Re: Diffie-Hellman and MITM
Consider setting up a secure video call with somebody, and each of you reading the hash of your DH parameter to the other. It's really hard for a MITM to fake that - but if you don't know what the other person looks or sounds like, do you know it's really them, or did you just have an unbreakably secure call with the wrong person? Whatever you deploy to define somebody should be used as the authentication channel. You are exactly as secure as you can define somebody. Your al-Qaeda coworker probably has your never-published public key. Your online-found busty and wet blonde is probably named Gordon.
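The check described in the post above, as an added example (not code from the thread): an unauthenticated Diffie-Hellman exchange, a Mallory who swaps both public values, and the transcript fingerprint each side would read aloud. The RFC 2409 group 2 prime (1024-bit MODP), the SHA-256 key derivation and the six-digit rendering are choices made for this example, not something the post specifies.

```python
"""Unauthenticated Diffie-Hellman, an active man-in-the-middle, and the check the post
describes: each side hashes the DH values it saw and the two fingerprints are compared
over a channel the attacker cannot forge (e.g. read aloud on a video call).

Added example, not code from the thread.  Group: RFC 2409 group 2 (1024-bit MODP),
used here only because it is short enough to embed; pick a larger group in practice."""
import hashlib
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # P is 1024 bits


def keygen():
    """Private exponent in [1, P-2] and the matching public value g^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(priv, peer_pub):
    """Hash the raw DH shared value into a 256-bit session key (demo KDF)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def fingerprint(pub_a, pub_b):
    """Hash over both public values, sorted so both ends compute the same string."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(lo.to_bytes(NBYTES, "big") + hi.to_bytes(NBYTES, "big")).hexdigest()


def short_sas(fp):
    """Six decimal digits of the fingerprint: what each party would actually read aloud."""
    return f"{int(fp[:8], 16) % 1_000_000:06d}"


def honest_run():
    """No attacker: the keys agree and the fingerprints Alice and Bob read out match."""
    a, A = keygen()
    b, B = keygen()
    return session_key(a, B) == session_key(b, A), fingerprint(A, B) == fingerprint(B, A)


def mitm_run():
    """Mallory swaps A for M1 on the way to Bob and B for M2 on the way to Alice.
    Returns (mallory_shares_both_keys, fingerprints_match, alice_bob_keys_match)."""
    a, A = keygen()
    b, B = keygen()
    m1, M1 = keygen()  # Mallory's value shown to Bob
    m2, M2 = keygen()  # Mallory's value shown to Alice
    k_alice = session_key(a, M2)  # Alice believes M2 is Bob's value
    k_bob = session_key(b, M1)    # Bob believes M1 is Alice's value
    mallory_both = (session_key(m2, A) == k_alice) and (session_key(m1, B) == k_bob)
    # Alice reads fingerprint(A, M2), Bob reads fingerprint(B, M1).  They differ, so the
    # MITM is caught -- provided each of them recognises the voice reading the digits.
    fp_alice = fingerprint(A, M2)
    fp_bob = fingerprint(B, M1)
    return mallory_both, fp_alice == fp_bob, k_alice == k_bob


if __name__ == "__main__":
    print("honest: keys agree, fingerprints match:", honest_run())
    print("mitm: mallory has both keys, fingerprints match, A/B keys agree:", mitm_run())
    print("example SAS Alice would read aloud:", short_sas(fingerprint(*[keygen()[1] for _ in range(2)])))
```

Running it prints both scenarios. The fingerprint comparison only becomes authentication if you know whose voice is reading the digits, which is the post's point: under attack Alice's fingerprint covers (A, M2) and Bob's covers (B, M1), so they differ, but if you cannot tell Bob's voice from Mallory's there is nothing to compare against.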
Re: Diffie-Hellman and MITM
hi,
Thanks Mark, I was also wondering along the lines of hash functions too; I too don't see how it works securely. Nor does the interlock protocol look secure to me.
Regards
Data.

--- Marcel Popescu [EMAIL PROTECTED] wrote:
> > From: gfgs pedo [EMAIL PROTECTED]
> > One solution suggested against the man in the middle attack is using the interlock protocol
>
> This is the one I vaguely recalled, thank you.
>
> > All Mallory would have to do is send the half of the (n th) packet when he receives the half of the (n+1)th packet, since the 1st packet was faked by Mallory.
>
> Interesting attack... assuming that a one-block delay doesn't look suspicious.
>
> What if every message except the very first one has a hash of the previously received message?
>
> A -> (M ->) B: half 1 of message A1
> B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
> A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
> B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
> A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
> ... and so on
>
> Nah... won't work; since M captures A1 and B1, he can compute the hashes for both the initial bogus message and the (delayed) genuine ones. Same if they try hashing all the previous messages.
>
> What if they send the hash of the *other* half? (The program splitting the messages already has the full ones.)
>
> A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
> B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
> A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
> B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
> ... and so on
>
> Nope, no good... M fakes the first message in both directions, and then he always has a good one, so he can compute the hashes.
>
> The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...
>
> Thanks,
> Mark
Re: Diffie-Hellman and MITM
> From: gfgs pedo [EMAIL PROTECTED]
> One solution suggested against the man in the middle attack is using the interlock protocol

This is the one I vaguely recalled, thank you.

> All Mallory would have to do is send the half of the (n th) packet when he receives the half of the (n+1)th packet, since the 1st packet was faked by Mallory.

Interesting attack... assuming that a one-block delay doesn't look suspicious.

What if every message except the very first one has a hash of the previously received message?

A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
... and so on

Nah... won't work; since M captures A1 and B1, he can compute the hashes for both the initial bogus message and the (delayed) genuine ones. Same if they try hashing all the previous messages.

What if they send the hash of the *other* half? (The program splitting the messages already has the full ones.)

A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on

Nope, no good... M fakes the first message in both directions, and then he always has a good one, so he can compute the hashes.

The only thing that might, as far as I can see, succeed (with a high probability) would be for everyone to hash the *next* half - meaning that, together with half 2 of message N, there will be the hash of half one of message N + 1. However, I don't see how this would be possible for an interactive communication...

Thanks,
Mark
Re: Diffie-Hellman and MITM
hi,
If there is no previous shared secret, then your communication on an insecure network is susceptible to the man-in-the-middle attack. One solution suggested against the man-in-the-middle attack is using the interlock protocol.

Interlock Protocol
It is used to foil a man-in-the-middle attack:
1: Alice sends Bob her public key.
2: Bob sends Alice his public key.
3: Alice encrypts her message with Bob's public key. She sends half of the encrypted message to Bob.
4: Bob encrypts his message using Alice's public key. He sends half of the encrypted message to Alice.
5: Alice sends the other half of the encrypted message to Bob.
6: Bob puts the 2 halves of Alice's message together & decrypts it with his private key. Bob sends the other half of the message to Alice.
7: Alice puts the 2 halves of Bob's message together & decrypts it with her private key.

Here Mallory can still substitute his own public key for Alice's & Bob's. Now when he intercepts half of Alice's message, he cannot decrypt it with his private key & re-encrypt it with Bob's public key. He must invent a completely new message & send half of it to Bob. When he intercepts half of Bob's message to Alice, he has the same problem. He cannot decrypt with his private key & re-encrypt with Alice's public key. By the time the second half of the message of Alice & Bob arrives, it's already too late to change the new message he invented. The conversation between Alice & Bob needs to be completely different. However, if Mallory can mimic Alice & Bob, they might not realise that they are being duped & he may get away with his scheme.

Here is what I think. It is not compulsory that all the blocks of messages must be invented by Mallory. He only needs to make the first full message for Alice and send it to Bob & vice versa.

ok, eg:
1: Alice sends Bob part of the 1st block.
2: Mallory makes the 1st half on his own and sends it to Bob & keeps Alice's message.
3: Now Bob sends his first half of the message.
4: Mallory intercepts it and makes his own message and sends it to Alice.
5: Again Bob sends Alice the other half of the msg, which Mallory intercepts & substitutes his own 2nd part of his block.
6: The same happens when Bob sends the second half of his message to Alice; Mallory intercepts it and sends his own 2nd block to Alice.

Since he has sent one full block to each & has the full block of Alice's and Bob's true messages, Mallory can now split it in half and complete the protocol, i.e., since the 1st packet is fake, he has the true packets of Alice & Bob & can complete the protocol. All Mallory would have to do is send the half of the (n th) packet when he receives the half of the (n+1)th packet, since the 1st packet was faked by Mallory. So I don't think the interlock protocol will work in this case. That's how I understand it. Am I not right?
Regards
Data.

--- Mike Rosing [EMAIL PROTECTED] wrote:
> On Fri, 28 Jun 2002, Marcel Popescu wrote:
>
> > Well... I assume an active MITM (like my ISP). He's able to intercept my public key request and change it. Plus, I now realize I should have put an even harder condition - no previously shared *information*, even if it's public. I need to know if two complete strangers can communicate securely over an insecure network, even if they communicate through an untrusted party. Wasn't there a protocol for two prisoners communicating through an untrusted guard?
>
> Can't be done. You must have multiple channels, and you need to hope that all of them can't be spoofed. A phone call, a newspaper ad, a billboard, a satellite link: any one of them might be spoofed. But to spoof *all* of them would be very hard. If you use some kind of security-by-obscurity method, you can do something once. But for general security, it's not possible to just go via the net without an out-of-band check.
>
> A public posting of the key id is a pretty safe way for a large company or organization. A .sig with your key id is another good way; it leaves traces all over the net for a long time. The point is that you have to leave some kind of trace that's checkable via an effective alternate channel. Otherwise, the MITM wins.
>
> Patience, persistence, truth,
> Dr. mike
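The seven-step protocol and the delayed-relay attack from the post above, as an added example that is not code from the thread. The public-key box (an ElGamal-style hybrid: ephemeral DH share plus a SHA-256 keystream over the RFC 2409 1024-bit group), the way the ciphertext is split, and the sample messages are all constructed for this example. `interlock_honest` runs the protocol with no attacker; `interlock_mitm` runs it with Mallory having substituted his own public key in both directions, inventing only the opening message each way and thereafter relaying each genuine message one round late.

```python
"""The interlock protocol (steps 1-7 from the post) and the attack from the reply:
Mallory substitutes his own public key in both directions, invents only the *first*
message each way, and from then on relays each genuine message one round late.

Added example, not code from the thread.  Public-key encryption is modelled as an
ElGamal-style hybrid box (ephemeral DH share + SHA-256 keystream) over the RFC 2409
group 2 prime; demo-sized and deliberately unauthenticated, the setting the thread
discusses."""
import hashlib
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # P is 1024 bits


def keygen():
    """Private exponent in [1, P-2] and public value g^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def keystream(shared, n):
    """SHA-256 in counter mode keyed by the DH shared value (demo KDF)."""
    key = shared.to_bytes(NBYTES, "big")
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def pk_encrypt(pub, msg):
    """Fresh ephemeral share e; ciphertext = g^e || (msg XOR KS(pub^e))."""
    e, epub = keygen()
    ks = keystream(pow(pub, e, P), len(msg))
    return epub.to_bytes(NBYTES, "big") + bytes(x ^ y for x, y in zip(msg, ks))


def pk_decrypt(priv, ct):
    epub = int.from_bytes(ct[:NBYTES], "big")
    body = ct[NBYTES:]
    return bytes(x ^ y for x, y in zip(body, keystream(pow(epub, priv, P), len(body))))


def halves(ct):
    """Interlock split: neither half is decryptable on its own."""
    mid = len(ct) // 2
    return ct[:mid], ct[mid:]


def interlock_honest(a_msgs, b_msgs):
    """Steps 1-7 repeated for each pair of messages, no attacker."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    a_got, b_got = [], []
    for ma, mb in zip(a_msgs, b_msgs):
        ca1, ca2 = halves(pk_encrypt(b_pub, ma))    # steps 3 and 5
        cb1, cb2 = halves(pk_encrypt(a_pub, mb))    # steps 4 and 6
        b_got.append(pk_decrypt(b_priv, ca1 + ca2))  # step 6
        a_got.append(pk_decrypt(a_priv, cb1 + cb2))  # step 7
    return a_got, b_got


def interlock_mitm(a_msgs, b_msgs,
                   fake_to_bob=b"hi Bob, Alice here", fake_to_alice=b"hi Alice, Bob here"):
    """The attack from the post.  Returns (what Alice decrypts, what Bob decrypts)."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    # Steps 1-2 under attack: both Alice and Bob receive Mallory's public key.
    a_got, b_got = [], []
    next_to_bob, next_to_alice = fake_to_bob, fake_to_alice
    for ma, mb in zip(a_msgs, b_msgs):
        ca1, ca2 = halves(pk_encrypt(m_pub, ma))    # Alice encrypts to "Bob" = Mallory
        cb1, cb2 = halves(pk_encrypt(m_pub, mb))    # Bob encrypts to "Alice" = Mallory
        # Mallory must commit to his outgoing text before the second halves arrive, so it
        # is either the invented opener or the genuine message from the previous round.
        mb1, mb2 = halves(pk_encrypt(b_pub, next_to_bob))
        ma1, ma2 = halves(pk_encrypt(a_pub, next_to_alice))
        # Steps 3/4: first halves cross (ca1 and cb1 are useless to Mallory alone).
        # Steps 5/6: second halves cross; Bob and Alice reassemble Mallory's ciphertexts.
        b_got.append(pk_decrypt(b_priv, mb1 + mb2))
        a_got.append(pk_decrypt(a_priv, ma1 + ma2))
        # Only now does Mallory hold both halves of this round's genuine texts.
        next_to_bob = pk_decrypt(m_priv, ca1 + ca2)
        next_to_alice = pk_decrypt(m_priv, cb1 + cb2)
    return a_got, b_got


if __name__ == "__main__":
    A = [b"A1: meet at noon", b"A2: bring the docs", b"A3: bye"]   # constructed sample
    B = [b"B1: ok", b"B2: which docs?", b"B3: bye"]
    print("honest:", interlock_honest(A, B))
    print("mitm:  ", interlock_mitm(A, B))
```

With the sample messages, Bob's decrypted transcript comes out as [fake, A1, A2] and Alice's as [fake, B1, B2]: the interlock forces Mallory to commit to an opening message blind, but nothing afterwards prevents the one-round shift the post describes, and since every genuine message was encrypted to Mallory's key he reads all of them too.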
Re: Diffie-Hellman and MITM
On Thu, 27 Jun 2002, Marcel Popescu wrote:

> Is there a defense against MITM for Diffie-Hellman? Is there another protocol with equivalent properties, with such a defense? (Secure communications between two parties, with no shared secret and no out-of-band abilities, on an insecure network.)

What do you mean by no shared secret? The point of DH is that you get a shared secret. Check out the MQV protocol for MITM defense and forward secrecy. It uses permanent public keys and ephemeral public keys for each session. In any protocol, the out-of-band check of the public keys is still a good thing.

Patience, persistence, truth,
Dr. mike