It has been mentioned in several places that the Diffie-Hellman key exchange algorithm is subject to the man-in-the-middle attack. There is a weakness in the attack that I understand. I suppose that the attack goes as follows, where I am the man in the middle:

I am able to install an active wire tap that allows me to substitute the data traveling in either direction. I have a fast computer to help me. I want to conceal my activity but learn what transpires. Upon receiving signals to begin DH protocol I respond to each side separately "let's go". I establish a secret session key with each side. I am unable to cause the two keys to be equal except by passing the b^x going one way and b^y going the other. In this case I know neither x nor y and can't read the traffic. I must choose my own random numbers zx and zy and replace b^x with b^zx and b^y with b^zy. X and Y now enter secure mode with the secret keys b^(x*zy) between me and X and b^(zx*y) between me and Y. I can read the traffic.

If the connection is digitized voice and if X should happen to mention the low ten bits of b^zy to Y, then Y would notice the discrepancy since Y knows that he sent b^y. The jig is up. I don't know how to do voice recognition so as to intercept the vocal quotation of b^zy and change it to a quotation of b^y in a way that Y would not notice. I would have to simulate X's voice.

Curiously there seems to be no analog of this precaution for digital DH communicators. If there is a secret protocol for comparing b^y over the nominally secured channel then there may as well have been a secret key in the first place. If there is a public protocol for comparing b^y then I can follow that protocol myself.
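The substitution and the spoken ten-bit check described in the message above, as an added example that is not part of the original post. The prime `P`, the base `B`, and all function names are assumptions chosen for the demonstration.

```python
import secrets

# Constructed demo group (assumption): P = 2**127 - 1 is prime, base b = 3.
# Far too small for real use; chosen so the example runs instantly.
P = 2**127 - 1
B = 3

def keypair():
    """Return (secret exponent s, public value b^s mod P)."""
    s = secrets.randbelow(P - 3) + 2
    return s, pow(B, s, P)

def low10(value):
    """The 'low ten bits' of a public value that one party reads aloud."""
    return value & 0x3FF

def run_exchange(intercept):
    """Simulate one DH run; intercept=True places the interceptor on the wire."""
    x, bx = keypair()                      # X's secret and b^x
    y, by = keypair()                      # Y's secret and b^y
    seen_by_x, seen_by_y = by, bx          # values delivered when untouched
    interceptor_keys = None
    if intercept:
        zx, bzx = keypair()
        zy, bzy = keypair()
        seen_by_x, seen_by_y = bzy, bzx    # b^y -> b^zy and b^x -> b^zx
        # Interceptor's keys: b^(x*zy) shared with X, b^(zx*y) shared with Y.
        interceptor_keys = (pow(bx, zy, P), pow(by, zx, P))
    key_x = pow(seen_by_x, x, P)
    key_y = pow(seen_by_y, y, P)
    # X reads aloud the low ten bits of the value he received; Y compares
    # them with the b^y he actually sent. An independently chosen substitute
    # matches by coincidence about once in 1024 runs.
    detected = low10(seen_by_x) != low10(by)
    return {"key_x": key_x, "key_y": key_y,
            "interceptor_keys": interceptor_keys, "detected": detected}

if __name__ == "__main__":
    honest = run_exchange(intercept=False)
    print("untouched: keys equal =", honest["key_x"] == honest["key_y"],
          "| mismatch spoken =", honest["detected"])
    tapped = run_exchange(intercept=True)
    print("tapped:    keys equal =", tapped["key_x"] == tapped["key_y"],
          "| mismatch spoken =", tapped["detected"])
```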
If you compare the digital interceptor to the voice interceptor fairly, you will see they are in equally strong positions.

When I am phoning a person I know, I am automatically checking the `signature' of their voice. The other party on the line might be able to convince me they have a cold, but I hope I will have enough wisdom to postpone discussing the March 15th assassination plot until the cold clears up.

So we should compare a voice interceptor on a channel where the two people don't know each other's voice to the unsigned digital interceptor. In this case, the interceptor can claim to one party to be the other party, and remain undetected. This is the Diffie-Hellman weakness.

Alternatively we should compare the voice interceptor on a channel where the two people do know each other's voice to the signed digital interceptor. In this case, the interceptor will either be detected should some minimal authentication and verification be tried, or the interceptor will be unable to even listen in. The weakness remains here, but it has been patched over with authentication, and signed verification of the channel key. This is the Diffie-Hellman weakness weakness.

The (potential) interceptor is the reason why we must be so very careful when validating other people's public keys. I know there is no interceptor between me and the people whose keys I sign. If I can be sure of no interceptors between one of them, and the person I wish to speak to, then I will be able to establish a secure channel.

BTW props (respect, and thanks) to Diffie for his work creating this fascinating field of mathematics and cryptography.

j'

--
O I am Jay Prime Positive jpp@markv.com
1250 bit key fingerprint = B8 95 E0 AF 9A A2 CD A5 89 C9 F0 FE B4 3A 2C 3F
524 bit key fingerprint = 8A 7C B9 F2 D5 46 4D ED 66 23 F1 71 DE FF 51 48
Public keys by `finger jpp @hermix.markv.com' or pgp-public-keys@pgp.mit.edu
Your feedback is welcome, directly or via symbol JPP on hex@sea.east.sun.com
jpp@markv.com says:
> If you compare the digital interceptor to the voice interceptor fairly, you will see they are in equally strong positions.
>
> When I am phoning a person I know, I am automatically checking the `signature' of their voice. The other party on the line might be able to convince me they have a cold, but I hope I will have enough wisdom to postpone discussing the March 15th assassination plot until the cold clears up.
What if you are using a cheap vocoder because you don't have lots of available CPU? With cheap vocoders, voices are not easily recognized. What if you are using data and not voice?

DH key exchange is great -- if you are willing to do something to actively authenticate the other end. Several protocols to do this have been developed. Personally, I would not recommend doing without them just on the basis that "I can recognise Fred's voice".

Perry
Participants (3): jpp@markv.com, norm@netcom.com, Perry E. Metzger