From: Mix <mixmaster@remail.obscura.com>
Date: Sat, 11 Oct 1997 05:39:46 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Defeating MITM with Eric's Secure Phone
Message-ID: <199710102112.OAA29175@sirius.infonex.com>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Adam Back wrote:
>Monty Cantsin writes:
>> My apologies if this has already been discussed, but wouldn't this be
>> a straightforward solution?
>
>John Kelsey described the same system.
>
>[adding hex passphrase digits exchanged via PGP to display digits]
>
>> Any flaws?
>
>See my other recent post in this thread... I think it doesn't work
>because Mallet can recover the passphrase.  You must remember that
>when Mallet is actively doing a MITM attack he knows the digits on
>the display of each party.  With that info he can recover the
>passphrase by subtracting.  Then he can give Alice the correct
>checksum for the link A<->M and Bob the correct checksum for the link
>M<->B.

Oh, I get it.  Thanks.

And now I get why people want to assign passwords to each digit.
Mallory has no way of knowing all the mappings, even when one is
revealed.

Just to get a feel for what this looks like, a table like this one
could be exchanged in advance of each telephone call.  (Nothing here
is my invention, of course.)  The columns are used once successively
for each digit.

0: Tientsin           bedeviling         Menominee          bonneted           coincides          quotation
1: handling           Bernadine          prouder            Navaho             fittingly          Swinburne
2: degrading          Puritanizes        allophone          acquaint           jack               renditions
3: clientele          homo               Verderer           diskettes          overview           surmounts
4: delimiting         probes             sobering           modulating         situated           jelly
5: bewail             reflex             multistage         plastics           stigmata           scandal
6: Genoa              divider            synonym            bipeds             tale               denominators
7: aborts             carbons            welding            amalgam            chain              innovation
8: salvaging          Fargo              transitional       relishes           Ozarks             meditations
9: overlapping        Tehran             desperation        initiated          intimidate         beggars
A: whereby            muffins            Soddy              miniatures         diagnostic         proportionment
B: flour              pistils            aback              despatched         Rydberg            tales
C: lifespan           sallying           Arianist           kindness           side               corporal
D: wrongs             nervousness        minting            totaller           feather            copyrightable
E: intoxicated        Yukon              Boyd               response           ingredients        numismatist
F: stairway           imitation          consulted          printably          anesthetizes       interval

This has about 85 bits of entropy assuming the words are randomly
selected from a pool of 20,000.  As Mallory only gets one try, those
are very good odds.  This is completely practical and secure because
the table is easy to generate and exchange.

(Not that an in-band method wouldn't be way cool!)

Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEUAwUBND56bpaWtjSmRH/5AQGcfQf3Y8tpnovD2tVVqUdJwHBg4ZgKfulxP2EH
nuXSuvg7eMJ1veHw3ObmsiA+MzPzoBbrEkYM6u5TN3U+ytZbb5A/ogvD3fZepwhW
Sns5l0J6y5gK4nRd9AqvU7MBp21iugJy6VEPwQzKwTIj/lkUydKeODluZSOqatyL
NHr9qdZQrvvzsmvRL6EGvf2yEmYTeLg5XscLWPIyyA24jEMJNUXyQ5+W6bTx3Pxc
aUBiSbVtoYIJDGKdzNGUu7QtlQP0DSQ+81kW4R86CreFx7H8rwRdr7dpwgTMADgZ
ps2Nj0M71x9R8W9Jukg1eBw/xoyihldEo4SGrpDECv+Iawu+HSgZ
=CEWV
-----END PGP SIGNATURE-----