Starium (was Re: article: german secure phone)

Eric Blossom eb at
Thu Jun 14 19:34:32 EDT 2001

On Thu, Jun 14, 2001 at 02:50:20PM +0100, Paul Crowley wrote:
> codehead at writes:
> > In the spring of 1999, at the request of a VC, I went to a garage. 
> > com meeting where one of the Starium versions was demonstrated.  At 
> > the time it was "a bump in the line" version, but instead of having a 
> > "green light" indicator, there was a 4-digit LCD display.
> > 
> > Eric Blossom said that the display showed the last four digits of the 
> > Diffie-Hellman key that was negotiated at the start of conversation.  
> > The participants in the conversation could read the digits off and 
> > confirm that there had not been a MITM attack.
> This is only secure if all parties are forced to commit to the DH
> information they're going to send before they send it.  Otherwise,
> it's trivial to collect g^x_1, g^y_2 from the two parties, then
> generate y_1, x_2 s.t. the resulting g^{x_1 y_1}, g^{x_2 y_2} collide
> in the last four digits by trying about a hundred candidates for each
> in a birthday attack.
> -- 
>   __  Paul Crowley

There is an commitment phase prior to sending g^x, g^y.  SHA-1 hashes
of g^x, g^y are exchanged.  The hash displayed is 6 hex digits, and is
derived from the publicly exchanged info, not the key itself.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list