Dumb anti-MITM hacks / CAPTCHA application
From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 12/21/03
- Previous message: Paul Crowley: "Re: Does OTP need authentication?"
- Next in thread: David Wagner: "Re: Dumb anti-MITM hacks / CAPTCHA application"
- Reply: David Wagner: "Re: Dumb anti-MITM hacks / CAPTCHA application"
- Reply: Anne & Lynn Wheeler: "Re: Dumb anti-MITM hacks / CAPTCHA application"
Date: 20 Dec 2003 20:46:30 -0800
Alice and Bob, two random strangers, discover each other through an
online personals ad and want to have a secure phone conversation or
online chat.

Ivan is a trusted introducer known to Alice and Bob. "Known" means
Alice and Bob have Ivan's public key. "Trusted" means they believe
Ivan won't cheat on the protocol. Ivan of course doesn't know Alice
or Bob, who aren't enrolled in any system and who may actually want to
stay anonymous to both each other and to Ivan.

Alice and Bob can't authenticate to each other because they have no
credentials, but they at least want to know there's no computer
between them acting as a MITM. This protocol uses Turing tests to
detect computerized MITM's and maybe less reliably detect human
MITM's. Mitch is a possible MITM.

Alice and Bob do an unauthenticated DH key exchange with what they
hope is each other, so that Alice agrees on secret key KA and Bob
agrees on secret key KB. If there's no MITM, then KA = KB, but if
there's a MITM, then KA != KB.

1. Low-paranoia protocol: Alice and Bob each open an SSL connection to
Ivan, authenticated at Ivan's end by Ivan's public key which Alice
and Bob trust. Alice sends sha1(KA) to Ivan and Bob sends sha1(KB)
to Ivan. Ivan now sends Alice and Bob each an automated Turing
test (http://www.captcha.net) which they answer. Assuming they
answer correctly, Ivan simply checks that the two hashes match, and
that shows there's no automated MITM (unless the MITM can break the
Turing test). Alice and Bob can now exchange persistent public
keys (or a shared secret) that they can use to authenticate future
conversations, so they don't need to get Ivan involved and do more
Turing tests every time they want to talk to each other. Of course
Mitch can have humans sitting around answering the Turing tests
just to run MITM attacks against chat users (imagine a room full of
people in front of consoles like Mission Control from the Apollo
project), so this is unsatisfying to the very paranoid.

2. Higher-paranoia protocol #1: Alice and Bob open SSL connections to
Ivan. Ivan agrees to act as a proxy server, forwarding messages
from Alice to Bob and vice versa. Before forwarding any message in
either direction, Ivan inserts a 5 second delay. So if Alice sends
a challenge to Bob and Bob sends back a response with no MITM, the
round trip delay is 10 seconds. But if there's a MITM, the round
trip delay is 20 seconds. Alice and Bob can now quiz each other
about topics of mutual interest, contents of past conversations,
etc, and run typical interlock protocols (send hash(x) in one
message and x in another message), carefully noting the delay
before each response. If Mitch wants Alice and Bob to see answers
in less than 20 seconds, he has to send his own answers rather than
relaying Alice and Bob's answers to each other. That means he has
to actually social-engineer Alice and Bob, which is presumably
harder than answering automated Turing tests. Eventually Alice and
Bob satisfy each other and then they can again record each other's
public (or secret) keys for later use.

Note that both of these protocols amount to shared-secret protocols,
where the shared secret is some nebulous aspect of personal identity,
rather than a mere bit string.

Thoughts/comments/improvements?
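
The hash comparison of protocol 1 and the delay arithmetic of protocol 2, sketched as an added example that is not part of the original post. The toy DH group, the function names, the boolean CAPTCHA results and the model of Mitch holding one Ivan session with each party are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group (the post names none): 2**127 - 1 is prime, but far too
# small for real use. It only keeps the demonstration fast.
P, G = 2**127 - 1, 3
IVAN_DELAY = 5  # seconds Ivan holds each forwarded message (protocol 2)

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def exchange(mitm):
    """Unauthenticated DH. Returns (KA, KB) as Alice and Bob each compute them."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if mitm:
        # Mitch replaces the public value in both directions with his own, so
        # Alice and Bob each share a different key with Mitch, not each other.
        _, m_pub = dh_keypair()
        a_pub = b_pub = m_pub
    return dh_secret(a_priv, b_pub), dh_secret(b_priv, a_pub)

def ivan_check(hash_a, hash_b, captcha_a_ok=True, captcha_b_ok=True):
    """Protocol 1: Ivan accepts only if both Turing tests pass and hashes match."""
    if not (captcha_a_ok and captcha_b_ok):
        return False
    return secrets.compare_digest(hash_a, hash_b)

def protocol1(mitm):
    ka, kb = exchange(mitm)
    # Only the SHA-1 of each key goes to Ivan, so Ivan never learns KA or KB.
    return ivan_check(hashlib.sha1(ka).hexdigest(), hashlib.sha1(kb).hexdigest())

def round_trip_seconds(mitm):
    # Assumed model: Mitch holds one session through Ivan with each party, so a
    # relayed message crosses Ivan twice each way (the post's 10 s vs 20 s).
    ivan_crossings_each_way = 2 if mitm else 1
    return 2 * ivan_crossings_each_way * IVAN_DELAY

if __name__ == "__main__":
    for mitm in (False, True):
        print(f"mitm={mitm}: hashes match={protocol1(mitm)}, "
              f"challenge/response delay={round_trip_seconds(mitm)}s")
```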