MITM evasion MITM evasion
Two years ago, I pointed out that getting a single message past the man in the middle isn't good enough; you have to convince your readers that the key they received on one channel is more accurate than the key they're receiving on all the other channels. But if they'll believe that, they may also believe the man in the middle's announcement that the key in your name on all the keyservers is wrong, and the correct key is the one he's putting out. Can't win either way, but it's still important to get the key out. My current key is 0x54696D4D; the fingerprint is 4D 65 44 75 53 61 21 2F 41 73 55 64 85 6D 21 7F. .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway."
Anonymous, claiming to be Tim May, writes:
Two years ago, I pointed out that getting a single message past the man in the middle isn't good enough; you have to convince your readers that the key they received on one channel is more accurate than the key they're receiving on all the other channels. But if they'll believe that, they may also believe the man in the middle's announcement that the key in your name on all the keyservers is wrong, and the correct key is the one he's putting out. Can't win either way, but it's still important to get the key out.
I see two general categories of MITM attacks. In one case, Mitch wants to eavesdrop on Alice and Bob, but doesn't really care about other communication they do. In the other, Mitch wants to know about all of Alice's communications, regardless of with whom they are. Public key cryptography turns the first case into two instances of the second. If Mitch doesn't control all of both Alice and Bob's communications with everyone, the will eventually discover that the key they're using for the other isn't the same one everyone else uses. In the second MITM model, Mitch has an unbelievable task. Any public key that goes from Alice to anyone else, or vice versa, must be substituted with one Mitch holds. Any messages *about* public keys must be transformed into messages about the corresponding MITM keys. This includes telephone conversations where Alice and Bob exchange keyids, the business card Eve has printed with her keyid and gives to Alice at Interop, the Betsi key Alice can read in the newspaper, WWW pages, files FTP'd, and face-to-face meetings. Anything short of total control gives Alice an opportunity to learn about Mitch's presence. If Alice can exploit the hole enough to get one good key, Mitch must change his tactics to denial of service with respect to that key, or Alice can ask the key owner for other good keys. If Mitch can successfully surround Alice in such a cloud, I submit at least one of the following statements is true: 1. Alice is such a non-entity that no one really wants to communicate with her. 2. Bob can safely assume that the new key he just got isn't really from Alice, because an Alice-with-a-life surrounded by a nearly successful Mitch-cloud wouldn't be sending out keys --- she'd be sending out messages saying "HELP ME!! I'M LOCKED IN MITCH'S SECRET BOMB SHELTER!!!"
Scott Brickner <sjb@universe.digex.net> writes:
I see two general categories of MITM attacks. In one case, Mitch wants to eavesdrop on Alice and Bob, but doesn't really care about other communication they do. In the other, Mitch wants to know about all of Alice's communications, regardless of with whom they are.
Public key cryptography turns the first case into two instances of the second. If Mitch doesn't control all of both Alice and Bob's communications with everyone, the will eventually discover that the key they're using for the other isn't the same one everyone else uses.
This is true, but it doesn't mean that the threat can be neglected. A successful MITM attack may be a matter of reading even one message and acting on it, if the participants don't find out until later that they were robbed. In fact, they might not ever notice that they key they used Tuesday was different from the key they used Thursday, if they didn't cache the keys. (Yes, PGP does store the keys in a local key ring cache but not all systems will necessarily work that way.)
In the second MITM model, Mitch has an unbelievable task. Any public key that goes from Alice to anyone else, or vice versa, must be substituted with one Mitch holds. Any messages *about* public keys must be transformed into messages about the corresponding MITM keys.
This includes telephone conversations where Alice and Bob exchange keyids, the business card Eve has printed with her keyid and gives to Alice at Interop, the Betsi key Alice can read in the newspaper, WWW pages, files FTP'd, and face-to-face meetings.
Obviously the MITM cannot handle (most) communications taking place offline. But there may be a lot of people who don't use any of these offline methods to validate their keys. These people don't go to academic conferences, don't read their key id's over the phone, and don't print them on business cards (or if they do, they don't get business cards from those they communicate with securely). Maybe this will change, maybe it is a matter of user education, but it is still an extra effort which will be important to have secure communications. I don't think this is widely recognized (other than in the context of the need for certificates and signed keys).
Anything short of total control gives Alice an opportunity to learn about Mitch's presence. If Alice can exploit the hole enough to get one good key, Mitch must change his tactics to denial of service with respect to that key, or Alice can ask the key owner for other good keys.
Note too that Mitch is not necessarily taking any risks here even if he is caught. "Mitch" could be a remotely operating program, a virus embedded in Alice's computer or in some link between her system and the outside world, which is performing these transformations and sending the decrypted messages out anonymously. So even if Alice discovers the trickery there may be no effective way to track down the miscreant.
If Mitch can successfully surround Alice in such a cloud, I submit at least one of the following statements is true:
1. Alice is such a non-entity that no one really wants to communicate with her.
2. Bob can safely assume that the new key he just got isn't really from Alice, because an Alice-with-a-life surrounded by a nearly successful Mitch-cloud wouldn't be sending out keys --- she'd be sending out messages saying "HELP ME!! I'M LOCKED IN MITCH'S SECRET BOMB SHELTER!!!"
or 3. Mitch's MITM attack is transitory and he doesn't care if he is caught afterwards, he got his goodies. or 4. Alice doesn't go to a lot of trouble to check her keys via offline means. After all, MITM is so rare it can't happen to her. Practice safe cryptography! Hal
participants (3)
-
anon-remailer@utopia.hacktic.nl -
Hal -
Scott Brickner