Instructions: To add a question/comment to a specific line, equation, table or graph simply click on it.
Click on the annotations on the left side of the paper to read and reply to the questions and comments.
The authors of this paper are Ronald L. Rivest and Adi Shamir. Rive...
In other words, the main goal of this protocol is to make it harder...
**There is no** central authority (at a global level) that distribu...
In this case **transparent** means that for `A` and `B` their commu...
Here the authors describe a typical man-in-the-middle attack where ...
This is a very important note. This protocol only works if `A` and ...
It’s important to understand that this scheme forces the eavesdropp...
**Baud rate** is the rate at which information is transferred in a ...
RESEARCH CONTRIBUTIONS
Programming
Techniques and
Data Structures
Ellis Horowitz
Editor
How to Expose
an Eavesdropper
RONALD
L
RIVEST
and ADI
SHAMIR
ABSTRACT:
We present a new protocol for establishing
secure communications over an insecure communications
channel in the absence of trusted third parties or
authenticated keys. The protocol is an improvement over
the simpler protocol in which the communicating parties
exchanged their public encryptiort keys and used them to
encrypt messages. It forces a potential eavesdropperif he
wants to understand the messagesto reveal his existence
by modifying and serioiisly garbling the communication.
1.
INTRODUCTION
Public-key cryptosystems [1, 2] with central directories
that authenticate and distribute the keys give their
users a high degree of protection. However, for large,
loosely organized and continuously changing networks
(telephones, home computers, electronic mail, etc.), a
central directory is almost impossible to maintain, and
the communicating parties have to rely on local, inse-
cure directories or they have to exchange their public
keys themselves. The purpose of this paper is to suggest
a new communications protocol that protects the net-
work members against eavesdroppers even in this case.
An application we have in mind is one in which two
company executives Who can recognize each other's
voice but who do not have each other's key want to
communicate via a scrambled telephone line. All the
key exchanges and encryption/decryption parts of the
This research was partially supported by NSF Grant No. MCS-8006938.
© 1984 ACM 0001-0782/84/0400-0393 75(t
protocol are handled automatically, and the two execu-
tives are aware only of each other's unscrambled voice.
2.
THE EAVESDROPPER SCENARIO
Consider the following eavesdropper scenario. We de-
fine an eavesdropper to be someone who Wants to mon-
itor the communication between two parties without
tampering with the data and without exposing his ex-
istence. He may modify the ciphertext stream in atiy
manner whatsoever (deleting, delaying, substituting, or
inserting ciphertexts) as lohg as he does not change the
cleartexts received by the communicating parties. Note
that, in the context of a public-key cryptosystem, a
successful eavesdropper must actively participate in the
key-exchange protocol; but, if he wants to monitor the
communications for a long period of time, he would
have to try to behave as transparently as possible, since
any trace he leaves in the cleartexts is likely to arous6
suspicion.
A well-known and serious problem with unauthenti-
cated public-key exchange protocols is that the commu-
nication between the two parties, A and B, can be trans-
parently monitored by an eavesdropper, C, who inserts
into the communication line an encryption/decryption
device as follows:
KA KC
T
c
KB
April 1984 Volume 27 Number 4 Communications of the ACM 393
Research Contributions
When
A
wants
to
communicate with B, C replaces both
the public key, KA, that
A
sends
to
B
and the
public
key, KB, that
B
sends to
A by his
own public key,
KC
(or
by
a
pair
of
keys,
KC and
KC",
if
the keys contain
an
identifying prefix). Whenever
A
sends
an
encrypted
message EKC(MA)
to
B,
C
intercepts
it,
decrypts
it in
order
to
read
MA,
and
then reencrypts
it
as EKB[MA)
before sending
it to
B.
Messages, MB, sent
by
B
to
A
are
handled
in a
similar way.
The communicating parties
can try to
trap C by send-
ing their public keys again
for
verification
as
part
of
the
cleartexts they exchange.
If
C
is
not
allowed
to
change
such messages,
he
may
get
into trouble. To avoid this
technical difficulty,
we
allow eavesdroppers
to
change
all
the
key-related portions
of
messages
and
assume
that they
are
clever enough
to
detect them
in
real time.
One
can
almost prove that when
all the
communica-
tion lines between
A and
B
are
controlled
by
C, this
cryptanalytic attack cannot
be
foiled. If
A
and
B cannot
authenticate
the
keys they receive,
KC
looks just
as
legal
as
KA
and
KB.
Since
all of
C's actions
are
transpar-
ent,
A and
B
cannot possibly distinguish between
a
scenario
in
which C exists
and a
scenario
in
which
C
does
not
exist. Yet,
we
claim that
a
simple change
in
the communications protocol
can
dramatically reduce
the danger posed
by
eavesdroppers.
We note that
no
such protocol
can be
perfect since
it
is conceivable that
C
could pretend
to be
B
sufficiently
well that
A
would have
no
means
of
determining that
he was talking
to
C rather than
B.
This possibility
is
of
particular concern when
A and
B
are
merely machines.
However,
the net
effect
of
the protocol
to be
proposed
is
that any authentication provided by A's a
priori
knowl-
edge
of
B's communication patterns, knowledge
or
voice
is
used
to
expose
the
would-be eavesdropper.
This
is a
feature that
the
ordinary "exchange
of
public
keys"
protocols does
not
possess, s