1997-10-10 - Re: authentication suggestion for secure phone (Re: computationally infeasible jobs for MITMs)

Header Data

From: John Deters <jad@dsddhc.com>
To: Adam Back <stewarts@ix.netcom.com
Message Hash: 8f5b6c97d0b84a99773da16297d03e0f9f3aecd3be8e413273530518bd5b4f64
Message ID: <3.0.3.32.19971010100231.00a56c60@labg30>
Reply To: <3.0.3.32.19971009111805.006aedf0@popd.ix.netcom.com>
UTC Datetime: 1997-10-10 15:12:56 UTC
Raw Date: Fri, 10 Oct 1997 23:12:56 +0800

Raw message

From: John Deters <jad@dsddhc.com>
Date: Fri, 10 Oct 1997 23:12:56 +0800
To: Adam Back <stewarts@ix.netcom.com
Subject: Re: authentication suggestion for secure phone (Re: computationally infeasible jobs for MITMs)
In-Reply-To: <3.0.3.32.19971009111805.006aedf0@popd.ix.netcom.com>
Message-ID: <3.0.3.32.19971010100231.00a56c60@labg30>
MIME-Version: 1.0
Content-Type: text/plain



At 01:15 PM 10/10/97 +0100, Adam Back you wrote:
>Persistence authentication suggestion:
>A way to use the fact that you have had one or more non-MITM'd calls
>is for the unit to remember the number and exchange a secret with the
>called unit inside the encryption envelope.

The problems with this solution are twofold:

1.  Eric may have to redesign the unit to have persistent read-write
storage.  And maybe a *lot* of storage, if you use it a lot.  Maybe a lot
of expen$ive $torage at that.  His phone is already priced way out of the
consumer market, let's not add to that.

2.  I had problems with UUCP when my machines got out of sync (way back
when.)  Just think how bad they'll look if they refuse to light up "secure"
because one guy had to change batteries.

I agree with you that external authentication is the only way to fly.  And
if it is simply accepted, lets let Eric's unit survive unmolested and use
PGP out-of-band (as per Monty's suggestion) or use PGP to exchange session
keys (like in Speak Freely.)

I also think the most likely avenue of attack will be a black bag job on
the individual user's phone.  MITM attacks seem too risky and expensive to
pay off.

John
--
J. Deters "Don't think of Windows programs as spaghetti code.  Think
          of them as 'Long sticky pasta objects in OLE sauce'."
+--------------------------------------------------------------------+
| NET:   mailto:jad@dsddhc.com (work)   mailto:jad@pclink.com (home) |
| PSTN:  1 612 375 3116 (work)          1 612 894 8507 (home)        |
| ICBM:  44^58'36"N by 93^16'27"W Elev. ~=290m (work)                |
| For my public key, send mail with the exact subject line of:       |
| Subject: get pgp key                                               |
+--------------------------------------------------------------------+






Thread