At Sun, 13 Apr 2008 12:14:18 -0400,
Hadriel Kaplan wrote:
> > side's identity, then MITM attacks get blocked, because an MITM attack
> > requires replacing keys in both directions with the attacker's
> > key. Consider the following example, in which Alice is calling Bob,
> > but for some reason her fingerprint isn't signed:
> >
> >
> > Alice                     Attacker                     Bob
> > ----------------------------------------------------------
> > Fingerprint=X (unsigned) ->
> >                           Fingerprint=A (unsigned) ->
> >
> >                           <- Fingerprint=Z (signed, Bob)
> > <- Fingerprint=Z (signed, Bob)
> >
> > So, Bob has no reliable way of knowing Alice's identity. However,
> > that's not sufficient to mount an MITM attack, which requires the
> > attacker to replace Bob's key Z with his own key A. But he can't do
> > that without replacing Bob's fingerprint, which would require the
> > ability to sign a message from Bob [0].
>
> I don't think Dean is claiming a MitM attack is possible when
> 4474/4916 *is* used. At least not in the definition of "MitM
> attack" where one side *thinks* it's secure but it's not. Clearly a
> form of MitM attack can be trivially performed whereby neither side
> gets signed requests, but still get fingerprints, but that's not a
> MitM attack in my book as much as it is a downgrade attack. And
> that form of attack can be done on your example above, very easily,
> but then both Alice and Bob should know their media plane isn't
> secure. And similar to TLS, Alice has to take care not to speak her
> PIN over the media plane to Bob, etc.
>
> But I think Dean's point is: if we can't get a 4474/4916 model to be
> useful in practice, then *neither* side will be using it in
> practice. We want it to be used in practice, as much as possible.
> But he should chime in with what he meant. :)

Well, I don't know what Dean is claiming, but what *I* am claiming is
that MITM attacks aren't possible as long as at least one side uses
4474/4916 and the other side checks the signature. And that means that
at least in the case of PSTN->SIP calls, we don't have an inherent
MITM problem.

-Ekr
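
Added example, not part of the original message: a small Python model of the receiver-side check this thread argues about, showing what Alice concludes when only Bob's fingerprint is signed. The certificate bytes, key and function names are constructed for illustration, and HMAC under a key the attacker lacks stands in for the asymmetric RFC 4474 signature.

```python
import hashlib
import hmac

# Constructed stand-ins. HMAC under a key the attacker lacks models the
# RFC 4474 signature (the real one is an asymmetric signature by Bob's domain).
BOB_KEY = b"constructed-signing-key-bob-domain"
CERT_ALICE, CERT_ATTACKER, CERT_BOB = b"cert-X", b"cert-A", b"cert-Z"

def fingerprint(cert):
    return hashlib.sha256(cert).hexdigest()

def sign(sender, fp, key):
    return hmac.new(key, f"{sender}|{fp}".encode(), hashlib.sha256).hexdigest()

def signal(sender, cert, key=None):
    """Signaling message carrying a fingerprint, signed only if a key is given."""
    fp = fingerprint(cert)
    return {"from": sender, "fp": fp, "sig": sign(sender, fp, key) if key else None}

def check_peer(msg, handshake_cert, key):
    """What the receiver concludes about the media session."""
    if msg["sig"] is not None:
        if not hmac.compare_digest(msg["sig"], sign(msg["from"], msg["fp"], key)):
            return "reject: bad signature"
    if fingerprint(handshake_cert) != msg["fp"]:
        return "reject: handshake key does not match fingerprint"
    return "authenticated" if msg["sig"] else "unauthenticated"

def alice_view(attacker_action):
    """Alice's conclusion when the attacker sits in signaling and media."""
    from_bob = signal("bob", CERT_BOB, BOB_KEY)       # Fingerprint=Z (signed, Bob)
    if attacker_action == "forward":                   # Z passed through untouched
        seen = from_bob
    elif attacker_action == "swap_keep_sig":           # Z replaced by A, old signature kept
        seen = dict(from_bob, fp=fingerprint(CERT_ATTACKER))
    elif attacker_action == "strip":                   # downgrade: A sent unsigned
        seen = signal("bob", CERT_ATTACKER)
    else:
        raise ValueError(attacker_action)
    # The attacker holds only the private key for cert A, so that is the
    # certificate Alice sees in the media-plane handshake.
    return check_peer(seen, CERT_ATTACKER, BOB_KEY)
```

Only the "strip" case leaves a session up, and Alice sees it as unauthenticated, which is the downgrade case from the quoted reply rather than a session she believes is secure.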
