Is there some standard protocol for mutual authentication of two parties when th
Question
Is there some standard protocol for mutual authentication of two parties when there is the possibility of using public key cryptography? The problem is that the two parties can use public key cryptography, but the public keys are not embedded within any kind of certificate. Is there a way to avoid MITM attacks? Simple use of public keys for authentication does not solve the problem of a MITM attack (I would have to be sure about the public key's authenticity first). If I understand correctly, FIPS 196 requires the use of authenticated keys, so this is no solution. Is it possible? If there is no previous communication and no certificates, then how would it be possible for Alice and Bob to recognize that there is an Eve trying to do something nasty? And if there were a possibility for Alice to verify the fingerprint of Bob's public key, would that be possible? Is there some standard protocol for this?
Explanation / Answer
Without an out-of-band channel, no.
If all Alice has is a public key, she can't tell the difference between Bob's key and Mallory's. Hence Mallory can mount a man-in-the-middle attack.
To prevent this you either need a certificate or a trusted out-of-band channel through which you confirm the key. The channel could be something that is harder to man-in-the-middle (e.g. the phone network) which you use to exchange key fingerprints, it could be an in-person meeting (some people put PGP fingerprints on their business cards), or it could be that you remember the key from the last time you connected (which only prevents subsequent man-in-the-middle attacks).
A somewhat novel application of this is used in the ZRTP key agreement protocol used in VoIP. ZRTP generates a short authentication string (SAS) based on the users' keys. Bob can read that SAS to Alice and, assuming Mallory can't forge Bob's voice in real time, the channel is secure and the key is authenticated.
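As an added illustration of the fingerprint/SAS comparison the answer describes (example code, not from the original post or from the ZRTP specification), here is a toy Python model of a ZRTP-style short authentication string. The Diffie-Hellman group, the SAS derivation and the private-key values are constructed for the demo and are not ZRTP's real parameters; the point is that an attacker who substitutes key material ends up giving the two sides different transcripts, which the out-of-band voice comparison exposes.

```python
import base64
import hashlib

# Constructed toy Diffie-Hellman parameters, chosen so the numbers stay
# readable. A real deployment uses a standard large group or ECDH.
P = 2**127 - 1   # the Mersenne prime M127, used here only as a toy modulus
G = 5


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, other_pub: int) -> int:
    return pow(other_pub, priv, P)


def sas_digest(shared: int, pub_a: int, pub_b: int) -> bytes:
    """Hash the DH result together with both public values, so the SAS
    commits to the whole exchange exactly as each side saw it."""
    data = b"".join(x.to_bytes(16, "big") for x in (shared, pub_a, pub_b))
    return hashlib.sha256(data).digest()


def sas(shared: int, pub_a: int, pub_b: int) -> str:
    """Four base32 characters (20 bits), in the spirit of ZRTP's B32 SAS."""
    return base64.b32encode(sas_digest(shared, pub_a, pub_b)[:5]).decode()[:4]


def honest_session(a_priv: int, b_priv: int) -> tuple:
    """Alice and Bob exchange public values directly; both see (A, B)."""
    A, B = dh_public(a_priv), dh_public(b_priv)
    return sas(dh_shared(a_priv, B), A, B), sas(dh_shared(b_priv, A), A, B)


def mitm_session(a_priv: int, b_priv: int, m_priv: int) -> tuple:
    """Mallory relays the handshake but substitutes her own value M, so
    Alice is keyed with Mallory and so is Bob. Each side now hashes a
    different transcript, and the two SAS values (almost always) differ."""
    A, B, M = dh_public(a_priv), dh_public(b_priv), dh_public(m_priv)
    alice = sas(dh_shared(a_priv, M), A, M)   # Alice believes M is Bob's key
    bob = sas(dh_shared(b_priv, M), M, B)     # Bob believes M is Alice's key
    return alice, bob


def voice_check(alice_sas: str, bob_sas: str) -> bool:
    """The out-of-band step: Bob reads his SAS aloud and Alice compares it
    with hers. A mismatch means the key material in transit was tampered with."""
    return alice_sas == bob_sas


if __name__ == "__main__":
    print("honest:", honest_session(123456789, 987654321))
    print("mitm:  ", mitm_session(123456789, 987654321, 555555555))
```

A 20-bit SAS lets a substituted key slip through with probability about one in a million per call, which is why ZRTP also carries key continuity forward between sessions rather than relying on the spoken check alone.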