[14471] in cryptography@c2.net mail archive
Re: anonymous DH & MITM
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Oct 3 15:03:03 2003
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@research.att.com>
To: Benja Fallenstein <b.fallenstein@gmx.de>
Cc: bear <bear@sonic.net>, "Zooko O'Whielacronx" <zooko@zooko.com>,
Ian Grigg <iang@systemics.com>, M Taylor <mctylr@privacy.nb.ca>,
Cryptography list <cryptography@metzdowd.com>
In-Reply-To: Your message of "Fri, 03 Oct 2003 20:23:24 +0300."
<3F7DB08C.30105@gmx.de>
Date: Fri, 03 Oct 2003 14:52:18 -0400
In message <3F7DB08C.30105@gmx.de>, Benja Fallenstein writes:
>
>Hi,
>
>bear wrote:
>>>>>starting with Rivest & Shamir's Interlock Protocol from 1984.
>>>>
>>>>Hmmm. I'll go read, and thanks for the pointer.
>>
>> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
>> which are on my shelf. Where was it published?
>
>Communications of the ACM: Rivest and
>Shamir, "How to expose an eavesdropper", CACM vol 24 issue 4, 1984. If
>you have an ACM Digital Library account, it's at
>
>http://portal.acm.org/ft_gateway.cfm?id=358053&type=pdf&coll=ACM&dl=ACM&CFID=12683735&CFTOKEN=40809148
>
>I've started writing a short summary earlier today, after reading, but
>then I got distracted and didn't have time... sorry :) Hope this helps
>anyway.
>
>The basic idea is that Alice sends *half* of her ciphertext, then Bob
>*half* of his, then Alice sends the other half and Bob sends the other
>half (each step is started only after the previous one was completed).
>The point is that having only half of the first ciphertext, Mitch can't
>decrypt it, and thus not pass on the correct thing to Bob in the first
>step and to Alice in the second, so both can actually be sure to have
>the public key of the person that made the other move.
>
You have to be careful how you apply it; sometimes, there are attacks.
See Steven M. Bellovin and Michael Merritt, "An Attack on the Interlock
Protocol When Used for Authentication," in IEEE Transactions on
Information Theory 40:1, pp. 273-275, January 1994,
http://www.research.att.com/~smb/papers/interlock.ps for an example of
how it's a bad protocol to use to send passwords.
--Steve Bellovin, http://www.research.att.com/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
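
The half-then-half exchange summarised in the quoted message, as an added example that is not part of the original thread or of the cited papers. It shows the Alice-to-Bob direction only. Assumptions: a toy anonymous DH group, a toy SHA-256 keystream cipher, the two "halves" realised as a hash commitment to the ciphertext followed by the ciphertext itself, and all function names are hypothetical.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3   # toy DH group (constructed; far too small for real use)

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def xor_crypt(key, data):
    # Toy SHA-256 counter keystream; the same call encrypts and decrypts.
    n = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(n))
    return bytes(a ^ b for a, b in zip(data, stream))

def halves(key, msg):
    # Assumption: half 1 is a hash commitment to the ciphertext, half 2 the ciphertext.
    c = xor_crypt(key, msg)
    return hashlib.sha256(c).digest(), c

def open_halves(key, half1, half2):
    if hashlib.sha256(half2).digest() != half1:
        return None          # second half does not match the committed first half
    return xor_crypt(key, half2)

MSG = b"alice: meet at the north gate"   # constructed sample message

def honest():
    (a, A), (b, B) = keypair(), keypair()
    h1, h2 = halves(shared(a, B), MSG)   # Alice sends h1, waits for Bob's half, sends h2
    return open_halves(shared(b, A), h1, h2)

def with_mitch():
    (a, A), (b, B), (m, M) = keypair(), keypair(), keypair()
    k_alice, k_bob = shared(a, M), shared(b, M)   # both ends hold Mitch's key M
    k_ma, k_mb = shared(m, A), shared(m, B)
    h1, h2 = halves(k_alice, MSG)
    # Bob sends nothing until he has a first half, and Alice withholds h2 until
    # she has Bob's first half, so Mitch must hand Bob a first half knowing only h1.
    # Choice 1: commit to text of his own. Bob accepts it, but it is not Alice's.
    own = open_halves(k_bob, *halves(k_mb, b"mitch: invented text"))
    # Choice 2: send a random first half, then relay Alice's text once h2 arrives.
    learned = open_halves(k_ma, h1, h2)
    relayed = open_halves(k_bob, secrets.token_bytes(32), xor_crypt(k_mb, learned))
    return own, relayed
```

In both of Mitch's choices Bob never ends up holding Alice's actual message under a valid pair of halves, which is the property the summary describes; whether the parties notice depends on the exchanged messages being something they can recognise or check.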