[87644] in Cypherpunks
Re: Secure phone
daemon@ATHENA.MIT.EDU (Eric Blossom)
Fri Oct 3 20:39:11 1997
Date: Fri, 3 Oct 1997 16:26:07 -0700
From: Eric Blossom <eb@comsec.com>
To: jad@dsddhc.com
Cc: jamesd@echeque.com, cypherpunks@algebra.com
In-Reply-To: <3.0.3.32.19971002155954.00bfc7e0@labg30> (message from John Deters on Thu, 02 Oct 1997 15:59:54 -0500)
Reply-To: Eric Blossom <eb@comsec.com>
>The MITM attack is thwarted by Lucky's note:
>>> DH and have the parties each read half of a hash of the public
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> exponentials. No keys to store, no keys to remember, no keys to compromise.
> ^^^^^^^^^^^^^
>
>Each party reads off a series of digits displayed on their screen. Out
>loud. To each other. Over the secure phone.
>
>The MITM attacker can't duplicate the hash on both ends, because a hash of
>the public keys used to make the connection is different between the
>MITM's public key and the real public keys.
In addition, to keep life even more interesting, prior to exchanging
the public exponentials g^x and g^y, commitments (hashes) to those
values are exchanged... If the commitments don't match the final
values, the protocol terminates. See http://www.comsec.com/vp1-protocol.ps
for all the details.
Eric
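The commit-then-reveal Diffie-Hellman exchange with spoken hash digits that this thread describes, as an added simulation. This is not comsec's code and not the vp1 protocol itself: the group (RFC 2409 group 2), SHA-256 as the hash, an 8-digit string with each side reading four digits, and the message framing are all assumptions made for the example. It runs the honest exchange, shows that a party who commits to one exponential and reveals another is rejected, and shows that an interceptor who completes both legs of the protocol correctly still produces a different string on each phone.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# 1024-bit MODP group (RFC 2409, Second Oakley Group), generator 2.  The
# protocol logic below does not depend on which group is used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SAS_DIGITS = 8   # assumption: 8 spoken digits, each party reads 4 of them


class ProtocolAbort(Exception):
    """Raised when a revealed exponential does not match its commitment."""


def _enc(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def commit(gx: int) -> bytes:
    """Hash commitment to a public exponential, sent before the value itself."""
    return hashlib.sha256(b"commit" + _enc(gx)).digest()


def sas_from(gx: int, gy: int) -> str:
    """Short authentication string: decimal digits of a hash over BOTH public
    exponentials, in canonical order so either side computes the same string."""
    a, b = sorted((gx, gy))
    h = hashlib.sha256(b"sas" + _enc(a) + b"|" + _enc(b)).digest()
    return str(int.from_bytes(h, "big") % 10 ** SAS_DIGITS).zfill(SAS_DIGITS)


class Party:
    def __init__(self, name: str, x: Optional[int] = None):
        self.name = name
        self.x = x if x is not None else secrets.randbelow(P - 2) + 1  # private
        self.gx = pow(G, self.x, P)                                    # g^x
        self.peer_commit = None
        self.peer_gx = None
        self.shared = None

    def commitment(self) -> bytes:
        return commit(self.gx)

    def accept_commitment(self, c: bytes) -> None:
        self.peer_commit = c

    def accept_exponential(self, gy: int) -> None:
        # The peer committed before seeing our g^x, so it cannot now pick a
        # different value; anything that does not match the commitment aborts.
        if self.peer_commit is None or commit(gy) != self.peer_commit:
            raise ProtocolAbort(f"{self.name}: commitment mismatch, aborting")
        self.peer_gx = gy
        self.shared = pow(gy, self.x, P)   # g^xy

    def sas(self) -> str:
        return sas_from(self.gx, self.peer_gx)


def run_exchange(a: Party, b: Party) -> Tuple[str, str]:
    """Phase 1: exchange commitments.  Phase 2: reveal exponentials and check
    them.  Returns the string each side would show on its display."""
    a.accept_commitment(b.commitment())
    b.accept_commitment(a.commitment())
    a.accept_exponential(b.gx)
    b.accept_exponential(a.gx)
    return a.sas(), b.sas()


def spoken_halves_match(sas_a: str, sas_b: str) -> bool:
    """A reads the first half aloud, B the second; each compares what it hears
    with its own display.  True means no key substitution was detected."""
    half = SAS_DIGITS // 2
    return sas_a[:half] == sas_b[:half] and sas_b[half:] == sas_a[half:]


def run_with_interceptor(a: Party, b: Party, m_a: Party, m_b: Party) -> Tuple[str, str]:
    """An interceptor holding two key pairs (m_a facing a, m_b facing b) follows
    the commitment protocol correctly on each leg, so neither side aborts, but
    the two displays are hashes over different exponentials."""
    sas_a, _ = run_exchange(a, m_a)
    _, sas_b = run_exchange(m_b, b)
    return sas_a, sas_b


def substitution_is_caught() -> bool:
    """Peer commits to one exponential, then reveals a different one."""
    a, b = Party("A"), Party("B")
    a.accept_commitment(b.commitment())
    try:
        a.accept_exponential(Party("B-other").gx)   # not the committed value
    except ProtocolAbort:
        return True
    return False
```

With an interceptor the two strings disagree in all but about one in 10^8 runs, which is why the digits are read aloud over the voice channel itself: the attacker would have to substitute the spoken digits in real time as well as the key exchange.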