1997-10-10 - Re: Defeating MITM with Eric’s Secure Phone

Header Data

From: John Deters <jad@dsddhc.com>
To: cypherpunks@Algebra.COM
Message Hash: f618bd50eb5503c36c24162d684dfa555520559afadf9e357e653c89636fb7d0
Message ID: <3.0.3.32.19971010095530.00a32ce0@labg30>
Reply To: <bf93dd7a6705c63ca0db70676cb3e3af@anon.efga.org>
UTC Datetime: 1997-10-10 15:01:48 UTC
Raw Date: Fri, 10 Oct 1997 23:01:48 +0800

Raw message

From: John Deters <jad@dsddhc.com>
Date: Fri, 10 Oct 1997 23:01:48 +0800
To: cypherpunks@Algebra.COM
Subject: Re: Defeating MITM with Eric's Secure Phone
In-Reply-To: <bf93dd7a6705c63ca0db70676cb3e3af@anon.efga.org>
Message-ID: <3.0.3.32.19971010095530.00a32ce0@labg30>
MIME-Version: 1.0
Content-Type: text/plain



At 11:31 PM 10/9/97 -0400, an Anonymous Monty Cantsin wrote:
>My apologies if this has already been discussed, but wouldn't this be
>a straightforward solution?

Yes, your PGP solution will work.  Information-theoretically speaking, it's
a simple XOR, and is as secure as the random number generator used and the
PGP systems used to exchange your secret key.

However, so will a thousand other schemes that use PGP, or any other
"out-of-band" form of authentication.  At this point you realize that you
are using PGP for authentication, not the "Secure Phone".  Our discussion
so far has been ways of authenticating the connection WITHOUT external
references.  No pre-exchanged public keys, no pre-arranged passwords or
secrets or any of that.  (They even disallowed me a trip to ask a trusted
authorizer!)

To restate the problem in its current form:  using the secure phone
channel, (and only the secure phone channel) can we "prove" that we are
connecting only two endpoints, and that there is no man-in-the-middle
between the voices that are speaking to each other?  Remember that Mallory
(the man in the middle) has full knowledge of the protocol and of the
public keys belonging to both parties.  He can even spoof the voices.

The latest candidates for solutions have been "have the users identify this
flaw in the audio" which is probably as good as we can hope for on an
unauthenticated conversation.

As it is, Eric's current solution to have each party simply read their half
of the hash.  Real-time impersonating the audio to the point where you can
fool a careful human is already putting a great deal of exposure risk on
Mallory.

My bottom line:  I would trust Eric's current phone to all but eliminate
the MITM, and with external authentication I wouldn't have any problems at
all.

John
--
J. Deters "Don't think of Windows programs as spaghetti code.  Think
          of them as 'Long sticky pasta objects in OLE sauce'."
+--------------------------------------------------------------------+
| NET:   mailto:jad@dsddhc.com (work)   mailto:jad@pclink.com (home) |
| PSTN:  1 612 375 3116 (work)          1 612 894 8507 (home)        |
| ICBM:  44^58'36"N by 93^16'27"W Elev. ~=290m (work)                |
| For my public key, send mail with the exact subject line of:       |
| Subject: get pgp key                                               |
+--------------------------------------------------------------------+






Thread