In the situation you cite, Bob doesn't know Alice apart from their email correspondence? In this case the ISP is acting as extension-of-Alice. Bob thinks he is talking to Alice but he is talking to ISP+Alice. What difference does it make, if Bob has no knowledge of Alice outside their email discussion, that Bob is talking to ISP+Alice rather than just Alice? From Bob's perspective, Alice is really an alias for ISP+Alice. (The same goes for Alice in the other direction.) In Tim's words, from Alice's point of view "Bob the key" == "Bob the person and Bob's ISP". From Bob's point of view "Alice the key" == "Alice the person & Bob's ISP". The MITM attack only matters if there is a context outside the email correspondence. (Say, perhaps, a drug deal which involves real physical goods.)

More concretely, all I know of 'Hal' is through his emails. If his ISP is intercepting the email between him and me, then my definition of 'Hal' is 'Hal+ISP' -- it doesn't make a real difference unless there is another context involved. (The MITM is still -important- though, because in most situations there *is* some external context.)
tcmay@got.net (Timothy C. May) writes:
For communication, the only credential Alice needs to ensure that only Bob can read her message is that she uses Bob's public key. If "Bob the Key" reads it, presumably it was "Bob the Person" who read it.
(Again, Bob the Key = Bob the Person to many of us. If Bob the Person has let his private key out, so that Chuck the Person is also able to read the Bob the Key stuff, etc., then of course cryptography cannot really handle this situation.)
OK, but again, what about the man in the middle attack? Suppose the key that you found that claims to be from Bob is actually not his, but another one created by a man in the middle, such as Bob's malicious ISP? Then that ISP is decrypting the messages Alice sends to him using that fake key, and re-encrypting them using Bob's real key. He is reading all of the messages, and Alice and Bob do not in fact have communications privacy.
I don't want to overstate the risk of this attack. It would not be an easy one to mount and I believe there are countermeasures which could detect it unless the MITM had nearly supernatural powers. But the MITM attack is normally considered seriously in discussing crypto protocols. It is a well known weakness in Diffie-Hellman, for example. That is why authenticated Diffie-Hellman is used in some of the newly proposed key exchange protocols for IP. The risks of MITM attacks on public key systems were recognized not long after those systems were proposed. The problems with fake keys have been discussed for over a decade.
Why is this all suddenly irrelevant? Were these attacks never realistic? Is it just not a problem somehow? I am baffled by the fact that people are just turning their backs on all these years of research and experience. If this is some kind of paradigm shift in which the idea of communicating with keys is seen as the key to the puzzle, then I am afraid I don't share the enlightenment. To me the problem seems as real as ever.
Hal
-- 
sameer                                      Voice: 510-601-9777
Community ConneXion                         FAX: 510-601-9734
The Internet Privacy Provider               Dialin: 510-658-6376
http://www.c2.org (or login as "guest")     sameer@c2.org
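The exchange Hal describes (the ISP substituting its own key for Bob's, then decrypting and re-encrypting everything in transit) and the countermeasure he alludes to (detecting the substitution) can be shown end to end in a small simulation. The following is an added illustration, not code from anyone in this thread. It uses the 1024-bit MODP prime from RFC 2409 (Oakley group 2) for unauthenticated Diffie-Hellman, a deliberately toy XOR cipher standing in for the message encryption, and a constructed message; the `ISP` class, `run_exchange` and the fingerprint-over-the-phone step are assumptions of the example. Run honestly, Alice and Bob agree on a key and the ISP reads nothing. Run with the ISP active, Bob still reads exactly what Alice sent, so neither side notices anything on the wire, but the ISP has the plaintext too. The only thing that exposes it is the out-of-band comparison of key fingerprints, which is precisely the "other context" sameer's argument assumes away.

```python
"""Unauthenticated Diffie-Hellman between Alice and Bob, with Bob's ISP as a
man-in-the-middle, plus the out-of-band fingerprint check that detects it.
Added example for illustration; not code from the original thread."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2): a safe prime, generator 2.
# Any large safe prime would do for the demonstration; 1024 bits is too small
# for real use today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G


def keygen():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """Short hash of a public value: the kind of thing read out over the phone."""
    return hashlib.sha256(pub.to_bytes(128, "big")).hexdigest()[:16]


def toy_encrypt(secret, msg):
    """XOR with a SHA-256 keystream. A stand-in for a real cipher, not secure."""
    stream = hashlib.sha256(secret.to_bytes(128, "big")).digest()
    assert len(msg) <= len(stream), "toy cipher handles one short block only"
    return bytes(m ^ k for m, k in zip(msg, stream))


toy_decrypt = toy_encrypt  # XOR is its own inverse


class ISP:
    """Bob's ISP: a passive relay when inactive, a man-in-the-middle when active."""

    def __init__(self, active):
        self.active = active
        self.priv, self.pub = keygen()   # the fake key the ISP hands out
        self.secret_with = {}            # key shared with each party, if active
        self.intercepted = []            # plaintexts the ISP has read

    def relay_key(self, sender, pub):
        """Pass a public value along, or swap in our own and remember the shared key."""
        if not self.active:
            return pub
        self.secret_with[sender] = shared_secret(self.priv, pub)
        return self.pub

    def relay_message(self, sender, receiver, ct):
        """Forward ciphertext; when active, decrypt, record, and re-encrypt."""
        if not self.active:
            return ct
        pt = toy_decrypt(self.secret_with[sender], ct)
        self.intercepted.append(pt)
        return toy_encrypt(self.secret_with[receiver], pt)


def run_exchange(mitm, message=b"meet at noon"):  # constructed sample message
    isp = ISP(active=mitm)
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()

    # What each side ends up holding as the other's key, after the ISP.
    key_bob_holds_for_alice = isp.relay_key("alice", a_pub)
    key_alice_holds_for_bob = isp.relay_key("bob", b_pub)

    a_secret = shared_secret(a_priv, key_alice_holds_for_bob)
    b_secret = shared_secret(b_priv, key_bob_holds_for_alice)

    # Alice encrypts to "Bob the key"; Bob decrypts whatever arrives.
    ct = isp.relay_message("alice", "bob", toy_encrypt(a_secret, message))
    bob_reads = toy_decrypt(b_secret, ct)

    # Out-of-band check: each side reads the fingerprint of the key it holds for
    # the other over the phone, and the other compares it with its own key.
    alice_check_ok = fingerprint(key_alice_holds_for_bob) == fingerprint(b_pub)
    bob_check_ok = fingerprint(key_bob_holds_for_alice) == fingerprint(a_pub)

    return {
        "bob_reads_original": bob_reads == message,
        "isp_read_it": message in isp.intercepted,
        "fingerprints_match": alice_check_ok and bob_check_ok,
    }


if __name__ == "__main__":
    for mitm in (False, True):
        print("ISP active:", mitm, run_exchange(mitm))
```

The design point is that nothing inside the encrypted channel distinguishes the two runs: `bob_reads_original` is true either way. Authenticated Diffie-Hellman, which Hal mentions, moves the fingerprint comparison into the protocol by having each side sign its ephemeral value with a long-term key the other already trusts; the simulation keeps the comparison manual to make visible where that trust has to come from.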