[messaging] MITM-safe communication w/o authentication possible?

Natanael natanael.l at gmail.com
Sun Nov 29 13:21:43 PST 2015

On 29 Nov 2015 21:32, "U.Mutlu" <for-gmane at mutluit.com> wrote:
> Hi all,
> SRP and OTR+SMP are IMO good examples for MITM-safe online protocols.
> But they require prior key exchange (ie. a persistent password or PKI
> I wonder if it can be possible, at least theoretically, to have a
> MITM-secure internet channel without the use of PKI and/or
> persistent password (ie. w/o authentication, like in the telephone
> Of course the communication must be encrypted against passive MITM,
> and must also detect active MITM.
> Does anybody know of such a protocol, info, papers etc.?

As far as we know, that's impossible.

The entire point of cryptographic authentication is to create a unique
capability of the individual which enables remote verification through
using a means of communication (and computation) exclusively.

Because after all, without any kind of verifiability, without unique
capability, how do you know who you are talking to? What can you detect if
the endpoint is manned by the wrong person despite following the protocol?
Even with quantum key exchange, what if the fiber link is rerouted, how
would you know the difference?

*There must be an observable difference in behavior between the intended
endpoint and any other possible endpoint*.

There must be something measurable in the communication, anything, in which
there is at least one thing that only the intended endpoint is capable of
achieving such that you can detect and verify it.

Cryptography provides it through information theory and computational
complexity combined with secret strings. Without observable verifiable
differences, information is just a series of malleable bits that is trivial
to forge.

The best approximation is TOFU-POP: Trust on first use, persistence of
pseudonym. Use unauthenticated key exchange the first time, then reuse the
generated shared key the next time. You won't know for certain that the
endpoint is the right one, but next time around you do have some assurance
that you're still talking to the same person as last time. SSH uses this by

Some physical non-cryptographic means of proving such capabilities are
trusted human carriers (ancient and still used), once upon a time wax seals
(some tamper resistance + a recognizable stamp that was once hard to
replicate), more modern ones are physically protected private fiber links
(you verify the physical origin/path, not properties of the data itself).

One method researched around WW2 (I think) was for the recipient to
broadcast noise over the phone line when the sender sent his message. The
recipient could easily filter out his own noise, but anybody listening in
wouldn't know what was noise and what wasn't. This still lacked
authentication, but assuming resistance against tampering of a physically
protected line, it would defend against side channels / TEMPEST. An
interesting early attempt at creating asymmetric capabilities in

I've seen that there were some attempts at quantum based proof of location,
but somebody supposedly proved them categorically incapable of resisting
forging, so that's not a solution either (Wikipedia is my source on this
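The TOFU-POP pattern described in the reply above, as an added worked example that is not part of the original post or of any project it mentions. The Diffie-Hellman group (the Mersenne prime 2**127-1 with generator 5) and all party names are constructed toy values chosen only so the script runs offline; the point is the pin store and what it can and cannot detect. The first scenario shows the case the post promises (an endpoint whose key changes between contacts is flagged), the second shows the case it warns about (an interposer present from the very first contact is indistinguishable from the intended endpoint, because the pinned key is simply the attacker's).

```python
"""TOFU-POP: trust on first use, persistence of pseudonym.

A known_hosts-style pin store records the key fingerprint seen on first
contact with a pseudonym and compares it on every later contact.
"""
import hashlib
import secrets

# Toy Diffie-Hellman parameters (constructed for illustration only; 2**127-1
# is prime, but this group is far too small for any real deployment).
P = 2**127 - 1
G = 5


class KeyChanged(Exception):
    """Raised when a pinned pseudonym presents a different key than before."""


def fingerprint(pub: int) -> str:
    """Short SHA-256 fingerprint of a public value, as a pin store would display."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:32]


class Peer:
    """A party with a long-term static DH key; its public value is its identity."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2       # in [2, P-1]
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub: int) -> bytes:
        """Unauthenticated DH: anyone who supplied peer_pub can derive this too."""
        s = pow(peer_pub, self.priv, P)
        return hashlib.sha256(s.to_bytes(16, "big")).digest()


class TofuStore:
    """Pseudonym -> fingerprint pinned on first contact (like ~/.ssh/known_hosts)."""

    def __init__(self):
        self.pins = {}

    def check(self, pseudonym: str, presented_pub: int) -> str:
        fp = fingerprint(presented_pub)
        pinned = self.pins.get(pseudonym)
        if pinned is None:
            self.pins[pseudonym] = fp
            return "pinned"     # first use: nothing to compare against yet
        if pinned != fp:
            raise KeyChanged(f"{pseudonym}: pinned {pinned}, presented {fp}")
        return "match"          # same pseudonym presenting the same key as last time


def connect(client: Peer, store: TofuStore, pseudonym: str, presented_pub: int):
    """Client-side session setup: TOFU check first, then derive the session key."""
    status = store.check(pseudonym, presented_pub)
    return status, client.shared_key(presented_pub)


def mitm_joins_after_first_contact():
    """Session 1 is honest; an interposer substitutes its key in session 2."""
    alice, bob, mallory = Peer("alice"), Peer("bob"), Peer("mallory")
    store = TofuStore()
    status1, _ = connect(alice, store, "bob", bob.pub)
    try:
        connect(alice, store, "bob", mallory.pub)
        return status1, False           # would mean the substitution went unnoticed
    except KeyChanged:
        return status1, True            # pin mismatch: the change is detected


def mitm_present_from_first_contact():
    """The interposer is there from the first contact, so its key is what gets pinned.

    Returns (status1, status2, detected, attacker_knows_session_key).
    """
    alice, bob, mallory = Peer("alice"), Peer("bob"), Peer("mallory")
    store = TofuStore()
    status1, _ = connect(alice, store, "bob", mallory.pub)
    status2, k2 = connect(alice, store, "bob", mallory.pub)
    detected = status2 != "match"
    attacker_knows_key = mallory.shared_key(alice.pub) == k2
    return status1, status2, detected, attacker_knows_key


if __name__ == "__main__":
    print("interposer after first contact:", mitm_joins_after_first_contact())
    print("interposer from first contact: ", mitm_present_from_first_contact())
```

The store gives exactly the assurance the post describes: continuity with whoever held the pseudonym last time, not knowledge of who that is. The second scenario is why a real deployment pairs TOFU with some out-of-band check of the first-contact fingerprint, or at least logs and alerts on every "pinned" event so that an unexpected first contact is visible to an operator.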