At 12:44 PM 10/7/97 -0700, Eric Blossom you wrote:
I wrote:
Therefore, man-in-the-middle can be more precisely described as an unauthenticated end-point problem. Therefore, without authentication, there is no defense (yet) against MITM attacks.
I concur from the theoretical point of view.
Really, that's the only point I was attacking. I agree that from a practical standpoint that you probably would be able to detect a fake voice today. However, a weakness is a weakness, and from a practical standpoint, digital audio technology is not getting worse as time goes on. The phone phreaker world has a blue box (available on the net and called bluebox, I think) that uses the sound card to generate tones to fool phone systems into giving them free long distance. It also will use a recorded human voice to "read" credit card numbers and phone numbers to a telephone operator. While it's not perfect, it does manage to get inflection and tone properly across. The imperfections are ostensibly covered up by the omnipresent telephone network noise (from which your box does not suffer.) It would not take an enormous amount of recorded conversation to have enough samples to extract the complete set of hex digits from any given speaker. But, it would take an enormous amount of chutzpah for a MITM to try it. It would be easy enough to "trick" the MITM into exposing their existance anyway, just by using digits that come up in conversation. Humans would be able to come up with unique situations that the MITM would find all but impossible to predict. "Hey, Eric, I noticed that the third digit of your IP address' second octet is the same as the second digit of our exchange. How's by you?" A sudden dropout of sound (or "accidental" loss of connection) while the MITM recognizes the trap and tries to backpedal will be instantly noticed. Human protocols are resilient, whereas mathematical protocols are precise. Having a working theory behind securing the exchange (whether or not you implement it) makes for a nice mind exercise, anyway. Your working boxes are a far cry above any theory we discuss here. If I had one of your nifty boxes, I'm sure I wouldn't lose sleep over the theoretical holes. John -- J. Deters "Don't think of Windows programs as spaghetti code. Think of them as 'Long sticky pasta objects in OLE sauce'." +--------------------------------------------------------------------+ | NET: mailto:jad@dsddhc.com (work) mailto:jad@pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'36"N by 93^16'27"W Elev. ~=290m (work) | | For my public key, send mail with the exact subject line of: | | Subject: get pgp key | +--------------------------------------------------------------------+