Avoid MITM Attack in ECDH Without HTTPS or a Third Party Certificate Authority

Freddy Maldonado Pereyra

5/22/23, 5:06 AM

My context: I have a ECHD protocol, my main concern is MITM attack, it doesn't matters if you do HMAC or anything else in future to sign requests if your key exchange is compromised,

Far from https and third party certificate authority, is it possible to protect this channel, taking in account (supposing https is not safe, and we don't have a certificate authority) from MITM attacks?

What I have in mind: Do ECDSA, with a hardcoded "salt" or "pepper" present in mobile and backend, which essentially is never shared in an "Hostile" channel through networK:

Mobile: ECDSA(message+salt/pepper) -> Send to backend with public key Backend: (incoming data + salt/pepper) _> Verify signature with mobile's public key

This process is in two sides (We'll do the same when we get a service response)

This is a humble approach, we work in the finance industry and we are looking to level up our security in the worst case; i know that having hardcoded and non-rotating data/key/salt is not, in most cases, a good idea; the feedback from experts, in this context is priceless, how you protect this channel without https or certificate authorities? of course, maybe it's impossible, but maybe not, I hear you and thanks in advance!

0 + 0

dsa

diffie-hellman

knaccc

5/22/23, 6:35 AM

The easiest and safest thing to do is to use TLS with your own self-signed CA cert which you install into the trust stores on each client. If you are re-inventing the wheel, then you can achieve the same thing by hard-coding a server public key into the client, and then just have the server sign its ephemeral ECDH public key with the hard-coded server public key so that there isn't a MITM attack. I'm assuming that the client will also be authenticated to the server with a password or some other mechanism once the session is established.

Freddy Maldonado Pereyra

5/22/23, 11:40 PM

yes, the way we authenticate the connection is with http headers, sending an api key and api user which we provide earlier; we'll go with tls-self-signed CA, thank you for your response!! @knaccc

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Avoid MITM Attack in ECDH Without HTTPS or a Third Party Certificate Authority

TH: หลีกเลี่ยงการโจมตี MITM ใน ECDH โดยไม่มี HTTPS หรือผู้ออกใบรับรองบุคคลที่สาม

RO: Evitați atacul MITM în ECDH fără HTTPS sau o autoritate de certificare terță

RU: Избегайте атаки MITM в ECDH без HTTPS или стороннего центра сертификации

VI: Tránh tấn công MITM trong ECDH mà không cần HTTPS hoặc Cơ quan cấp chứng chỉ bên thứ ba

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.