[12891] in cryptography@c2.net mail archive


Re: meet in the middle attacks

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Wed Mar 26 19:41:01 2003

X-Original-To: cryptography@wasabisystems.com
Date: Wed, 26 Mar 2003 19:20:53 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
Reply-To: cryptography@wasabisystems.com
To: cryptography@wasabisystems.com
In-Reply-To: <87u1dqasb0.fsf@snark.piermont.com>

This is a cryptographically signed message in MIME format.


I believe that most browsers and even some TELNET/FTP/SMTP clients that 
support START_TLS will allow the certificate to be saved as an 
authenticator of the host provided that the certificate is not a 
self-signed cert.  If you do not want to use a commercial CA, then you 
should generate your own CA cert plus one End Entity cert signed by your 
CA cert.  Use the End Entity cert for your service.  This process could 
easily be added to the makefile for Apache or even OpenSSL.

- Jeff


Perry E. Metzger wrote:

>I have to say I've watched this with a bit of puzzlement.
>
>Meet in the middle attacks are perfectly real. I've seen them myself,
>and toolkits to perform them are readily available out there. Ian's
>vague comments about a lack of evidence of the economic impact
>notwithstanding, it is unreasonable to leave one's protocols and
>systems open to such attacks.
>
>You do not need an elaborate CA infrastructure to prevent them, of
>course. SSH manages to prevent them simply by having both sides sign
>exchanges using naked (i.e. uncertified) keys that are pre-shared, for
>example. Even use of MACs over exchanged values and pre-shared
>conventional keys can prevent many such attacks.
>
>However, not attempting to prevent such attacks -- especially given
>that they are very effective -- seems foolish at best.
>

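The private-CA procedure Jeff describes (a CA cert plus one end-entity cert signed by it, with the end-entity cert used by the service), as an added example that is not code from the thread or from any project mentioned in it; the OpenSSL config sections, file names, directory layout and hostname are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): make_private_ca builds a private CA,
# issues one end-entity cert for a service, and verify_against_ca checks a
# cert the way a client that has saved ca.crt would. Names are hypothetical.
set -eu

make_private_ca() {            # $1 = output dir, $2 = service hostname
  dir=$1; host=$2
  mkdir -p "$dir"
  # OpenSSL config: an empty DN section (subjects come from -subj), a CA
  # profile that may sign certificates, and a leaf profile that may not.
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
  # 1. Self-signed CA certificate: the one thing users import, once.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Private CA for $host" -config "$dir/ext.cnf" -extensions ca_ext \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. End-entity key and CSR for the service itself.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -config "$dir/ext.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # 3. The CA signs the CSR; the leaf cert, not the CA cert, goes into the
  #    service configuration (ca.key never leaves the signing machine).
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/ext.cnf" -extensions ee_ext \
    -out "$dir/$host.crt" 2>/dev/null
}

# Returns 0 only if cert $2 chains to $1/ca.crt and carries hostname $3.
verify_against_ca() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

A self-signed certificate for the same hostname fails verify_against_ca, which is exactly why a client that trusts only ca.crt gains nothing from accepting one.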


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
