Ian Grigg [EMAIL PROTECTED]:
I agree. As a side note, I think it is probably
a good idea for TLS to deprecate ADH, simply
because self-signed certs are more or less
equivalent, and by unifying the protocol around
certificates, it reduces some amount of complexity
without major loss of
Tim Dierks [EMAIL PROTECTED]:
Ian Grigg [EMAIL PROTECTED]:
Steven M. Bellovin:
What's your threat model? Self-signed certs are no better than ADH
against MITM attacks.
I agree. As a side note, I think it is probably
a good idea for TLS to deprecate ADH, simply
because self-signed certs
At 03:38 PM 10/6/03 -0400, Ian Grigg wrote:
I'm asking myself whether anonymous DH is confusingly named.
Perhaps it should be called pseudonymous DH because it creates
pseudonyms for the life of the session? Or, we need a name
that describes the creation of pseudonyms, de novo, from
an anonymous
[Using multiple channels on the assumption that the MITM can't always get all
of them.]
This is starting to sound like some very old work - to which I don't have a
reference - on what was called the wiretap channel. Basic idea: Alice and
Bob wish to talk; Carol can listen in to everything, but
On Sat, 4 Oct 2003, Benja Fallenstein wrote:
Does it work?
Assume A() is Alice's series, B() is Bob's, MA() is the one Mitch uses
with Alice, MB() the one Mitch uses with Bob.
- Mitch sends first half of cyphertext of MA(1000) (to Alice)
- Alice sends first half of cyphertext of her move +
I'm lost in a twisty page of MITM passages, all alike.
My point was that in an anonymous protocol, for Alice to communicate with
Mallet is equivalent to communicating with Bob, since the protocol is
anonymous: there is no distinction. All the concept of MITM is intended to
convey is that in an
On Fri, 3 Oct 2003, Benja Fallenstein wrote:
bear wrote:
Why should this not be applicable to chess? There's nothing to
prevent the two contestants from making nonce transmissions twice a
move when it's not their turn.
I.e., you would need a protocol extension to verify the nonces
| From: Tim Dierks [EMAIL PROTECTED]
|
| I'm lost in a twisty page of MITM passages, all alike.
|
| My point was that in an anonymous protocol, for Alice to communicate with
| Mallet is equivalent to communicating with Bob, since the protocol is
| anonymous: there is no distinction. All the
(about the Interlock Protocol)
Benja wrote:
The basic idea is that Alice sends *half* of her ciphertext, then Bob
*half* of his, then Alice sends the other half and Bob sends the other
half (each step is started only after the previous one was completed).
The point is that having only
bear wrote:
On Fri, 3 Oct 2003, Benja Fallenstein wrote:
bear wrote:
Why should this not be applicable to chess? There's nothing to
prevent the two contestants from making nonce transmissions twice a
move when it's not their turn.
I.e., you would need a protocol extension to verify the nonces
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf. Where was it published?
R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM,
27:393-395, April 1984.
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote:
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf. Where was it published?
R. L. Rivest and A. Shamir. How to expose an
eavesdropper. Communications of the ACM, 27:393-395, April 1984.
Ah.
- Original Message -
From: Tim Dierks [EMAIL PROTECTED]
I think it's a tautology: there's no such thing as MITM if there's no such
thing as identity. You're talking to the person you're talking to, and
that's all you know.
That seems to make sense. In anonymity providing systems
Hi,
bear wrote:
starting with Rivest Shamir's Interlock Protocol from 1984.
Hmmm. I'll go read, and thanks for the pointer.
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf. Where was it published?
Communications of the ACM: Rivest and
Shamir, How to
Hi --
bear wrote:
On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote:
R. L. Rivest and A. Shamir. How to expose an
eavesdropper. Communications of the ACM, 27:393-395, April 1984.
Ah. Interesting, I see. It's an interesting application of a
bit-commitment scheme.
Ok, so my other mail came far too
| Date: Fri, 3 Oct 2003 10:14:42 -0400
| From: Anton Stiglic [EMAIL PROTECTED]
| To: Cryptography list [EMAIL PROTECTED],
| Tim Dierks [EMAIL PROTECTED]
| Subject: Re: anonymous DH MITM
|
|
| - Original Message -
| From: Tim Dierks [EMAIL PROTECTED]
|
|
| I think it's a tautology
In message [EMAIL PROTECTED], Benja Fallenstein writes:
Hi,
bear wrote:
starting with Rivest Shamir's Interlock Protocol from 1984.
Hmmm. I'll go read, and thanks for the pointer.
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf. Where was it
- Original Message -
From: Jerrold Leichter [EMAIL PROTECTED]
[...]
| I think it's a tautology: there's no such thing as MITM if there's no such
| thing as identity. You're talking to the person you're talking to, and
| that's all you know.
|
| That seems to make sense
No;
| From: Anton Stiglic [EMAIL PROTECTED]
| From: Jerrold Leichter [EMAIL PROTECTED]
| No; it's false. If Alice and Bob can create a secure channel between
| themselves, it's reasonable to say that they are protected from MITM
| attacks if they can be sure that no third party can read their
| Date: Fri, 03 Oct 2003 17:27:36 -0400
| From: Tim Dierks [EMAIL PROTECTED]
| To: Jerrold Leichter [EMAIL PROTECTED]
| Cc: Cryptography list [EMAIL PROTECTED]
| Subject: Re: anonymous DH MITM
|
| At 03:28 PM 10/3/2003, Jerrold Leichter wrote:
| From: Tim Dierks [EMAIL PROTECTED]
| | No; it's
Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Ian Grigg writes:
M Taylor wrote:
MITM is a real and valid threat, and should be
considered. By this motive, ADH is not a recommended
mode in TLS, and is also deprecated.
Ergo, your threat model must include MITM, and you
will
On Wed, 1 Oct 2003, Ian Grigg wrote:
M Taylor wrote:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
Ah, there's the rub. ADH does not protect against
MITM, as far as I am aware.
DH is an open
Bear wrote:
DH is an open protocol; it doesn't rely on an initial shared
secret or a Trusted Authority.
There is a simple proof that an open protocol between anonymous
parties is _always_ vulnerable to MITM.
Put simply, in an anonymous protocol, Alice has no way of knowing
whether she
bear wrote:
You can have anonymous protocols that aren't open be immune to MITM
True.
And you can have open protocols that aren't anonymous be immune to
MITM.
True.
But you can't have both.
False. In fact, it is possible to prove the existence of at least one open and
anonymous
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
and it would seem TLS would be wide open to abuse without MITM protection so
I cannot imagine it would be acceptable practice without some form of
M Taylor [EMAIL PROTECTED] writes:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
and it would seem TLS would be wide open to abuse without MITM protection so
I cannot imagine it would be
At 07:06 PM 10/1/2003, M Taylor wrote:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
and it would seem TLS would be wide open to abuse without MITM protection so
I cannot imagine it would be acceptable
M Taylor wrote:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
Ah, there's the rub. ADH does not protect against
MITM, as far as I am aware.
and it would seem TLS would be wide open to abuse
On Thu, Oct 02, 2003 at 12:06:40AM +0100, M Taylor wrote:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks?
No, it doesn't.
If so, how? I cannot figure out how it would,
and it would seem TLS would be wide open to abuse without MITM protection
Tim Dierks [EMAIL PROTECTED] writes:
It does not, and most SSL/TLS implementations/installations do not support
anonymous DH in order to avoid this attack.
Uhh, I think that implementations don't support DH because the de facto
standard is RSA, not because of any concern about MITM (see below).
At 10:37 PM 10/1/2003, Peter Gutmann wrote:
Tim Dierks [EMAIL PROTECTED] writes:
It does not, and most SSL/TLS implementations/installations do not support
anonymous DH in order to avoid this attack.
Uhh, I think that implementations don't support DH because the de facto
standard is RSA, not