On Thu, 27 Jun 2002, Mike Rosing wrote:
On Thu, 27 Jun 2002, Marcel Popescu wrote:
Is there a defense against MITM for Diffie-Hellman? Is there another protocol with equivalent properties, with such a defense? (Secure communications between two parties, with no shared secret and no out-of-band abilities, on an insecure network.)
What do you mean by no shared secret? The point of DH is that you get a shared secret.
I think the original poster meant no shared secrets at the beginning of the protocol.
Check out the MQV protocol for MITM defense and forward secrecy. It uses permanent public keys and ephemeral public keys for each session. In any protocol, the out-of-band check of the public keys is still a "good thing".
You can also do this with DH (use a pair of DH keys, one long term and the other for that single exchange). IEEE 1363 includes this as well as MQV. I don't know how the security compares between these two options, though. -J
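Added example, not part of the original thread: a Python sketch of the two-key DH idea from the last reply, comparing what each party derives with and without a relay that swaps the ephemeral public keys in transit. The toy 127-bit group, the SHA-256 combination of the two DH results, all function names, and the assumption that each side already holds the other's authentic long-term public key are choices of this example, not taken from IEEE 1363 or the posters.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption of this example): P is the
# Mersenne prime 2**127 - 1, far too small for real use; G = 3 is the base.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def derive(z_values):
    # Hash the DH results together into one session key.
    h = hashlib.sha256()
    for z in z_values:
        h.update(z.to_bytes(16, "big"))
    return h.digest()

def plain_dh(my_eph, peer_eph_pub):
    # Ephemeral-only DH: nothing ties the key to an identity.
    return derive([pow(peer_eph_pub, my_eph, P)])

def two_key_dh(my_static, my_eph, peer_static_pub, peer_eph_pub):
    # Ephemeral-ephemeral result plus static-static result. The static part
    # needs a long-term private key that a relay in the middle does not have.
    return derive([pow(peer_eph_pub, my_eph, P),
                   pow(peer_static_pub, my_static, P)])

def run_exchange(tamper):
    (a, A), (b, B) = keypair(), keypair()        # long-term keys, known in advance
    (x, X), (y, Y) = keypair(), keypair()        # per-session keys, sent on the wire
    m, M = keypair()                             # relay's substitute ephemeral key
    X_at_bob = M if tamper else X                # what Bob receives as Alice's ephemeral
    Y_at_alice = M if tamper else Y              # what Alice receives as Bob's ephemeral
    return {
        "plain_alice": plain_dh(x, Y_at_alice),
        "plain_bob": plain_dh(y, X_at_bob),
        "plain_relay": plain_dh(m, X),           # relay's key toward Alice
        "two_alice": two_key_dh(a, x, B, Y_at_alice),
        "two_bob": two_key_dh(b, y, A, X_at_bob),
        # Without a or b the relay can only substitute its own exponent.
        "two_relay": two_key_dh(m, m, A, X),
    }

if __name__ == "__main__":
    for tamper in (False, True):
        r = run_exchange(tamper)
        print("tampered" if tamper else "honest",
              "| plain keys agree:", r["plain_alice"] == r["plain_bob"],
              "| relay holds Alice's plain key:", r["plain_alice"] == r["plain_relay"],
              "| two-key keys agree:", r["two_alice"] == r["two_bob"],
              "| relay holds Alice's two-key key:", r["two_alice"] == r["two_relay"])
```

In the tampered run the ephemeral-only key is shared with the relay, while the two-key sessions simply fail to agree, so the substitution shows up as a broken handshake instead of a silent interception.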