Bitcoin Forum
Author Topic: Mitigating risks from MITM attacks on plain-text Protocols  (Read 3159 times)
coinsolidation (OP), Sr. Member, Activity: 294, Merit: 250, Bitmark Developer
August 09, 2014, 10:43:20 PM  #1

I was wondering if anybody has documented approaches to validating the integrity of addresses which have been sent over plain text protocols?

Talking it out in the usual fashion:

Bob sends a payment request url to Mary.
Mary wishes to verify that Bob does control the private key corresponding to the address she received, cryptographically.
Harry cannot know the address, or that Mary and Bob have transacted.

Sign the address and publish the signature in a collection somewhere?

Input?

Bitmark (reputation+money) : Bitmark v0.9.4 (release)
azeteki, Member, Activity: 96, Merit: 10, esotericnonsense
August 09, 2014, 10:51:52 PM  #2

This is kind of a 'turtles all the way down' problem.

Bob can sign a message with his PGP key that says something along the lines of 'I have the ability to spend from address 1abcdef'.
Or he can sign a BitMessage with the address's privkey.

But Alice still needs to authenticate Bob is who he says he is. Web of trust, key signing party, root authority, whatever.

If both parties have each others' PGP keys already then they can just chat with each other. Harry knows they're talking, doesn't know what is being said.
Second level: initial conversation establishes pseudonyms for Alice and Bob and new key material.
Alice and Bob then go off using their pseudonyms in all following communication and Harry now knows nothing (unless he's also tapping their connections at ISP level or has some other identification mechanism).

How do you know I am the real 'azeteki'? I can sign this message using my PGP key. I signed one of my first posts with it, so in the absence of my key material being compromised you've shown that we're the same person.

But could an attacker edit that first post and resign with his own key? Maybe.

Was the first post made by the same 'azeteki' that originated the pseudonym? Maybe not.

Key management and auth are difficult problems.

coinsolidation (OP), Sr. Member, Activity: 294, Merit: 250, Bitmark Developer
August 09, 2014, 11:29:07 PM  #3

Very good points, turtles all the way down.

AuthN and AuthZ can be handled separately, any approaches described should be agnostic.

If we assume that a well-known network accessible resource Y is established as being under Bob's control, and that Mary knows of Y, what machine readable information can be made available at Y, such that Mary can establish that the private key of ADDRESS is also controlled by the controller of Y?

What is the least amount of information that can be provided?

If we can establish that, then later we can consider perhaps shared secrets, ACL, etcetera.

Is this a fair approach?


Bitmark (reputation+money) : Bitmark v0.9.4 (release)
TRYpolar, Member, Activity: 61, Merit: 10
August 09, 2014, 11:36:47 PM  #4

You would need to have previously received some key whose signature you are able to verify when you receive some kind of text from a 3rd party.

If you are on a trusted site that is using HTTPS I don't think this would be an issue though.
azeteki, Member, Activity: 96, Merit: 10, esotericnonsense
August 09, 2014, 11:57:36 PM  #5

Quote from: coinsolidation
If we assume that a well-known network accessible resource Y is established as being under Bob's control, and that Mary knows of Y, what machine readable information can be made available at Y, such that Mary can establish that the private key of ADDRESS is also controlled by the controller of Y?

Be careful here.

Signing using a private key does not indicate sole control.
It may not indicate full control either.
I could hold my neighbour's key and perform tasks for him (imagine he's not very computer focused, for example).

If you establish that Bob actually does what he says he does (e.g. Bob says 'this key is under my sole control'), you can move forward.
That's a social construct, not a technological one.

Now:

'well-known network accessible resource Y is established as being under Bob's control'.

You need authentication, it's paramount, it can't be swept away as a side concern.

If you have a secure channel to Y and it's authed, Bob can send his address over it. He wouldn't send you an address that he couldn't access, that would be silly of him.

If you don't have a secure channel to Y, you need a way of Bob authenticating. E.g. PGP key or similar; Bob signs an address.
The channel could be censored but only Bob can send signed addresses over it.

This is kind of Crypto 101, I'm not familiar with all of the terminology. The basic minimum is to establish an identity for Bob. Asymmetric key seems like the best approach.
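One concrete shape for the machine-readable record at Y that the question in #3 asks about, which also covers the "sign a message with the address's privkey" idea from #2 (an example added here, not code from the thread, from Bitmark, or from BIP 70): the identity key behind Y signs the address, and the address key signs the identity key, so a substituted address fails one of the two checks. Assumptions: both keys are modelled with ed25519 rather than Bitcoin's secp256k1 message signing, and `addressOf` is a constructed stand-in for real address derivation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Binding is the record Bob publishes at Y. It carries no identity key: Mary
// already holds that, and the two signatures cross-bind address and identity.
type Binding struct {
	Address     string            // constructed address string derived from AddressPub
	AddressPub  ed25519.PublicKey // carried explicitly: ed25519 has no pubkey recovery
	IdentitySig []byte            // by the identity key, over "address:"+Address
	AddressSig  []byte            // by the address key, over "identity:"+hex(identityPub)
}

func addressOf(pub ed25519.PublicKey) string { // stand-in for address derivation
	h := sha256.Sum256(pub)
	return "addr_" + hex.EncodeToString(h[:8])
}

// MakeBinding is Bob's side: he holds both private keys.
func MakeBinding(identityPriv, addressPriv ed25519.PrivateKey) Binding {
	idPub := identityPriv.Public().(ed25519.PublicKey)
	addrPub := addressPriv.Public().(ed25519.PublicKey)
	b := Binding{Address: addressOf(addrPub), AddressPub: addrPub}
	b.IdentitySig = ed25519.Sign(identityPriv, []byte("address:"+b.Address))
	b.AddressSig = ed25519.Sign(addressPriv, []byte("identity:"+hex.EncodeToString(idPub)))
	return b
}

// Verify is Mary's side: trustedIdentity is the key she already associates with Y
// (obtained out of band); everything else comes from the fetched record.
func Verify(b Binding, trustedIdentity ed25519.PublicKey) bool {
	return addressOf(b.AddressPub) == b.Address &&
		ed25519.Verify(trustedIdentity, []byte("address:"+b.Address), b.IdentitySig) &&
		ed25519.Verify(b.AddressPub, []byte("identity:"+hex.EncodeToString(trustedIdentity)), b.AddressSig)
}

func main() {
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, addrPriv, _ := ed25519.GenerateKey(rand.Reader)
	b := MakeBinding(idPriv, addrPriv)
	fmt.Println("genuine record:", Verify(b, idPub)) // true
	hPub, _, _ := ed25519.GenerateKey(rand.Reader)  // Harry's key, swapped in on the wire
	b.AddressPub, b.Address = hPub, addressOf(hPub)
	fmt.Println("substituted address:", Verify(b, idPub)) // false
}
```

As azeteki notes, a passing check shows that whoever controls Y can also sign with the address key, not that they hold it alone; sole control stays a social question.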

Peter R, Legendary, Activity: 1162, Merit: 1007
August 09, 2014, 11:58:14 PM  #6

Quote from: coinsolidation
I was wondering if anybody has documented approaches to validating the integrity of addresses which have been sent over plain text protocols?

The place to start is probably the payment protocol (BIP 70):

Abstract. This BIP describes a protocol for communication between a merchant and their customer, enabling both a better customer experience and better security against man-in-the-middle attacks on the payment process.

https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
coinsolidation (OP), Sr. Member, Activity: 294, Merit: 250, Bitmark Developer
August 10, 2014, 12:23:53 AM  #7

Quote from: azeteki
The basic minimum is to establish an identity for Bob.

I was going to reply, consider this to be a way of further establishing trusted identification of Bob, which led me to think of it in a different way... BitID may hold some approaches.

To clarify I wasn't downplaying the role of establishing identification, it's an area I am very familiar with and was hoping to avoid creating another auth* protocol, and also tightly coupling to any specific existing ones.

Quote from: Peter R
The place to start is probably the payment protocol (BIP 70):

Abstract. This BIP describes a protocol for communication between a merchant and their customer, enabling both a better customer experience and better security against man-in-the-middle attacks on the payment process.

https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki

Thank you Peter, I had forgotten about this.

I will merge what seems applicable from BitID and BIP0070, then return to this subject later.

Thank you all for your valuable input so far, it is appreciated.

Bitmark (reputation+money) : Bitmark v0.9.4 (release)