From: Bill Stewart <stewarts@ix.netcom.com>
To: Bill Frantz <kelsey@plnet.net
Message Hash: 10cd06f433c31da923b067894632e0d2f9e866e467bb7629e40c8e1257218cc8
Message ID: <3.0.3.32.19971010195814.006b4024@popd.ix.netcom.com>
Reply To: <199710091908.UAA00790@server.test.net>
UTC Datetime: 1997-10-11 08:41:17 UTC
Raw Date: Sat, 11 Oct 1997 16:41:17 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 11 Oct 1997 16:41:17 +0800
To: Bill Frantz <kelsey@plnet.net
Subject: Re: Defeating MITM with Eric's Secure Phone
In-Reply-To: <199710091908.UAA00790@server.test.net>
Message-ID: <3.0.3.32.19971010195814.006b4024@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
>>> 1. Exchange PGP-encrypted e-mail establishing a set of
>>> sixteen different words, labeled for 0..f in each direction.....
>>> ``My checksum is Swordsman Swordsman Marxist, or 33f.''
That really does seem easier than all this checksum business;
if you're exchanging secrets anyway you could also type your
half-keys into some friendly application program, but this is fun.
On the other hand, for Alice's Fax Machine calling Bob's Fax Machine,
it's tougher to automate this stuff. Does the phone have some way
to output the checksums to a data port for checking later?
(stuffing it into the fax header field would be a nice touch.)
> Either Mallory is in the middle or he isn't. If he isn't, no problem.
> The word list remains secure.
>
>If he is in the middle, he has 15 chances in 16 of being caught on the
>first exchange. He only survives if the first digit of the Alice-Mallory
>connection is the same as the first digit of the Mallory-Bob connection.
If there's a failure, you're going to burn this list anyway;
if Alice and Bob each read all their codewords, Mallory can trick them
about 1/16**6 times (1/16Million), which is pretty low -
Mallory learns up to six codewords, but they're only useful if
he doesn't get caught or if Alice and Bob decide to reuse the list
because they don't have a chance to exchange more email.
So if you're not worried about denial of service, catch him.
You do have to make sure Alice and Bob _notice_ they've been hosed;
you can get a bit fancier by using two lists, one for use
in case of errors or other interruptions
Alice: Swordsman Swordsman Marxist ->
Mallory: Marxist COUGH COUGH ->
<- Bob: Dilbert Marxist Aardvark, and repeat please
<- Mallory: Swordsman Dilbert COUGH, and repeat please
Alice: Swordsman Swordsman Marxist, sounds like you have a cold? ->
Mallory: Marxist Dilbert Aardvark, and I've got a cold too. ->
As opposed to
<- Bob: Bogus Suspicious Fnord, and repeat please
Alice: Swordsman Swordsman Marxist, and I've got a bad feeling about this....
Even just using one list for Alice and one for Bob helps this attack.
>If Alice and Bob catch Mallory, they talk about the weather and exchange a
>new list by email. If they don't, there is a very high probability that
>the word list has not been compromised, and they can safely continue to use
>it for the next call.
Thanks!
Bill
Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Return to October 1997
Return to ““John Kelsey” <kelsey@plnet.net>”