
20 questions (was Re: Man in the middle attacks)

At 08:49 3/8/96, David P. Kemp <dpkemp@missi.ncsc.mil> wrote:
>> From: cme@cybercash.com (Carl Ellison)
>> Yes!  If you've met Bob in person, then you have a body of common knowledge
>> that most likely can be converted to a shared secret.  That shared secret,
>> in turn, can be used to verify that there is no eavesdropper.  This
>> in-person meeting is the second channel which defeats Eve.

>I'd like to see your proposal for converting wetware shared secrets
>into a cryptographic shared secret, reliably and with more than a
>trivial number of bits.
>  "Hey Bob, remember that restaurant we went to at the last IETF?
>   What was the waitress' name and how many people were at the table?"
>What does that get you?  About 8 bits of entropy?

About.  It takes several such questions/answers to get up to 160 bits
-- in fact, 20, if you're right.

>And what if you remember the waitress as "Lori", but Bob remembers
>her as "Lorrie"?

You permit several spellings.  Such options lose you a couple of bits.  You
also allow him to make some mistakes.  He has to make the right number of
successes to get all those bits.

I'm preparing a real paper on this subject - will send you a copy when it's
available, if you care.

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
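
An added worked example, not part of the original message or of any paper by its author: a bit budget for the scheme discussed above, covering the 8-bit answers, the accepted alternate spellings, and the tolerated mistakes. It assumes each answer is uniformly distributed over 2^bits possibilities and that the attacker guesses blind; all function and parameter names are illustrative.

```python
import math

def guess_probability(n, k, bits_per_answer, spellings=1):
    """Chance that one blind guess at all n answers gets at least k accepted.

    Assumption: each answer is uniform over 2**bits_per_answer values and
    `spellings` distinct variants of the right answer are accepted.
    """
    p = min(1.0, spellings / 2 ** bits_per_answer)  # per-answer hit rate
    # Binomial tail: k or more of the n guessed answers are accepted.
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(k, n + 1))

def effective_bits(n, k, bits_per_answer, spellings=1):
    """Work factor, in bits, for a blind guesser who must get k of n right."""
    return -math.log2(guess_probability(n, k, bits_per_answer, spellings))

def questions_needed(target_bits, mistakes, bits_per_answer, spellings=1):
    """Smallest n reaching target_bits when `mistakes` wrong answers are allowed."""
    n = mistakes + 1
    while effective_bits(n, n - mistakes, bits_per_answer, spellings) < target_bits:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed scenarios based on the figures quoted in the thread.
    print("20 exact answers, 8 bits each:      %.1f bits"
          % effective_bits(20, 20, 8))
    print("same, 4 spellings accepted each:    %.1f bits"
          % effective_bits(20, 20, 8, spellings=4))
    print("20 questions, 2 mistakes allowed:   %.1f bits"
          % effective_bits(20, 18, 8))
    print("questions for 160 bits, 2 mistakes: %d"
          % questions_needed(160, 2, 8))
```

Under these assumptions, accepting four spellings per answer costs two bits per question, and forgiving two wrong answers out of twenty costs about 23.6 bits, so more questions are needed to get back to 160.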