I'll show you mine if you show me, er, mine
<http://www.theregister.co.uk/2005/02/21/crypto_wireless/print.html>

The Register
Original URL: http://www.theregister.co.uk/2005/02/21/crypto_wireless/

I'll show you mine if you show me, er, mine
By Lucy Sherriff (lucy.sherriff at theregister.co.uk)
Published Monday 21st February 2005 17:11 GMT

Security researchers have developed a new cryptographic technique they say will prevent so-called stealth attacks against networks. A stealth attack is one where the attacker acts remotely, is very hard to trace, and where the victim may not even know he was attacked. The researchers say this kind of attack is particularly easy to mount against a wireless network.

The so-called "delayed password disclosure" protocol was developed by Jakobsson and Steve Myers of Indiana University. The protocol allows two devices or network nodes to identify themselves to each other without ever divulging passwords. The protocol could help secure wireless networks against fraud and identity theft, and protect sensitive user data.

The technique will be particularly useful in ad-hoc networks, where two or more devices or network nodes need to verify each other's identity simultaneously.

Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.

The researchers say that this will prevent consumers connecting to fake wireless hubs at airports, or in coffee shops.

It could also be used to notify a user about phishing attacks, scam emails that try to trick a user into handing over their account details and passwords to faked sites, provide authentication between two wireless devices, and make it more difficult for criminals to launder money through large numbers of online bank accounts.

Jakobsson is hoping to have beta code available for Windows and Mac by the spring, and code for common mobile phone platforms later in 2005.

More info available here (http://www.stealth-attacks.info).

Related stories
Hotspot paranoia: try to stay calm (http://www.theregister.co.uk/2005/01/24/wi_fi_hotspot_security/)
Crypto researchers break SHA-1 (http://www.theregister.co.uk/2005/02/17/sha1_hashing_broken/)
Cyberpunk authors get the girls (http://www.theregister.co.uk/2005/02/17/cyberpunk/)

Copyright 2005

-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
"R.A. Hettinga" <rah@shipwright.com> forwarded:
> Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.
Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW. Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks. Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah.

(Either this is a really bad idea or the details have been mangled by the Register).

Peter.
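The nonce-based mutual authentication Peter sketches (nonces for freshness, no password on the wire, constant-time checks), written out as an added example; it is neither the Indiana researchers' protocol nor code from this thread, and the salt, key-derivation parameters and message layout are my own assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not the researchers' protocol or code from the thread: the
# textbook nonce-based mutual authentication sketched above. Each side proves
# knowledge of the shared password with a keyed MAC over fresh nonces from both
# parties. The password never crosses the wire, a recorded run cannot be
# replayed (the nonces change every time), and A sends its own proof only after
# B has proved itself, so a fake hotspot that does not know the password learns
# nothing but a random nonce.

SALT = b"constructed-salt-for-this-pairing"  # constructed value, fixed per pairing

def derive_key(password: str) -> bytes:
    """Stretch the shared password into a MAC key (PBKDF2; parameters assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def make_proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """MAC over a role label and both nonces; the label stops a party's own
    proof from being reflected back at it."""
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()

def check_proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes,
                tag: bytes) -> bool:
    """Constant-time comparison, so verification time does not leak how many
    bytes of a bad tag happened to match."""
    return hmac.compare_digest(tag, make_proof(key, role, own_nonce, peer_nonce))

def run_protocol(password_a: str, password_b: str) -> tuple:
    """Three-message exchange between A and B; returns (A accepts B, B accepts A)."""
    key_a, key_b = derive_key(password_a), derive_key(password_b)
    nonce_a = secrets.token_bytes(16)                      # 1. A -> B: nonce_a
    nonce_b = secrets.token_bytes(16)                      # 2. B -> A: nonce_b, proof_b
    proof_b = make_proof(key_b, b"B", nonce_b, nonce_a)
    if not check_proof(key_a, b"B", nonce_b, nonce_a, proof_b):
        return (False, False)                              # A aborts and sends nothing more
    proof_a = make_proof(key_a, b"A", nonce_a, nonce_b)    # 3. A -> B: proof_a
    return (True, check_proof(key_b, b"A", nonce_a, nonce_b, proof_a))
```

An eavesdropper, or an impostor playing A, still captures a tag under the password-derived key and can test password guesses against it offline; closing that gap is what a PAKE such as SRP (which Dan brings up further down the thread) is for.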
On 24 Feb 2005 at 2:29, Peter Gutmann wrote:

> Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW. Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks. Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah.
>
> (Either this is a really bad idea or the details have been mangled by the Register).
It is a badly bungled implementation of a really old idea. An idea which, however, was never implemented on a large scale, resulting in the mass use of phishing attacks. Mutual authentication and password management should have been designed into SSH/PKI from the beginning, but instead they designed it to rely wholly on everyone registering themselves with a centralized authority, which of course failed. SSH/PKI is dead in the water, and causing a major crisis on internet transactions. Needs fixing - needs to be fixed by implementing cryptographic procedures that are so old that they are in danger of being forgotten.

--digsig
James A. Donald
On Thu, 24 Feb 2005, Peter Gutmann wrote:
> (Either this is a really bad idea or the details have been mangled by the Register).

No, it's just a really bad idea. A small group of us looked at this a few weeks ago when it was announced, and while none of us are professional cryptographers, we all thought this was just, well, silly.

--
Yours,
J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses."
http://www.tshirthell.com/
> > Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.
>
> Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)?...

The description has virtually nothing to do with the actual algorithm proposed. Follow the link in the article - http://www.stealth-attacks.info/ - for an actual - if informal - description.

-- Jerry

> The description has virtually nothing to do with the actual algorithm proposed. Follow the link in the article - http://www.stealth-attacks.info/ - for an actual - if informal - description.
There is no actual description publicly available (there are three completely different protocols described in the press). I talked to the author about this; he sent me a fourth, somewhat reasonable document. At *best*, this is something akin to SRP with the server constantly proving its true nature with every character (yes, shoulder surfers get to attack keys one at a time). It could get pretty bad though, so rather than support it or bash it, I'd just reserve judgement until it's publicly documented at Financial Crypto.

--Dan
participants (6)
- Dan Kaminsky
- J.A. Terranson
- James A. Donald
- Jerrold Leichter
- pgut001@cs.auckland.ac.nz
- R.A. Hettinga