From: Eric Blossom <eb@comsec.com>
To: jad@dsddhc.com
Message Hash: e9d3b7fa7e73503136efae97a0a55b34dc02c6e55b57c6270005a99e0a2466b6
Message ID: <199710071944.MAA24493@comsec.com>
Reply To: <3.0.3.32.19971007102724.00a499c0@labg30>
UTC Datetime: 1997-10-07 20:06:54 UTC
Raw Date: Wed, 8 Oct 1997 04:06:54 +0800
From: Eric Blossom <eb@comsec.com>
Date: Wed, 8 Oct 1997 04:06:54 +0800
To: jad@dsddhc.com
Subject: Re: Secure phone
In-Reply-To: <3.0.3.32.19971007102724.00a499c0@labg30>
Message-ID: <199710071944.MAA24493@comsec.com>
MIME-Version: 1.0
Content-Type: text/plain
> At 12:05 PM 10/6/97 -0700, Eric Blossom wrote:
> >None of this is designed to provide authentication of the end point.
> >It is designed to ensure that you've got a private channel to the end
> >point.
>
> Therefore, man-in-the-middle can be more precisely described as an
> unauthenticated end-point problem. Therefore, without authentication,
> there is no defense (yet) against MITM attacks.
I concur from the theoretical point of view.

In a practical sense I guess it all boils down to what our working
definition of authentication is. If I'm using one of my phones and
talking to somebody that I know (recognize voice, speech patterns,
shared history, ...) and the verification codes check out, I'm highly
confident that there is no man-in-the-middle. I'm free to have
whatever conversation I like, modulo bugs in the room, laser window
bounce listeners, etc.

On the "beat the verification codes by spoofing the voice" thread:
I don't think that this is a practical threat. You've got the
computational challenge (described in the previous posts) and the
human part. The complications come from the fact that you've got two
live people having a conversation with each other. At least in the
conversations I have, we don't read these things back and forth like
robots to each other.

In secure mode there are 6 hex digits displayed on each unit. On one
unit, the first three digits are underlined. On the other unit, the
last three digits are underlined. By convention, you say the three
that are underlined, and listen for the other three. This seems to
work out pretty well in practice. There is generally a "Hi, I'm
looking at 1FC", "4D9, good. What's up?" type of interaction.
<Blatant_Commercial_Pitch>
I'm running a "Privacy Extremist" special on the GSPs.
$795 for one, or two for $1500. Cash/Check/MO/MC/VISA/AMEX.
Add $16 shipping for one, $20 for two. CA residents add sales tax.
US and Canada only. 30 day money back. 1 year warranty.
Communication Security Corp.
1275 Fourth St., Suite 194
Santa Rosa, CA 95404
v: 707-577-0409
f: 707-577-0413
eb@comsec.com
http://www.comsec.com
</Blatant_Commercial_Pitch>
Eric
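The verification-code readback Eric describes (six hex digits per unit, one side speaks the first three, the other the last three, each listens for the half it did not say) is modelled below as an added example. This is not the GSP's firmware or any Comsec code. It assumes a toy Diffie-Hellman exchange with a constructed, far-too-small group, and assumes the six digits are the first 24 bits of SHA-256 over the shared secret; the real units may derive them differently. It also shows why the readback catches an unauthenticated-endpoint (man-in-the-middle) situation: when a third party runs a separate exchange with each side, the two units hold different secrets and therefore display different codes.

```python
import hashlib

# Toy Diffie-Hellman group (constructed for illustration only; far too weak for real use).
P = 2**127 - 1   # the Mersenne prime M127
G = 3


def dh_public(priv: int) -> int:
    """Public value sent over the (unauthenticated) channel."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Shared secret derived from our private value and the peer's public value."""
    return pow(peer_pub, priv, P)


def verification_code(shared_secret: int) -> str:
    """Six hex digits shown on a unit's display.

    Assumption: the first 24 bits of SHA-256 over the shared secret
    (the message does not say how the real units derive them)."""
    secret_bytes = shared_secret.to_bytes(16, "big")   # P < 2**128, so 16 bytes suffice
    return hashlib.sha256(secret_bytes).hexdigest()[:6].upper()


def readback_ok(code_a: str, code_b: str) -> bool:
    """Unit A underlines and speaks its first three digits; unit B underlines and
    speaks its last three. Each side compares what it hears with its own display."""
    a_says, a_expects = code_a[:3], code_a[3:]
    b_expects, b_says = code_b[:3], code_b[3:]
    return a_says == b_expects and b_says == a_expects


def run_call(a_priv: int, b_priv: int, mallory=None) -> dict:
    """Simulate one call between units A and B.

    With mallory=None the public values reach each other unchanged.
    With mallory=(m1, m2) a third party runs one exchange with A using m1
    and another with B using m2, so the two units end up with different
    secrets and, almost always, different codes on their displays."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if mallory is None:
        a_secret = dh_shared(a_priv, b_pub)
        b_secret = dh_shared(b_priv, a_pub)
    else:
        m1, m2 = mallory
        a_secret = dh_shared(a_priv, dh_public(m1))   # A believes this came from B
        b_secret = dh_shared(b_priv, dh_public(m2))   # B believes this came from A
    code_a, code_b = verification_code(a_secret), verification_code(b_secret)
    return {
        "a_secret": a_secret,
        "b_secret": b_secret,
        "code_a": code_a,
        "code_b": code_b,
        "readback_ok": readback_ok(code_a, code_b),
    }


if __name__ == "__main__":
    # Constructed private values; any distinct small integers will do for the toy group.
    direct = run_call(3, 5)
    print("direct call  A shows %s, B shows %s, readback ok: %s"
          % (direct["code_a"], direct["code_b"], direct["readback_ok"]))
    mitm = run_call(3, 5, mallory=(7, 11))
    print("relayed call A shows %s, B shows %s, readback ok: %s"
          % (mitm["code_a"], mitm["code_b"], mitm["readback_ok"]))
```

In the direct case both units compute the same secret, so the spoken halves line up. In the relayed case the secrets differ, and the only way the spoken halves still line up is a chance collision of the six-digit codes, one in 16^6 per call; that residual, and the need to fake the speaker's voice in real time, is what the "computational challenge" and "human part" above refer to.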