subjective names and MITM
Neither certification hierarchies nor the PGP web-of-trust are very useful because they try to bind True Names to keys and True Names have many problems. People can have duplicate names and can change their names (what happens if I legally change my name to Bill Clinton and try to get Verisign to certify my key under that name?), and often we don't care about someone's True Name.

Perhaps it is better to think of names as subjective identifiers, and public keys as global ids. That is, a person who has a collection of public keys gives each of them a name, but different people can name their keys differently. Of course the holder of the corresponding private key can help in the naming process (e.g., "Please call me Wei"). If two people need to talk about a third party, they can refer to him by an arbitrary name after establishing a common binding between his key and that name.

In this scheme, the man-in-the-middle problem goes away because you are no longer trying to communicate with a True Name, whose binding with a key can be spoofed, but rather with the key itself. If the holder of that key chooses to act as a middle-man by relaying messages around, that is his business, and there is really nothing you can do about it.

Wei Dai
Wei Dai wrote:
| Perhaps it is better to think of names as subjective identifiers, and
| public keys as global ids. That is, a person who has a collection of
| public keys gives each of them a name, but different people can name their
| keys differently. Of course the holder of the corresponding private key
| can help in the naming process (e.g., "Please call me Wei"). If two
| people need to talk about a third party, they can refer to him by an
| arbitrary name after establishing a common binding between his key and
| that name.

Just a minor nit regarding a well thought out post, public keys are not 'global' ids, but 'system-wide' IDs. For keys to be really global, there needs to be a mechanism in place for insuring that key ids are very probably unique. One way to ensure that keys are globally unique would be to integrate a KCA identifier with the keyid, and KCAs base part of their reputation on not signing multiple keys with the same id.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
Adam Shostack writes:
Just a minor nit regarding a well thought out post, public keys are not 'global' ids, but 'system-wide' IDs. For keys to be really global, there needs to be a mechanism in place for insuring that key ids are very probably unique. One way to ensure that keys are globally unique would be to integrate a KCA identifier with the keyid, and KCAs base part of their reputation on not signing multiple keys with the same id.
A public key *is* "very probably unique". A "randomly selected" 1024 bit prime number has a specific amount of entropy in it. The likelihood of two users world wide "randomly" choosing the same such prime may be precisely determined (assuming you can figure the entropy). Who needs a KCA to certify it? The real benefit of the KCA is as a means of linking the key with a unique person. As I've commented before, anonyms have no meaningful "credit rating".
Scott Brickner wrote:
| Adam Shostack writes:
| > Just a minor nit regarding a well thought out post, public
| >keys are not 'global' ids, but 'system-wide' IDs. For keys to be
| >really global, there needs to be a mechanism in place for insuring
| >that key ids are very probably unique. One way to ensure that keys
| >are globally unique would be to integrate a KCA identifier with the
| >keyid, and KCAs base part of their reputation on not signing multiple
| >keys with the same id.
|
| A public key *is* "very probably unique". A "randomly selected" 1024 bit
| prime number has a specific amount of entropy in it. The likelihood of
| two users world wide "randomly" choosing the same such prime may be
| precisely determined (assuming you can figure the entropy).

The key does indeed have a high likelihood of being unique, but dealing with 1024 bit identifiers could strain database systems, especially when 100 well chosen bits would be more than enough.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
Adam Shostack writes:
The key does indeed have a high likelihood of being unique, but dealing with 1024 bit identifiers could strain database systems, especially when 100 well chosen bits would be more than enough.
Hence the suggestion to use a hash of the key instead of the key itself. Someone pointed out that a uniformly distributed 1024 bit prime has something like 1014 bits of entropy. An md5 hash of the key should have about 128 bits of entropy, with the probability of a collision among 2^33 keys (one per person, worldwide) being about 1 in 2^95, or about 1 in 10^29. Sounds like we're safe, even without straining our databases.
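As an added example (not code from any poster in this thread), here is a small Python model of the two ideas above: Wei Dai's subjective names with public keys as the global ids, and the hash-of-the-key identifier Scott suggests. It assumes SHA-256 truncated to 128 bits in place of MD5, uses constructed placeholder byte strings as "keys", and the `collision_probability` helper uses the birthday approximation n^2 / 2^(bits+1) rather than any figure from the thread.

```python
import hashlib
from typing import Dict, Optional

# Added example, not from the thread. The "keys" below are constructed
# placeholder byte strings standing in for real public keys.


def key_id(pubkey: bytes, bits: int = 128) -> str:
    """Global identifier for a key: a truncated hash of the public key bytes.

    Assumption: SHA-256 truncated to `bits` stands in for the MD5 (128-bit)
    or "100 well chosen bits" ids discussed in the thread.
    """
    if bits % 8 or bits > 256:
        raise ValueError("bits must be a multiple of 8, at most 256")
    return hashlib.sha256(pubkey).digest()[: bits // 8].hex()


def collision_probability(n_keys: int, bits: int) -> float:
    """Birthday-bound estimate that some two of n_keys ids of `bits` bits collide.

    Uses the standard approximation n^2 / 2^(bits+1), accurate while small.
    """
    return n_keys * n_keys / 2 ** (bits + 1)


class Keyring:
    """One person's subjective namespace: local name -> global key id.

    Names are private to the keyring's owner; two keyrings may give the same
    key different names, and only the key id is shared between them.
    """

    def __init__(self) -> None:
        self._by_name: Dict[str, str] = {}

    def bind(self, name: str, pubkey: bytes) -> str:
        """Record "I call this key <name>" and return the key's global id."""
        kid = key_id(pubkey)
        self._by_name[name] = kid
        return kid

    def lookup(self, name: str) -> Optional[str]:
        return self._by_name.get(name)

    def name_for(self, kid: str) -> Optional[str]:
        """Reverse lookup: what do I call this key id, if anything?"""
        for name, known in self._by_name.items():
            if known == kid:
                return name
        return None

    def same_key(self, my_name: str, other: "Keyring", their_name: str) -> bool:
        """Establish a common binding for a third party: do my name and the
        other person's name refer to the same global key id?"""
        mine, theirs = self.lookup(my_name), other.lookup(their_name)
        return mine is not None and mine == theirs

    def accept_key(self, name: str, offered: bytes) -> bool:
        """A key arrives on the wire claiming to be <name>. Accept it only if
        its id matches the id already bound to that name; a key substituted
        by a relay in the middle has a different id and is rejected."""
        return self.lookup(name) == key_id(offered)


# Constructed sample keys (placeholders, not real key material).
WEI_KEY = b"constructed-public-key-of-wei"
OTHER_KEY = b"constructed-public-key-of-someone-else"


def demo() -> dict:
    alice, bob = Keyring(), Keyring()
    alice.bind("Wei", WEI_KEY)            # Alice's subjective name for the key
    bob.bind("weidai@eskimo", WEI_KEY)    # Bob's different name for the same key
    bob.bind("Carol", OTHER_KEY)
    return {
        "agree_on_wei": alice.same_key("Wei", bob, "weidai@eskimo"),
        "carol_is_not_wei": alice.same_key("Wei", bob, "Carol"),
        "genuine_key_accepted": alice.accept_key("Wei", WEI_KEY),
        "substituted_key_rejected": alice.accept_key("Wei", OTHER_KEY),
        "bob_name_for_wei": bob.name_for(alice.lookup("Wei")),
    }


if __name__ == "__main__":
    print(demo())
    print(collision_probability(2 ** 33, 128))
```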
Wei Dai <weidai@eskimo.com> writes:
In this scheme, the man-in-the-middle problem goes away because you are no longer trying to communicate with a True Name, whose binding with a key can be spoofed, but rather with the key itself. If the holder of that key chooses to act as a middle-man by relaying messages around, that is his business, and there is really nothing you can do about it.
Carl Ellison has been arguing a similar point for some time, if I understand him, which I may not! The man in the middle problem is a difficult one, but I don't think you're going to get away with defining the problem out of existence. There is a difference between a MITM and the case you describe where you are actually communicating securely with the person you think you are, but he chooses to relay the messages around.

The difference is that if you are actually communicating securely with an individual, you can form some estimate of his personality, judgement, etc. You may choose on this basis to trust him, provide sensitive information, take risks, and so on. But if he is actually behind a MITM then all bets are off. All of your judgement about him is irrelevant. At any time the MITM can take advantage of the information you provide. He can even "blow his cover" and take extreme action, to your detriment.

This situation with the MITM is actually about the same as if you were communicating insecurely in the first place. You are exposed to all of the same risks. So if you are willing to accept communicating systems that allow this kind of attack, you almost might as well not use cryptography at all. (Not quite, because the MITM is a more expensive attack to mount than one on an unsecured wire.)

In fact, I can facetiously prove that cryptography is unnecessary. We are not communicating with individuals, but with communicatees. All of your messages are by definition going to the communicatee with whom you are communicating. If the particular communicatee who is receiving your message chooses to relay it or spread the information around in other ways, that is the right and privilege of the communicatee. But messages are going to the communicatee they are going to, whether encryption is used or not. So encryption is not necessary.
This argument seems to mirror the one for why we only communicate with keys, that if a key wants to do something nasty we can't stop it (him?), etc. I say, we don't communicate with keys. We communicate with people (or occasionally programs). Hal
hfinney@shell.portal.com writes:
m5@dev.tivoli.com (Mike McNally) writes:
hfinney@shell.portal.com writes:
There is a difference between a MITM and the case you describe ...
Seems to me that the idea of "communicating with the person you think you are" is intractably difficult if you're not sitting in the same room. ...
I can certainly agree with the attractive simplicity of this notion. My point is that it is practically useless. ...
Oddly enough, it seems to me that Hal (if that really *is* his name) and I (and Carl & others) are saying basically the same things, but drawing completely different conclusions. Strange. I'm willing to wait to see what the peer review process concludes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Fri, 6 Oct 1995, Mike McNally wrote:
hfinney@shell.portal.com writes:
m5@dev.tivoli.com (Mike McNally) writes:
hfinney@shell.portal.com writes:
There is a difference between a MITM and the case you describe ...
Seems to me that the idea of "communicating with the person you think you are" is intractably difficult if you're not sitting in the same room. ...
I can certainly agree with the attractive simplicity of this notion. My point is that it is practically useless. ...
Oddly enough, it seems to me that Hal (if that really *is* his name) and I (and Carl & others) are saying basically the same things, but drawing completely different conclusions. Strange. I'm willing to wait to see what the peer review process concludes.
I think Hal and some other Cypherpunks (Me, You, Carl, etc.) are not proceeding from one of the same assumptions. Specifically, Hal seems to be proceeding from the assumption that the person "on the other end of the line" is in fact a known physical entity who has a meat reputation tied to the name. I'm proceeding from the assumption that the person on the other end of the line has no specific RL reputation that I'm basing the relationship on, just the online one.

Here's an example: There's someone on the list, now, apparently, with the name of "Steven Levy." Hal assumes that, when communicating with that "Steven Levy," one intends to communicate with the fairly-well-known journalist of that name, and thus certification of RL identity is important. I assume that, unless there's a specific reason otherwise, I want to have an intellectual conversation (or financial transaction, etc) that isn't predicated on this being "the" Steven Levy. In that case, certification of RL identity is irrelevant.

(Not to pick on you, Steve, but I needed an obvious example familiar to list members... The other candidate was Steve Wozniak, to whom I sent fan e-mail the other day... :) )

Jon
------------------------------------------------------------------------------
Jon Lasser <jlasser@rwd.goucher.edu> (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
Assassins with Sly Stallone and Antonio Banderas with Julianne Moore as the cyberspatial interest. This may be the film derived in part from some writer-type's conversation with our own Tim May. Sly and Antonio get their contracts via computer from an anonymous source. They favor Powerbooks. The source types on the tops of the screens; they type on the bottom. The Powerbooks must have built in wireless modems because they are pretty casual about firing them up wherever they happen to be.

Julianne is cute. Apparently being a net security expert/hacker is seen as women's work in Hollywood with Sandra in The Net and what's her name in Hackers. Also this sort of life interferes with your social contacts because both Sandra and Julianne seem lonely. Julianne likes cats. The screens look fake (like most Hollywood computer screens). There is minor mention of encryption. Julianne is a "ghost" (self-described) with no SS# or DL. She does have a car and apartment, however.

As always in these films, much of the action is motivated by a single high-density floppy. It's amazing the amount of stuff they can get on those disks. Most of these characters' problems could be solved if they would simply transfer this info over the nets without having to meet in person. They could also encrypt disks much more than they choose to.

Coincidentally, I saw both The Net and Hackers this weekend. It is hard to decide which is the "best." Assassins is slick and Antonio makes a great psycho. [Note to Sly --- Many of your problems as a professional assassin could be solved by a few finishing shots to the head. --- I thought they taught that on the first day in assassin's school.] I suppose I liked Assassins best although Puerto Rico makes a poor stand-in for an island tax haven. I like English accents on my tax haven bankers.

DCF
"Who is ready to act as an advisor for a small fee to anyone out there who wants to do a real net film."
Jon Lasser <jlasser@rwd.goucher.edu> writes:
I think Hal and some other Cypherpunks (Me, You, Carl, etc.) are not proceeding from one of the same assumptions. Specifically, Hal seems to be proceeding from the assumption that the person "on the other end of the line" is in fact a known physical entity who has a meat reputation tied to the name. I'm proceeding from the assumption that the person on the other end of the line has no specific RL reputation that I'm basing the relationship on, just the online one.
Here's an example: There's someone on the list, now, apparently, with the name of "Steven Levy." Hal assumes that, when communicating with that "Steven Levy," one intends to communicate with the fairly-well-known journalist of that name, and thus certification of RL identity is important. I assume that, unless there's a specific reason otherwise, I want to have an intellectual conversation (or financial transaction, etc) that isn't predicated on this being "the" Steven Levy. In that case, certification of RL identity is irrelevant.
That is not exactly my point. My concern is avoiding the man in the middle attack. One way to do that is to find a certificate from Verisign saying that this key belongs to Steven Levy, ideally with other information that I can confirm relates to the on-line personage I wish to speak to. Presumably the MITM can't get a certificate for Steven Levy, unless by coincidence his name actually is Steven Levy, in which case the other information I mentioned will be helpful as well. Would you propose just to use an unsigned key that says it is for Steven Levy? Or perhaps a key without any name at all that someone told you was for him? That is the policy which I have been arguing against. The whole idea of communicating with keys, or not having key certificates or signatures, seems to me to leave open the possibility of man in the middle attacks. Isn't this a problem? Or are the difficulties of mounting a MITM attack considered so large that they can be neglected? I would just like to hear exactly what are the assumptions being made regarding this problem by those who oppose certificates. Hal
m5@dev.tivoli.com (Mike McNally) writes, quoting me:

Mike>Seems to me that the idea of "communicating with the person you think
Mike>you are" is intractably difficult if you're not sitting in the same
Mike>room. ...

Hal> I can certainly agree with the attractive simplicity of this notion. My
Hal> point is that it is practically useless. ...

Mike>Oddly enough, it seems to me that Hal (if that really *is* his name)
Mike>and I (and Carl & others) are saying basically the same things, but
Mike>drawing completely different conclusions. Strange. I'm willing to
Mike>wait to see what the peer review process concludes.

I am afraid you have quoted this out of context and thereby exactly reversed the sense of what I was saying. Hence we are not saying the same things, but rather we are saying opposite things. The full quote is:

Mike>Seems to me that the idea of "communicating with the person you think
Mike>you are" is intractably difficult if you're not sitting in the same
Mike>room. If you accept instead the idea of "communicating with the
Mike>entity possessing the private half of a keypair" then life gets a lot
Mike>simpler.

Hal>I can certainly agree with the attractive simplicity of this notion. My
Hal>point is that it is practically useless.

By "this notion" I was referring to the second sentence rather than the first, the idea that we are communicating with whomever holds the key. This was the one which you said would make life simpler, and so I hoped that by agreeing about its simplicity it would be clear which of the two competing ideas I was referring to. Apparently it was ambiguous, so I apologize for being unclear.

It is disturbing that even after reading that very long message my position could be interpreted as being the opposite of what it is. Apparently my arguments are not being well understood. I will have to think about this issue more and try to express myself better.

Hal
hfinney@shell.portal.com writes:
There is a difference between a MITM and the case you describe where you are actually communicating securely with the person you think you are, but he chooses to relay the messages around.
Seems to me that the idea of "communicating with the person you think you are" is intractably difficult if you're not sitting in the same room. If you accept instead the idea of "communicating with the entity possessing the private half of a keypair" then life gets a lot simpler.
The difference is that if you are actually communicating securely with an individual, you can form some estimate of his personality, judgement, etc. You may choose on this basis to trust him, provide sensitive information, take risks, and so on. But if he is actually behind a MITM then all bets are off.
I don't see why. If, via some MITM (or "EITM", "Entity In The Middle") you are able to form a trust relationship with a public key, then I can see no practical difference. Consider a dating advice service that's behind a public key. You send it dozens of letters, and soon come to trust the advice being given. By whatever means at your disposal you look for leaks of information you divulge and find none, so your trust increases. If the private key is held by an AI program, by a team of learned specialists at a shadowy Swedish research institute, or by Rush Limbaugh, then what difference does it make to you?
All of your judgement about him is irrelevant. At any time the MITM can take advantage of the information you provide. He can even "blow his cover" and take extreme action, to your detriment.
But then so can the "real person" you thought you were communicating with.
This situation with the MITM is actually about the same as if you were communicating insecurely in the first place. You are exposed to all of the same risks.
The only way to achieve the level of security offered by physical face to face communication with a person is to have a physical face to face conversation at some point. If you only ever communicate via electronic means, you are always subject to the risk of dealing with a synthetic entity. (I think.)
So if you are willing to accept communicating systems that allow this kind of attack, you almost might as well not use cryptography at all. (Not quite, because the MITM is a more expensive attack to mount than one on an unsecured wire.)
That's not clear. I can have confidence when using a PK scheme that I am at least communicating securely with the entity that holds the private key. That that entity may be leaking information through alternate channels is something I don't know; I don't see how you can securely defend against that in any case, or perhaps I don't see how defending against it in the case that you think you know who you're dealing with is any different than defending against it if you accept that you don't know who you're dealing with. (I've read over that a couple times, and I think it's OK.)
In fact, I can facetiously prove that cryptography is unnecessary. We are not communicating with individuals, but with communicatees.
Works for me. (Indeed, Hal, I have no idea who or what you are :-)
All of your messages are by definition going to the communicatee with whom you are communicating. If the particular communicatee who is receiving your message chooses to relay it or spread the information around in other ways, that is the right and privilege of the communicatee. But messages are going to the communicatee they are going to, whether encryption is used or not. So encryption is not necessary.
Ah, but that last point is clearly *not* true. When you encrypt, you at least have some assurance that between you and the communicatee there's security. If (unfortunately) the "communicatee" is a conspiracy that begins at the CO where your home phone lines terminate, then indeed you've got a problem.
This argument seems to mirror the one for why we only communicate with keys, that if a key wants to do something nasty we can't stop it (him?), etc. I say, we don't communicate with keys. We communicate with people (or occasionally programs).
But how do you know? (How do you know there aren't a team of people standing beside me advising me on what to type?) And note that you can hardly keep me from doing something nasty: to prove it, I'm going to get up right now and fetch my favorite beverage, which is a 6oz can of cranberry juice mixed with a 12oz can of Diet Coke :-)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m5@dev.tivoli.com (Mike McNally) writes:
hfinney@shell.portal.com writes:
There is a difference between a MITM and the case you describe where you are actually communicating securely with the person you think you are, but he chooses to relay the messages around.
Seems to me that the idea of "communicating with the person you think you are" is intractably difficult if you're not sitting in the same room. If you accept instead the idea of "communicating with the entity possessing the private half of a keypair" then life gets a lot simpler.
I can certainly agree with the attractive simplicity of this notion. My point is that it is practically useless. I believe this is a seductive but very wrong idea. As I said, it amounts to defining the problem away. Does that mean that the problem (of MITM attacks) never existed at all, that all of the effort that people have spent over the year to try to solve it was wasted? I am baffled by the fact that people are taking this whole notion of "communicating with keys" seriously. Keys do not communicate. One might as easily say that wiretaps are not an issue: I am not communicating with the person I called, but with the other end of the telephone wire. If that wire end is actually (unknown to me) in the hands of a government agent who has cut the wire and interposed his own listening device, that's OK, because I'm still communicating with the other end of the wire. After all, I have no way of knowing whether the person that I am talking to may actually be spreading my info to anyone, so it doesn't really make any difference if he does it or the wiretappers. Etc., etc. This is exactly like the argument about communicating with keys. Does this mean that we shouldn't worry about wiretaps? I hope not. I really don't understand why the argument is so much more persuasive in the case of keys.
The difference is that if you are actually communicating securely with an individual, you can form some estimate of his personality, judgement, etc. You may choose on this basis to trust him, provide sensitive information, take risks, and so on. But if he is actually behind a MITM then all bets are off.
I don't see why. If, via some MITM (or "EITM", "Entity In The Middle") you are able to form a trust relationship with a public key, then I can see no practical difference. Consider a dating advice service that's behind a public key. You send it dozens of letters, and soon come to trust the advice being given. By whatever means at your disposal you look for leaks of information you divulge and find none, so your trust increases. If the private key is held by an AI program, by a team of learned specialists at a shadowy Swedish research institute, or by Rush Limbaugh, then what difference does it make to you?
The difference is that I form a judgement about the personality of the person I am communicating with, whereas I can't form any such judgement about the personality of the MITM. Consider how, in life, we decide who to trust. Isn't it largely on the basis of communications? We talk to the person, we talk to other people about him, we take what we know of him, and we decide to trust him. If we suppose that there is in fact a secure channel to another person, then I suggest that it is plausible to suppose that we could enter into a trusted relationship with him, even without a face-to-face meeting. After all, what exactly does the face to face meeting accomplish? Yes, we see a little more about the person, we can judge some non-verbal communications. But it is not wholly different. We can always be wrong - the person may not be as trustworthy as we think he is. There is some probability of that which we must always keep in mind. But, and here is my main point, if a MITM is a possibility (and we're taking the attitude that that's just fine, we're communicating with keys, no problem if there's a MITM involved, don't bother to take any steps to prevent it) then these assumptions about extending trust are a lot riskier. The probability of a betrayal will be much higher if a MITM is possibly involved than if he is not. Most people do not try to betray their communicants. But if (in the worst case) all lines were tapped by men in the middle, then in fact all conversations are subject to this betrayal. As I wrote before, I don't see the difference between this situation and one where there is no security at all (at least from wiretappers).
All of your judgement about him is irrelevant. At any time the MITM can take advantage of the information you provide. He can even "blow his cover" and take extreme action, to your detriment.
But then so can the "real person" you thought you were communicating with.
Most of the time your judgement about the real person will be valid, at least with some experience. Most people are not AI's or teams of conspirators. But you have absolutely no basis to make judgements about the MITM. In fact the greater probability is that his interests are opposed to yours.
This situation with the MITM is actually about the same as if you were communicating insecurely in the first place. You are exposed to all of the same risks.
The only way to achieve the level of security offered by physical face to face communication with a person is to have a physical face to face conversation at some point. If you only ever communicate via electronic means, you are always subject to the risk of dealing with a synthetic entity. (I think.)
I don't think so, or at least the risk can be minimized much more than in the model where we just say that we're communicating with keys, therefore a MITM is perfectly legitimate because it's just a matter of who holds the keys. Suppose I want to talk to PC Magazine columnist John Dvorak. Suppose I find a VeriSign certificate for his key, with his name and employment information. I've never met him. We've never had a face to face conversation. Yet I claim I can communicate with considerable security with Dvorak using this certificate, certainly more than if I just use any old key which is lying around with his name on it, one which may be owned by a MITM.
So if you are willing to accept communicating systems that allow this kind of attack, you almost might as well not use cryptography at all. (Not quite, because the MITM is a more expensive attack to mount than one on an unsecured wire.)
That's not clear. I can have confidence when using a PK scheme that I am at least communicating securely with the entity that holds the private key. That that entity may be leaking information through alternate channels is something I don't know; I don't see how you can securely defend against that in any case, or perhaps I don't see how defending against it in the case that you think you know who you're dealing with is any different than defending against it if you accept that you don't know who you're dealing with.
(I've read over that a couple times, and I think it's OK.)
If you are in fact communicating with the person you think you are, you can use all the information you have about him (including other conversations) to judge his personality and trustworthiness. Yes, this can be mistaken - but the same thing happens in the real world. That doesn't mean that we abandon the whole idea of trust. We still can be right most of the time. However if you know that a MITM may be involved, you will be much slower to extend trust. In fact you have to act as though you have an unsecured channel.
All of your messages are by definition going to the communicatee with whom you are communicating. If the particular communicatee who is receiving your message chooses to relay it or spread the information around in other ways, that is the right and privilege of the communicatee. But messages are going to the communicatee they are going to, whether encryption is used or not. So encryption is not necessary.
Ah, but that last point is clearly *not* true. When you encrypt, you at least have some assurance that between you and the communicatee there's security. If (unfortunately) the "communicatee" is a conspiracy that begins at the CO where your home phone lines terminate, then indeed you've got a problem.
No, by definition the "communicatee" is the set of all the people who see your messages. So by definition between you and the communicatee there is security even without encryption (since no one other than the communicatee sees the message). Sophistry? The number of people who can receive your messages is no greater without encryption than if you use encryption but don't take steps against a MITM and in fact adopt a stance which states that MITM attacks don't exist.
This argument seems to mirror the one for why we only communicate with keys, that if a key wants to do something nasty we can't stop it (him?), etc. I say, we don't communicate with keys. We communicate with people (or occasionally programs).
But how do you know? (How do you know there aren't a team of people standing beside me advising me on what to type?) And note that you can hardly keep me from doing something nasty: to prove it, I'm going to get up right now and fetch my favorite beverage, which is a 6oz can of cranberry juice mixed with a 12oz can of Diet Coke :-)
I don't know for sure, but if you tell me or give me the impression over a period of time that you are keeping our conversations private, and I decide that you are honest based on our conversations and what I know about you from others, then I can make a judgement with a reasonable chance of safety. Yes, I can be mistaken. But that doesn't mean that I should abandon the whole idea of trust. Otherwise I will never trust anybody in any part of life. But preventing MITM attacks is very important to being able to extend trust in the online world. Defining them away is not a satisfactory solution. Hal
participants (7)
Adam Shostack
Duncan Frissell
Hal
Jon Lasser
m5@dev.tivoli.com
Scott Brickner
Wei Dai