIL PROTECTED]: I agree. As a side note, I think it is probably a good idea for TLS to deprecate ADH, simply because self-signed certs are more or less equivalent, and by unifying the protocol around certificates, it reduces some amount of complexity without major loss of

Re: anonymous DH MITM

2003-10-17 Thread Bodo Moeller
Tim Dierks [EMAIL PROTECTED]: Ian Grigg [EMAIL PROTECTED]: Steven M. Bellovin: What's your threat model? Self-signed certs are no better than ADH against MITM attacks. I agree. As a side note, I think it is probably a good idea for TLS to deprecate ADH, simply because self-signed certs

Re: anonymous DH MITM

2003-10-06 Thread Taral
On Mon, Oct 06, 2003 at 11:43:21AM -0400, Anton Stiglic wrote: You started by talking about anonymous communication, but ended up suggesting a scheme for pseudonymous communication. Anonymous != pseudonymous. Let us be clear on that! It is an important difference. Yes it is. An anonymous

Re: how to defeat MITM using plain DH, Re: anonymous DH MITM

2003-10-06 Thread Ed Gerck
Jerrold Leichter wrote: [Using multiple channels on the assumption that the MITM can't always get all of them.] This is starting to sound like some very old work ...[example deleted] 1948 sounds right? The mathematical basis for this approach is Shannon's Tenth Theorem of 1948. We are

Re: anonymous DH MITM

2003-10-06 Thread Ian Grigg
Taral wrote: On Mon, Oct 06, 2003 at 11:43:21AM -0400, Anton Stiglic wrote: You started by talking about anonymous communication, but ended up suggesting a scheme for pseudonymous communication. Anonymous != pseudonymous. Let us be clear on that! It is an important difference.

Re: anonymous DH MITM

2003-10-06 Thread David Honig
At 03:38 PM 10/6/03 -0400, Ian Grigg wrote: I'm asking myself whether anonymous DH is confusingly named. Perhaps it should be called pseudonymous DH because it creates pseudonyms for the life of the session? Or, we need a name that describes the creation of pseudonyms, de novo, from an anonymous

Re: how to defeat MITM using plain DH, Re: anonymous DH MITM

2003-10-05 Thread Jerrold Leichter
[Using multiple channels on the assumption that the MITM can't always get all of them.] This is starting to sound like some very old work - to which I don't have a reference - on what was called the wiretap channel. Basic idea: Alice and Bob wish to talk; Carol can listen in to everything, but

Re: anonymous DH MITM

2003-10-05 Thread bear
On Sat, 4 Oct 2003, Benja Fallenstein wrote: Does it work? Assume A() is Alice's series, B() is Bob's, MA() is the one Mitch uses with Alice, MB() the one Mitch uses with Bob. - Mitch sends first half of cyphertext of MA(1000) (to Alice) - Alice sends first half of cyphertext of her move +

Re: anonymous DH MITM

2003-10-04 Thread Tim Dierks
I'm lost in a twisty page of MITM passages, all alike. My point was that in an anonymous protocol, for Alice to communicate with Mallet is equivalent to communicating with Bob, since the protocol is anonymous: there is no distinction. All the concept of MITM is intended to convey is that in an

Re: anonymous DH MITM

2003-10-04 Thread bear
On Fri, 3 Oct 2003, Benja Fallenstein wrote: bear wrote: Why should this not be applicable to chess? There's nothing to prevent the two contestants from making nonce transmissions twice a move when it's not their turn. I.e., you would need a protocol extension to verify the nonces

Re: anonymous DH MITM

2003-10-04 Thread Jerrold Leichter
| From: Tim Dierks [EMAIL PROTECTED] | | I'm lost in a twisty page of MITM passages, all alike. | | My point was that in an anonymous protocol, for Alice to communicate with | Mallet is equivalent to communicating with Bob, since the protocol is | anonymous: there is no distinction. All the

Re: anonymous DH MITM

2003-10-04 Thread Zooko O'Whielacronx
(about the Interlock Protocol) Benja wrote: The basic idea is that Alice sends *half* of her ciphertext, then Bob *half* of his, then Alice sends the other half and Bob sends the other half (each step is started only after the previous one was completed). The point is that having only

Re: how to defeat MITM using plain DH, Re: anonymous DH MITM

2003-10-04 Thread Zooko O'Whielacronx
Ed Gerck wrote: It's possible to have at least one open and anonymous protocol immune to MITM -- which I called multi-channel DH. This is a good idea! I used to advocate it on the cypherpunks list (e.g. [1]). Later I learned that it is called a Merkle Channel. From _MOV_ [2], page 48:

Re: anonymous DH MITM

2003-10-04 Thread Benja Fallenstein
bear wrote: On Fri, 3 Oct 2003, Benja Fallenstein wrote: bear wrote: Why should this not be applicable to chess? There's nothing to prevent the two contestants from making nonce transmissions twice a move when it's not their turn. I.e., you would need a protocol extension to verify the nonces

Re: anonymous DH MITM

2003-10-03 Thread Zooko O'Whielacronx
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, which are on my shelf. Where was it published? R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984.

Re: anonymous DH MITM

2003-10-03 Thread bear
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, which are on my shelf. Where was it published? R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984. Ah.

Re: anonymous DH MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: Tim Dierks [EMAIL PROTECTED] I think it's a tautology: there's no such thing as MITM if there's no such thing as identity. You're talking to the person you're talking to, and that's all you know. That seems to make sense. In anonymity providing systems

Re: anonymous DH MITM

2003-10-03 Thread Benja Fallenstein
Hi, bear wrote: starting with Rivest Shamir's Interlock Protocol from 1984. Hmmm. I'll go read, and thanks for the pointer. Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, which are on my shelf. Where was it published? Communications of the ACM: Rivest and Shamir, How to

Re: anonymous DH MITM

2003-10-03 Thread R. A. Hettinga
At 2:16 PM -0700 10/2/03, bear wrote: That's not anonymity, that's pseudonymity. It seems to me that perfect pseudonymity *is* anonymity. Frankly, without the ability to monitor reputation, you don't have ways of controlling things like transactions, for instance. It's just that people are

Re: anonymous DH MITM

2003-10-03 Thread Benja Fallenstein
Hi -- bear wrote: On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote: R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984. Ah. Interesting, I see. It's an interesting application of a bit-commitment scheme. Ok, so my other mail came far too

Re: anonymous DH MITM

2003-10-03 Thread Jerrold Leichter
| Date: Fri, 3 Oct 2003 10:14:42 -0400 | From: Anton Stiglic [EMAIL PROTECTED] | To: Cryptography list [EMAIL PROTECTED], | Tim Dierks [EMAIL PROTECTED] | Subject: Re: anonymous DH MITM | | | - Original Message - | From: Tim Dierks [EMAIL PROTECTED] | | | I think it's a tautology

Re: anonymous DH MITM

2003-10-03 Thread Tim Dierks
At 02:16 PM 10/3/2003, Jerrold Leichter wrote: From: Anton Stiglic [EMAIL PROTECTED] | From: Tim Dierks [EMAIL PROTECTED] | I think it's a tautology: there's no such thing as MITM if there's no such | thing as identity. You're talking to the person you're talking to, and | that's all you know.

Re: anonymous DH MITM

2003-10-03 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Benja Fallenstein writes: Hi, bear wrote: starting with Rivest Shamir's Interlock Protocol from 1984. Hmmm. I'll go read, and thanks for the pointer. Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, which are on my shelf. Where was it

Re: anonymous DH MITM

2003-10-03 Thread Ian Grigg
R. A. Hettinga wrote: At 2:16 PM -0700 10/2/03, bear wrote: That's not anonymity, that's pseudonymity. It seems to me that perfect pseudonymity *is* anonymity. Conventionally, I think, Anonymity is when one publishes a pamphlet of political criticism, and there is no name on the pamphlet.

Re: anonymous DH MITM

2003-10-03 Thread Taral
On Fri, Oct 03, 2003 at 02:16:22PM -0400, Jerrold Leichter wrote: The Interlock Protocol doesn't provide this - it prevents the MITM from modifying the exchanged messages, but can't prevent him from reading them. It's not clear if it can be achieved at all. But it does make sense as a

Re: anonymous DH MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: Jerrold Leichter [EMAIL PROTECTED] [...] | I think it's a tautology: there's no such thing as MITM if there's no such | thing as identity. You're talking to the person you're talking to, and | that's all you know. | | That seems to make sense No;

Re: anonymous DH MITM

2003-10-03 Thread Jerrold Leichter
| From: Anton Stiglic [EMAIL PROTECTED] | From: Jerrold Leichter [EMAIL PROTECTED] | No; it's false. If Alice and Bob can create a secure channel between | themselves, it's reasonable to say that they are protected from MITM | attacks if they can be sure that no third party can read their

Re: anonymous DH MITM

2003-10-03 Thread Jerrold Leichter
| Date: Fri, 03 Oct 2003 17:27:36 -0400 | From: Tim Dierks [EMAIL PROTECTED] | To: Jerrold Leichter [EMAIL PROTECTED] | Cc: Cryptography list [EMAIL PROTECTED] | Subject: Re: anonymous DH MITM | | At 03:28 PM 10/3/2003, Jerrold Leichter wrote: | From: Tim Dierks [EMAIL PROTECTED] | | No; it's

Re: anonymous DH MITM

2003-10-02 Thread Ian Grigg
Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Ian Grigg writes: M Taylor wrote: MITM is a real and valid threat, and should be considered. By this motive, ADH is not a recommended mode in TLS, and is also deprecated. Ergo, your threat model must include MITM, and you will

Re: anonymous DH MITM

2003-10-02 Thread bear
On Wed, 1 Oct 2003, Ian Grigg wrote: M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, Ah, there's the rub. ADH does not protect against MITM, as far as I am aware. DH is an open

Re: anonymous DH MITM

2003-10-02 Thread Zooko O'Whielacronx
Bear wrote: DH is an open protocol; it doesn't rely on an initial shared secret or a Trusted Authority. There is a simple proof that an open protocol between anonymous parties is _always_ vulnerable to MITM. Put simply, in an anonymous protocol, Alice has no way of knowing whether she

Re: anonymous DH MITM

2003-10-02 Thread Tim Dierks
At 11:50 PM 10/1/2003, Ian Grigg wrote: (AFAIK, self-signed certs in every way dominate ADH in functional terms.) In TLS, AnonDH offers forward secrecy, but there are no RSA certificate modes which do (except for ExportRSA). You can use ephemeral DH key agreement keys with static certified DSA

Re: anonymous DH MITM

2003-10-02 Thread Zooko O'Whielacronx
Bear wrote: If it's an anonymous protocol, then credit for being a good chess player is a misnomer at best; the channel cannot provide credit to any particular person. I understand the objection, which is why I made the notion concrete by saying that Mitch wins if he gets the first player

Re: anonymous DH MITM

2003-10-02 Thread Tim Dierks
At 11:52 AM 10/2/2003, Zooko O'Whielacronx wrote: Bear wrote: You can have anonymous protocols that aren't open be immune to MITM And you can have open protocols that aren't anonymous be immune to MITM. But you can't have both. I'd like to see the proof. I think it depends on what you mean

Re: anonymous DH MITM

2003-10-02 Thread Ed Gerck
bear wrote: You can have anonymous protocols that aren't open be immune to MITM True. And you can have open protocols that aren't anonymous be immune to MITM. True. But you can't have both. False. In fact, it is possible to prove the existence of at least one open and anonymous

anonymous DH MITM

2003-10-01 Thread M Taylor
Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable practice without some form of

Re: anonymous DH MITM

2003-10-01 Thread Eric Rescorla
M Taylor [EMAIL PROTECTED] writes: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 07:06 PM 10/1/2003, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable

Re: anonymous DH MITM

2003-10-01 Thread Ian Grigg
M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, Ah, there's the rub. ADH does not protect against MITM, as far as I am aware. and it would seem TLS would be wide open to abuse

Re: anonymous DH MITM

2003-10-01 Thread Eric Murray
On Thu, Oct 02, 2003 at 12:06:40AM +0100, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? No, it doesn't. If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection

Re: anonymous DH MITM

2003-10-01 Thread Peter Gutmann
Tim Dierks [EMAIL PROTECTED] writes: It does not, and most SSL/TLS implementations/installations do not support anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not because of any concern about MITM (see below).

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 10:37 PM 10/1/2003, Peter Gutmann wrote: Tim Dierks [EMAIL PROTECTED] writes: It does not, and most SSL/TLS implementations/installations do not support anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not