From dawagner@tucson.princeton.edu Tue Jul 25 13:21:43 EDT 1995
Article: 37631 of sci.crypt
Path: cnn.Princeton.EDU!tucson.princeton.edu!dawagner
From: dawagner@tucson.princeton.edu (David A. Wagner)
Newsgroups: sci.crypt
Subject: Re: -NEW- Voice Encryption Software using modem/soundcard
Date: 25 Jul 1995 17:19:27 GMT
Organization: Princeton University
Lines: 30
Message-ID: <3v392v$h5e@cnn.Princeton.EDU>
References: <3ud9sl$k44@newsbf02.news.aol.com> <1995Jul20.162528.4910@schbbs.mot.com> <3uugnv$42g@news3.digex.net>
NNTP-Posting-Host: tucson.princeton.edu

In article <3uugnv$42g@news3.digex.net>, Peter Wayner wrote:
>
> Man-in-the-middle attacks can be virtually stopped by building in
> a little alphanumerical display on the box. After a connection is
> established, the session key is hashed down to 4 or 5 digits and
> displayed in this alpha numerical box. One party says the number
> on their box and the other party checks to see that it is the same.
>

One nitpick: I think you should ask for more than 4 or 5 digits on
your display. Here's the attack. M is the monkey in the middle:

A->M: g^a
M->B: g^x
B->M: g^b
	[ M & B now share g^(bx) as their key. ]
	[ M now tries different values of y until he finds one for
	  which hash(g^(bx)) = hash(g^(ay)). ]
M->A: g^y
	[ M & A now share g^(ay) as their key. ]
A->B: ``My display says hash(g^(ay)).''
B->A: ``My display says hash(g^(bx)).''

If the display is only 4 or 5 digits, M will only need ~ 10^4 or 10^5
trial exponentiations before finding a valid value of y -- difficult to
do in real time, but probably not infeasible.

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu
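
The search cost in the exchange above, measured on a toy group, as an added example that is not part of the original post. The modulus `P`, generator `G`, SHA-256 as the display hash and all function names are assumptions chosen for illustration; the point is that the mean number of trial exponentiations grows as 10^d for a d-digit display, which is the figure to weigh when sizing the display.

```python
# Added example: toy model of the short-display check discussed in the post.
# The group (P, G), SHA-256 and the helper names are assumptions for illustration.
import hashlib
import random

P = 2**127 - 1   # toy prime modulus (assumption; far too small for real use)
G = 3            # toy base (assumption)


def display(key: int, digits: int) -> int:
    """Hash a session key down to `digits` decimal digits, as on the box's display."""
    h = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % 10**digits


def trials_until_match(digits: int, rng: random.Random) -> int:
    """Run one exchange; count the exponentiations M needs to find a matching y."""
    a = rng.randrange(2, P - 1)          # A's secret exponent
    b = rng.randrange(2, P - 1)          # B's secret exponent
    x = rng.randrange(2, P - 1)          # M's exponent toward B
    g_a, g_b = pow(G, a, P), pow(G, b, P)
    target = display(pow(g_b, x, P), digits)   # what B's display will show
    trials = 0
    while True:
        y = rng.randrange(2, P - 1)
        trials += 1
        k_am = pow(g_a, y, P)            # key M would share with A
        if display(k_am, digits) == target:
            # A derives the same key from g^y, so A's display equals B's.
            assert display(pow(pow(G, y, P), a, P), digits) == target
            return trials


def mean_trials(digits: int, runs: int, seed: int = 1995) -> float:
    """Average search cost over `runs` independent exchanges (seeded, reproducible)."""
    rng = random.Random(seed)
    return sum(trials_until_match(digits, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    for d in (1, 2, 3):
        print(f"{d}-digit display: mean trials ~ {mean_trials(d, 100):.0f} (expected 10^{d})")
```

Each extra digit on the display multiplies the mean search cost by ten, so the 4 or 5 digits in the quoted proposal correspond to the ~10^4 or 10^5 exponentiations estimated in the reply.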