by MauranKilom 1887 days ago
It bears note that this is still subject to a MITM attack on whatever channel is used for the information exchange. You cannot generate a shared secret without either an existing shared secret or some form of secure authenticated communication channel in the first place. I mean, you can, but you can't be sure who it is that you're sharing the new secret with.

That's why you have the Check Digits. There's no way to communicate a long and cryptic password on the phone. But it is easy to compare check digits on the phone.
I'm not convinced that transmitting the first, say, 5 characters of the full password is any less secure than transmitting the sum of all its "digits". In fact, I would expect the latter to be significantly easier to match by brute force by a MITM adversary.
There's no difference for the MITM how I pick the Short Authentication String (SAS) (the check digits).

But there's a difference in terms of strength of the encryption key, if you are planning to use the full password as input to a Key Derivation Function (KDF). If you make public the first 5 letters of a 44 letter password, you've just lost some of the entropy.

By the way, based on a comment in this thread, I added a SHA-256 stage. I now hash the full password, and sum the bytes of the hash to generate the check digits.

(https://security.stackexchange.com/questions/91699/why-cant-...)

TLDR: "Without authentication, impersonation is feasible, ..."

tldr: preventing MITM attacks requires setting up an authentication workflow. Without this, you have no guarantees about who you're speaking to.

For example, TLS 1.3 does this by (after performing ephemeral DH key exchange) signing the conversation transcript with the server's long term identity key. After this the client is sure that they are speaking to the correct server, but the server has no authenticity guarantees about the client.

The only way is to use another channel for the Short Authentication String (SAS) (check digits in my case). I recommend that people SMS them the check digits, and exchange the DH offers by email.
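An added example, not code from any poster in this thread: it measures how many bits of comparison strength a "sum of the SHA-256 bytes" check value carries, which is the point argued above. It assumes the decimal sum is used directly as the check digits and that digest bytes are uniform and independent; the function names are hypothetical.

```python
import hashlib
import math

DIGEST_LEN = 32  # SHA-256 output size in bytes

def check_digits(password: str) -> int:
    """Assumed scheme: decimal sum of the SHA-256 digest bytes (0..8160)."""
    return sum(hashlib.sha256(password.encode("utf-8")).digest())

def byte_sum_counts(n_bytes: int = DIGEST_LEN) -> list[int]:
    """Exact number of n-byte strings that produce each possible byte sum."""
    counts = [1]  # zero bytes: only the sum 0 is reachable
    for _ in range(n_bytes):
        prefix = [0]
        for c in counts:
            prefix.append(prefix[-1] + c)
        m = len(counts)
        # new_sum = old_sum + byte, byte in 0..255 (sliding-window sum)
        counts = [prefix[min(s, m - 1) + 1] - prefix[max(0, s - 255)]
                  for s in range(m + 255)]
    return counts

def min_entropy_bits(counts: list[int]) -> float:
    """Bits of strength against the single most likely value."""
    return -math.log2(max(counts) / sum(counts))

def collision_entropy_bits(counts: list[int]) -> float:
    """Bits of strength against two random inputs sharing a value."""
    total = sum(counts)
    return -math.log2(sum(c * c for c in counts) / (total * total))

if __name__ == "__main__":
    counts = byte_sum_counts()
    # Constructed sample password, for illustration only.
    print("check digits:", check_digits("correct horse battery staple"))
    print("possible values:", len(counts))
    print("bits if uniform over range: %.2f" % math.log2(len(counts)))
    print("min-entropy bits:           %.2f" % min_entropy_bits(counts))
    print("collision-entropy bits:     %.2f" % collision_entropy_bits(counts))
    print("4 digits of hash, uniform:  %.2f" % math.log2(10_000))
```

Because the sum clusters around 4080, the check value is worth roughly 10 bits rather than the 13 its range suggests; taking digits from a truncation of the hash keeps the distribution uniform.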