IETF-SSH archive


Re: Question on transport protocol



On Tue, 15 Jan 2002, Richard E. Silverman wrote:

> On Tue, 15 Jan 2002, Derek Fawcus wrote:
> 
> > Or is the intention that if a non DH exchange is used, then this delay
> > is required (i.e. in the more general case).
> 
> Exactly.  In your next post, you write:
> 
> > The obvious problem with implicit server authentication is that it
> > leaves one open to a MITM attack...
> 
> This doesn't make sense, as a big objective of anything called "server
> authentication" is exactly to *prevent* MITM.  Perhaps you have some model
> of implicit authentication in mind, but the spec does not specify a
> mechanism for "implicit server authentication."  The idea is merely that
> it might happen as an integral part of some future key-exchange method,
> which could then do without the explicit server auth mechanism described here.
> For examples, see the server auth method of SSH-1, as well as the
> proposed GSSAPI/Kerberos method for SSH-2.

FWIW, the GSSAPI key exchange doesn't rely on this -- during key exchange,
a GSSAPI security context is established and then used to sign a DH
exchange, similarly to the way the host key is used during the normal
signed DH exchange described in the transport draft.  Once GSSAPI keyex is
complete, you know the server's identity and that there is no MITM. 

However, there's something in the back of my mind saying that removing
this requirement would be a bad idea.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
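
Added illustration (not part of the original message, and not code from any SSH implementation) of why authenticating the DH exchange rules out a MITM, as the message above describes. Assumptions: a toy DH group, a simplified exchange hash over only e, f and K, and an HMAC under a shared key standing in for the integrity check produced by the established GSSAPI context.

```python
import hashlib
import hmac
import secrets

P = 2**521 - 1  # toy prime modulus (constructed for the example, not an SSH group)
G = 3

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def exchange_hash(e, f, k):
    # Simplified H: binds both public DH values and the shared secret.
    h = hashlib.sha256()
    for n in (e, f, k):
        h.update(n.to_bytes(66, "big"))
    return h.digest()

def mic(ctx_key, h):
    # Stand-in (assumption) for the security context's integrity check over H.
    return hmac.new(ctx_key, h, hashlib.sha256).digest()

def client_accepts(ctx_key, e, x, f_seen, token):
    # The client recomputes H from what it sent and what it received.
    k = pow(f_seen, x, P)
    return hmac.compare_digest(token, mic(ctx_key, exchange_hash(e, f_seen, k)))

def run(mitm):
    ctx_key = secrets.token_bytes(32)  # held by the client and the real server only
    x, e = dh_keypair()                # client's DH pair
    y, f = dh_keypair()                # server's DH pair
    e_seen, f_seen = e, f              # values as delivered by the network
    if mitm:
        _, fm = dh_keypair()           # intermediary swaps in its own public value
        e_seen, f_seen = fm, fm
    # The server computes H over the values it saw and authenticates it.
    k_server = pow(e_seen, y, P)
    token = mic(ctx_key, exchange_hash(e_seen, f, k_server))
    # The intermediary can only relay the token; it cannot produce one itself.
    return client_accepts(ctx_key, e, x, f_seen, token)

if __name__ == "__main__":
    print("clean exchange accepted:", run(False))
    print("tampered exchange accepted:", run(True))
```

Because the two sides hash different DH values when anything in the exchange is substituted, the relayed token fails verification and the client aborts before any session keys are used.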



