[PP-main] Cryptography

Joakim Ziegler joakim at simplemente.net
Mon Mar 6 00:34:39 CET 2000


On Sun, Mar 05, 2000 at 11:00:30PM +0000, Andrew Cooke wrote:
> At 04:07 PM 3/5/00 -0600, you wrote:

>>Only the public part of a host signature is sent. The private part is kept
>>secret and used to answer to challenges.

>>I have a nice book recommendation on this subject: Applied Cryptography by
>>Bruce Schneier.

>>By the way, will you be working on the communications code for Peerpress?
 
> Sorry - I didn't recognise the terminology (despite having read chunks of
> Schneier's book).  I am not involved in the code.
 
> This is not enough to foil a man-in-the-middle attack.  If A is talking to
> B then M can insert themselves in between and send M's public key to A and
> B, converting messages on the fly.  The only way that I know of around this
> (apart from having a shared secret beforehand, in which case why bother
> with public keys) is to have a certificate signed by a CA that certifies
> the identity.  Right at the start of this thread someone said that you
> didn't want to use SSL because it involved CAs.
 
> This is a very common problem.  If you are aware of more terminology than
> me then you must have met this - I am not asking anything very complicated.
>  So please, what protocol is used to open the connection?

What you're missing here is that CAs *are* a shared secret. The only reason
they can circumvent a man in the middle attack is that you have a shared
secret, although you're not always aware of it: Your SSL-enabled browser
comes with the root certificates for the biggest CAs already embedded when
you download it. Thus, you have a shared secret. Of course, if you have such
a persistent man in the middle, he could have been sitting in the middle when
you downloaded the browser too, so the only way you can be sure is if the
browser you're using came with your OS (which it sometimes does).

Now, if you're using SSL, and you don't have a CA cert, then you get a popup
in your browser that asks you if you want to accept the SSL connection even
though it's not signed by the CA. If you accept this, SSL is as receptive to
man in the middle attacks as any other similar scheme. Maybe more, since as
far as I know, SSL implementations don't commonly let you store the signature
of the host, so you can get a warning when it's changed.

The reason I don't see using SSL with CAs as a usable way to solve this
problem is that CAs are not open, that is, every participant in the scheme
would need to get a certificate, from VeriSign (since they have a practical
monopoly after buying Thawte), and pay for that, and they can't use that
certificate to certify others. In addition, we're not going to be using
Internet Explorer or Netscape as the base for the SSL system, so your system
doesn't come with the root cert signature in the code, hence making them
mainly useless for foiling a man in the middle attack anyway.

For the protocol, Hans Petter wrote a fairly lengthy mail about that, so I'll
leave that up to him.

-- 
Joakim Ziegler - simplemente r&d director - joakim at simplemente.net
 FIX sysop - free software coder - FIDEL & Conglomerate developer
      http://www.avmaria.com/ - http://www.simplemente.net/
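
The message above mentions storing a host's key so that a warning can be raised when it changes. A minimal sketch of that check follows, as an added example that is not part of the original mail or of any Peerpress code; `PinStore`, `fingerprint`, the host name and the key bytes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Possible outcomes of checking a host's public key against the pin store.
FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public key bytes, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Remembers one public-key fingerprint per host (hypothetical helper)."""
    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host: str, public_key: bytes) -> str:
        seen = fingerprint(public_key)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: unverifiable, only as good as the channel used.
            self.pins[host] = seen
            self._save()
            return FIRST_SEEN
        # Never overwrite a pin silently; the caller must warn the user.
        return MATCH if hmac.compare_digest(pinned, seen) else CHANGED

    def _save(self) -> None:
        with open(self.path, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh)


def demo() -> list:
    """Constructed keys: same host seen twice, then with a different key."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        results = [PinStore(path).check("peer.example", b"constructed-key-A")]
        store = PinStore(path)  # reloaded from disk: the pin survives a restart
        results.append(store.check("peer.example", b"constructed-key-A"))
        results.append(store.check("peer.example", b"constructed-key-B"))
        return results
```

The first contact is accepted without any way to verify it, so pinning only detects a key that changes after that point.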




