Newsgroups: sci.crypt
Path: msuinfo!uchinews!linac!uwm.edu!rpi!batcomputer!cornell!rochester!cantaloupe.srv.cs.cmu.edu!mnr
From: mnr+@cs.cmu.edu (Marc Ringuette)
Subject: Re: the trusted public-key distribution problem
Message-ID: <1992Feb18.202048.296452@cs.cmu.edu>
Date: Tue, 18 Feb 92 20:20:48 GMT
Organization: School of Computer Science, Carnegie Mellon
Nntp-Posting-Host: daisy.learning.cs.cmu.edu
Lines: 54

Dan writes,
> If you intercept *everything* at Carl's end, and forge Carl's key to the
> public, then you can certainly do this. Otherwise I don't see how such a
> situation can possibly arise.

I'd like to convince you that it's not necessary to spoof the whole world in
order to spoof communications between Dan and Carl.  This is an important
point, because if spoofing isn't global, it is much more insidious and harder
to detect.

I didn't adequately demonstrate this in the previous post.  I forgot that
if the correct public key is known in _either_ direction, then spoofing
can be detected.

I propose the following revised scheme.  Let's say I want to play games with
Carl by intercepting any communications he starts up with anybody on
sci.crypt who has a name starting with D.  I install a daemon on Carl's
machine which does the following:

   1.  Replace each sci.crypt post from someone whose name starts with D
       with one containing a new public key of my own.

   2.  If Carl ever sends one of them email, replace his public key with
       my own in communications with that person.  Now I have control of
       both directions in the link.

This should be great fun.

If Carl later posts on sci.crypt about what an asshole this guy named
(Dan,57293456) is, everybody else can say "who?" and the spoofing will be
caught out.  Until that point, they're none the wiser.

---

So basically what I'm saying is, as long as I can intercept all
communications between Dan and Carl from rendezvous onward, security
is thoroughly broken.  This suggests that an essential part of your
scheme should be to 

  --> ensure that you're never ever a leaf node (i.e. where someone
      can successfully intercept all of your communications)        <--

or perhaps to

  --> ensure that you check out each public key you receive with 
      somebody who's not on the same leaf as you                    <--

The first is impractical.  The second may be workable, but needs some work.
Who do you check it with?  Perhaps a quorum of your friends, or a quorum
of randoms off the net?


[ Marc Ringuette | Cranberry Melon University, Cucumber Science Department  ]
[ mnr@cs.cmu.edu | 412-268-3728 | "I've half a mind to be a vegetable."     ]
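The "check each public key with somebody who's not on the same leaf as you" idea from the post, worked through as a small simulation. This is an added example, not code from the original post or from Marc Ringuette; the key bytes, the three-friend quorum, the threshold of two, and the `Link`/`Directory` model are constructed assumptions. It models an intercepted link that substitutes its own key on everything crossing it (the daemon described above), and then shows that Carl can catch the substitution by comparing the fingerprint he sees for Dan against what friends reached over independent paths see. It assumes the friends' replies reach Carl untampered; if the attacker owns Carl's whole leaf, that assumption fails, which is exactly the post's first (impractical) condition.

```python
"""Quorum cross-check of a received public key (constructed example).

Model:
  * Keys are opaque byte strings; parties compare short SHA-256 fingerprints
    rather than whole keys, as one would read out over the phone.
  * A Link is a path over which one party sees another's key. A compromised
    link replaces every key that crosses it with the attacker's key, in both
    directions, like the daemon in the post. An honest link passes keys through.
  * Carl compares his own view of Dan's key with the views of a quorum of
    friends reached over other links. Disagreement with the quorum means the
    key is rejected and the spoof is detected.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Link:
    """A communication path; if compromised, keys crossing it are substituted."""
    compromised: bool = False
    substitute: Optional[bytes] = None

    def deliver(self, pubkey: bytes) -> bytes:
        if self.compromised and self.substitute is not None:
            return self.substitute
        return pubkey


@dataclass
class Directory:
    """The 'true' published keys (what an uncompromised reader would see)."""
    keys: Dict[str, bytes] = field(default_factory=dict)


def observed_fingerprint(directory: Directory, name: str, link: Link) -> str:
    """Fingerprint of `name`'s key as seen through `link`."""
    return fingerprint(link.deliver(directory.keys[name]))


def quorum_check(directory: Directory, subject: str, my_link: Link,
                 friend_links: List[Link], threshold: int) -> Tuple[bool, str, List[str]]:
    """Accept the key only if at least `threshold` friends see the same fingerprint.

    Returns (accepted, my_fingerprint, friend_fingerprints).
    """
    mine = observed_fingerprint(directory, subject, my_link)
    votes = [observed_fingerprint(directory, subject, link) for link in friend_links]
    agreeing = sum(1 for v in votes if v == mine)
    return agreeing >= threshold, mine, votes


# Constructed sample data: Dan's real key and the attacker's substitute.
DAN_REAL_KEY = b"dan-real-public-key-2048-bit-placeholder"
ATTACKER_KEY = b"attacker-substituted-key-placeholder"


def run_scenario(carl_link_compromised: bool, compromised_friends: int = 0,
                 friends: int = 3, threshold: int = 2) -> Tuple[bool, str, List[str]]:
    """Carl checks Dan's key with `friends` friends, `compromised_friends` of whom
    are reached over links the attacker also controls."""
    directory = Directory({"Dan": DAN_REAL_KEY})
    tapped = Link(compromised=True, substitute=ATTACKER_KEY)
    carl_link = tapped if carl_link_compromised else Link()
    friend_links = ([Link(compromised=True, substitute=ATTACKER_KEY)] * compromised_friends
                    + [Link()] * (friends - compromised_friends))
    return quorum_check(directory, "Dan", carl_link, friend_links, threshold)


if __name__ == "__main__":
    for tapped, bad_friends in [(False, 0), (True, 0), (True, 1), (True, 2)]:
        ok, mine, votes = run_scenario(tapped, bad_friends)
        print(f"carl_tapped={tapped} bad_friends={bad_friends} "
              f"mine={mine} votes={votes} accepted={ok}")
```

With Carl's link tapped and three honest friends, Carl's fingerprint matches none of the three votes and the key is rejected. With one friend also reached over a tapped path, the remaining two honest votes still outvote it. With two of three friends tapped, the attacker's fingerprint wins the quorum and the substitution is accepted: the check only helps when the attacker does not control a majority of the paths to your quorum, which is the "not on the same leaf" condition stated in the post.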
