-----BEGIN PGP SIGNED MESSAGE----- Scott Brickner writes:

By "successful" I mean communicating without the MITM *interfering*. Either the parties need to exchange a symmetric key without the MITM eavesdropping, or exchange asymmetric keys without the MITM modifying them.

First of all, I think this "you can't prove there's no MITM, so might as well not use crypto at all" stuff that some people believe is garbage. Once you've successfully gotten your key out, Mitch can't expect to mount an effective MITM attack "against" you. [isolating someone else from you is a different story] In fact, Mitch can't really MITM anyone who has any kind of cryptocontact with the general public. Obtaining a single non-mitch public key cuts the attack down the middle. Being able to get your key out without it being intercepted also foils the attack, since one there is suspicion of a MITM attack, people are going to investigate. You can't erase crypographic evidence of MITM activity, either. So, once your keys are actually "out there", you can no longer be effectively attacked without leaving messy trails here or there. The other problem, of course, is how do you know you haven't already been MITM'd. You don't. You can't, unless you expose it by publishing your key to someone though a channel that can't be D.O.S.'d. Publishing a hash/sig of future posts is not terribly practical, because not only does the hash/sig have to be expected beforehand but what the hash is for has to be known as well. If I publish a detached signature of something (could be my key, or might not be) then Mitch will just have to make something up, make a sig for it, and publish THAT. Posting the source code to RC5, for example, after sending out a hash first means that Mitch will have to send out whatever it was he hashed in place of my hash, and then make HIS hash of RC5 code, then quickly follow up with the actual code that I was kind enough to mail to him. And since Medussa is by definition "in the middle" I don't ever realize that any of that happened. I suppose the "overloading the processors" works well if you can be sure you've overloaded it, which means not only that you know already what Mitch's power is, but you know of someone else (a group perhaps) that has even MORE power, such that Mitch will stick out in the timing. So, if you ask me, none of _those_ methods are very trustworthy considering the resources you have to have already assigned to Mitch - after all, keeping a 24 hour Medussawatch on you and your whole ISP is tough work. Going _through_ Mitch is not easy.

The chance of failure is minimized by diversity in the channels used to try to bypass the MITM.

I agree-On the other hand, it's not terribly difficult to go _around_ Mitch. I mean, just how many of the following things has Mitch done: Watch all the ISP's in town and all the phone lines you can use to call them. Filter your work/school ISPs. Filter all your net-using neighbors, co-workers, and friends' accounts. etc. All it takes is to get one non-Mitch public key. Of course, once the MITM gig is up, the option of locking you in a room since 1983 will make Mitch the "new you", meaning there is no longer a middle. (Fortunately, though, Bob was MITM'ing Mitch at the same time, and now you're both out of the loop and Bob has the goods now, cuz what's Mitch gonna do about it?)

you can't afford a failure, you *do* need a channel over which you have nearly complete control. The simplest such channel is a physical meeting, during which you exchange public keys. If the MITM threat is

How do you know you're not giving your key to Mitch. And how do you know that Mitch isn't headed over to Alice's later on to pretend to be you and give Alice "your" key? Don "Medussa for short" -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMHtC+sLa+QKZS485AQEEmwL+NbEoXoeJPEBKGFev8gLWBCIoniyXS4o5 YyyGnkfTjsc/DimbU15z++d/fcihUzwK/dLKBXub3fdxcna9m9YyLNEdo8QyhPNb /Wp6PKq9SdfMb6uCzgoVwg7PrtTZzZEe =jN+h -----END PGP SIGNATURE----- <don@cs.byu.edu> fRee cRyPTo! jOin the hUnt or BE tHe PrEY PGP key - http://bert.cs.byu.edu/~don or PubKey servers (0x994b8f39) June 7&14, 1995: 1st amendment repealed. Junk mail to root@127.0.0.1 * This user insured by the Smith, Wesson, & Zimmermann insurance company *