[Cryptography] Public-key auth as envisaged by first-year science students
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Aug 10 07:06:57 EDT 2016
I've been helping out with a student session where a group of first-year
science students get exposed to various interesting things outside their usual
field of study. This year, one of the exercises we set was to give them an
overview of DH via the paint-mixing analogy, explain what a MITM was, and ask
them to come up with a means of dealing with it. This is what they came up
with...
Location-limited channels: Detect how long it takes for messages to go back
and forth, the MITM will introduce delays.
OOB auth/Multipath messaging: This group was having some difficulties ("we're
biologists", to which my response was something like "great, your minds
haven't been polluted by 30 years of doing the wrong thing over and over",
I was thinking of the "obvious" solution of suggesting PKI here), their
solution was "Send an owl". Perfect, now develop it. So the end result was
to send a block of 50 owls on the assumption that all of them couldn't be
intercepted by an attacker.
OOB/Multipath #2: Send multiple pigeons trained to eat different colours of
M&Ms (this was based on the explanation of DH using paint mixing).
TTPs: Use a Skype call in which you hold up your passport to prove your
identity. You have to trust that Skype isn't controlled by the attacker as
well, but that's a pretty big step up from MITMing your Internet connection.
TTP #2: Use Instagram, with the authenticator, a photo, deleted after it's
used.
Multipath over the Internet: This one was from the computer scientists, route
the comms over multiple channels on the assumption that the attacker can't
control every path (which is what things like Perspectives do).
Remember, all this was from students who had been in high school the previous
year, and most of whom weren't computer scientists.
Peter.
More information about the cryptography
mailing list