
It so is. A plain old Diffie Hellman key exchange will give you encryption without authentication.

All you need for encryption is to be able to share a secret - this in no way requires authentication.



I have a secret. I want to share this secret with only my best friend. I do this by telling the secret to everybody I meet, whether they look like my friend or not. Eventually I meet my friend, and tell them too.

This is confidentiality without authenticity. It is an incoherent idea.


It's incoherent at a high level, and it stays incoherent as you delve deeper into the theory. For instance, systems that lack authentication tend to lose confidentiality to error oracles.


Without authentication your connection is susceptible to undetectable man-in-the-middle attacks that DHE does nothing to prevent. That they're separable is superficially true, but not interesting, as encryption alone doesn't stop people from reading your traffic, which is the whole point.


This argument comes up so regularly, one might speculate that some people are trying to keep the internet in plaintext[1].

Yet again, encryption is a replacement for plaintext, which is the only thing it should be compared to. Of course you can MitM attack it, but that's not something that is easily done in bulk.

Simple encryption raises the cost of an attack from "trivial wiretaps, DPI optional" to the time, money, and effort required to do a targeted MitM attack. Additionally, while it is generally impossible to detect wiretaps, MitM can leak information that betrays the presence of an attack.

Remember, this isn't intended to stop all types of attacks. It is simply a very easy to implement feature that lets you replace plaintext with something resistant (not proof) to eavesdropping in general, and proof against some types of bulk surveillance.

Note: I haven't said anything about presenting this type of non-authenticated communication to the user as "secure".

[1] see PHK's "Operation Orchestra" talk


It doesn't raise the bar high enough that the people who are currently snarfing internet traffic wholesale would bat an eye.

It doesn't matter how secure the phone line is when you have no idea who you're actually talking to. Especially when there are people with money, means and access to make sure that you're always talking to them.


Currently everything is in plaintext, so having to do a man-in-the-middle to read what's going on is already an improvement.


To follow up on what apendleton has said - I have been involved in implementing standard protocols (e.g. IKEv2) that involve DHE to set up an encrypted connection. The first step in all of these is ALWAYS to verify that the Diffie-Hellman value you got from the other side is actually from who you want to talk to, otherwise it is trivial to run a MITM.
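The two points made in the comments above, that a plain DH exchange is silently interceptable and that real protocols therefore verify the origin of the peer's DH value before using it, can be shown side by side in code. The following is an added example written for this thread, not code from any of the commenters or from an IKEv2 implementation. It uses a toy group (p = 2^255 - 19, g = 2) purely for illustration, a constructed pre-shared key standing in for whatever long-term credential a real protocol would use, and a toy XOR "cipher" so that Mallory's ability to read relayed traffic is visible; none of these are suggestions for real use.

```python
import hashlib
import hmac
import secrets

# Toy multiplicative group for illustration only: p = 2^255 - 19 is prime, but real
# deployments use the standardised MODP groups (RFC 3526 / RFC 7919) or an elliptic curve.
P = 2**255 - 19
G = 2

# Constructed long-term secret shared out of band; stands in for a PSK or a signing key.
PSK = b"constructed pre-shared key, not a real credential"


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret (hashed, as a KDF would)."""
    if not 2 <= peer_pub <= P - 2:             # reject 0, 1 and p-1 (degenerate values)
        raise ValueError("bad peer public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def unauthenticated_exchange(mallory_in_path):
    """Plain DH over a channel Mallory may control; returns the key each party ends up with."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    if not mallory_in_path:
        return {"alice": dh_shared_key(a, B), "bob": dh_shared_key(b, A), "mallory": None}
    # Mallory replaces each public value in flight with one of her own. Nothing in the
    # exchange lets Alice or Bob notice: they each complete a perfectly valid DH, with her.
    ma, MA = dh_keypair()   # what Bob receives instead of A
    mb, MB = dh_keypair()   # what Alice receives instead of B
    return {
        "alice": dh_shared_key(a, MB),
        "bob": dh_shared_key(b, MA),
        "mallory": (dh_shared_key(mb, A), dh_shared_key(ma, B)),  # her key with Alice, with Bob
    }


def toy_encrypt(key, msg):
    """One-time XOR with a hashed keystream; illustrative only, not an AEAD."""
    assert len(msg) <= 32
    stream = hashlib.sha256(key + b"keystream").digest()
    return bytes(m ^ s for m, s in zip(msg, stream))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def relay_through_mallory(keys, msg):
    """Alice -> Mallory -> Bob: Mallory reads and re-encrypts; Bob decrypts cleanly and sees nothing odd."""
    k_with_alice, k_with_bob = keys["mallory"]
    ct_from_alice = toy_encrypt(keys["alice"], msg)
    plaintext_seen_by_mallory = toy_decrypt(k_with_alice, ct_from_alice)
    ct_to_bob = toy_encrypt(k_with_bob, plaintext_seen_by_mallory)
    return plaintext_seen_by_mallory, toy_decrypt(keys["bob"], ct_to_bob)


def auth_tag(pub, role):
    """Proof that the holder of PSK originated this public value in this role.
    Real protocols MAC or sign the whole transcript (nonces, identities, both values);
    the role label here at least stops a value being reflected back at its sender."""
    return hmac.new(PSK, role + pub.to_bytes(32, "big"), hashlib.sha256).digest()


def authenticated_exchange(mallory_in_path):
    """DH where each side authenticates its value before the other uses it; returns (ok, keys)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    A_sent, tag_a = A, auth_tag(A, b"alice")
    B_sent, tag_b = B, auth_tag(B, b"bob")
    if mallory_in_path:
        _, A_sent = dh_keypair()   # Mallory can swap the values but cannot recompute the tags
        _, B_sent = dh_keypair()
    # First step, as the IKEv2 comment says: verify the value came from the intended peer.
    if not hmac.compare_digest(tag_a, auth_tag(A_sent, b"alice")):
        return False, None
    if not hmac.compare_digest(tag_b, auth_tag(B_sent, b"bob")):
        return False, None
    return True, (dh_shared_key(a, B_sent), dh_shared_key(b, A_sent))


if __name__ == "__main__":
    keys = unauthenticated_exchange(mallory_in_path=True)
    seen, received = relay_through_mallory(keys, b"hello bob")
    print("Mallory read:", seen, "| Bob received:", received)
    print("authenticated exchange with Mallory in path:", authenticated_exchange(True)[0])
```

With Mallory in the path the unauthenticated run still "works" end to end for Alice and Bob, which is exactly why it is undetectable from inside the protocol; the authenticated run aborts at the verification step, before any key is derived from the substituted value.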



