Score:0

Avoid MITM Attack in ECDH Without HTTPS or a Third Party Certificate Authority

cn flag

My context: I have a ECHD protocol, my main concern is MITM attack, it doesn't matters if you do HMAC or anything else in future to sign requests if your key exchange is compromised,

Far from https and third party certificate authority, is it possible to protect this channel, taking in account (supposing https is not safe, and we don't have a certificate authority) from MITM attacks?

What I have in mind: Do ECDSA, with a hardcoded "salt" or "pepper" present in mobile and backend, which essentially is never shared in an "Hostile" channel through networK:

Mobile: ECDSA(message+salt/pepper) -> Send to backend with public key Backend: (incoming data + salt/pepper) _> Verify signature with mobile's public key

This process is in two sides (We'll do the same when we get a service response)

This is a humble approach, we work in the finance industry and we are looking to level up our security in the worst case; i know that having hardcoded and non-rotating data/key/salt is not, in most cases, a good idea; the feedback from experts, in this context is priceless, how you protect this channel without https or certificate authorities? of course, maybe it's impossible, but maybe not, I hear you and thanks in advance!

knaccc avatar
es flag
The easiest and safest thing to do is to use TLS with your own self-signed CA cert which you install into the trust stores on each client. If you are re-inventing the wheel, then you can achieve the same thing by hard-coding a server public key into the client, and then just have the server sign its ephemeral ECDH public key with the hard-coded server public key so that there isn't a MITM attack. I'm assuming that the client will also be authenticated to the server with a password or some other mechanism once the session is established.
Freddy Maldonado Pereyra avatar
cn flag
yes, the way we authenticate the connection is with http headers, sending an api key and api user which we provide earlier; we'll go with tls-self-signed CA, thank you for your response!! @knaccc
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.