[14453] in cryptography@c2.net mail archive
Re: anonymous DH & MITM
daemon@ATHENA.MIT.EDU (Anton Stiglic)
Fri Oct 3 13:21:57 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Anton Stiglic" <astiglic@okiok.com>
To: "Cryptography list" <cryptography@metzdowd.com>,
"Tim Dierks" <tim@dierks.org>
Date: Fri, 3 Oct 2003 10:14:42 -0400
----- Original Message -----
From: "Tim Dierks" <tim@dierks.org>
>
> I think it's a tautology: there's no such thing as MITM if there's no such
> thing as identity. You're talking to the person you're talking to, and
> that's all you know.
That seems to make sense. In anonymity providing systems often you
want one side to be anonymous, and the other to identify itself (like in
anonymous web surfing). In this case, if you are using DH to exchange
keys, what you want is something like half-certified DH (see for example
section 2.3 of [1]), where the web server authenticates itself. With half
certified DH, Alice (the user that is browsing in my example) can be
assured that she is really talking to Bob (web server she wanted to
communicate with), and not a MITM.
[1] http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
