1995-10-06 - Re: subjective names and MITM

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: a129a975edb6ec1c00ae440f88164a8eef9a84ecf99599887e1aa360ac9a7a10
Message ID: <199510061433.HAA04187@jobe.shell.portal.com>
Reply To: <Pine.SUN.3.91.951005111048.24409B-100000@eskimo.com>
UTC Datetime: 1995-10-06 14:34:50 UTC
Raw Date: Fri, 6 Oct 95 07:34:50 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Fri, 6 Oct 95 07:34:50 PDT
To: cypherpunks@toad.com
Subject: Re: subjective names and MITM
In-Reply-To: <Pine.SUN.3.91.951005111048.24409B-100000@eskimo.com>
Message-ID: <199510061433.HAA04187@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain

m5@dev.tivoli.com (Mike McNally) writes:

>hfinney@shell.portal.com writes:
> > There is a difference between a MITM and the case you describe where you
> > are actually communicating securely with the person you think you are,
> > but he chooses to relay the messages around.  

>Seems to me that the idea of "communicating with the person you think
>you are" is intractably difficult if you're not sitting in the same
>room.  If you accept instead the idea of "communicating with the
>entity possessing the private half of a keypair" then life gets a lot

I can certainly agree with the attractive simplicity of this notion.  My
point is that it is practically useless.  I believe this is a seductive
but very wrong idea.  As I said, it amounts to defining the problem away.
Does that mean that the problem (of MITM attacks) never existed at all,
that all of the effort that people have spent over the year to try to
solve it was wasted?  I am baffled by the fact that people are taking
this whole notion of "communicating with keys" seriously.  Keys do not

One might as easily say that wiretaps are not an issue: I am not
communicating with the person I called, but with the other end of the
telephone wire.  If that wire end is actually (unknown to me) in the
hands of a government agent who has cut the wire and interposed his own
listening device, that's OK, because I'm still communicating with the
other end of the wire.  After all, I have no way of knowing whether the
person that I am talking to may actually be spreading my info to
anyone, so it doesn't really make any difference if he does it or the
wiretappers.  Etc., etc.  This is exactly like the argument about
communicating with keys.  Does this mean that we shouldn't worry about
wiretaps?  I hope not.  I really don't understand why the argument is
so much more persuasive in the case of keys.

> >                                               The difference is that if
> > you are actually communicating securely with an individual, you can form
> > some estimate of his personality, judgement, etc.  You may choose on this
> > basis to trust him, provide sensitve information, take risks, and so on.
> > But if he is actually behind a MITM then all bets are off. 

>I don't see why.  If, via some MITM (or "EITM", "Entity In The
>Middle") you are able to form a trust relationship with a public key,
>then I can see no practical difference.  Consider a dating advice
>service that's behind a public key.  You send it dozens of letters,
>and soon come to trust the advice being given.  By whatever means at
>your disposal you look for leaks of information you divulge and find
>none, so your trust increases.  If the private key is held by an AI
>program, by a team of learned specialists at a shadowy Swedish
>research institute, or by Rush Limbaugh, then what difference does it
>make to you?

The difference is that I form a judgement about the personality of the
person I am communicating with, whereas I can't form any such judgement
about the personality of the MITM.  Consider how, in life, we decide who
to trust.  Isn't it largely on the basis of communications?  We talk to
the person, we talk to other people about him, we take what we know of
him, and we decide to trust him.  If we suppose that there is in fact a
secure channel to another person, then I suggest that it is plausible to
suppose that we could enter into a trusted relationship with him, even
without a face-to-face meeting.  After all, what exactly does the face to
face meeting accomplish?  Yes, we see a little more about the person, we
can judge some non-verbal communications.  But it is not wholly

We can always be wrong - the person may not be as trustworthy as we think
he is.  There is some probability of that which we must always keep in
mind.  But, and here is my main point, if a MITM is a possibility (and
we're taking the attitude that that's just fine, we're communicating with
keys, no problem if there's a MITM involved, don't bother to take any
steps to prevent it) then these assumptions about extending trust are a
lot riskier.  The probability of a betrayal will be much higher if a MITM
is possibly involved than if he is not.  Most people do not try to betray
their communicants.  But if (in the worst case) all lines were tapped by
men in the middle, then in fact all conversations are subject to this
betrayal.  As I wrote before, I don't see the difference between this
situation and one where there is no security at all (at least from

> > All of your judgement about him is irrelevant.  At any time the
> > MITM can take advantage of the information you provide.  He can
> > even "blow his cover" and take extreme action, to your detriment.

>But then so can the "real person" you thought you were communicating

Most of the time your judgement about the real person will be valid, at
least with some experience.  Most people are not AI's or teams of
conspirators.  But you have absolutely no basis to make judgements about
the MITM.  In fact the greater probability is that his interests are
opposed to yours.

> > This situation with the MITM is actually about the same as if you were
> > communicating insecurely in the first place.  You are exposed to all of
> > the same risks.

>The only way to achieve the level of security offered by physical face
>to face communication with a person is to have a physical face to face
>conversation at some point.  If you only ever communicate via
>electronic means, you are always subject to the risk of dealing with a
>synthetic entity.  (I think.)

I don't think so, or at least the risk can be minimized much more than in
the model where we just say that we're communicating with keys, therefore
a MITM is perfectly legitimate because it's just a matter of who holds
the keys.  Suppose I want to talk to PC Magazine columnist John Dvorak.
Suppose I find a VeriSign certificate for his key, with his name and
employment information.  I've never met him.  We've never had a face to
face conversation.  Yet I claim I can communicate with considerable
security with Dvorak using this certificate, certainly more than if I
just use any old key which is lying around with his name on it, one which
may be owned by a MITM.

> > So if you are willing to accept communicating systems that allow this
> > kind of attack, you almost might as well not use cryptography at all.
> > (Not quite, because the MITM is a more expensive attack to mount than one
> > on an unsecured wire.)

>That's not clear.  I can have confidence when using a PK scheme that I
>am at least communicating securely with the entity that holds the
>private key.  That that entity may be leaking information through
>alternate channels is something I don't know; I don't see how you can
>securely defend against that in any case, or perhaps I don't see how
>defending against it in the case that you think you know who you're
>dealing with is any different than defending against it if you accept
>that you don't know who you're dealing with.

>(I've read over that a couple times, and I think it's OK.)

If you are in fact communicating with the person you think you are, you
can use all the information you have about him (including other
conversations) to judge his personality and trustworthiness.  Yes, this
can be mistaken - but the same thing happens in the real world.  That
doesn't mean that we abandon the whole idea of trust.  We still can be
right most of the time.  However if you know that a MITM may be involved,
you will be much slower to extend trust.  In fact you have to act as
though you have an unsecured channel.

> > All of your messages are by definition going to the communicatee
> > with whom you are communicating.  If the particular communicatee
> > who is receiving your message chooses to relay it or spread the
> > information around in other ways, that is the right and privilege
> > of the communicatee.  But messages are going to the communicatee
> > they are going to, whether encryption is used or not.  So
> > encryption is not necessary. 

>Ah, but that last point is clearly *not* true.  When you encrypt, you
>at least have some assurance that between you and the communicatee
>there's security.  If (unfortunately) the "comminicatee" is a
>conspiracy that begins at the CO where your home phone lines
>terminate, then indeed you've got a problem.

No, by definition the "communicatee" is the set of all the people who
see your messages.  So by definition between you and the communicatee
there is security even without encryption (since no one other than the
communicatee sees the message).  Sophistry?  The number of people who can
receive your messages is no greater without encryption than if you use
encryption but don't take steps against a MITM and in fact adopt a stance
which states that MITM attacks don't exist.

> > This argument seems to mirror the one for why we only communicate with
> > keys, that if a key wants to do something nasty we can't stop it (him?),
> > etc.  I say, we don't communicate with keys.  We communicate with people
> > (or occasionally programs).

>But how do you know?  (How do you know there aren't a team of people
>standing beside me advising me on what to type?)  And note that you
>can hardly keep me from doing something nasty: to prove it, I'm going
>to get up right now and fetch my favorite beverage, which is a 6oz can
>of cranberry juice mixed with a 12oz can of Diet Coke :-)

I don't know for sure, but if you tell me or give me the impression over
a period of time that you are keeping our conversations private, and I
decide that you are honest based on our conversations and what I know
about you from others, then I can make a judgement with a reasonable
chance of safety.  Yes, I can be mistaken.  But that doesn't mean that I
should abandon the whole idea of trust.  Otherwise I will never trust
anybody in any part of life.  But preventing MITM attacks is very
important to being able to extend trust in the online world.  Defining
them away is not a satisfactory solution.