[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
anonymity against active attackers
Correction to a previous message of mine follows (sorry for the confusion).
I said that the paragraph in Photuris (bottom of page 8):
> > The scheme is not foolproof. By posing as the Responder, an active
> > attacker could trick the Initiator into revealing its identity.
> > However, this active attack is considerably more difficult than
> > passive vacuum-cleaner monitoring. Unless the attacker can steal the
> > private/secret key belonging to the Responder, the Initiator will
> > discover the deception when verifying the Identification Exchange.
is no longer necessary. Actually, it is.
I didn't read correctly the participants here. Indeed, a responder acting as
a man-in-the-middle *can* trick the initiator to disclose its identity.
The actual feature of Photuris (that didn't exist in early versions of the
protocol), and which I consider very important, is that an Initiator
*cannot* trick the Responder to disclose its identity.
This is very important. Otherwise, any Initiator could discover the identity
of a user (say a mobile one) by just initiating a Photuris exchange.
That's far easier than intercepting communication as a man-in-the-middle.
Anyway, pardon my confusion.
(It may still be valuable to add to that paragraph in page 8 a remark that
the attack does not work on the other direction, namely, an Initiator
tricking the Responder to disclose its identity. The text in the draft that
ensures that property is at the beginning of section 5 in page 25).
Hugo
PS: thanks to the person that pointed out to my confusion in a private mail.