RE: Im talking about the man in the middle
At 01:08 PM 6/23/99 +1200, Tony Gurnick wrote:
>I am assuming
>1. you don't have and hash finger print of the public key
>2. You don't have any other shared secret (because you are trying to
>establish one by swapping your public keys in the first place)
>3. The man in the middle really is, physically in the middle. Like your ISP
>for instance.

If you don't know who the man on the other end is, except
by who he says he is, you don't have any way to tell who he is.
(Well, you can probably tell that he isn't you,
at least if you're human, unless you're a solipsist or confused.)
Can you tell if the man in the middle is really in the middle
or really at the other end? Naah.

Public Key cryptography does make it possible to tell if the
person you're talking to has the same secret information
as a person you were talking to previously, but since you
didn't know who that was then, you still don't know who it is now,
or whether it's the man in the middle or the end
or whether one of them has shared a secret key with another of them.

A shared secret can work, if you can exchange it secretly.
A shared public key can also work, if you can exchange it untamperably.

There's a variant on Diffie-Hellman that lets you annoy the
man in the middle by sending your encrypted message in two parts,
but it doesn't cover all the possible attacks,
and it certainly can't make up for the lack of shared information.
(Rivest-Shamir Interlock Protocol, see Pg. 49 of Schneier.)

And of course, if you suspect there's a MITM, you should never
actually send your shared secret across the channel -
do something like send a challenge string, and respond with
a hash of the shared secret and the challenge string,
after making sure the challenge string has enough entropy.

You don't always need to authenticate both directions of
a communication - if you're initiating a connection to a web server,
you need to know that you're reaching the real web server,
but the web server doesn't necessarily care that it's the real you,
since you could be anybody - it just cares that it's talking to
one single person during the whole session (unless you're doing a
kind of transaction that only authorized users are allowed to do.)

Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
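
The challenge-response exchange described in the message above, as an added example that is not part of the original post. It assumes the secret was already exchanged out of band, uses HMAC-SHA256 in place of a plain hash of secret and challenge, and the names `respond`, `Verifier` and `MIN_CHALLENGE_BYTES` are illustrative choices, not anything from the thread.

```python
import hashlib
import hmac
import secrets

MIN_CHALLENGE_BYTES = 16  # assumed floor: 128 bits of CSPRNG output


def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Prover: show knowledge of the secret without sending it."""
    # Refuse low-entropy challenges: with a small challenge space, responses
    # seen on the wire once can be stored and replayed later.
    if len(challenge) < MIN_CHALLENGE_BYTES:
        raise ValueError("challenge too short")
    # HMAC-SHA256 stands in for the plain hash(secret, challenge).
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Verifier:
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()

    def issue(self) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh for every attempt
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Single use: unknown or already-answered challenges are rejected.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-demo-secret"  # sample value, shared out of band
    verifier = Verifier(secret)
    c1 = verifier.issue()
    r1 = respond(secret, c1)
    c2 = verifier.issue()
    return {
        "genuine": verifier.check(c1, r1),
        "replayed": verifier.check(c1, r1),
        "wrong_secret": verifier.check(c2, respond(b"not-the-secret", c2)),
    }
```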