From: "Mike Rosing" <eresrch@eskimo.com>
Is there a defense against MITM for Diffie-Hellman? Is there another protocol with equivalent properties, with such a defense? (Secure communications between two parties, with no shared secret and no out-of-band abilities, on an insecure network.)
What do you mean by no shared secret? The point of DH is that you get a shared secret.
I guess I should have said "no *previously* shared secret".
Check out the MQV protocol for MITM defense and forward secrecy. It uses permanent public keys and ephemeral public keys for each session. In any protocol, the out-of-band check of the public keys is still a "good thing".
Well... I assume an active MITM (like my ISP). He's able to intercept my public key request and change it. Plus, I now realize I should have put an even harder condition - no previously shared *information*, even if it's public. I need to know if two complete strangers can communicate securely over an insecure network, even if they communicate through an untrusted party. Wasn't there a protocol for two prisoners communicating through an untrusted guard? Thanks, Mark
On Fri, 28 Jun 2002, Marcel Popescu wrote:
Well... I assume an active MITM (like my ISP). He's able to intercept my public key request and change it. Plus, I now realize I should have put an even harder condition - no previously shared *information*, even if it's public. I need to know if two complete strangers can communicate securely over an insecure network, even if they communicate through an untrusted party. Wasn't there a protocol for two prisoners communicating through an untrusted guard?
Can't be done.

You must have multiple channels, and you need to hope that all of them can't be spoofed. A phone call, a newspaper ad, a bill board, a satellite link, any one of them might be spoofed. But to spoof *all* of them would be very hard.

If you use some kind of "security by obscurity" method, you can do something once, but for general security, it's not possible to just go via the net without an out-of-band check.

A public posting of the key id is a pretty safe way for a large company or organization. A .sig with your key id is another good way; it leaves traces all over the net for a long time. The point is that you have to leave some kind of trace that's checkable via an effective alternate channel. Otherwise, the MITM wins.

Patience, persistence, truth, Dr. mike
hi,

If there is no previously shared secret, then your communication on an insecure network is susceptible to the man in the middle attack. One solution suggested against the man in the middle attack is using the interlock protocol.

Interlock Protocol (used to foil a man in the middle attack):

1: Alice sends Bob her public key.
2: Bob sends Alice his public key.
3: Alice encrypts her message with Bob's public key. She sends half of the encrypted message to Bob.
4: Bob encrypts his message using Alice's public key. He sends half of the encrypted message to Alice.
5: Alice sends the other half of the encrypted message to Bob.
6: Bob puts the 2 halves of Alice's message together & decrypts it with his private key. Bob sends the other half of his message to Alice.
7: Alice puts the 2 halves of Bob's message together & decrypts it with her private key.

Here Mallory can still substitute his own public key for Alice's & Bob's. Now when he intercepts half of Alice's message, he cannot decrypt it with his private key & re-encrypt it with Bob's public key. He must invent a completely new message & send half of it to Bob. When he intercepts half of Bob's message to Alice, he has the same problem. He cannot decrypt it with his private key & re-encrypt it with Alice's public key. By the time the second halves of the messages of Alice & Bob arrive, it's already too late to change the new message he invented. The conversation between Alice & Bob needs to be completely different. However, if Mallory can mimic Alice & Bob, they might not realise that they are being duped & he may get away with his scheme.

Here is what I think: it is not compulsory that all the blocks of messages must be invented by Mallory. He only needs to make the first full message for Alice and send it to Bob, & vice versa.

OK, e.g.:

1: Alice sends Bob part of the 1st block.
2: Bob makes the 1st half on his own and sends it to Bob & keeps Alice's message.
3: Now Bob sends his first half of the message.
4: Mallory intercepts it and makes his own message and sends it to Alice.
5: Again Bob sends Alice the other half of the msg, which Mallory intercepts & substitutes his own 2nd part of his block.
6: The same happens when Bob sends the second half of his message to Alice; Mallory intercepts it and sends his own 2nd block to Alice.

Since he has sent one full block to each of them & has the full blocks of Alice's and Bob's true messages, Mallory can now split them in half and complete the protocol, i.e. since the 1st packet is fake, he has the true packets of Alice & Bob & can complete the protocol. All Mallory would have to do is send the half of the (n)th packet when he receives the half of the (n+1)th packet, since the 1st packet was faked by Mallory. So I don't think the interlock protocol will work in this case. That's how I understand it. Am I not right?

Regards,
Data.

--- Mike Rosing <eresrch@eskimo.com> wrote:
On Fri, 28 Jun 2002, Marcel Popescu wrote:
Well... I assume an active MITM (like my ISP). He's able to intercept my public key request and change it. Plus, I now realize I should have put an even harder condition - no previously shared *information*, even if it's public. I need to know if two complete strangers can communicate securely over an insecure network, even if they communicate through an untrusted party. Wasn't there a protocol for two prisoners communicating through an untrusted guard?
Can't be done.
You must have multiple channels, and you need to hope that all of them can't be spoofed. A phone call, a newspaper ad, a bill board, a satellite link, any one of them might be spoofed. But to spoof *all* of them would be very hard.
If you use some kind of "security by obscurity" method, you can do something once, but for general security, it's not possible to just go via the net without an out-of-band check.
A public posting of the key id is a pretty safe way for a large company or organization. A .sig with your key id is another good way, it leaves traces all over the net for a long time. The point is that you have to leave some kind of trace that's checkable via an effective alternate channel. Otherwise, the MITM wins.
Patience, persistence, truth, Dr. mike
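The one-block-delay attack Data describes above, as an added simulation that is not part of this thread: Mallory has substituted both public keys, invents only the first block in each direction, and from then on relays the genuine blocks one block late. Public-key encryption is replaced by a constructed toy (keyed stream plus a MAC over the whole ciphertext, so a lone half really is undecryptable), and the key values and message contents are assumptions made for the example; it shows why the protocol alone, without an out-of-band key check, does not stop a patient MITM.

```python
import hashlib
import hmac

# Toy stand-in for public-key encryption (constructed for this example): a keyed
# stream plus a MAC over the full ciphertext, so one half alone cannot be decrypted.
def keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, m: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(m, keystream(key, len(m))))
    return body + hmac.new(key, body, "sha256").digest()

def decrypt(key: bytes, ct: bytes) -> bytes:
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or incomplete ciphertext")
    return bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))

def halves(ct: bytes):
    return ct[: len(ct) // 2], ct[len(ct) // 2 :]

def interlock_with_delay(alice_msgs, bob_msgs, fake_to_bob, fake_to_alice):
    """Interlock run where Mallory swapped both public keys (so every block is
    really encrypted to his key), invents the first block each way, then relays
    the genuine blocks one block late. Returns what Bob and Alice decrypt."""
    k_alice, k_bob, k_mal = b"alice-key", b"bob-key", b"mallory-key"  # assumed
    a_half = [halves(encrypt(k_mal, m)) for m in alice_msgs]
    b_half = [halves(encrypt(k_mal, m)) for m in bob_msgs]
    held_a, held_b = [], []                     # halves Mallory has collected
    queue_b, queue_a = [fake_to_bob], [fake_to_alice]  # blocks Mallory relays
    in_b, in_a, got_b, got_a = [], [], [], []
    for n in range(len(alice_msgs)):
        for h in (0, 1):
            held_a.append(a_half[n][h])         # Alice -> M: half h of block n
            if h == 1:                          # both halves in: M reads block n
                queue_b.append(decrypt(k_mal, held_a[-2] + held_a[-1]))
            in_b.append(halves(encrypt(k_bob, queue_b[n]))[h])  # M -> Bob, one late
            held_b.append(b_half[n][h])         # Bob -> M: half h of block n
            if h == 1:
                queue_a.append(decrypt(k_mal, held_b[-2] + held_b[-1]))
            in_a.append(halves(encrypt(k_alice, queue_a[n]))[h])  # M -> Alice
        got_b.append(decrypt(k_bob, in_b[-2] + in_b[-1]))  # Bob reassembles block
        got_a.append(decrypt(k_alice, in_a[-2] + in_a[-1]))
    return got_b, got_a
```

Bob ends up with Mallory's invented block followed by Alice's genuine blocks shifted by one, exactly the schedule the post above describes; the last genuine block stays with Mallory until the next one arrives.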
From: "gfgs pedo" <jtrjtrjtr2001@yahoo.com>
One solution suggested against the man in the middle attack is using the interlock protocol
This is the one I vaguely recalled, thank you.
All mallory would have to do is send the half of the (n th) packet when he receives the half of (n+1)th packet since the 1 st packet was faked by mallory.
Interesting attack... assuming that a one-block delay doesn't look suspicious.

What if every message except the very first one has a hash of the previously received message?

A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
... and so on

Nah... won't work; since M captures A1 and B1, he can compute the hashes for both the initial bogus message and the (delayed) genuine ones. Same if they try hashing all the previous messages.

What if they send the hash of the *other* half? (The program splitting the messages already has the full ones.)

A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on

Nope, no good... M fakes the first message in both directions, and then he always has a good one, so he can compute the hashes.

The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...

Thanks, Mark
hi,

Thanks Mark, I was also wondering along the line of hash functions too; I too don't see how it works securely. Nor does the interlock protocol look secure to me.

Regards,
Data.

--- Marcel Popescu <mdpopescu@subdimension.com> wrote:
From: "gfgs pedo" <jtrjtrjtr2001@yahoo.com>
One solution suggested against the man in the middle attack is using the interlock protocol
This is the one I vaguely recalled, thank you.
All mallory would have to do is send the half of the (n th) packet when he receives the half of (n+1)th packet since the 1 st packet was faked by mallory.
Interesting attack... assuming that a one-block delay doesn't look suspicious.
What if every message except the very first one has a hash of the previously received message?
A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
... and so on
Nah... won't work; since M captures A1 and B1, he can compute the hashes for both the initial bogus message and the (delayed) genuine ones. Same if they try hashing all the previous messages.
What if they send the hash of the *other* half? (The program splitting the messages already has the full ones.)
A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on
Nope, no good... M fakes the first message in both directions, and then he always has a good one, so he can compute the hashes.
The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...
Thanks, Mark
hi,
The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...
As far as I can extend the previous attack, i.e. faking 1 packet for the interlock protocol, to the one you propose above, extending the same attack it only takes Mallory one and a half faked packets to launch a successful attack on the above proposal.

Let A=Alice, M=Mallory, B=Bob.
Let 1:1 indicate 1st packet, 1st half; 1:2 indicate 1st packet, 2nd half; 2:1 indicate 2nd packet, 1st half; 2:2 indicate 2nd packet, 2nd half; and so on. So we now have 1:2 and 2:1 as one complete message, and so on.

No:   A         M         B
1     A->1:1    M->1:1
2               M->1:1    B->1:1
3     A->1:2    M->1:2
4               M->1:2    B->1:2
5     A->2:1    M->2:1
6               M->2:1    B->2:1
7     A->2:2    ******

The blank space in each row indicates that it is the sender and the other 2 are receivers. Once Mallory receives A->2:2, he has 2 full packets in hand and has faked 1 and a half packets (step 7). ****** indicates that it is now the earlier packet of Alice that Bob receives after Mallory's manipulation. I hope that table will give some clarity. Now he can send Bob the original message of Alice. So I think the above suggested protocol will not work. Mallory can still get away with his scheme.

Regards,
Data.

--- Marcel Popescu <mdpopescu@subdimension.com> wrote:
From: "gfgs pedo" <jtrjtrjtr2001@yahoo.com>
One solution suggested against the man in the middle attack is using the interlock protocol
This is the one I vaguely recalled, thank you.
All mallory would have to do is send the half of the (n th) packet when he receives the half of (n+1)th packet since the 1 st packet was faked by mallory.
Interesting attack... assuming that a one-block delay doesn't look suspicious.
What if every message except the very first one has a hash of the previously received message?
A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
... and so on
Nah... won't work; since M captures A1 and B1, he can compute the hashes for both the initial bogus message and the (delayed) genuine ones. Same if they try hashing all the previous messages.
What if they send the hash of the *other* half? (The program splitting the messages already has the full ones.)
A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on
Nope, no good... M fakes the first message in both directions, and then he always has a good one, so he can compute the hashes.
The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...
Thanks, Mark