[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Secure phone
At 12:05 PM 10/6/97 -0700, Eric Blossom wrote:
>None of this is designed to provide authentication of the end point.
>It is designed to ensure that you've got a private channel to the end
>point.
Therefore, man-in-the-middle can be more precisely described as an
unauthenticated end-point problem. Therefore, without authentication,
there is no defense (yet) against MITM attacks.
One of the previous threads got me thinking: the original thought was
something on the order of "make it so complex it takes so long to compute
that we know there was an MITM." Obviously, Mallory can be given enough
resources to defeat a computationally bound challenge. However, could
there be a way to use a trusted third party (Trent) to validate such a scheme?
Lets say that Trent is a trusted third party that operates a Digital
Notary, and will sign and datestamp any packet. Can we use the old "one
oracle always lies, one oracle always tells the truth" riddle to pass a
request through Bob (or in the MITM case, Mallory) to Trent, who always
tells the truth?
(The riddle works like this: You enter a room with two doors. In front of
each sits an oracle. A sign says that, "One oracle always lies, one always
tells the truth; behind one exit is a hungry tiger, and behind the other is
freedom. You are allowed to ask the oracles any questions you wish."
The answer is: ask one of the oracles "which door would the OTHER oracle
say contains the tiger?", then you pick the OPPOSITE door to make your
getaway. The idea is that you use the truth of one to include the lie of
the other to ensure your safety, without attempting to discover the
irrelevant fact of which oracle lies.)
Can we somehow use this to force a MITM to tip his hand? Can we ask the
other end "make this request of Trent, and send me the response?" Any
request Alice makes of Bob will instead be made by Mallory on Bob's behalf,
so it has to be for something either non-duplicatable or externally
verifiable.
Perhaps Alice and Bob can both ask Trent to do something externally
verifiable. They could both ask Trent to lock up for a ten-second period
of time. I know the MITM could use Trent for the conversation with Alice,
and Terrance for the conversation with Bob, but if Trent is somehow agreed
to or implied by the protocol, it might work. But, of course, nobody would
want to sit around waiting for their 10 seconds of holding. And if you had
to wait, it would give time for Mallory to spoof the waits.
What if both sides asked Trent to display a list of all "registered"
conversations that were taking place at a particular point in time? Trent
could list that between 9:48:01 and 9:48:06 there were 20 conversations
being authenticated. Among them are: Alice PK 1234 was talking to Bob PK
1111 and also a Bob PK 5678 was talking to an Alice PK 2222.
Of course, this guarantees externally auditable traffic analysis. But if
we're trying to assure that an unauthenticated Bob can talk securely to an
unauthenticated Alice, it might be an acceptable tradeoff.
All this assumes that the MITM can't get between Alice and Trent. If an
authenticated public key is used for Trent, then Alice is OK as long as
Mallory isn't Trent's operator!
Obviously, the easy solution is to use authenticated public keys all
around. Replace Trent in the above with Trusted Public Key Server, and
authentication is guaranteed.
John
--
J. Deters "Don't think of Windows programs as spaghetti code. Think
of them as 'Long sticky pasta objects in OLE sauce'."
+--------------------------------------------------------------------+
| NET: mailto:[email protected] (work) mailto:[email protected] (home) |
| PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) |
| ICBM: 44^58'36"N by 93^16'27"W Elev. ~=290m (work) |
| For my public key, send mail with the exact subject line of: |
| Subject: get pgp key |
+--------------------------------------------------------------------+