At 12:26 PM 06/28/2002 +0300, Marcel Popescu wrote:
>From: "Mike Rosing" <[EMAIL PROTECTED]>
>
> > > Is there a defense against MITM for Diffie-Hellman? Is there another
> > > protocol with equivalent properties, with such a defense? (Secure
> > > communications between two parties, with no shared secret and no out-of-band
> > > abilities, on an insecure network.)
> >
> > What do you mean by no shared secret? The point of DH is that you
> > get a shared secret.
>
>I guess I should have said "no *previously* shared secret".
Fundamentally, you need out-of-band knowledge. Consider setting up a secure video call with somebody, and each of you reading the hash of your DH parameter to the other. It's really hard for a MITM to fake that - but if you don't know what the other person looks or sounds like, do you know it's really them, or did you just have an unbreakably secure call with the wrong person?

If you have a shared secret, you can defend against the MITM, and Steve Bellovin's Encrypted Key Exchange and AEKE work can help.

If you both know each other's public signature keys through a channel that's authenticated but not necessarily private, you can do signed DH, which works just fine. (Diffie likes it.) Or if you both know a public encryption key for the other, you can send an encrypted DH keypart and also get security. (Both of these assume that the private keys aren't compromised.)

If only one of you knows a public key for the other, the one who knows the key can know if the channel's secure, but the one who doesn't know the key still doesn't know who he's talking to, though in many kinds of transactions, it's good enough for the originator of the call to know she reached the recipient without the recipient being sure of the originator, e.g. the recipient knows the originator trusted the conversation well enough to send a credit card number, and Visa said the card was good. Also, if it's a phone or video call between people who recognize each other, the public key cuts out the need to read the keyparts over the phone.

>Well... I assume an active MITM (like my ISP). He's able to intercept my
>public key request and change it. Plus, I now realize I should have put an
>even harder condition - no previously shared *information*, even if it's
>public. I need to know if two complete strangers can communicate securely
>over an insecure network, even if they communicate through an untrusted
>party. Wasn't there a protocol for two prisoners communicating through an
>untrusted guard?
Signature public keys or encryption public keys can ensure that you're talking consistently to a given person; I don't think straight DH can do that unless you've got other information.
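An added illustration (not from anyone in this thread) of the out-of-band check described in the reply above: each side hashes the two DH key parts it saw and the two fingerprints are compared over a channel where the parties recognise each other. The group parameters are a constructed toy, not a standardised group.

```python
import hashlib
import secrets

# Constructed toy parameters for the demonstration only (a Mersenne prime);
# a real deployment would use a standardised group such as those in RFC 3526.
P = 2**127 - 1
G = 5


def keypair():
    """Return (private exponent, public key part g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(my_priv, their_pub):
    return pow(their_pub, my_priv, P)


def fingerprint(pub_a, pub_b):
    """Short string each party reads to the other: hash of both key parts.
    Sorting the inputs makes the value independent of who reads first."""
    data = b"".join(v.to_bytes(16, "big") for v in sorted((pub_a, pub_b)))
    return hashlib.sha256(data).hexdigest()[:12]


def run_exchange(key_parts_substituted):
    """Simulate one DH exchange. Returns (alice_fp, bob_fp, secrets_match).

    When key_parts_substituted is True, a party in the middle replaces each
    side's key part with its own, which is the attack the thread discusses.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if key_parts_substituted:
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    a_secret = shared_secret(a_priv, a_sees)
    b_secret = shared_secret(b_priv, b_sees)
    # Each endpoint fingerprints only what *it* sent and received; the two
    # values agree exactly when both ends hold the genuine key parts.
    return fingerprint(a_pub, a_sees), fingerprint(b_pub, b_sees), a_secret == b_secret


if __name__ == "__main__":
    for tampered in (False, True):
        fa, fb, same = run_exchange(tampered)
        print(f"tampered={tampered}: Alice reads {fa}, Bob reads {fb}, "
              f"fingerprints {'match' if fa == fb else 'DIFFER'}, secrets equal={same}")
```

The mismatch is only detectable because the comparison happens over a channel the attacker cannot forge, which is exactly the out-of-band knowledge the reply says is unavoidable.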