[SGVLUG] Security riddle

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Mon Nov 23 14:29:00 PST 2009 

> -----Original Message----- Of Rae Yip
>
> Depends if your postal system uses DNSSEC or not. ;)

[actually, I have an insidious comment on this as well, that points to a "real-world" scenario if you were to attempt this, but I'll save it for after the "proper" solution is revealed]

> Seriously, the riddle has a better solution that doesn't
> involve putting the locks inside an unlocked box. If you
> eliminate some of the operations in the proposed solution,
> you'll arrive at the answer.

Yup - after I saw the original solution, I thought of the (presumably shorter) version of "the recipient sends you an unlocked lock" first, but realized it was specifically subject to "man-in-the-middle" - not having seen the recipient's lock beforehand, you have no way of knowing the lock you received was indeed "his lock" - same is true for sending YOUR lock (unlocked) in the original direction - the recipient has no guarantee he actually received YOUR lock [this, BTW, will make for a cool visual demonstration at a future meeting on security, which is why I brought it up] -- either way an "unlocked" lock travels, it can be intercepted and replaced with a different unlocked lock for which the "carrier" has the key, and on the return trip opened and replaced with the original lock.

> I can't claim any credit since I learned this one from a job
> interview.

Since I learned of this via a webpage myself, the answer is out there if you search for it ...

There is a three-phase answer involving a fox, cabbage, and a chicken (or was it a duck?) and crossing a creek and a small boat - that should give you another clue...


> On Mon, Nov 23, 2009 at 12:44 PM, Mike Rubel
> > Is there any worry about a "man in the middle" intercepting the
> > original shipment and replacing your open lock with his own?  (Then
> > replacing the recipient's lock in the return shipment, and
> so forth?)
> >
> >> Send the unlocked box with one of your locks. the recipient places
> >> his lock inside and locks the box with your lock. You
> unlock the box
> >> with your key, put the item in the box and lock the box with his
> >> lock. he unlocks it with his key.

More information about the SGVLUG mailing list