From: don@cs.byu.edu
To: cypherpunks@toad.com
Message Hash: 61b8517a2e116fa4d2f805bc671c0dbe2ee57cd9c16f93a783be326a0d6dfe39
Message ID: <199510110408.WAA00256@wero.byu.edu>
Reply To: N/A
UTC Datetime: 1995-10-11 06:59:21 UTC
Raw Date: Tue, 10 Oct 95 23:59:21 PDT
From: don@cs.byu.edu
Date: Tue, 10 Oct 95 23:59:21 PDT
To: cypherpunks@toad.com
Subject: MITM garbage
Message-ID: <199510110408.WAA00256@wero.byu.edu>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Scott Brickner writes:
>By "successful" I mean communicating without the MITM *interfering*.
>Either the parties need to exchange a symmetric key without the MITM
>eavesdropping, or exchange asymmetric keys without the MITM modifying
>them.
First of all, I think this "you can't prove there's no MITM, so might as
well not use crypto at all" stuff that some people believe is garbage.
Once you've successfully gotten your key out, Mitch can't expect to mount
an effective MITM attack "against" you. [isolating someone else from you
is a different story] In fact, Mitch can't really MITM anyone who has any
kind of cryptocontact with the general public. Obtaining a single
non-mitch public key cuts the attack down the middle. Being able to get
your key out without it being intercepted also foils the attack, since one
there is suspicion of a MITM attack, people are going to investigate. You
can't erase crypographic evidence of MITM activity, either. So, once your
keys are actually "out there", you can no longer be effectively attacked
without leaving messy trails here or there.
The other problem, of course, is how do you know you haven't already been
MITM'd. You don't. You can't, unless you expose it by publishing your key
to someone though a channel that can't be D.O.S.'d. Publishing a hash/sig of
future posts is not terribly practical, because not only does the hash/sig
have to be expected beforehand but what the hash is for has to be known as
well. If I publish a detached signature of something (could be my key, or
might not be) then Mitch will just have to make something up, make a sig
for it, and publish THAT.
Posting the source code to RC5, for example, after sending out a hash
first means that Mitch will have to send out whatever it was he hashed in
place of my hash, and then make HIS hash of RC5 code, then quickly follow
up with the actual code that I was kind enough to mail to him. And since
Medussa is by definition "in the middle" I don't ever realize that any of
that happened. I suppose the "overloading the processors" works well if
you can be sure you've overloaded it, which means not only that you know
already what Mitch's power is, but you know of someone else (a group
perhaps) that has even MORE power, such that Mitch will stick out in the
timing.
So, if you ask me, none of _those_ methods are very trustworthy considering
the resources you have to have already assigned to Mitch - after all,
keeping a 24 hour Medussawatch on you and your whole ISP is tough work.
Going _through_ Mitch is not easy.
>The chance of failure is minimized by diversity in the channels used to
>try to bypass the MITM.
I agree-On the other hand, it's not terribly difficult to go _around_
Mitch. I mean, just how many of the following things has Mitch done:
Watch all the ISP's in town and all the phone lines you can use to call
them. Filter your work/school ISPs. Filter all your net-using neighbors,
co-workers, and friends' accounts. etc. All it takes is to get one
non-Mitch public key.
Of course, once the MITM gig is up, the option of locking you in a room
since 1983 will make Mitch the "new you", meaning there is no longer a
middle. (Fortunately, though, Bob was MITM'ing Mitch at the same time,
and now you're both out of the loop and Bob has the goods now, cuz what's
Mitch gonna do about it?)
>you can't afford a failure, you *do* need a channel over which you have
>nearly complete control. The simplest such channel is a physical
>meeting, during which you exchange public keys. If the MITM threat is
How do you know you're not giving your key to Mitch. And how do you know
that Mitch isn't headed over to Alice's later on to pretend to be you and
give Alice "your" key?
Don "Medussa for short"
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQB1AwUBMHtC+sLa+QKZS485AQEEmwL+NbEoXoeJPEBKGFev8gLWBCIoniyXS4o5
YyyGnkfTjsc/DimbU15z++d/fcihUzwK/dLKBXub3fdxcna9m9YyLNEdo8QyhPNb
/Wp6PKq9SdfMb6uCzgoVwg7PrtTZzZEe
=jN+h
-----END PGP SIGNATURE-----
<don@cs.byu.edu> fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://bert.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed. Junk mail to root@127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *
Return to October 1995
Return to “Scott Brickner <sjb@universe.digex.net>”