
At 12:05 PM 10/6/97 -0700, Eric Blossom wrote:
None of this is designed to provide authentication of the end point. It is designed to ensure that you've got a private channel to the end point.
Therefore, man-in-the-middle can be more precisely described as an unauthenticated end-point problem. Therefore, without authentication, there is no defense (yet) against MITM attacks.
I concur from the theoretical point of view. In a practical sense I guess it all boils down to what our working definition of authentication is. If I'm using one of my phones and talking to somebody that I know (recognize voice, speech patterns, shared history, ...) and the verification codes check out, I'm highly confident that there is no man-in-the-middle. I'm free to have whatever conversation I like, modulo bugs in the room, laser window bounce listeners, etc.

On the "beat the verification codes by spoofing the voice" thread: I don't think that this is a practical threat. You've got the computational challenge (described in the previous posts) and the human part. The complications come from the fact that you've got two live people having a conversation with each other. At least in the conversations I have, we don't read these things back and forth like robots to each other.

In secure mode there are 6 hex digits displayed on each unit. On one unit, the first three digits are underlined. On the other unit, the last three digits are underlined. By convention, you say the three that are underlined, and listen for the other three. This seems to work out pretty well in practice. There is generally a "Hi, I'm looking at 1FC", "4D9, good. What's up?" type of interaction.

<Blatant_Commercial_Pitch>
I'm running a "Privacy Extremist" special on the GSP's. $795 for one, or two for $1500. Cash/Check/MO/MC/VISA/AMEX. Add $16 shipping for one, $20 for two. CA residents add sales tax. US and Canada only. 30 day money back. 1 year warranty.

Communication Security Corp.
1275 Fourth St., Suite 194
Santa Rosa, CA 95404
v: 707-577-0409
f: 707-577-0413
eb@comsec.com
http://www.comsec.com
</Blatant_Commercial_Pitch>

Eric
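The spoken half-code check described in the message above, as an added example that is not part of the original post or the product's code. It assumes the six hex digits are the leading digits of a SHA-256 hash over a Diffie-Hellman shared secret (the post does not say how the digits are derived); the toy group parameters, key values, and all function names are constructed for the demonstration.

```python
import hashlib

# Toy Diffie-Hellman group, constructed for the demo (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def public(priv):
    return pow(G, priv, P)

def shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def verification_code(secret):
    """Assumed derivation: first 6 hex digits of SHA-256 over the shared secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:6].upper()

def spoken_and_expected(code, first_half_underlined):
    """Return (digits this user says, digits this user listens for)."""
    first, last = code[:3], code[3:]
    return (first, last) if first_half_underlined else (last, first)

def call_verifies(code_a, code_b):
    """Unit A underlines the first three digits, unit B the last three.
    Each user compares what they hear with the other half of their own display."""
    say_a, expect_a = spoken_and_expected(code_a, True)
    say_b, expect_b = spoken_and_expected(code_b, False)
    return say_b == expect_a and say_a == expect_b

# Constructed private values for the two callers and an interposed party.
ALICE, BOB, MALLORY = 0x1234567890ABCDEF, 0x0FEDCBA987654321, 0x55AA55AA55AA55AA

def direct_call():
    """Both units exchange public values directly and agree on one secret."""
    a = verification_code(shared(ALICE, public(BOB)))
    b = verification_code(shared(BOB, public(ALICE)))
    return a, b

def intercepted_call():
    """An interposed party substitutes its own public value in each direction,
    so each unit ends up with a different secret and displays a different code."""
    a = verification_code(shared(ALICE, public(MALLORY)))
    b = verification_code(shared(BOB, public(MALLORY)))
    return a, b

if __name__ == "__main__":
    for name, call in (("direct", direct_call), ("intercepted", intercepted_call)):
        a, b = call()
        print(f"{name}: unit A shows {a}, unit B shows {b}, verifies={call_verifies(a, b)}")
```

The mismatch is only detected if the two people actually compare the digits by voice, which is the human part the message discusses.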