From: bryce@digicash.com
To: kruempel@cs.colorado.edu
Message Hash: 2d615c3bc18ed5a0089041dcd81fe4083d7e14c8b454a1087c4691acd731c785
Message ID: <199604290915.LAA04182@digicash.com>
Reply To: N/A
UTC Datetime: 1996-04-29 18:43:09 UTC
Raw Date: Tue, 30 Apr 1996 02:43:09 +0800
From: bryce@digicash.com
Date: Tue, 30 Apr 1996 02:43:09 +0800
To: kruempel@cs.colorado.edu
Subject: Bold Assertion: there are no Men in the Middle
Message-ID: <199604290915.LAA04182@digicash.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
I have the intuition that there has never been a successful
MITM attack which has subverted the use of PGP
authentication. If we could be sure of this hypothesis,
then we could go about creating a strongly linked Web O
Trust and then use it from now until such a future time as
1024-bit PGP keys are brute forceable. We could also use
it to bootstrap bigger keys, a wider and more strongly-
connected Web O Trust, etc.
I can't think of any good way to test this hypothesis,
however. One thing that we _could_ test is the difficulty
of performing such an attack.
If I had the cash, I would post a reward for anyone who
could successfully run a demo MITM attack on two
unsuspecting stooges. I would (of course) specify with more
precision what would constitute a successful attack, how it
would be proven to me that the attack was successful and so
forth.
But I don't have sufficient cash to motivate such a trick,
and there would be some very complicated ethical and
logistic questions about performing it.
I still have a strong intuition that I could keep my cash if
I made such a proposal and gave it a few simple stipulations
(such as that the attacker would have to forge important
material in the victim's name rather than just use the
attack to eavesdrop...). The successful attacker would
have to have the ability to get in the middle of TCP/IP
connections as well as perhaps telephone connections, as
well as have formidable computational and
"social-engineering" (really: "-cracking") resources.
more later,
Bryce
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2
iQB1AwUBMYSIhkjbHy8sKZitAQHKYwL+Mj/4G5JW5F+v6w3+PqIIacC1BBNfnHqR
rO5ra8bFAeGwz7vmIcmyQAxU/3PW/jjsLv0lo5f0j4eiQ/iDBYUjVUKKWfjDMzSi
qIj1HNiHOq1eZ+M1rqvchwVRFTZazXsi
=YUmd
-----END PGP SIGNATURE-----
Return to April 1996
Return to “bryce@digicash.com”