[messaging] MITM-safe communication w/o authentication possible?

Natanael natanael.l at gmail.com
Sun Nov 29 14:26:35 PST 2015

Den 29 nov 2015 23:11 skrev "U.Mutlu" <for-gmane at mutluit.com>:
> So, in summarizing the replies so far: it is not possible
> without a central authority, or an a priori shared secret,
> or PKI certificates.
> Ok, let's say the only missing link here is just a missing shared secret,
> ie. a password. If that were given then it will function.
> Now, going a step further: is it not possible to exchange
> a temporary password (OTP) on-the-fly during the protocol
> in a secure way with the other party?
> That is, one would need to embed such an algorithm into the protocol.
> Could for example the Interlock Protocol not be used for this?
> Or maybe in a combination with SMP? As said, the task is "just"
> to create and exchange on-the-fly an ephemeral secret between the parties.

Not OTP, that's a different beast, because the definition of that is full
unpredictable randomness (entropy) and no reuse of keys and much more.

(There's however a version of message authentication provably secure if
keyed using an OTP, so to use two pads, one for the ciphertext and one to
key the authentication tags, is pretty much perfectly secure. Key
management is still ridiculously impractical.)

But yes, SRP + Diffie-Hellman does exactly what you describe here. There are
also other pairs of protocols capable of achieving the same thing.

OTR (IM) uses a variant of this (socialist millionaires protocol), and so
does ZRTP (VoIP). I think even SSH can be made to do it, and it is in the
TLS (SSL) spec AFAIK but rarely used and thus not implemented in most

But nowadays the preference is for mutual public key authentication. It is
just more practical.
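The "two pads" construction mentioned above (one pad for the ciphertext, a second pad keying a one-time, information-theoretically secure MAC), as an added example that is not code from the post or from any project. Assumptions: the MAC is a polynomial-evaluation (Carter-Wegman style) hash over GF(p) with p = 2^127 - 1, keyed by 32 bytes of the second pad, and `secrets.token_bytes` stands in for the true-random pad source; the message and pads are constructed sample data.

```python
"""One-time pad for confidentiality plus a one-time polynomial MAC keyed
from a second pad. Added example, not code from the original post.
Assumptions: GF(p) with p = 2**127 - 1, 15-byte message blocks, 32 MAC-key
bytes per message, pads never reused (secrets.token_bytes stands in for a
true random source here)."""
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime; 15-byte blocks (+ marker bit) fit below it
BLOCK = 15


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "pad must cover the whole message"
    return bytes(x ^ y for x, y in zip(a, b))


def poly_mac(mac_pad: bytes, msg: bytes) -> bytes:
    """Tag = s + sum_i m_i * r^(n-i)  mod p, (r, s) one-time from the pad.
    With fresh (r, s) per message the forgery probability is about n/p."""
    assert len(mac_pad) >= 32
    r = int.from_bytes(mac_pad[:16], "big") % P
    s = int.from_bytes(mac_pad[16:32], "big") % P
    data = msg + b"\x01"                      # 10* padding keeps encoding injective
    acc = 0
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK].ljust(BLOCK, b"\x00")
        m = int.from_bytes(blk, "big") | (1 << 120)   # marker bit, value < p
        acc = (acc + m) * r % P                        # Horner evaluation
    return ((acc + s) % P).to_bytes(16, "big")


def encrypt_then_mac(enc_pad: bytes, mac_pad: bytes, msg: bytes):
    ct = xor(msg, enc_pad[:len(msg)])
    return ct, poly_mac(mac_pad, ct)


def decrypt_if_valid(enc_pad: bytes, mac_pad: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if not hmac.compare_digest(poly_mac(mac_pad, ct), tag):
        return None
    return xor(ct, enc_pad[:len(ct)])


def malleability_demo():
    """A bare OTP is malleable: flipping ciphertext bits flips the same
    plaintext bits, so an attacker can turn 0100 into 9100 without the key.
    The one-time MAC rejects the flipped ciphertext."""
    msg = b"PAY 0100 TO BOB"                              # constructed sample
    enc_pad, mac_pad = secrets.token_bytes(len(msg)), secrets.token_bytes(32)
    ct, tag = encrypt_then_mac(enc_pad, mac_pad, msg)
    tampered = bytearray(ct)
    tampered[4] ^= ord("0") ^ ord("9")                    # attacker's bit flips
    tampered = bytes(tampered)
    unauthenticated_view = xor(tampered, enc_pad)         # receiver without a MAC
    return (unauthenticated_view,
            decrypt_if_valid(enc_pad, mac_pad, tampered, tag),
            decrypt_if_valid(enc_pad, mac_pad, ct, tag))


if __name__ == "__main__":
    print(malleability_demo())
```

The point the post makes about key management applies with full force: every message consumes len(msg) + 32 fresh pad bytes, and reusing either pad breaks the respective guarantee (two ciphertexts under one pad leak their XOR; two tags under one (r, s) let an attacker solve for r).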
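The SRP exchange the reply points to, with both sides' messages and a man-in-the-middle who substitutes his own ephemeral values (the attack that breaks unauthenticated Diffie-Hellman), as an added example that is not code from the post or from any SRP library. Assumptions: SRP-6a arithmetic over the RFC 3526 2048-bit MODP group with g = 2, SHA-256 as H, and simplified proofs M1 = H(A || B || K), M2 = H(A || M1 || K) rather than RFC 5054's exact encoding; identities, passwords and the attacker's guess are constructed sample values.

```python
"""SRP-6a password-authenticated key exchange with a MITM who lacks the
password. Added example, not code from the original post or any project.
Assumptions: RFC 3526 2048-bit MODP group (g = 2), SHA-256 as H, simplified
proofs M1 = H(A||B||K) and M2 = H(A||M1||K). Demonstration only."""
import hashlib
import hmac
import secrets

N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))   # SRP-6a multiplier parameter


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def register(identity: bytes, password: bytes, salt: bytes = None):
    """Enrollment: the server stores (salt, verifier), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 2) + 1      # ephemeral private value
        self.A = pow(g, self.a, N)                 # first message: I, A

    def on_challenge(self, salt: bytes, B: int) -> bytes:
        """Consume (s, B), derive K, return the client proof M1."""
        if B % N == 0:
            raise ValueError("server public value is zero mod N")
        u = H(pad(self.A), pad(B))
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.B, self.K = B, hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        expect = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expect, M2)


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def on_A(self, A: int):
        """Consume A, derive K, return the challenge (s, B)."""
        if A % N == 0:
            raise ValueError("client public value is zero mod N")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.A, self.K = A, hashlib.sha256(pad(S)).digest()
        return self.salt, self.B

    def verify_client(self, M1: bytes):
        """Return M2 if the client proved knowledge of the password, else None."""
        expect = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(expect, M1):
            return None
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


def honest_run(identity=b"alice", password=b"correct horse") -> bool:
    salt, v = register(identity, password)
    c, s = Client(identity, password), Server(salt, v)
    M2 = s.verify_client(c.on_challenge(*s.on_A(c.A)))
    return M2 is not None and c.verify_server(M2) and c.K == s.K


def mitm_run(identity=b"alice", password=b"correct horse", guess=b"password1"):
    """Attacker substitutes A' toward the server and B' toward the client,
    using a verifier built from a password guess and the (public) salt."""
    salt, v = register(identity, password)
    c, s = Client(identity, password), Server(salt, v)
    evil_c = Client(identity, guess)                        # leg toward server
    salt_msg, real_B = s.on_A(evil_c.A)
    evil_s = Server(salt_msg, register(identity, guess, salt_msg)[1])  # leg toward client
    M1 = c.on_challenge(*evil_s.on_A(c.A))                  # client talks to attacker
    fooled_client = evil_s.verify_client(M1) is not None    # attacker as server
    forwarded_ok = s.verify_client(M1) is not None          # relay M1 verbatim
    impersonated_ok = s.verify_client(evil_c.on_challenge(salt_msg, real_B)) is not None
    return fooled_client, forwarded_ok, impersonated_ok


if __name__ == "__main__":
    print("honest:", honest_run(), "mitm passes:", mitm_run())
```

Unlike plain DH, neither side's session key is computable from the wire plus the attacker's own ephemerals without x or v, so every check the attacker attempts fails; what remains is one online password guess per run, which is why the password still has to be decent and why the reply notes mutual public-key authentication is the more practical default.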