The Instant Answer Protocol.

Alice verifies Bob by phone.

Sometimes I have to trade information with people I’ve never met. I know who they are, in the sense that I know what they’re working on, why we’re collaborating, etc. But I wouldn’t recognize their face or voice. Occasionally, the information we’re trading is sensitive — news of a software security vulnerability, for example, or the address of a mutual collaborator who cares about privacy.

How can you know that the person you’re talking to is the person you think they are? You can send them encrypted messages, but you still need to verify that you’re using the right encryption key. So you call them up or find them in an online chat room and verify the key fingerprint… but how do you know that the person you’re verifying with is the right person and not some man-in-the-middle attacker?

It may all sound a bit spy-vs-spy, but anyone who works on widely-used open source software can find themselves in this situation. It’s happened to me more than once.

The solution I use is something I call the Instant Answer Protocol:

Alice wants to verify that the person she’s talking to in real-time is Bob. She digs up a few random facts about Bob on the Internet, or by talking to someone they both know, then phones or chats online with Bob and asks him about those facts. In the absence of a very dedicated impersonator, only Bob would be able to instantaneously answer unexpected questions about himself, so his identity would then be established to a high degree of certainty. After that, she can voice-verify Bob’s encryption key fingerprint or do whatever else she needs to do.

Such a check still wouldn’t protect against a determined and well-funded imposter… but then, how can you even be sure it’s you reading this?

I’ve used the protocol several times. I’ve never caught my interlocutor trying to fake someone else’s identity, but it gave me peace of mind anyway.

Obviously, this is a very old protocol. It predates the Internet, and probably literacy itself. Does anyone know if this protocol already has a name in cryptography circles?

4 Responses to “The Instant Answer Protocol.”

  1. Crosbie Fitch Says:

    I don’t know if it has a name, but it resonates with an article I wrote about distributed approaches to identity systems: Ideating Identity.

  2. Karl Fogel Says:

    Yes — very similar, even the same, though you take the idea philosophically farther than I am here (I was just looking for a way to voice-verify my fellow coders!).

  3. Nick Parker Says:

    This sounds similar to the ideas behind the Socialist Millionaire Problem; it was nice to meet you down at RightsCon Rio!

    Nick Parker

  4. Karl Fogel Says:

    Hey, Nick! It was great to meet you too. Yes, I do think there is similarity at least at a conceptual level, to SMP and OTR (a friend has remarked on it before to me). The difference is important too, though: that no “implementation” is needed to run the Instant-Answer Protocol — you don’t need a calculator or special software, just a real-time communications mechanism.

    In practice, just about the only thing I ever use it for is exchanging key fingerprints. (Obviously, there is a M-i-t-M attack in that case, but one that would require such dedicated resources that, as the saying goes, “you have bigger problems in that case” :-) ).

Leave a Reply