[messaging] Can a pre-shared public key prevent MITM-attacks?

Sam Lanning sam at samlanning.com
Mon Dec 7 07:12:46 PST 2015

> True, I missed out TOFU. I would argue, though, that TOFU gives you a weaker guarante: authentication *as long as the first message was not tampered with*.

It's certainly a weaker guarantee, yes. But it gives a level of
bootstrapping that can later be verified, which is better than no
storage at all / exchanging keys each time for example.

> TOFU systems also require careful design to achieve the properties you describe vis-a-vis MITM. In particular, while all encrypted messaging systems require a way to roll over the key, they must not support a "set session key to X" message, or similar, or the adversary can use it to switch from active mode to passive mode. This is not as trivial as it sounds -- I think SSL reauthentication lets you do exactly this.

Very true, and interesting points. As an attacker you could then hide
the fact that you have been attacking by switching keys, but it would
sacrifice interception ability from that point onwards, and would
require you to pick a reliable point in time to perform the switch.
(i.e. you'd need to know the reliability and availability of your MITM

> Otherwise, I agree with what you've said.


More information about the Messaging mailing list