undefined | Better HN

0 pointsH8crilA1y ago0 comments

Maybe I should have added what an encrypted, but not authenticated link looks like, because I meant it in both directions. An example would be doing unauthenticated Diffie-Hellman (without any signatures, or proving knowledge of a secret, or anything of this sort), then proceeding using the shared key with even the best of schemes. Another example would be a spy sending and receiving one-time-pad encrypted data via an untrusted, malleable channel - the only authenticity is in hoping that adversarial modifications will cause one of the endpoints to fail at "parsing" the message. It is indeed useless.

Also, this property of Signal is called repudiation (or non-non-repudiation :) ), meaning that you as a party in the communication can repudiate the origin of the message, i.e. say that you didn't write it. It is a nice extra feature, on top of authenticity and secrecy.

0 comments

tialaramex1y ago

> then proceeding using the shared key with even the best of schemes

Unlike with your "spy" scenario, this situation is in fact what TLS 1.3 builds initially and it's not useless at all, nor is the resulting link unauthenticated.

1. First Alice sends her fresh parameters to Bob

2a. Then Bob sends his fresh parameters to Alice

2b. Alice and Bob now have all the DH parameters and they now have a shared secret X

2c. Bob calculates a Digest of a transcript of the entire conversation so far and sends this Digest, encrypted with X to Alice, he can send this alongside the parameters if he wants

3. Alice also likewise calculates a Digest and sends the encrypted digest to Bob

Both Alice and Bob now have a shared secret and have an authenticated (because they've seen the other party's view of the conversation in the digest and confirmed it matches their expectation) communication channel which they can use. They don't learn each others' identity but, of course, it is easy to additionally offer this as part of the same protocol and HTTPS does so in one direction in the typical case.

Edited: Renumbered to clarify that only three messages are sent, parts 2a, 2b and 2c are actually a single message from Bob to Alice

H8crilAOP1y ago

I meant that man in the middle attacks make this effectively unauthenticated.

tialaramex1y ago

Suppose that Eric is in the middle.

Eric could allow those initial three messages to pass unmolested. In this case Alice and Bob now have an authenticated connection and Eric is unable to read or modify their messages. So I suppose you don't mean that.

What if Eric just substitutes his own message for Alice's in step 1? He provides his own parameters. Since these were not Alice's parameters, Alice will not provide an acceptable Digest for the conversation, the parameters Eric sent to Bob are different and do not match the transcript, the connection is terminated.

What if Eric substitutes Bob's only message in step 2? He provides his own parameters, and he can respond with a transcript digest for this alternate conversation. Now in fact the TLS 1.3 connection exists as normal, but it is between Alice and Eric. We're actually fine! We have a properly authenticated connection, with unidentified participants (we know they're Alice and Eric but Alice and Eric don't know that). Bob's connection fails, or he is unaware that Alice tried to connect.

Finally if Eric waits until Alice's second message in step 3, no message Eric knows how to construct is satisfactory. Only Alice's original message will work, other messages cause the connection to fail because Bob will not accept them.

1 more reply

j / k navigate · click thread line to collapse

0 comments

tialaramex1y ago

> then proceeding using the shared key with even the best of schemes

Unlike with your "spy" scenario, this situation is in fact what TLS 1.3 builds initially and it's not useless at all, nor is the resulting link unauthenticated.

1. First Alice sends her fresh parameters to Bob

2a. Then Bob sends his fresh parameters to Alice

2b. Alice and Bob now have all the DH parameters and they now have a shared secret X

2c. Bob calculates a Digest of a transcript of the entire conversation so far and sends this Digest, encrypted with X to Alice, he can send this alongside the parameters if he wants

3. Alice also likewise calculates a Digest and sends the encrypted digest to Bob

Edited: Renumbered to clarify that only three messages are sent, parts 2a, 2b and 2c are actually a single message from Bob to Alice

H8crilAOP1y ago

I meant that man in the middle attacks make this effectively unauthenticated.

tialaramex1y ago

Suppose that Eric is in the middle.

1 more reply

j / k navigate · click thread line to collapse