1997-10-09 - Re: computationally infeasible jobs for MITMs (Re: Secure phone)

Header Data

From: John Deters <jad@dsddhc.com>
To: Adam Back <aba@dcs.ex.ac.uk>
Message Hash: d0a2dca74e6d860c32dfe6a9f2605c3a0b10642a497e3adf9f264fd508173a61
UTC Datetime: 1997-10-09 03:08:36 UTC
Raw Date: Thu, 9 Oct 1997 11:08:36 +0800

Raw message

From: John Deters <jad@dsddhc.com>
Date: Thu, 9 Oct 1997 11:08:36 +0800
To: Adam Back <aba@dcs.ex.ac.uk>
Subject: Re: computationally infeasible jobs for MITMs (Re: Secure phone)
MIME-Version: 1.0
Content-Type: text/plain

At 11:48 PM 10/8/97 +0100, Adam Back wrote:
>I wonder if we can come up with a way to formalise this technique and
>automate it.  I think it was James voiced something similar earlier in
>the thread.

I think that's the problem:  once it's formalized and automated, it's
spoofable by a MITM.  The informal, "Hi Adam, my first digit's the third
digit of your phone number today, how's your end?" type of query, perhaps
made before or after the entire "I've got 78F, what's yours?" sequence, is
going to remain secure.  If we assume the MITM can spoof your digits, he
can also spoof a whole query without weird digit splicing in the middle.
It's like the cartoon cat looking the cartoon dog image in the mirror,
waving and trying to trick the image.  You can attempt to outmaneuver a
MITM with trick questions which will almost certainly expose him, but if
the stakes are high enough...where there's a will, there was a dead body.

Without some external reference, be it the knowledge of the public key of
the other participant, or using a trusted arbitrator, keyserver or
whatever, I don't think you *can* mathematically authenticate the other
end.  The MITM with full knowledge will always be able to reconstruct the
proper replies.  Your best defenses will be:
    1) External (out-of-band) authentication, as in a PGP key
       signing party, or even just having Bob's key fingerprint
       from a piece of e-mail posted to cypherpunks a year ago.
    2) Wetware outclevering the MITM.

Re:  your noise introduction protocol.  Cute idea, but what if Mallory
simply audio-couples his two phones together along with a noise compander
circuit a la Dolby?  That kind of noise is precisely what the simple
electronic filters can remove, and the digital portion is passed via the
coupling computer system (the one that spoofs the voices).

"Hey, Bob, I think we've got a MITM!  This connection is too clear!"  :-)

I think the hardest to defeat will be the case where Mallory hires Alicia
and Bobby to impersonate Alice and Bob to each other.  
Alice <---------------------------> Bob  (what they think is happening)
Alice <---> Bobby______Alicia <---> Bob  (what actually is happening)
           /                 \
          under Mallory's control

where Bobby and Alicia have the translator's gift of speaking while
listening.  They could fill in the cracks with idle chatter, have their own
personalities, and basically run both shows.  They could even run offline
from each other, being intelligent humans.  As long as Alice and Bob only
communicate through Mallory's intermediaries (i.e. never meet in real life,
out-of-band), Mallory owns the show.  (Tell me you've never seen something
like that on a rerun of _Mission_Impossible_!  :-)

Would you know if you were talking to the REAL John Deters?  All I could
assume about you is that if my phone rang and a voice claimed to be Adam
Back, I'd expect to hear it in a British accent, and with just a bit of
time delay so I'd know it was coming across the Atlantic.  About 50 million
people could pass themselves off as you today, and I'd never know the
difference.  I can't even tell a Liverpool accent from a London accent!
And if I had a voice recognition system, well, then I'd hope if I was
taking a voice sample from you that I'd be smart enough to exchange public
keys so we could do our authentication the right way.

Again, my position is:
  o  internal authentication is *not* information-theoretically possible; 
  o  out-of-band authentication *can be* theoretically secure;
  o  MITM attacks are *almost* infeasible, and *always* expensive; and
  o  if you still suspect a MITM after trying to outwit one, you're just
     being paranoid.  Stop it.


P.S.  Even if I exchanged PGP keys with you face-to-face, compared picture
ID's, checked your fingerprints, read a signed letter from your Mom (moms
don't lie), and *knowing* that you are indeed Adam Back, I still won't know
if you work for MI-5 or not!  Nothing's perfect, so let's take what we can

J. Deters "Don't think of Windows programs as spaghetti code.  Think
          of them as 'Long sticky pasta objects in OLE sauce'."
| NET:   mailto:jad@dsddhc.com (work)   mailto:jad@pclink.com (home) |
| PSTN:  1 612 375 3116 (work)          1 612 894 8507 (home)        |
| ICBM:  44^58'36"N by 93^16'27"W Elev. ~=290m (work)                |
| For my public key, send mail with the exact subject line of:       |
| Subject: get pgp key                                               |
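As an added illustration, not part of the original message, here is a toy Python model of the unauthenticated "I've got 78F, what's yours?" exchange and of defense 1 above, checking the peer's long-term key against a fingerprint obtained out of band. The Diffie-Hellman group, the three-hex-digit SAS and all function names are assumptions of this example, not anything from the thread.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group chosen only so the example runs instantly;
# a real secure phone would use a standard large group (assumption).
P = 2**127 - 1
G = 5

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sas(shared: int) -> str:
    # Short authentication string both parties read aloud ("I've got 78F").
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()[:3].upper()

def fingerprint(pub: int) -> str:
    # Long-term key fingerprint, the kind published a year earlier by e-mail.
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def voice_call(mitm: bool):
    """Unauthenticated DH over the phone; returns (alice_secret, bob_secret).
    With Mallory in the middle the two ends derive different keys, so their
    spoken SAS values disagree unless Mallory can also alter what each hears."""
    a, A = keypair()
    b, B = keypair()
    if mitm:
        _, M = keypair()                  # Mallory's own public value
        A_seen_by_bob, B_seen_by_alice = M, M
    else:
        A_seen_by_bob, B_seen_by_alice = A, B
    return pow(B_seen_by_alice, a, P), pow(A_seen_by_bob, b, P)

def accept_peer(received_pub: int, oob_fingerprint: str) -> bool:
    # Defense 1: compare the received long-term key to the fingerprint
    # obtained out of band; a substituted key cannot match it.
    return fingerprint(received_pub) == oob_fingerprint

if __name__ == "__main__":
    sa, sb = voice_call(mitm=False)
    print("honest call SAS:", sas(sa), sas(sb))
    sa, sb = voice_call(mitm=True)
    print("MITM call SAS:  ", sas(sa), sas(sb))
    _, bob_long_term = keypair()
    oob = fingerprint(bob_long_term)      # constructed: Alice has this from an old e-mail
    _, mallory = keypair()
    print("fingerprint check, honest:", accept_peer(bob_long_term, oob))
    print("fingerprint check, MITM:  ", accept_peer(mallory, oob))
```

With only three hex digits the two MITM-side SAS values collide about one time in 4096, which is why a longer string or a second check is usual in practice.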