1995-10-10 - Man in the Middle Revisited (but not for the last time)

Header Data

From: tcmay@got.net (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: 3153850f41b261ebe6cb904017e97340fb5f4e8fb410416ef41051efd815c760
Message ID: <ac9ec6b5070210049d4b@[205.199.118.202]>
Reply To: N/A
UTC Datetime: 1995-10-10 01:14:27 UTC
Raw Date: Mon, 9 Oct 95 18:14:27 PDT

Raw message

From: tcmay@got.net (Timothy C. May)
Date: Mon, 9 Oct 95 18:14:27 PDT
To: cypherpunks@toad.com
Subject: Man in the Middle Revisited (but not for the last time)
Message-ID: <ac9ec6b5070210049d4b@[205.199.118.202]>
MIME-Version: 1.0
Content-Type: text/plain


At 7:03 PM 10/9/95, Hal wrote:
>tcmay@got.net (Timothy C. May) writes:
>>For communication, the only credential Alice needs to ensure that only Bob
>>can read her message is that she uses Bob's public key. If "Bob the Key"
>>reads it, presumably it was "Bob the Person" who read it.
>
>>(Again, Bob the Key = Bob the Person to many of us. If Bob the Person has
>>let his private key out, so that Chuck the Person is also able to read the
>>Bob the Key stuff, etc., then of course cryptography cannot really handle
>>this situtation.)
>
>OK, but again, what about the man in the middle attack?  Suppose the
>key that you found that claims to be from Bob is actually not his, but
>another one created by a man in the middle, such as Bob's malicious
>ISP?  Then that ISP is decrypting the messages Alice sends to him using
>that fake key, and re-encrypting them using Bob's real key.  He is
>reading all of the messages, and Alice and Bob do not in fact have
>communications privacy.

There are many, many people on the list that I know only from their posts
and their public keys (not that I'm a heavy user of PGP as some of you are,
though some of you I have dealt with via PGP messages).

I don't know if "Carl Ellison the Key" is "really" the same Carl Ellison
that Carl Ellison the Key claims to be...you see the semantic difficulties.


What I know is that the Carl Ellison who sends me PGP message and who
appears to be working at TIS is not publically disputing messages sent by
an MITM attacker. (True, the MITM could be only targetting _me_, and so the
"real" Carl Ellison could be unaware that the "fake" MITM Carl Ellison is
masquerading as him.)

But if I really care I can post a public channel (the CP list, for example)
query, encrypted to the known public key (used in many past posts, for
example) of "Carl Ellison the Key," asking if he sent the message to me.

To put it bluntly, all I really care about is _persistent_ key-holding,
i.e., that the person who began posting with a given key is still using the
same key. Or, rather, I don't even care if the keyholder "Pr0duct Cypher"
is actually a person, or a Bourbaki-style committee--I only care that
messages purporting to be from Pr0duct Cypher or Black Unicorn or Carl
Ellison are still using the same key.

Who any of these entities "really" are is irrelevant to me. (I don't even
know if Hal Finney, who I met once a few years ago, is the "real" Hal
Finney, nor do I really care.)


>I don't want to overstate the risk of this attack.  It would not be an
>easy one to mount and I believe there are countermeasures which could
>detect it unless the MITM had nearly supernatural powers.  But the MITM
>attack is normally considered seriously in discussing crypto protocols.
>It is a well known weakness in Diffie-Hellman, for example.  That is why
>authenticated Diffie Hellman is used in some of the newly proposed key
>exchange protocols for IP.  The risks of MITM attacks on public key
>systems was recognized not long after those systems were proposed.  The
>problems with fake keys have been discussed for over a decade.
>
>Why is this all suddenly irrelevant?  Were these attacks never realistic?
>Is it just not a problem somehow?  I am baffled by the fact that people
>are just turning their backs on all these years of research and
>experience.  If this is some kind of paradigm shift in which the idea of
>communicating with keys is seen as the key to the puzzle, then I am
>afraid I don't share the enlightenment.  To me the problem seems as real
>as ever.

Well, I'm not saying the work is unimportant. What I'm saying--and I think
others are too--is that there is no crisis that calls for "certificate
authorities" to provide "proof" that a keyholder is who he says he is.

I'm happy continuing to trust that people are who I once they thought they
were, by their signatures and their apparent ability to read messages
encrypted to their public key. If in fact I am dealing with body-snatchers
who actually infiltrated the identity of "Carl Ellison" and are able to act
as him, so what?

I never met the "real" Carl Ellison, so who cares if Carl Ellison the Key
is really Carl Ellison the Biological Entity who Grew up in Foobar,
Pennsylvania and Graduated from Bobby Ray Inman H.S. in 1975?

That's all. If people want to work on credentials and similar certificate
processes, that's great.

But I'm saying I see no compelling need _for myself_ and will strongly
argue against some of the reasoning we are hearing about why certificates
need to be issued. (Because I have also read the Postal Service proposals
that they get into the business of certification of e-mail in various ways,
and because of the various other schemes being discussed which seem less
than voluntary.)

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."







Thread