[messaging] Can a pre-shared public key prevent MITM-attacks?

Justin King-Lacroix justin.king-lacroix at cs.ox.ac.uk
Mon Dec 7 07:00:38 PST 2015

True, I missed out TOFU. I would argue, though, that TOFU gives you a
weaker guarante: authentication *as long as the first message was not
tampered with*.
(Also note that SSH and OTR end up using this approach in practise, but
they weren't designed to -- you're supposed to check the key fingerprint
before saying "yes".)

TOFU systems also require careful design to achieve the properties you
describe vis-a-vis MITM. In particular, while all encrypted messaging
systems require a way to roll over the key, they must not support a "set
session key to X" message, or similar, or the adversary can use it to
switch from active mode to passive mode. This is not as trivial as it
sounds -- I think SSL reauthentication lets you do exactly this.

Otherwise, I agree with what you've said.

On 7 Dec 2015 14:34, "Sam Lanning" <sam at samlanning.com> wrote:

> You are forgetting one other approach though TOFO (Trust on First Use),
> which is getting significantly more traction recently, for example in
> Signal, and OpenSSH actually uses this approach. And as long as on the
> first communication, you are only being passively attacked, and not
> actively (full MITM), after the keys have been exchanged and stored, a MITM
> cannot occur after that point. Further to this, it allows you to verify
> out-of-band later on that you have been communicating with the correct
> keys, which can then give you authentication for all previous messages.
> More specifically, a sustained attack on TOFU requires:
> 1) An active MITM attack on first communicaiton.
> 2) An active MITM for every communication thereafter (which is v.
> difficult in today's mobile world of networks anyway).
> 3) The two parties to never verify their keys out-of-band.
> Failing to do (1) will mean that the parties successfully set up
> communications, failing to do (2) or (3) will mean that the parties will be
> able to detect they have been being attacked up until now.
> Cheers,
> Sam.
> On Mon, Dec 7, 2015 at 1:52 PM, Justin King-Lacroix <
> justin.king-lacroix at cs.ox.ac.uk> wrote:
>> No. Even in principle, this is essentially impossible -- two parties with
>> no relationship basically can't communicate securely.
>> There are lots of approaches to the problem, but they all involve
>> breaking the 'no relationship' constraint. PKI -- and thus iMessage,
>> WhatsApp -- does it by introducing a well-known trusted third-party. PGP /
>> Web of Trust does it by relying on social graphs. OTR and SSH leave it up
>> to you: they show you the key fingerprint, and it's up to you to work out
>> whether it's the right one.
>> But in general, the problem you're describing has no solution.
>> (Once you've exchanged keys, of course, there are a multitude of way to
>> create a secure channel on that basis. But you need to exchange keys
>> somehow first.)
>> Justin
>> On 6 December 2015 at 23:43, U.Mutlu <for-gmane at mutluit.com> wrote:
>>> Justin King-Lacroix wrote on 12/06/2015 03:23 PM:
>>>> There are basically three common ways to authenticate a DH key exchange:
>>>>     1. If you and your partner *already have* a shared secret: you mix
>>>> it
>>>>     into into the key exchange somehow. This is the 'shared key'
>>>> mechanism, and
>>>>     is the basis of (eg) PAKE. The crux of this mechanism is that the
>>>> key
>>>>     exchange will fail unless both parties knew the shared secret.
>>>>     2. If you and your partner have long-term public keys, and *each
>>>> already
>>>>     knows the public key of the other*: you use the corresponding
>>>> private
>>>>     keys to augment the key exchange. This one basically breaks down
>>>> into two
>>>>     categories, depending on what kinds of long-term public keys you
>>>> have.
>>>>        1. If you have signing keys, then you digitally sign the DH
>>>>        transaction to authenticate it. You also need to hash the
>>>> long-term public
>>>>        keys into the shared secret, or you introduce an identity
>>>> misbinding
>>>>        vulnerability.
>>>>        2. If you have DH-type keys, then you basically do the DH crypto
>>>>        twice, using both sets of keys.
>>>>     3. If you and your partner have long-term public keys, and you
>>>> *don't
>>>>     know* each other's public keys, then you need someone to vouch for
>>>> you.
>>>>     In most people's heads, that means "PKI", but SSH/OTR-style
>>>>     check-the-fingerprint is potentially viable.
>>>> There's also a whole raft of academic literature on more subtle ways you
>>>> can authenticate your DH transaction using the properties of the
>>>> environment, like the availability of secondary, very low-bandwidth
>>>> channels (think Bluetooth pairing); I can direct you to one or two of
>>>> those
>>>> papers if you're interested. But those three are the 'classically
>>>> strong'
>>>> ones, and the ones that are the easiest to understand.
>>>> Justin
>>> Hello, thank you,
>>> I'm interested in a practical and ultimate MITM-prevention method
>>> to be used in computer communication using TCP.
>>> All the papers and examples I read on MITM-prevention do expect
>>> that one already has safely (pre-) exchanged the public keys
>>> of a signing algo like RSA for signing+enc+dec.
>>> And just that exactly is now the question I'm seeking an answer for,
>>> ie. does there exist an algorithm for sending/exchanging the public keys
>>> safely (that is guaranteed authentic) over the public internet,
>>> w/o human interaction by the two parties?
>>> Said differently:
>>> Public keys are by definition of course public, but there is the "little"
>>> problem of authentically transmitting it to the other party, for example
>>> the public key of an ephemeral RSA method to be used as nonce in session
>>> creation with PFS: here Alice needs to be sure that Bob receives her
>>> new pubkey, and not that of someone else in the middle (MITM).
>>> Any algorithm known for solving this elementary problem of securely
>>> exchanging the public keys?
>>> --
>>> U.Mutlu
>>> _______________________________________________
>>> Messaging mailing list
>>> Messaging at moderncrypto.org
>>> https://moderncrypto.org/mailman/listinfo/messaging
>> _______________________________________________
>> Messaging mailing list
>> Messaging at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/messaging
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20151207/6c792274/attachment.html>

More information about the Messaging mailing list