Starium (was Re: article: german secure phone)

Eric Blossom eb at comsec.com
Thu Jun 14 19:34:32 EDT 2001


On Thu, Jun 14, 2001 at 02:50:20PM +0100, Paul Crowley wrote:
> codehead at ix.netcom.com writes:
> > In the spring of 1999, at the request of a VC, I went to a garage. 
> > com meeting where one of the Starium versions was demonstrated.  At 
> > the time it was "a bump in the line" version, but instead of having a 
> > "green light" indicator, there was a 4-digit LCD display.
> > 
> > Eric Blossom said that the display showed the last four digits of the 
> > Diffie-Hellman key that was negotiated at the start of conversation.  
> > The participants in the conversation could read the digits off and 
> > confirm that there had not been a MITM attack.
> 
> This is only secure if all parties are forced to commit to the DH
> information they're going to send before they send it.  Otherwise,
> it's trivial to collect g^x_1, g^y_2 from the two parties, then
> generate y_1, x_2 s.t. the resulting g^{x_1 y_1}, g^{x_2 y_2} collide
> in the last four digits by trying about a hundred candidates for each
> in a birthday attack.
> -- 
>   __  Paul Crowley


There is an commitment phase prior to sending g^x, g^y.  SHA-1 hashes
of g^x, g^y are exchanged.  The hash displayed is 6 hex digits, and is
derived from the publicly exchanged info, not the key itself.

Eric



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list