At 4:40 PM -0800 11/20/03, Ralf-P. Weinmann wrote:
Hmm.. Does this mean the users have to read off SHA-256 hash values to each other after the connection has been established? Oh. Right. It says "Readout hash based key authentication" on the left hand side of the spec.
You probably don't have to read all 256 bits. One way this had been handled (in the Starium (sp?) phone), is to display a number derived from the hash. One person reads the first half of the number, and the other person reads the second half. If both halves verify, there is no man-in-the-middle. The length of the number determines the security, but since it is derived from the Diffie-Hellman exchange, neither side can control its value. Probably 6 digits is enough.
... There should be a means to cache credentials after an initial trust relationship between communicating parties has been established.
Cache entries would be a way for someone who obtains the phone to be able to trace your contacts. (So would an in-phone address book.) Automatic authentication also might make it easier to spoof the phone's owner.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as a | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032
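The readout check described in the message above, as an added example that is not part of the original thread or of the spec under discussion. The toy Diffie-Hellman group, hashing the shared secret with SHA-256, reducing it modulo 10^6, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption, not from the
# spec being discussed). 2**255 - 19 is prime; a real design uses a vetted group.
P = 2**255 - 19
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def readout_number(shared, digits=6):
    """Short decimal string shown to the user, derived from SHA-256(shared)."""
    digest = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return f"{int.from_bytes(digest, 'big') % 10**digits:0{digits}d}"

def halves_verify(caller_number, callee_number):
    """Caller reads the first half aloud, callee reads the second half."""
    mid = len(caller_number) // 2
    callee_accepts = caller_number[:mid] == callee_number[:mid]
    caller_accepts = callee_number[mid:] == caller_number[mid:]
    return callee_accepts and caller_accepts

def honest_call():
    # Both ends see each other's real public value: same secret, same number.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return (readout_number(dh_shared(a_priv, b_pub)),
            readout_number(dh_shared(b_priv, a_pub)))

def intercepted_call():
    # A relay substitutes its own public values, so each endpoint derives a
    # different secret. The relay cannot choose either displayed number,
    # because each depends on the endpoint's own random exponent.
    a_priv, _ = dh_keypair()
    b_priv, _ = dh_keypair()
    _, relay_pub_to_caller = dh_keypair()
    _, relay_pub_to_callee = dh_keypair()
    return (readout_number(dh_shared(a_priv, relay_pub_to_caller)),
            readout_number(dh_shared(b_priv, relay_pub_to_callee)))

if __name__ == "__main__":
    print("honest:     ", honest_call(), halves_verify(*honest_call()))
    print("intercepted:", intercepted_call(), halves_verify(*intercepted_call()))
```

With 6 digits, an intercepted call passes the spoken check only if the two independently derived numbers happen to coincide, about one chance in 10^6 per attempt.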
At 05:45 PM 11/20/2003 -0800, Bill Frantz wrote:
At 4:40 PM -0800 11/20/03, Ralf-P. Weinmann wrote:
... There should be a means to cache credentials after an initial trust relationship between communicating parties has been established.
Cache entries would be a way for someone who obtains the phone to be able to trace your contacts. (So would an in-phone address book.) Automatic authentication also might make it easier to spoof the phone's owner.
If you've got an in-phone address book, might as well let the user cache some randomly-generated password string with it. That doesn't protect you against someone stealing the phone, but it means you've got an authentic connection to your co-conspirator's stolen phone rather than to somebody else's phone. If your threat model assumes that they can trick your phone into doing things, you're already toast anyway. If you're worried that Interpol will subpoena your phone and show that the "Alice" and "Bob" passwords in your phone correspond to Alice the Narc and Bob, your prisoner's-dilemma ex-co-conspirator who's busy ratting you out, they can probably do the same thing just from the phone numbers (IP or otherwise.)
participants (2)
- Bill Frantz
- Bill Stewart