sen-material: handouts/ho05.tex@06a04b3b2dda (annotated)

245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	1	\documentclass{article}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	2	\usepackage{../style}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	3	\usepackage{../langs}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	4	\usetikzlibrary{patterns,decorations.pathreplacing}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	5
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	6	\begin{document}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	7
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	8	\section*{Handout 5 (Protocols)}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	9
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	10	Protocols are the computer science equivalent to fractals and
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	11	the Mandelbrot set in mathematics. With the latter two you
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	12	have a simple formula, which you just iterate and then you
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	13	test whether a point is inside or outside a region\ldots{}it
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	14	does not look exciting, but voila something magically
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	15	happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	16	\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	17	are similar: they are simple exchanges of messages, but in the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	18	end something ``magical'' can happen---for example a secret
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	19	channel has been established or two entities have
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	20	authenticated themselves to each other. Even in face of strong
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	21	adversaries where we have no control over the network over
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	22	which our messages are exchanged. The problem with magic is of
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	23	course it is poorly understood and even experts often got, and
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	24	get, it wrong with protocols.
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	25
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	26	To have an idea what kind of protocols we are interested in, let
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	27	us look at a few examples. One example are (wireless) key
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	28	fobs, which operate the central locking system and the
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	29	ignition in a car.
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	30
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	31	\begin{center}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	32	\includegraphics[scale=0.075]{../pics/keyfob.jpg}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	33	\quad
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	34	\includegraphics[scale=0.2025]{../pics/startstop.jpg}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	35	\end{center}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	36
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	37	\noindent The point of these key fobs is that everything is
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	38	done over the ``air''---there is no physical connection
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	39	between the key, doors and engine, as was the case with the
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	40	old solid metal keys. With the key fobs we must achieve
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	41	security by exchanging certain messages between the key fob on
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	42	one side and the doors and engine on the other. Clearly what
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	43	we like to accomplish is that I can get into my car and start
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	44	it, but that thieves are kept out. The problem is that
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	45	everybody can ``overhear'' or skim the exchange of messages
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	46	between the key fob and car. In this scenario the simplest
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	47	attack you need to defend against is a person-in-the-middle
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	48	attack. For this imagine you park your car in front of a
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	49	supermarket. One thief follows you with a strong transmitter.
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	50	A second thief ``listens'' to the signals from the car and
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	51	wirelessly transmits them to the ``colleague'' who followed
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	52	you. This thief silently enquires what the key fob answers.
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	53	This answer is then send back to the thief at the car. If done
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	54	properly the car will dutifully open and possibly start. No
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	55	need to steal your keys anymore.
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	56
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	57	But there are many more such protocols we like to treat.
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	58	Another example is Wifi---you might sit at a Starbucks and
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	59	talk wirelessly to the free access point there and from there
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	60	talk to your bank. Moreover, even if your have to touch your
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	61	Oyster card at the reader each time you enter or exit the
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	62	Tube, it actually operates wirelessly and with appropriate
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	63	equipment over some quite large distance (several meters). But
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	64	there are many, many more examples (Bitcoins, mobile
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	65	phones,\ldots). The common characteristics of the protocols we
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	66	are interested in is that an adversary or attacker is assumed
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	67	to be in complete control over the network or channel over
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	68	which we exchanging messages. An attacker can install a packet
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	69	sniffer on a network, inject packets, modify packets, replay
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	70	old messages, or fake pretty much everything else. In this
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	71	hostile environment, the purpose of a protocol (that is
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	72	exchange of messages) is to achieve some security goal. For
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	73	example only allow the owner of the car in, but everybody else
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	74	should stay out.
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	75
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	76	The protocols we are interested here are generic descriptions
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	77	of how to exchange messages in order to achieve a goal. Unlike
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	78	the distant past where, for example, we had to meet a person in
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	79	order to authenticate him or her (via a passport for example),
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	80	the problem we are facing on the Internet is that we cannot
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	81	easily be sure who we are ``talking'' to. The obvious reason
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	82	is that only some electrons arrive at our computer; we do not
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	83	see the person, or computer, behind the incoming electrons
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	84	(messages).
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	85
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	86	To start, let us look at one of the simplest protocols that
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	87	are part of the TCP protocol (which underlies the Internet).
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	88	This protocol does not do anything security relevant, it just
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	89	establishes a ``hello'' from a client to a server which the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	90	server answers with ``I heard you'' and the client answers
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	91	in turn with something like ``thanks''. This protocol
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	92	is often called a \emph{three-way handshake}. Graphically it
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	93	can be illustrated as follows
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	94
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	95	\begin{center}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	96	\includegraphics[scale=0.5]{../pics/handshake.png}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	97	\end{center}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	98
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	99	\noindent On the left-hand side is a client, say Alice, on the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	100	right-hand side is a server, say. Time is running from top to
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	101	bottom. Alice initial SYN message needs some time to travel to
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	102	the server. The server answers with SYN-ACK, which will
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	103	require some time to arrive at Alice. Her answer ACK will
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	104	again take some time to arrive at the server. After the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	105	messages are exchanged Alice and the server simply have
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	106	established a channel to communicate over. Alice does
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	107	not know whether she is really talking to the server (somebody
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	108	else on the network might have intercepted her message
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	109	and replied in place of the server). Similarly, the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	110	server has no idea who it is talking to. That this can be
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	111	established depends on what is exchanged next and is the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	112	point of the protocols we want to study in more detail.
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	113
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	114	Before we start in earnest, we need to fix a more
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	115	convenient notation for protocols. Drawing pictures like
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	116	the one above would be awkward in the long-run. The
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	117	notation already abstracts away from a few details we are
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	118	not interested in: for example the time the messages
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	119	need to travel between endpoints. What we are interested
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	120	in is in which order the messages are sent. For the SYN-ACK
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	121	protocol we will therefore use the notation
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	122
264 0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	123
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	124	\begin{equation}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	125	\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	126	A \to S: & SYN\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	127	S \to A: & SYN\_ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	128	A \to S: & ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	129	\end{array}\label{SYNACK}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	130	\end{equation}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	131
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	132
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	133	\noindent The left-hand side specifies who is the sender and
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	134	who is the receiver of the message. On the right of the colon
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	135	is the message that is send. The order from top to down
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	136	specifies in which order the messages are sent. We also
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	137	have the convention that messages like above $SYN$ are send
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	138	in clear-text over the network. If we want that a message is
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	139	encrypted, then we use the notation
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	140
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	141	\[
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	142	\{msg\}_{K_{AB}}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	143	\]
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	144
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	145
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	146	\noindent for messages. The curly braces indicate a kind of
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	147	envelope which can only be opened if you know the key $K_{AB}$
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	148	with which the message has been encrypted. We always assume
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	149	that an attacker, say Eve, cannot get the content of the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	150	message, unless she is also in the possession of the key. We
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	151	explicitly exclude in our study that the encryption can be
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	152	broken.\footnote{\ldots{}which of course is what a good
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	153	protocol designer needs to ensure and more often than not
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	154	protocols are broken. For example Oyster cards contain a very
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	155	weak encryption mechanism which has been attacked.} It is also
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	156	possible that an encrypted message contains several parts. In
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	157	this case we would write something like
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	158
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	159	\[
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	160	\{msg_1, msg_2\}_{K_{AB}}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	161	\]
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	162
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	163	\noindent But again Eve would not be able to know
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	164	this unless she also has the key. We also allow the
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	165	possibility that a message is encrypted twice under
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	166	different keys. In this case we write
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	167
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	168	\[
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	169	\{\{msg\}_{K_{AB}}\}_{K_{BC}}
8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	170	\]
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	171
264 0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	172	\noindent The idea is that even if attacker Eve has the
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	173	key $K_{BC}$ she could decrypt the outer envelop, but
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	174	still do not get to the message, because it is still
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	175	encrypted with the key $K_{AB}$. Note, however,
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	176	while an attacker cannot obtain the content of the message
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	177	without the key, encrypted messages can be observed
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	178	and be recorded and then replayed at another time, or
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	179	send to another person!
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	180
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	181	Another very important point is that the notation for
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	182	protocols such as shown in \eqref{SYNACK} is a
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	183	\underline{schema} how the protocol should proceed.
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	184	It could be instantiated by an actual protocol run
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	185	between Alice, say, and the server Calcium at King's. In this
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	186	case the specific instance would look like
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	187
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	188	\[
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	189	\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	190	\text{Alice} \to \text{Calcium}: & SYN\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	191	\text{Calcium} \to \text{Alice}: & SYN\_ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	192	\text{Alice} \to \text{Calcium}: & ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	193	\end{array}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	194	\]
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	195
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	196	\noindent But a server like Calcium of course needs to
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	197	serve many clients. So there could be the same protocol
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	198	also running with Bob, say
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	199
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	200	\[
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	201	\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	202	\text{Bob} \to \text{Calcium}: & SYN\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	203	\text{Calcium} \to \text{Bob}: & SYN\_ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	204	\text{Bob} \to \text{Calcium}: & ACK\\
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	205	\end{array}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	206	\]
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	207
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	208	\noindent And these two instances of the protocol could be
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	209	running in parallel or be at different stages. So the protocol
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	210	schema shown in \eqref{SYNACK} can be thought of how two
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	211	programs need to run on the side of $A$ and $S$ in order to
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	212	successfully complete the protocol. But it is really just a
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	213	blue print how the communication is supposed to proceed.
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	214
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	215	This is actually already a way how such protocols can fail.
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	216	Although very simple the $SYN\_ACK$ protocol can cause
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	217	headaches for system administrators where an attacker
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	218	starts the protocol, but does not complete it. This looks
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	219	graphically like
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	220
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	221	\begin{center}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	222	\includegraphics[scale=0.4]{../pics/synflood.png}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	223	\end{center}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	224
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	225	\noindent The attacker sends lots of $SYN$ requests which the
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	226	server dutifully answers, but needs to keep track of such
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	227	protocol exchanges. So every time a little bit of memory
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	228	resource will be eaten away on the server side until all
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	229	resources are exhausted and when Alice tries to contact the
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	230	server then the server is overwhelmed and does not respond
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	231	anymore. This kind of attack are called \emph{SYN
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	232	floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	233
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	234	After reading four pages, you might be wondering where the
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	235	magic is. For this let us take a closer look at authentication
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	236	protocols.
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	237
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	238	\subsubsection*{Authentication Protocols}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	239
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	240	The simplest authentication protocol between principals
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	241	$A$ and $B$, say is
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	242
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	243	\begin{center}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	244	$A \to B: K_{AB}$
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	245	\end{center}
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	246
265 2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	247	\noindent It can be sought of as $A$ sends a common secret to
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	248	$B$ like a password. The idea is that if only $A$ and $B$ know
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	249	the key $K_{AB}$ then this should be sufficient for $B$ to
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	250	infer it is talking to $A$. But this is of course too naive,
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	251	if the message can be observed by everybody else on the
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	252	network. Eve could just record this message $A$ just send, and
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	253	next time send the same message to $B$ and $B$ would believe
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	254	it talked to $A$. But actually it talked to Eve which now
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	255	clears out $A$s back account if $B$ had been a bank.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	256
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	257	A more sophisticated protocol which tries to avoid the
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	258	replay attack is as follows
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	259
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	260	\begin{center}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	261	\begin{tabular}{l@{\hspace{2mm}}l}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	262	$A \to B:$ & $HELLO$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	263	$B \to A:$ & $N$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	264	$A \to B:$ & $\{N\}_{K_{AB}}$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	265	\end{tabular}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	266	\end{center}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	267
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	268	\noindent With this protocol the idea is that $A$ first sends
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	269	a message to $B$ saying ``I want to talk to you''. $B$ sends
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	270	then a challenge in form of a random number $N$. In protocols
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	271	such random numbers are often called \emph{nonce}. What is the
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	272	purpose of this nonce? Well, if an attacker records $A$
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	273	answer, it will not make sense to replay this message, because
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	274	next time this protocol is run the nonce $B$ sends will be
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	275	different. So if we run this protocol, what can $B$ infer:
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	276	it has send out an (unpredictable) nonce to $A$ and
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	277	received this challenge back, but encoded under the key
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	278	$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	279	and the nonce is unpredictable, then $B$ is able to
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	280	infer it must be talking to $A$. Of course the implicit
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	281	assumption on this inference are that nobody else knows
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	282	about the key $K_{AB}$ and nobody else can decrypt the
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	283	message. $B$ of course can decrypt the answer from $A$
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	284	and check whether the answer corresponds to the challenge
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	285	(nonce) $B$ has send earlier.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	286
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	287	But what about $A$? Can $A$ make any assumptions about who it
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	288	talks to? It dutifully answered the challenge and hopes its
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	289	bank, say, will be the only one to understand her answer. But
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	290	is this the case? No! Lets consider an attacker Eve who has
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	291	control over the network. She could have intercepted the
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	292	message $HELLO$ and just replied herself to $A$ using a random
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	293	number\ldots{} for example one which she observed in a
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	294	previous run of this protocol. Remember that if a message is
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	295	send without curly braces it is sent in clear text. Then
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	296	$A$ would encrypt the nonce with the key $K_{AB}$ and send
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	297	it back to Eve. She just throws the answer away. $A$ would
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	298	hope that she talked to $B$ because she followed the protocol,
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	299	but unfortunately she cannot be sure who she is talking to.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	300
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	301	The solution is to follow a \emph{mutual challenge-response}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	302	protocol. There $A$ already starts off with a challenge (nonce)
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	303	on her own.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	304
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	305	\begin{center}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	306	\begin{tabular}{l@{\hspace{2mm}}l}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	307	$A \to B:$ & $N_A$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	308	$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	309	$A \to B:$ & $N_B$\\
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	310	\end{tabular}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	311	\end{center}
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	312
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	313	\noindent As seen, $B$ receives this nonce, $N_A$, adds his
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	314	own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	315	receives this message, is able to decrypt it since we assume
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	316	she has the key $K_{AB}$, and sends back the nonce of $B$.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	317	Let us analyse which assumptions $A$ and $B$ can make after
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	318	the protocol has run. $B$ received a challenge and answered
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	319	correctly to $A$ (in the encrypted message). An attacker
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	320	would just not be able to answer this challenge correctly
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	321	because the attacker is assumed to not be in the possession of
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	322	the key $K_{AB}$; so could not have formed this message.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	323	It could also not have just replayed an old message, because
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	324	$A$ would send out each time a fresh nonce. So with this
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	325	protocol you can ensure also for $A$ that it talks to $B$.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	326	I leave you to argue that $B$ can be sure to talk to $A$.
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	327	Of course these arguments will depend on the assumptions that
2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	328	only $A$ and $B$ know the key $K_{AB}$ and that nobody can
266 e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	329	break the encryption unless they have this key and that the
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	330	nonces are fresh each time the protocol is run.
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	331
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	332	There might be something mysterious about the nonces, the
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	333	random numbers, that are sent around. They need to be
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	334	unpredictable and in this way fulfil an important role in
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	335	protocols. Suppose
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	336
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	337	\begin{enumerate}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	338	\item I generate a nonce and send it to you encrypted with a
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	339	key we share
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	340	\item you increase it by one, encrypt it under a key I know
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	341	and send it back to me
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	342	\end{enumerate}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	343
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	344	\noindent In our notation this would correspond to the
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	345	protocol
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	346
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	347	\begin{center}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	348	\begin{tabular}{l@{\hspace{2mm}}l}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	349	$I \to Y:$ & $\{N\}_{K_{IY}}$\\
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	350	$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	351	\end{tabular}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	352	\end{center}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	353
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	354	\noindent What can I infer from this simple exchange:
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	355
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	356	\begin{itemize}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	357	\item you must have received my message (it could not just be
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	358	deflected by somebody on the network, because the
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	359	response required some calculation; doing the
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	360	calculation and sending the answer requires the key
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	361	$K_{IY}$)
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	362
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	363	\item you could only have generated your answer after I send
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	364	you my initial message (since my $N$ is always new, it
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	365	could not have been a message that was generated before
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	366	I myself knew what $N$ is)
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	367
274 1e1008403f17 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 273 diff changeset	368	\item if only you and me know the key $K_{IY}$, the message
266 e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	369	must have come from you
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	370	\end{itemize}
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	371
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	372	\noindent Even if this does not seem much information I can
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	373	glean from such an exchange, it is in fact the basic building
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	374	blocks for establishing some secret or achieving some
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	375	security goal (like authentication).
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	376
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	377	While the mutual challenge-response protocol solves already
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	378	the authentication problem, there are some problems. One is of
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	379	course that it requires a pre-shared secret key. That is
e711cfd1ec70 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 265 diff changeset	380	something that needs to be established beforehand. Not all
267 37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	381	situations allow such an assumption. For example if I am a
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	382	whistle blower (say Snowden) and want to talk to a journalist
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	383	(say Greenwald) then I might not have a secret pre-shared key.
265 2ce6b7c94763 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 264 diff changeset	384
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	385
267 37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	386	Another problem is that such mutual challenge-response systems
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	387	often work in the same system in the ``challenge mode'' but
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	388	also in the ``response mode''. For example if two servers want
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	389	to talk to each other---they would need the protocol in
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	390	response mode, but also if they want to talk to other servers
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	391	in challenge mode. Similarly if you in an military aircraft
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	392	you have to challenge everybody you see, in case there is a
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	393	friend amongst the targets you like to shoot, but you also
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	394	have to respond to any of your own anti-aircraft guns on the
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	395	ground lest they shoot you. In these situations you have to be
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	396	careful to not decode, or answer, your own challenge. Recall
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	397	the protocol is
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	398
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	399	\begin{center}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	400	\begin{tabular}{l@{\hspace{2mm}}l}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	401	$A \rightarrow B$: & $N_A$\\
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	402	$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	403	$A \rightarrow B$: & $N_B$\\
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	404	\end{tabular}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	405	\end{center}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	406
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	407	\noindent but it does not specify who is $A$ and who is $B$.
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	408	If, as supposed, the protocol works in response and in
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	409	challenge mode, then $A$ will be $A$ in one instance, but $B$
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	410	in the other. I hope this makes sense. Let us look at the
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	411	details and lets assume our adversary is $E$ who just deflects
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	412	our messages back to us.
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	413
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	414	\begin{center}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	415	\begin{tabular}{lllll}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	416	& \multicolumn{2}{l}{challenge mode:} &
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	417	\multicolumn{2}{l}{response mode:}\smallskip\\
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	418	1. & $A \rightarrow E$: & $N_A$\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	419	2. & & & $E \rightarrow A$: & $N_A$\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	420	3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	421	4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	422	5. & $A \rightarrow E$: & $N_A'$\\
267 37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	423	\end{tabular}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	424	\end{center}
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	425
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	426	\noindent In the first step we challenge $E$ with a nonce we
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	427	created. Since we also run the protocol in ``response mode'',
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	428	$E$ can now feed us the same challenge in step 2. We do not
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	429	know where it came from (it's over the air), but if we are in
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	430	an aircraft we should better quickly answer it, otherwise we
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	431	risk to be shot. So we add our own challenge $N'_A$ and
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	432	encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	433	does not need to know this key in order to form the correct
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	434	answer for the first protocol. It will just replays this
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	435	message back to us in the challenge mode (step 4). I happily
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	436	accept this message---after all it is encrypted under the
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	437	secret key $K_{AB}$ and it contains the correct challenge from
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	438	me, namely $N_A$. So I accept that $E$ is a friend and send
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	439	even back the challenge $N'_A$. The problem is that $E$ now
269 c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	440	starts firing at me and I have no clue what is going on. I
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	441	might suspect, erroneously, that an idiot must have leaked the
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	442	secret key. Because I followed in both cases the protocol to
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	443	the letter, but somehow $E$, unknowingly to me with my help,
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	444	managed to disguise as a friend. As a pilot, I would be a bit
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	445	peeved at that moment and would have preferred the designer of
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	446	this challenge-response protocol had been a tad smarter. For
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	447	one thing they violated the best practice in protocol design
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	448	of using the same key, $K_{AB}$, for two different
267 37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	449	purposes---challenging and responding. They better had used
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	450	two different keys. This would have averted this attack and
37821a377c4a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 266 diff changeset	451	would have saved me a lot of trouble.
263 8a42736cce27 updated 5th handout Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 249 diff changeset	452
268 43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	453	\subsubsection*{Trusted Third Parties}
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	454
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	455	One limitation the protocols we discussed so far is
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	456	that they pre-suppose a secret shared key. As already
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	457	mentioned, this is a convenience we cannot always assume.
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	458	How to establish a secret key then? Well, if both parties,
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	459	say $A$ and $B$, mutually trust a third party, say $S$,
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	460	then they can use the following protocol:
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	461
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	462	\begin{center}
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	463	\begin{tabular}{l@{\hspace{2mm}}l}
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	464	$A \to S :$ & $A, B$\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	465	$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	466	$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	467	$A \to B :$ & $\{m\}_{K_{AB}}$\\
268 43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	468	\end{tabular}
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	469	\end{center}
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	470
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	471	\noindent The assumption in this protocol is that $A$ and $S$
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	472	share a secret key, and also $B$ and $S$ ($S$ being the
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	473	trusted third party). The goal is that $A$ can send $B$ a
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	474	message $m$ under a shared secret key $K_{AB}$, which at the
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	475	beginning of the protocol does not exist yet. How does this
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	476	protocol work? In the first step $A$ contacts $S$ and says
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	477	that it wants to talk to $B$. In turn $S$ invents a new key
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	478	$K_{AB}$ and sends two messages back to $A$: one message is
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	479	$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	480	$S$ share, and also the message
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	481	$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which is encrypted with
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	482	$K_{AB}$ but also a second time with $K_{BS}$. The point of
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	483	the second message is that it is a message intended for $B$.
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	484	So a receives both messages and can decrypt them---in the
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	485	first case it obtains the key $K_{AB}$ which $S$ suggested to
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	486	use. In the second case it obtains a message it can forward to
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	487	$B$. $B$ receives this message and since it knows the key it
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	488	shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	489	start to exchange messages with the shared secret key
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	490	$K_{AB}$. What is the advantage of $S$ sending $A$ two
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	491	messages instead of contacting $B$ instead? Well, for one
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	492	there can now be a time-delay between the second and
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	493	third step in the protocol. At some point in the past
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	494	$A$ and $S$ need to have come together to share
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	495	a key, similarly $B$ and $S$. After that $B$ does not need to
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	496	be ``online'' anymore until $A$ actually starts sending messages
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	497	to $B$. $A$ and $S$ can completely on their own negotiate a
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	498	new key.
269 c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	499
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	500	The major limitation of this protocol however is that I need
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	501	to trust a third party. And in this case completely, because
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	502	$S$ can of course also read easily all messages $A$ sends to
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	503	$B$. The problem is that I cannot really think of any
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	504	institution who could serve as such a trusted third party. One
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	505	would hope the government would be such a trusted party, but
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	506	in the Snowden-era we know that this is wishful thinking in
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	507	the West, and if I lived in Iran or North Korea, for example,
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	508	I would not even start to hope for this.
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	509
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	510	The cryptographic ``magic'' of public-private keys
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	511	seems to offer an elegant solution for this, but as we shall
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	512	see in the next section, this requires some very clever
c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	513	protocol design.
268 43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	514
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	515	\subsubsection*{Averting Person-in-the-Middle Attacks}
43629c8c88c6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 267 diff changeset	516
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	517	The idea of public-private key encryption is that one can make
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	518	public the key $K^{pub}$ which people can use to encrypt
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	519	messages for me. and I can use my key $K^{priv}$ to be the
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	520	only one that can decrypt them. While this sounds all good, it
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	521	relies that people can associate me, for example, with my
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	522	public key. That i snot so trivial as it sounds. For example,
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	523	if I would be the government, say Cameron, and try to find out
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	524	who are the trouble makers in the country, I would publish an
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	525	innocent looking webpage and say I am The Guardian newspaper
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	526	(or alternatively The Sun for all the juicy stories), publish
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	527	a public key on it, and then just wait for incoming messages.
269 c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	528
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	529	This problem is supposed to be solved by using certificates.
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	530	The purpose of certification organisations is that they verify
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	531	that a public key, say $K^{pub}_{Bob}$, really belongs to Bob.
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	532	This is also the mechanism underlying the HTTPS protocol. The
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	533	problem is that this system is essentially completely
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	534	broken\ldots{}but this is a story for another time. Suffice
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	535	to say for now that one of the main certification
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	536	organisations, VeriSign, has limited its liability to \$100 in
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	537	case it issues a false certificate. This is really a joke and
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	538	really the wrong incentive for the certification organisations
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	539	to clean up their mess.
269 c4fa7e8a2ffa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 268 diff changeset	540
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	541	The problem we want to study closer here is that protocols
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	542	based on public-private key encryption are susceptible to
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	543	person-in-the-middle attack. Consider the following protocol
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	544	where $A$ and $B$ attempt to exchange secret messages using
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	545	public-private keys.
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	546
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	547	\begin{itemize}
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	548	\item $A$ sends public key to $B$
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	549	\item $B$ sends public key to $A$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	550	\item $A$ sends a message encrypted with $B$'s public
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	551	key,\\ $B$ decrypts it with its private key
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	552	\item $B$ sends a message encrypted with $A$'s public
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	553	key,\\ $A$ decrypts it with its private key
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	554	\end{itemize}
8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	555
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	556	\noindent In our formal notation for protocols, this would
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	557	look as follows:
270 8f2749152f1e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 269 diff changeset	558
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	559	\begin{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	560	\begin{tabular}{l@{\hspace{2mm}}l}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	561	$A \to B :$ & $K^{pub}_A$\smallskip\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	562	$B \to A :$ & $K^{pub}_B$\smallskip\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	563	$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	564	$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	565	\end{tabular}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	566	\end{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	567
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	568	\noindent Since we assume an attacker, say $E$, has complete
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	569	control over the network, $E$ can intercept the first two
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	570	messages and substitutes her own public key. The protocol
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	571	run would therefore be
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	572
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	573	\begin{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	574	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	575	1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	576	2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	577	3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	578	4. & $E \to A :$ & $K^{pub}_E$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	579	5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	580	6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	581	7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	582	8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	583	\end{tabular}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	584	\end{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	585
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	586	\noindent where in steps 6 and 8, $E$ can modify the messages
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	587	by including the $E$ in the message. Both messages are
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	588	received encrypted with $E$'s public key; therefore it can
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	589	decrypt it and repackage it with new content. $A$ and $B$ have
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	590	no idea that they talking to an attacker. To them all messages
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	591	look legit. Because $E$ can modify messages, it seems very
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	592	difficult to defend against this attack.
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	593
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	594	But there is a clever trick\ldots{}dare I say some magic.
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	595	Modify the protocol above so that $A$ and $B$ send their
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	596	messages in two halves, like
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	597
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	598	\begin{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	599	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	600	1. & $A \to B :$ & $K^{pub}_A$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	601	2. & $B \to A :$ & $K^{pub}_B$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	602	3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	603	& & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	604	4. & $A \to B :$ & $H_1$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	605	5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	606	6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	607	7. & $B \to A :$ & $M_2$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	608	\end{tabular}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	609	\end{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	610
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	611	\noindent The idea is that in step 3, $A$ encrypts the
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	612	message (with $B$'s public key) and then splits the encrypted
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	613	message into two halves. Say the encrypted message is
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	614
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	615	\begin{center}
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	616	$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}}_{\{A,m\}_{K^{pub}_B}}$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	617	\end{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	618
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	619	\noindent then $A$ splits it up into two halves
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	620
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	621	\begin{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	622	$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	623	$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	624	\end{center}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	625
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	626	\noindent Similarly $B$ splits its message into two halves
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	627	$M_1$ and $M_2$. However, $A$ initially only sends the first
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	628	half $H_1$ to $B$. Which $B$ answers with the message
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	629	consisting of the received $H_1$ and its own first half $M_1$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	630	encrypted with $A$'s public key. The message in step 5. $A$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	631	receives this message, decrypts it and only when the $H_1$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	632	matches with its first half it send out earlier, $A$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	633	will send out the second half. See step 6. For this $A$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	634	adds the received $M_1$ and encrypts both parts with $B$'s
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	635	public key. Finally $B$ checks whether the received $M_1$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	636	matches with its first half, and if yes sends $A$ its
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	637	second half $M_2$. Now $A$ and $B$ are in the possession
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	638	of $H_1$ and $H_2$, respectively $M_1$ and $M_2$ and can
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	639	decrypt the corresponding messages.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	640
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	641	Now the big question is, why on earth does this splitting
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	642	of messages in half and additional message exchange help
274 1e1008403f17 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 273 diff changeset	643	with defending against person-in-the-middle attacks? Well,
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	644	lets try to be such an attacker. As before we intercept
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	645	the messages where public keys are exchanged and inject
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	646	our own.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	647
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	648	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	649	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	650	1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	651	2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	652	3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	653	4. & $E \to A :$ & $K^{pub}_E$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	654	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	655	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	656
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	657	\noindent
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	658	Now $A$ and $B$ build the message halves:
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	659
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	660	\[
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	661	\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	662	\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	663	\]
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	664
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	665	\noindent and $A$ sends $E$ its first half of the message.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	666
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	667	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	668	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	669	5. & $A \to E :$ & $H_1$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	670	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	671	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	672
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	673	\noindent Neither $E$ nor $B$ can do much with this message.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	674	Remember it is only half of some ``garbled'' text that cannot
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	675	be decrypted. $E$ could try to forward the message to $B$ and
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	676	see what its reply is.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	677
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	678	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	679	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	680	6. & $E \to B :$ & $H_1$\\
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	681	7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	682	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	683	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	684
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	685	\noindent Although $E$ can decrypt the message with its
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	686	private key, but it only gets the halves $H_1$ and $M_1$ which
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	687	are of no use yet. In order to get more information it
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	688	can send the message to $A$ with $A$'s public key.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	689
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	690	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	691	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	692	8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	693	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	694	\end{center}
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	695
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	696	\noindent $A$ would receive this message, decrypt it and
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	697	find out it matches with its expectation. It therefore
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	698	sends out the message
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	699
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	700	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	701	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	702	9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	703	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	704	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	705
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	706	\noindent Now $E$ is in the possession of $H_1$ and $H_2$,
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	707	which it can join together in order to obtain
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	708	$\{A,m\}_{K^{pub}_E}$ which it can decrypt. It seems
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	709	like from now on all is lost, but lets see: in order to
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	710	stay undetected it must send a message to $B$. It now has two
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	711	options: one is to use the newly obtained knowledge and
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	712	modify $A$'s message to be
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	713
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	714	\[
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	715	\{E,m\}_{K^{pub}_B} \;\mapsto\; H'_1,H'_2
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	716	\]
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	717
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	718	\noindent But notice since $E$ changed the message,
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	719	it will now receive two different halves. Let us call
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	720	them $H'_1$ and $H'_2$. If $E$ now sends $B$ the $H'_2$,
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	721	$B$ will be in the possession of $H_1$ and $H'_2$. But
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	722	after joining both halves it will not be able to
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	723	decrypt the resulting message---the two halves simply
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	724	do not fit. So it can only send out the original $H_2$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	725	as follows:
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	726
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	727	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	728	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	729	10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	730	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	731	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	732
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	733	\noindent
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	734	In this case $B$ can make sense out of the message and
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	735	as a result sends $E$ back its second half $M_2$.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	736
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	737	\begin{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	738	\begin{tabular}{ll@{\hspace{2mm}}l}
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	739	11. & $B \to E :$ & $M_2$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	740	\end{tabular}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	741	\end{center}
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	742
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	743	\noindent $E$ might be ecstatic by now, because it has now
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	744	also received $M_1$ and $M_2$ which it can join to
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	745	get $\{B, m'\}_{K^{pub}_E}$. It can decrypt this message
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	746	but still is not finished completely, because it has to send
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	747	$A$ a message. It could try to build the message
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	748	$\{E, m'\}_{K^{pub}_A}$, but like above $A$ would not be able
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	749	to make sense out of the two halves (which again do not fit
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	750	together). So the only option is to send $M_2$.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	751
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	752	With this the protocol has ended. $E$ was able to decrypt all
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	753	messages, but what messages did $A$ and $B$ receive and from
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	754	whom? Do you notice that they will find out that something
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	755	strange has happened and probably not talk on this channel
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	756	anymore? I leave you to think about it.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	757
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	758	Recall from the beginning that a person-in-the middle
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	759	attack can easily be mounted at the key fob and car
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	760	protocol unless we are careful. If you look at actual
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	761	key fob protocols, they use a variant of the protocol
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	762	described above. Suppose $C$ is the car and $T$ is the key fob
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	763	(transponder). The HiTag2 protocol used in cars of
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	764	VW \& friends is as follows:
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	765
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	766	\begin{enumerate}
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	767	\item $C$ generates a random number $N$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	768	\item $C$ calculates $\{N\}_K \mapsto F,G$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	769	\item $C \to T$: $N, F$
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	770	\item $T$ calculates $\{N\}_K \mapsto F',G'$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	771	\item $T$ checks that $F = F'$
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	772	\item $T \to C$: $N, G'$
271 4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	773	\item $C$ checks that $G = G'$
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	774	\end{enumerate}
4796f424cf12 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 270 diff changeset	775
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	776	\noindent The assumption is that the key $K$ is only known to
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	777	the car and the transponder. The claim is that $C$ and $T$ can
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	778	authenticate to each other. Again, I leave it to you to find
272 4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	779	out the magic why this protocol is immune from
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	780	person-in-the-middle attacks.
4f4612d5f670 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 271 diff changeset	781
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	782
264 0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	783	\subsubsection*{Further Reading}
0079db1a1c9d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 263 diff changeset	784
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	785	If you want to know more about how cars can be hijacked,
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	786	the paper
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	787
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	788	\begin{center}
274 1e1008403f17 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 273 diff changeset	789	\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	790	\end{center}
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	791
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	792	\noindent is quite amusing to read. Obviously an even more amusing
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	793	paper would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	794	Vehicle Immobilizer'' by the same authors, but because of the court
06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	795	injuction by VW in this case, we are denied this entertainment.
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	796
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	797	Person-in-the-middle-attacks from the ``wild'' are described
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	798	with real data in the blog post
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	799
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	800	\begin{center}
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	801	\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	802	\end{center}
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	803
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	804	\noindent The conclusion in this post is that person-in-the-middle-attacks
03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	805	can be launched from any place on Earth---it is not required
275 06a04b3b2dda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 274 diff changeset	806	that you sit in the ``middle'' of the communication of two people.
273 03321ef4349a updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 272 diff changeset	807	You just have to route their traffic through a node you own.
249 31a749eba8c1 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 245 diff changeset	808
245 630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	809	\end{document}
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	810
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	811	%%% Local Variables:
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	812	%%% mode: latex
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	813	%%% TeX-master: t
630a3dd1efda updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	814	%%% End:

author	Christian Urban <christian dot urban at kcl dot ac dot uk>
	Thu, 30 Oct 2014 01:17:51 +0000
changeset 275	06a04b3b2dda
parent 274	1e1008403f17
child 279	5616e664c020
permissions	-rw-r--r--