17 06 | 2013

Encryption without a certification layer is (partly) useless

Written by Tanguy

Classified in : Homepage, Debian, Grumble

With the PRISM scandal, there has been some talk about encrypted communication systems. For instance, BitMessage is often introduced as an easy and secure message system, that would allow you to communicate with no possible eavesdropping. Apple is also making similar claims about their systems iMessage and FaceTime.

This is a good time to remind this: without direct contact or a certification layer, encryption systems are not secure! Or at least, not as secure as you would expect, as they do allow some kind of eavesdropping.

Let us take the example of BitMessage:

  1. Alice sends her BitMessage address to Bob by email, an insecure channel;
  2. Mallory catches that email message and changes Alice's BitMessage address with his own;
  3. Bob sends a BitMessage for Alice to the address he received, which he thinks is Alice's, but is in fact Mallory's;
  4. Mallory receives the message, reads it, modifies it if he wants, and sends it to Alice.

This is a man-in-the-middle attack, a kind of active eavesdropping technique that requires read-modify access to a communication line. Without a specific way to ensure that a cryptographic key really belongs to its alleged owner, a cryptographic system is vulnerable to such attacks, even if it does protect against simpler attacks (like passive eavesdropping or introduction of MiTM after the introduction sequence). When you read that a cryptographic system provides end-to-end security and is impervious to eavesdropping, while it provides no mean to make sure you are in contact to the right person, remember to consider this affirmation as what it is: a lie.

5 comments

monday 17 june 2013 à 20:47 Anonymous said : #1

There *is* value in opportunistically preventing non-MITM eavesdropping. Not as much value, but value.

monday 17 june 2013 à 21:19 Tanguy said : #2

@Anonymous : Yes, there is value, I just wanted to react to the many articles saying that this or that cannot be eavesdropped, which is often simply wrong.

tuesday 18 june 2013 à 09:13 Sebastian Weisgerber said : #3

Authentication really matters in encryption.
But there are possibilities without certificates, to ensure the identity of the person you are talking to, or at least to prevent MitM attacks.
See for example ZRTP for voice encryption or OTR for message encryption.

With the aid of shared secrets, you can _increase_ the likeliness, that the identity is correct, but you can't be 100% sure.
If someone steals your contact's phone or your contact person is extorted while talking to you, third parties can still eavesdrop your communication...
=> At least one party knows what happened in these scenarios, which doesn't help if your are the unaware one...

tuesday 18 june 2013 à 09:39 Tanguy said : #4

@Sebastian Weisgerber : Well, if you can meet someone to define or check a shared secret, you might as well exchange public keys with each other…

friday 20 september 2013 à 18:15 dolanor said : #5

Except that a shared secret could be a simple, uncomplicated password that you whisper in one's ear. Saying the full fingerprint or the full public key in base64 or hexa would be less practical.

I agree though that giving a usb key could be an easy solution though

Write a comment

What is the fourth letter of the word mofdsn? : 

Archives