Man in the middle attacks

>Subject: Re: bootstrap of key-centric binding of person to key

At 09:26 3/5/96, Mark S Feldman wrote:

>I think we're having two interesting, but distinct conversations here.
>In my previous message I was attempting to point out how a man in the
>middle spoofing attack might be executed against your USENET news

I agree.  I was not discussing man-in-the-middle.  As far as I am
concerned, the man-in-the-middle attack is a nice theoretical construct but
of no real importance.  [I suspect you and I have had this conversation
before over lunch, so what I'm about to say might not change your mind.]

Consider two cases:

I.  Alice wants to talk with Bob.  Eve intercepts *all* traffic to and from
Bob and substitutes her own key for Bob's.  Alice has never met Bob -- has
no shared secret with him.  Therefore, there is no way for her to prove
that Bob is on the other end of the encrypted communication.  [If there
were a shared secret of enough bits, then Alice could be assured that Bob
is on the other end of an encrypted channel -- but there can't be a shared
secret if Alice has never encountered Bob except over this channel.]

Alice "meets" Bob over the net but is really meeting Eve.  Eve stays
anonymous.  Eve lets Bob handle some of the traffic, but other traffic she
writes and reads herself.

First of all, this is very hard for Eve to accomplish -- but for the sake
of argument, let's assume it happens and that we want to prevent it.  That
is, Alice wants to talk to Bob, not to Eve.

II.  Alice wants to talk with Bob.  Bob is a very busy man and has hired a
secretary, Carol.  Carol reads all of Bob's traffic, writes some replies
without even showing Bob the original message, and passes other messages in
to Bob for him to reply.  Carol signs and encrypts all Bob's mail.  For
this purpose, Bob uses an identity certificate and his own key, but he has
given his private key to Carol to use for him.


From Alice's point of view, these two cases are equivalent.  She may not be
happy with either one of them, but they are outside her control.  Since she
has never met Bob over any other channel and therefore never created a
shared secret with him, she has no reason to believe Bob is anything other
than the composite entity [Bob,Eve] or [Bob,Carol].  She doesn't even know
that she's dealing with a composite entity, in either case.

There *is* a difference from Bob's point of view.  He is being victimized
in one case and helped in the other.  So, it is to his advantage to
communicate over more channels than any one eavesdropper can control.  He
must not allow himself to be boxed into a corner where all communication is
subject to active eavesdropping by the same agent.  An identity certificate
might be a second such channel, but it might not.  Eve might get a male
confederate to obtain a certificate to use when she's the channel for Bob
-- not with his key, but she never lets his key escape into the world so no
one knows either it or his real certificate is attached in any way to
[Bob,Eve].  The certificate hierarchy lets the key out, presumably in a way
Eve can't control, but there's no reason for her to use Bob's DN on the
certificate she gets for him.  That is, she might use the name Jim for
[Bob,Eve] and get the certificate for Jim.  From then on, Bob might be
defined, but he never sends/receives e-mail.  Jim, on the other hand, is
very prolific.  Remember, under the original assumption, you have never met
Bob and never expected to meet Jim [who doesn't really exist] so you have
no reason to know that Bob is locked in a closet and is communicating as
[Bob,Eve] under the name Jim.

Meanwhile, without identity-based certificates, Bob can find other ways to
guarantee a second channel.  He can, for example, broadcast his self-signed
key from a public access internet terminal in Cambridge's CyberSmith [or
any of the numerous other Internet cafes].  He can publish his key in a
newspaper.  He can give his key to friends, on his business card [as I do].

The way identity-based certificates break the Eve scenario is by second
channels other than the certificate hierarchy.  The flaw in the whole MITM
argument is the assumption that any one of us can be held in a dark room
and fed connectivity to the outside world through a single pipe which one
eavesdropper can control.  It's an interesting theoretical scenario for
prompting discussion, but it comes back to a philosophical question:

if you have Bob locked in Eve's attic, does Bob exist apart from [Bob,Eve]?
...if a tree falls in the forest....?

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
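
The second-channel argument in the message above, as an added example that is not part of the original post: a key received over the network is compared with fingerprints learned over other channels, using the PGP 2.x fingerprint style (MD5 over modulus and exponent bytes) of the kind shown in the signature. The key values, channel names and function names are constructed for illustration.

```python
import hashlib

def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x (v3 key) fingerprint: MD5 over the raw modulus and exponent bytes."""
    raw = b"".join(x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (n, e))
    return hashlib.md5(raw).hexdigest().upper()

def check_key(received_key, second_channels):
    """Compare a key received over the network with fingerprints seen elsewhere.

    second_channels maps a channel name to the fingerprint obtained there.
    Returns (verdict, names of channels that disagree with the received key).
    """
    fp = v3_fingerprint(*received_key)
    disagree = sorted(name for name, seen in second_channels.items()
                      if "".join(seen.split()).upper() != fp)
    if disagree:
        return "MISMATCH", disagree
    if second_channels:
        return "CONSISTENT", []
    return "UNVERIFIED", []

# Constructed sample values: arbitrary integers standing in for RSA moduli.
BOB_KEY = (0xD3A9F1C47B2E6085A1B3C5D7E9F10233, 65537)
EVE_KEY = (0xB7E151628AED2A6ABF7158809CF4F3C7, 65537)

def scenarios():
    bob_fp, eve_fp = v3_fingerprint(*BOB_KEY), v3_fingerprint(*EVE_KEY)
    return {
        # Case I: Alice knows Bob only through the pipe Eve controls.
        "single pipe": check_key(EVE_KEY, {}),
        # A lookup that travels through the same pipe agrees with Eve's key,
        # so agreement means nothing unless the channel is independent.
        "same pipe lookup": check_key(EVE_KEY, {"lookup via same pipe": eve_fp}),
        # Bob published his fingerprint where Eve cannot rewrite it.
        "second channel": check_key(
            EVE_KEY, {"business card": bob_fp, "newspaper": bob_fp}),
        # No substitution: the received key matches the published fingerprint.
        "genuine key": check_key(BOB_KEY, {"business card": bob_fp}),
    }

if __name__ == "__main__":
    for name, (verdict, disagree) in scenarios().items():
        print(f"{name:18} {verdict:11} {', '.join(disagree)}")
```
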