Permanently Deleted

  • gammison [none/use name]
    4 years ago

    It's a bit esoteric; the point is that A can be tricked into thinking it sent a message to someone, but in actuality it was sent to someone else without C needing to coerce anything to B. Like there's a series of mathematically precise steps done, without violating the protocol (well, it's a violation but not a noticeable one). The attacker here is presumed to be computationally bounded. We're not modeling a scenario where C can go and break B's legs for the keys. C is not even the attacker here, B is. B does not actually even get the key in this attack; they trick A into sending it to C without needing any private information from C. The important part is that from A's perspective, without violating the protocol, they don't know they shared keys with the wrong person. Also note I'm like 90 percent sure this got fixed years ago.

    From the paper: Suppose Bart (Pb) wants to trick his friend Milhouse (Pa). Bart knows that Milhouse will invite him to his birthday party using TEXTSECURE (e.g., because Lisa already told him). He starts the UKS attack by replacing his own public key with Nelson's (Pe) public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered, as that requires less effort than restoring an encrypted backup of the existing key material. Now, as explained in more detail below, if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse (Pa) believes that he invited Bart (Pb) to his birthday party, where in fact, he invited Nelson (Pe).

    • Civility [none/use name]
      4 years ago

      Thanks!

      I think I get it now.

      So the problem is B is essentially forging A's private key by redirecting A's messages to whoever they want to while A thinks they're sending them to B and C thinks the messages are directly from A and has no idea about B's involvement?

      • gammison [none/use name]
        4 years ago

        It's not forging the key; they can't make their own messages, or even read the messages A sent them that they're redirecting. Everything else, yeah, that's pretty much right.
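
An added example, not part of the thread or the paper: a simplified model of the unknown key-share described above, showing why a key derived only from the Diffie-Hellman secret lets the forwarded message verify, and why binding both parties' identities into the derivation makes it fail. The toy group, the MAC standing in for TextSecure's real handshake, the `directory` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (far too small for real use).
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub, initiator=None, responder=None):
    """Derive a MAC key from the DH secret; optionally bind both identities."""
    shared = pow(peer_pub, my_priv, P).to_bytes(16, "big")
    ids = b"" if initiator is None else f"|{initiator}|{responder}".encode()
    return hashlib.sha256(shared + ids).digest()

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def run(bind_identities):
    """Return True if Nelson accepts the message Milhouse meant for Bart."""
    a_priv, a_pub = keypair()   # Milhouse (Pa)
    e_priv, e_pub = keypair()   # Nelson (Pe)
    # Constructed key directory: Bart (Pb) has registered Nelson's public key.
    directory = {"milhouse": a_pub, "nelson": e_pub, "bart": e_pub}
    msg = b"Come to my birthday party"

    # Milhouse authenticates the message for the peer he believes is Bart.
    a_ids = ("milhouse", "bart") if bind_identities else ()
    k_a = session_key(a_priv, directory["bart"], *a_ids)
    t = tag(k_a, msg)

    # Bart holds no matching private key, so he can only forward (msg, t).
    # Nelson verifies it as a message addressed to himself.
    e_ids = ("milhouse", "nelson") if bind_identities else ()
    k_e = session_key(e_priv, directory["milhouse"], *e_ids)
    return hmac.compare_digest(t, tag(k_e, msg))

if __name__ == "__main__":
    print("key from DH secret only, Nelson accepts:", run(False))
    print("identities bound into key, Nelson accepts:", run(True))
```

With identities bound, Milhouse derives a key for the pair (milhouse, bart) and Nelson for (milhouse, nelson), so the mismatch surfaces as a failed verification instead of a silent misdelivery.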