[cryptography] binding to channel params to prevent MITM

Ralf Philipp Weinmann ralf at coderpunks.org
Sun Dec 5 04:37:40 EST 2010

On Dec 4, 2010, at 9:50 PM, travis+ml-rbcryptography at subspacefield.org wrote:

> Hey I don't know what it's called, but I'm wondering how one binds a
> challenge/response (or whatever you authenticate with) inside a secure
> tunnel to prevent the peer from relaying it on to another party to
> answer.
> I assume it could be as simple as signing a nonce and some parameter
> of the channel (such as an ephemeral key) and sending that (or something
> derived from it) as the challenge, but curious what the options and
> tradeoffs are.

Hi Travis,

it depends on /what exactly/ you are using for authentication. If you want to bootstrap trust, I suggest you have a look into the Socialist Millionaire Protocol [1]. This is used by OTR and builds on zero-knowledge proofs. A decent description is even given on Wikipedia these days:



[1] Markus Jakobsson, Moti Yung: Proving without knowing: On oblivious, agnostic and blindfolded provers. 
    Advances in Cryptology - CRYPTO '96, LNCS 1109, pp. 186–200, Springer, Berlin.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20101205/01731b32/attachment.html>

More information about the cryptography mailing list