Diffie-Hellman and MITM

[Marcel Popescu]

From: "gfgs pedo" <jtrjtrjtr2001 at yahoo.com>

> One solution suggested against the man in the middle
> attack is using the interlock protocol

This is the one I vaguely recalled, thank you.

> All mallory would have to do is send the half of the
> (n th) packet when he receives the half of (n+1)th
> packet since the 1 st packet was faked by mallory.

Interesting attack... assuming that a one-block delay doesn't look
suspicious.

What if every message except the very first one has a hash of the previously
received message?

A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of message B1)
... and so on

Nah... won't work; since M captures A1 and B1, he can compute the hashes for
both the initial bogus message and the (delayed) genuine ones. Same if they
try hasing all the previous messages.

What if they send the hash of the *other* half? (The program splitting the
messages already has the full ones.)

A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on

Nope, no good... M fakes the first message in both direction, and then he
always has a good one, so he can compute the hashes.

The only thing that might, as far as I can see, succeed (with a high
probability) would be for everyone to hash the *next* half - meaning that,
together with half 2 of message N, there will be the hash of half one of
message N + 1. However, I don't see how this would be possible for an
interactive communication...

Thanks,
Mark