
How to Expose an Eavesdropper (1984) - joaobatalha
http://fermatslibrary.com/s/how-to-expose-an-eavesdropper
======
thenewwazoo
Neat concept! This protocol appears to be a response to weaknesses in DH key
exchange, which I understand to already be thoroughly broken. Can someone with
more expertise perhaps explain if my understanding is correct, and whether
this interlock technique is applicable or has been adopted anywhere?

~~~
Kenji
Yes, you are correct, it addresses the well-known possibility for an active
eavesdropper in the DH protocol.

The interlock technique is very clever; I have never seen anything quite like
it. However, at first glance, I do not know where the data blocks _MA_ and
_MB_ for the interlocking come from. If they are hard-coded, breaking the
scheme is trivial for _C_. If they are dependent on _A_ or _B_, then we
presuppose knowledge about the other party, and in that case, why not just use
public key infrastructure with public keys for A and B?

I think the most important stepping stone that makes it hard to apply this
protocol in practice is that you somehow need these blocks _MA_ and _MB_ of
information that C does not have. If we are talking about voice samples here,
it is likely that _you_ can recognize them, but not your computer. Therefore,
you'd also need some complex UI interactions to make sure it really is the
other person. I'm having a hard time thinking about a practical application
and its security implications right now.

~~~
AKrumbach
As I understood the paper, blocks _MA_ and _MB_ can have arbitrary contents as
long as possessing the following block (_MA'_ or _MB'_, respectively) is
required for decoding.

An eavesdropper cannot then substitute the contents of either _MA_ or _MB_
without either breaking the decoding process or dropping portions of the
conversation. Either way, the eavesdropper cannot fully conceal their
presence.
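
The interlock exchange discussed above, as an added worked example (not code from the paper or from any poster): a 4-round HMAC-SHA256 Feistel network is assumed as a stand-in for the block cipher, MA and MB are fixed 32-byte blocks, and a man-in-the-middle C already holds separate keys with A and B. It shows that C learns MA only after having had to commit a first half to B, so B never receives the genuine MA intact.

```python
import hmac, hashlib, secrets

ROUNDS, HALF = 4, 16  # 32-byte blocks, split into two 16-byte halves

def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Assumed stand-in for the paper's cipher: a 4-round Feistel keyed by
    # HMAC-SHA256. Either 16-byte half of the output alone reveals nothing
    # about the plaintext, which is the property the interlock relies on.
    assert len(block) == 2 * HALF
    L, R = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _f(key, i, R))
    return L + R

def decrypt_block(key: bytes, block: bytes) -> bytes:
    L, R = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, i, L)), L
    return L + R

def halves(key: bytes, msg: bytes) -> tuple[bytes, bytes]:
    c = encrypt_block(key, msg)
    return c[:HALF], c[HALF:]

def honest_run(k: bytes, ma: bytes, mb: bytes) -> tuple[bytes, bytes]:
    # A and B share k. Order: A->B a1, B->A b1, A->B a2, B->A b2.
    a1, a2 = halves(k, ma)
    b1, b2 = halves(k, mb)
    return decrypt_block(k, a1 + a2), decrypt_block(k, b1 + b2)  # B's view, A's view

def mitm_run(k_ac: bytes, k_bc: bytes, ma: bytes) -> tuple[bytes, bytes, bytes]:
    # C ran the key exchange separately with A and B, so it holds k_ac and k_bc.
    a1, a2 = halves(k_ac, ma)              # A sends a1; a1 alone is useless to C
    # B answers only after a first half, and A releases a2 only after B's first
    # half, so C must commit to B now, before it knows MA (or stall and time out).
    guess = secrets.token_bytes(2 * HALF)  # constructed filler: C's best effort
    c1, c2 = halves(k_bc, guess)
    # ... B answers b1, A releases a2, and only now does C learn MA:
    learned = decrypt_block(k_ac, a1 + a2)
    _, real2 = halves(k_bc, learned)
    if_c_swaps = decrypt_block(k_bc, c1 + real2)  # two ciphertexts mixed: garbage
    if_c_stays = decrypt_block(k_bc, c1 + c2)     # B gets C's guess, not MA
    return learned, if_c_swaps, if_c_stays
```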

------
g_p
For anyone interested in this, it's worth also taking a look at a related
follow-up paper discussing a weakness in the use of the interlock technique
for authentication [0]. I recognised the title here and recalled reading this
paper some time ago.

[0] Bellovin, Steven M., and Michael Merritt. "An attack on the interlock
protocol when used for authentication." IEEE Transactions on Information
Theory 40.1 (1994): 273-275.

PDF at
[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.112...](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.112.1529&rep=rep1&type=pdf)

From the abstract,

> [...] We demonstrate that an active attacker can, at the cost of a timeout
> alarm, bypass the password exchange, and capture the passwords used.
> Furthermore, if the attack is from a terminal or workstation attempting to
> contact a computer, the attacker will have access before any alarm can be
> sounded.

------
whatgoodisaroad
Link to a regular PDF: [https://people.csail.mit.edu/rivest/RivestShamir-HowToExpose...](https://people.csail.mit.edu/rivest/RivestShamir-HowToExposeAnEavesdropper.pdf)

