[messaging] MITM-safe communication w/o authentication possible?

Ethan Heilman eth3rs at gmail.com
Sun Nov 29 14:53:30 PST 2015


It is possible If your identity in a system is directly tied to your
public key or some provable secret.

For instance a network in which the network address of every node in
the network is the hash of their public key. If you want to talk to a
particular address, you don't need a PKI, you just ask for their
public key and verify that it matches their network address. People
have done this with IPv6 where their IP address is a hash of their
public key, but it is vulnerable to collisions (2^64 queries isn't
safe).

One could imagine building an pseudonymous encrypted chat application
under this model. I heard this was the idea behind https://gli.ph/
although I'm not sure how it currently works.

However, it is often the case that we wish to connect real world
identities to cryptographic identities. This is where a PKI enters the
picture as it maps between two sets of identities that have no
inherent mapping. Since this mapping is arbitrary some trust in the
PKI is required.


On Sun, Nov 29, 2015 at 5:26 PM, Natanael <natanael.l at gmail.com> wrote:
>
> Den 29 nov 2015 23:11 skrev "U.Mutlu" <for-gmane at mutluit.com>:
>>
>> So, in summarizing the replies so far: it is not possible
>> without a central authority, or an a priori shared secret,
>> or PKI certificates.
>>
>> Ok, let's say the only missing link here is just a missing shared secret,
>> ie. a password. If that were given then it will function.
>>
>> Now, going a step further: is it not possible to exchange
>> a temporary password (OTP) on-the-fly during the protocol
>> in a secure way with the other party?
>> That is, one would need to embed such an algorithm into the protocol.
>>
>> Could for example the Interlock Protocol not be used for this?
>> Or maybe in a combination with SMP? As said, the task is "just"
>> to create and exchange on-the-fly an ephemeral secret between the parties.
>
> Not OTP, that's a different beast, because the definition of that is full
> unpredictable randomness (entropy) and no reuse of keys and much more.
>
> (There's however a version of message authentication provably secure if
> keyed using an OTP, so to use two pads, one for the ciphertext and one to
> key the authentication tags, is pretty much perfectly secure. Key management
> is still ridiculously impractical.)
>
> But yes, SRP + Diffie-Hellman does exactly what you describe here. There's
> also other pairs of protocols capable of achieving the same thing.
>
> OTR (IM) uses a variant of this (socialist millionaires protocol), and so
> does ZRTP (VoIP). I think even SSH can be made to do it, and it is in the
> TLS (SSL) spec AFAIK but rarely used and thus not implemented in most
> places.
>
> But nowadays the preference is for mutual public key authentication. It is
> just more practical.
>
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>


More information about the Messaging mailing list