[Next] [Up] [Previous] [Index]

The Interlock Protocol

Public-key cryptography allows two parties to communicate securely without having had to have previously met to exchange a secret key. It is enough to know the other party's public key to send messages that only the other party, with his private key, can read.

But if one does not have any direct contact with the other party, there is the possibility of the man-in-the-middle attack. An active eavesdropper could arrange for you to see his public key in place of the public key of the party you actually want to send a message to, then take your message when you send it, decode it and read it, then encipher it again, this time in the other party's real public key, and send it on.

One method of dealing with this is through the use of key certificates. A trusted central authority, having had direct contact with the intended recipient of your message, uses public key methods to digitally sign a message that states what the public key of your intended recipient actually is.

Another type of method has also been proposed to combat the man-in-the-middle attack. These methods, by themselves, don't prove the identity of the party with whom you are communicating: but they do prevent a man-in-the-middle from passing on messages in both directions between two other parties at the same time. Thus, if these methods are coupled with some other form of identity check, they can be useful.

The original interlock protocol, as devised by Ron Rivest and Adi Shamir, worked like this: after both parties exchanged public keys, then each sent, in turn, the first half of an encrypted message, and then each sent, in turn, the second half of his or her own message.

This required that the messages were encrypted in such a way that only a whole message, not half of one, could be decrypted with the key. This protocol works well with RSA, since it enciphers data in large blocks, numbers modulo M, the product of two large primes, and nothing can be done with half of the digits of a block.

With a public-key system like Diffie-Hellman, a similar result can be obtained by first sending messages enciphered in a symmetric key system, and then afterwards sending that symmetric key as a message enciphered using the normal Diffie-Hellman session key.

But an interlock protocol only allows a man-in-the-middle attack to be detected after the fact, if the attacker can at least temporarily pretend to be one of the two parties to the communication. However, there is a case where that would be enough to prevent any successful eavesdropping.

Since an interlock protocol is only usable when two parties are communicating in real time, it can't be used for E-mail. Could it be useful with a secure telephone?

A secure telephone can be protected against a man-in-the-middle attack by displaying a checksum of the session key in a display at both ends, which one party could then read off to the other. This (provided, of course, that both parties recognize each other's voices) would prevent a man-in-the-middle attack quite effectively, and it would do so without any need to use an interlock protocol for the previous exchange of keys.

[Next] [Up] [Previous] [Index]

Table of Contents
Home Page