anonymous DH & MITM
Steven M. Bellovin
smb at research.att.com
Fri Oct 3 14:52:18 EDT 2003
In message <3F7DB08C.30105 at gmx.de>, Benja Fallenstein writes:
>
>Hi,
>
>bear wrote:
>>>>>starting with Rivest & Shamir's Interlock Protocol from 1984.
>>>>
>>>>Hmmm. I'll go read, and thanks for the pointer.
>>
>> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
>> which are on my shelf. Where was it published?
>
>Communications of the ACM: Rivest and
>Shamir, "How to expose an eavesdropper", CACM vol 24 issue 4, 1984. If
>you have an ACM Digital Library account, it's at
>
>http://portal.acm.org/ft_gateway.cfm?id=358053&type=pdf&coll=ACM&dl=ACM&CFID=12683735&CFTOKEN=40809148
>
>I've started writing a short summary earlier today, after reading, but
>then I got distracted and didn't have time... sorry :) Hope this helps
>anyway.
>
>The basic idea is that Alice sends *half* of her ciphertext, then Bob
>*half* of his, then Alice sends the other half and Bob sends the other
>half (each step is started only after the previous one was completed).
>The point is that having only half of the first ciphertext, Mitch can't
>decrypt it, and thus not pass on the correct thing to Bob in the first
>step and to Alice in the second, so both can actually be sure to have
>the public key of the person that made the other move.
>
You have to be careful how you apply it; sometimes, there are attacks.
See Steven M. Bellovin and Michael Merritt, "An Attack on the Interlock
Protocol When Used for Authentication," in IEEE Transactions on
Information Theory 40:1, pp. 273-275, January 1994,
http://www.research.att.com/~smb/papers/interlock.ps for an example of
how it's a bad protocol to use to send passwords.
--Steve Bellovin, http://www.research.att.com/~smb
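
The half-then-half exchange summarised in the quoted message, in the anonymous-DH setting of the subject line, as an added Python example that is not part of the original thread or of the cited papers. Assumptions: the first "half" is modelled as a SHA-256 commitment to the ciphertext, the DH group and cipher are toy constructions, and every name here is hypothetical.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): far too small for real use

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, msg):
    # Toy encrypt-then-MAC for messages up to 32 bytes (constructed for this demo).
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(key + nonce).digest()
    body = nonce + bytes(m ^ p for m, p in zip(msg, pad))
    return body + _tag(key, body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("ciphertext was not made under our session key")
    pad = hashlib.sha256(key + body[:16]).digest()
    return bytes(c ^ p for c, p in zip(body[16:], pad))

def first_half(blob):
    # Assumed model of "half": commits to the ciphertext, cannot be decrypted.
    return hashlib.sha256(blob).digest()

def accept(key, half1, blob):
    if not hmac.compare_digest(half1, first_half(blob)):
        raise ValueError("second half does not match first half")
    return unseal(key, blob)

def exchange(alice_msg, mitch=None):
    """Alice-to-Bob direction only. mitch is None, 'relay' or 'invent'."""
    (a_priv, a_pub), (b_priv, b_pub), (m_priv, m_pub) = keypair(), keypair(), keypair()
    k_alice = session_key(a_priv, m_pub if mitch else b_pub)
    k_bob = session_key(b_priv, m_pub if mitch else a_pub)
    blob = seal(k_alice, alice_msg)
    half1 = first_half(blob)             # step 1: Alice sends only this
    if mitch == "invent":                # Mitch must commit before he can read Alice
        blob = seal(session_key(m_priv, b_pub), b"guess by Mitch")
        half1 = first_half(blob)
    # Bob's first half would travel the other way here, before step 3.
    return accept(k_bob, half1, blob)    # step 3: the full ciphertext reaches Bob
```

With `mitch="relay"` Bob rejects the ciphertext; with `mitch="invent"` Bob receives a message Alice never wrote, so detection rests on the two ends being able to recognise each other's content.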
---------------------------------------------------------------------
The Cryptography Mailing List