From dawagner@tucson.princeton.edu Tue Jul 25 13:21:43 EDT 1995
Article: 37631 of sci.crypt
Path: cnn.Princeton.EDU!tucson.princeton.edu!dawagner
From: dawagner@tucson.princeton.edu (David A. Wagner)
Newsgroups: sci.crypt
Subject: Re: -NEW- Voice Encryption Software using modem/soundcard
Date: 25 Jul 1995 17:19:27 GMT
Organization: Princeton University
Lines: 30
Message-ID: <3v392v$h5e@cnn.Princeton.EDU>
References: <3ud9sl$k44@newsbf02.news.aol.com> <1995Jul20.162528.4910@schbbs.mot.com> <3uugnv$42g@news3.digex.net>
NNTP-Posting-Host: tucson.princeton.edu
In article <3uugnv$42g@news3.digex.net>,
Peter Wayner wrote:
>
> Man-in-the-middle attacks can be virtually stopped by building in
> a little alphanumerical display on the box. After a connection is
> established, the session key is hashed down to 4 or 5 digits and
> displayed in this alpha numerical box. One party says the number
> on their box and the other party checks to see that it is the same.
>
One nitpick: I think you should ask for more than 4 or 5 digits on
your display. Here's the attack. M is the monkey in the middle:
A->M: g^a
M->B: g^x
B->M: g^b
[ M & B now share g^(bx) as their key. ]
[ M now tries different values of y until he finds one for
which hash(g^(bx)) = hash(g^(ay)). ]
M->A: g^y
[ M & A now share g^(ay) as their key. ]
A->B: ``My display says hash(g^(ay)).''
B->A: ``My display says hash(g^(bx)).''
If the display is only 4 or 5 digits, M will only need ~ 10^4 or 10^5
trial exponentiations before finding a valid value of y -- difficult
to do in real time, but probably not infeasible.
-------------------------------------------------------------------------------
David Wagner dawagner@princeton.edu