From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: f2b6cbee8318ace29d1cfad052786114fc09eb0e51d7eb0420cc645004b896b3
Message ID: <199510121404.HAA07082@jobe.shell.portal.com>
Reply To: <199510112222.SAA21067@universe.digex.net>
UTC Datetime: 1995-10-12 14:05:56 UTC
Raw Date: Thu, 12 Oct 95 07:05:56 PDT
From: Hal <hfinney@shell.portal.com>
Date: Thu, 12 Oct 95 07:05:56 PDT
To: cypherpunks@toad.com
Subject: Re: MITM evasion MITM evasion
In-Reply-To: <199510112222.SAA21067@universe.digex.net>
Message-ID: <199510121404.HAA07082@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
Scott Brickner <sjb@universe.digex.net> writes:
>I see two general categories of MITM attacks. In one case, Mitch wants
>to eavesdrop on Alice and Bob, but doesn't really care about other
>communication they do. In the other, Mitch wants to know about all of
>Alice's communications, regardless of with whom they are.
>Public key cryptography turns the first case into two instances of the
>second. If Mitch doesn't control all of both Alice and Bob's
>communications with everyone, the will eventually discover that the key
>they're using for the other isn't the same one everyone else uses.
This is true, but it doesn't mean that the threat can be neglected. A
successful MITM attack may be a matter of reading even one message and
acting on it, if the participants don't find out until later that they
were robbed. In fact, they might not ever notice that they key they
used Tuesday was different from the key they used Thursday, if they
didn't cache the keys. (Yes, PGP does store the keys in a local key ring
cache but not all systems will necessarily work that way.)
>In the second MITM model, Mitch has an unbelievable task. Any public
>key that goes from Alice to anyone else, or vice versa, must be
>substituted with one Mitch holds. Any messages *about* public keys
>must be transformed into messages about the corresponding MITM keys.
>This includes telephone conversations where Alice and Bob exchange
>keyids, the business card Eve has printed with her keyid and gives
>to Alice at Interop, the Betsi key Alice can read in the newspaper,
>WWW pages, files FTP'd, and face-to-face meetings.
Obviously the MITM cannot handle (most) communications taking place
offline. But there may be a lot of people who don't use any of these
offline methods to validate their keys. These people don't go to
academic conferences, don't read their key id's over the phone, and
don't print them on business cards (or if they do, they don't get
business cards from those they communicate with securely). Maybe this
will change, maybe it is a matter of user education, but it is still an
extra effort which will be important to have secure communications. I
don't think this is widely recognized (other than in the context of the
need for certificates and signed keys).
>Anything short of total control gives Alice an opportunity to learn
>about Mitch's presence. If Alice can exploit the hole enough to get
>one good key, Mitch must change his tactics to denial of service
>with respect to that key, or Alice can ask the key owner for other
>good keys.
Note too that Mitch is not necessarily taking any risks here even if he
is caught. "Mitch" could be a remotely operating program, a virus
embedded in Alice's computer or in some link between her system and the
outside world, which is performing these transformations and sending the
decrypted messages out anonymously. So even if Alice discovers the
trickery there may be no effective way to track down the miscreant.
>If Mitch can successfully surround Alice in such a cloud, I submit
>at least one of the following statements is true:
>1. Alice is such a non-entity that no one really wants to communicate
>with her.
>2. Bob can safely assume that the new key he just got isn't really from
>Alice, because an Alice-with-a-life surrounded by a nearly successful
>Mitch-cloud wouldn't be sending out keys --- she'd be sending out
>messages saying "HELP ME!! I'M LOCKED IN MITCH'S SECRET BOMB
>SHELTER!!!"
or
3. Mitch's MITM attack is transitory and he doesn't care if he is caught
afterwards, he got his goodies.
or
4. Alice doesn't go to a lot of trouble to check her keys via offline
means. After all, MITM is so rare it can't happen to her.
Practice safe cryptography!
Hal
Return to October 1995
Return to “Scott Brickner <sjb@universe.digex.net>”