<div dir="ltr">Yes. Having a pre-shared public key definitely allows you to prevent MITM attacks. (Where by 'attack' I assume you mean 'the adversary learns the agreed key')<div><br></div><div>See e.g. MQV (<a href="https://en.wikipedia.org/wiki/MQV">https://en.wikipedia.org/wiki/MQV</a>), HMQV, NAXOS for examples of modern(-ish) protocols that are not vulnerable to MITM attacks.</div><div>Even Needham-Schroeder-Lowe protocol (<a href="https://en.wikipedia.org/wiki/Needham%E2%80%93Schroeder_protocol#Fixing_the_man-in-the-middle_attack">https://en.wikipedia.org/wiki/Needham%E2%80%93Schroeder_protocol#Fixing_the_man-in-the-middle_attack</a>, <a href="http://www.cs.cornell.edu/~shmat/courses/cs6431/lowe.pdf">http://www.cs.cornell.edu/~shmat/courses/cs6431/lowe.pdf</a>, 1996, not DH-based) is not vulnerable to MITM when you have pre-shared public keys.</div><div><br></div><div>If you'd like machine-based proofs of the fact that they're not vulnerable to MITM attacks, run them through the Tamarin-prover (a security protocol verification tool that supports both falsification and unbounded verification of security protocols): download <a href="https://github.com/tamarin-prover/tamarin-prover/">https://github.com/tamarin-prover/tamarin-prover/</a> and then look in examples/ake/dh/ and examples/classic/ for each of the above mentioned protocols.</div><div><br></div><div>This is just one way of demonstrating their invulnerability (in this case in the symbolic world), but you can also find proofs for (I believe) most of the above in the computational setting as well, which are generally stronger 'proofs', but mostly human constructed and verified.</div><div><br></div><div>Martin</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 4, 2015 at 8:00 PM, <span dir="ltr"><<a href="mailto:messaging-request@moderncrypto.org" target="_blank">messaging-request@moderncrypto.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Messaging mailing list submissions to<br> <a href="mailto:messaging@moderncrypto.org">messaging@moderncrypto.org</a><br> <br> To subscribe or unsubscribe via the World Wide Web, visit<br> <a href="https://moderncrypto.org/mailman/listinfo/messaging" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br> or, via email, send a message with subject or body 'help' to<br> <a href="mailto:messaging-request@moderncrypto.org">messaging-request@moderncrypto.org</a><br> <br> You can reach the person managing the list at<br> <a href="mailto:messaging-owner@moderncrypto.org">messaging-owner@moderncrypto.org</a><br> <br> When replying, please edit your Subject line so it is more specific<br> than "Re: Contents of Messaging digest..."<br> <br> <br> Today's Topics:<br> <br> 1. Can a pre-shared public key prevent MITM-attacks? (U.Mutlu)<br> <br> <br> ----------------------------------------------------------------------<br> <br> Message: 1<br> Date: Fri, 4 Dec 2015 03:03:27 +0100<br> From: "U.Mutlu" <<a href="mailto:for-gmane@mutluit.com">for-gmane@mutluit.com</a>><br> To: <a href="mailto:messaging@moderncrypto.org">messaging@moderncrypto.org</a><br> Subject: [messaging] Can a pre-shared public key prevent MITM-attacks?<br> Message-ID: <n3qs9g$9p4$<a href="mailto:1@ger.gmane.org">1@ger.gmane.org</a>><br> Content-Type: text/plain; charset=UTF-8; format=flowed<br> <br> On the following wiki page it's boldly claimed that "A pre-shared public key<br> also prevents man-in-the-middle attacks"<br> <a href="https://en.wikipedia.org/wiki/Diffie?Hellman_key_exchange#Public_key" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Diffie?Hellman_key_exchange#Public_key</a> :<br> "It is also possible to use Diffie?Hellman as part of a public key<br> infrastructure, allowing Bob to encrypt a message so that only Alice will be<br> able to decrypt it, with no prior communication between them other than Bob<br> having trusted knowledge of Alice's public key. Alice's public key is<br> (g^a mod p, g, p). To send her a message, Bob chooses a random b and then<br> sends Alice g^b mod p (un-encrypted) together with the message encrypted<br> with symmetric key (g^a)^b mod p. Only Alice can determine the symmetric key<br> and hence decrypt the message because only she has a (the private key).<br> A pre-shared public key also prevents man-in-the-middle attacks."<br> <br> I have my doubts.<br> What do others think of 'MITM prevention by using public key encryption'?<br> <br> <br> <br> <br> <br> ------------------------------<br> <br> Subject: Digest Footer<br> <br> _______________________________________________<br> Messaging mailing list<br> <a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br> <a href="https://moderncrypto.org/mailman/listinfo/messaging" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br> <br> <br> ------------------------------<br> <br> End of Messaging Digest, Vol 357, Issue 1<br> *****************************************<br> </blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Martin <br></div> </div>