% author: cu, Mon, 16 Oct 2017 19:11:47 +0100
% changeset 551 (321877915a05), parent 495 (f5172bb6cf45), child 554 (490079e16157)
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}
\fnote{\copyright{} Christian Urban, King's College London, 2014, 2016, 2017}

%% the expectation is that anything encrypted today, will be
%% decrypted in 20 years time

%http://www.net.in.tum.de/fileadmin/TUM/teaching/netzsicherheit/ws1516/07_PKI.pdf

%wifi-pumpkin (real man-in-the-middle attacks)
%http://www.hackingarticles.in/hack-password-using-rogue-wi-fi-access-point-attack-wifi-pumpkin/
%https://github.com/P0cL4bs/WiFi-Pumpkin

%http://routersecurity.org/index.php

\section*{Handout 5 (Protocols)}

Protocols are the computer science equivalent to fractals and
the Mandelbrot set in mathematics. With the latter two you
have a simple formula, which you just iterate and then you
test whether a point is inside or outside a region\ldots{}it
does not look exciting, but voila something magically
happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
are similar: they are simple exchanges of messages, but in the
end something ``magical'' can happen---for example a secret
channel has been established or two entities have
authenticated themselves to each other. This can happen even
in the face of strong adversaries who have complete control over
the network involved in the message exchange. The problem with
magic is of course that it is poorly understood, and even experts
often got, and get, it wrong with protocols.

To have an idea what kind of protocols we are interested in, let
us look at a few examples. One example is (wireless) key
fobs, which operate the central locking system and the
ignition in a car.

\begin{center}
\includegraphics[scale=0.075]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.2025]{../pics/startstop.jpg}
\end{center}

\noindent The point of these key fobs is that everything is
done over the ``air''---there is no physical connection
between the key, doors and engine, as was the case with the
old solid metal keys. With the key fobs we must achieve
security by exchanging certain messages between the key fob on
one side and the doors and engine on the other. Clearly what
we would like to accomplish is that I can get into my car and start
it, but that thieves are kept out. The problem is that
everybody can ``overhear'' or skim the exchange of messages
between the key fob and car. In this scenario the simplest
attack you need to defend against is a person-in-the-middle
attack. For this imagine you park your car in front of a
supermarket. One thief follows you with a strong transmitter.
A second thief ``listens'' to the signals from the car and
wirelessly transmits them to the ``colleague'' who followed
you. This thief silently enquires what the key fob answers.
This answer is then sent back to the thief at the car. If done
properly, the car will dutifully open and possibly start. No
need to steal your keys anymore.
That this is an attack one needs to reckon with is
demonstrated by the fact that dodgy
websites\footnote{\url{http://autokeydevices.com/product/wave/}
\ldots{} funnily this webpage says ``not intended for illegal
use'', but I have a hard time finding any legal purpose for
such a device.} sell the necessary equipment for top Ruble.
This webpage is notable for the very helpful picture
of a person-in-the-middle attack (see Figure~\ref{rsa}).

\begin{figure}[t]
\begin{center}
\includegraphics[scale=0.15]{../pics/rsa_attack_eng.jpg}
\end{center}
\caption{From a dodgy webpage about modern car theft. Note the
stylish attackers.\label{rsa}}
\end{figure}

But there are many more such protocols we would like to study.
Another example is Wifi---you might sit at a Starbucks and
talk wirelessly to the free access point there and from there
talk to your bank (see The Guardian article cited at the very
end of this handout). Moreover, even if you have to touch in
and out your Oyster card at the reader each time you enter or
exit the Tube, it actually operates wirelessly and with
appropriate equipment over some quite large distance (several
meters). But there are many, many more examples of protocols
(Bitcoins, Tor, mobile phones,\ldots).

The common characteristic of the protocols we are interested
in is that an adversary or attacker is assumed to be in
complete control of the network or channel over which we are
exchanging messages. An attacker can install a packet sniffer
on a network, inject packets, intercept packets, modify
packets, replay old messages, or fake pretty much everything
else. In this hostile environment, the purpose of a protocol
(that is, an exchange of messages) is to achieve some security
goal. For example, only the owner of the car should be allowed in,
while everybody else is kept out.

The protocols we are interested in here are generic descriptions
of how to exchange messages in order to achieve a goal. Unlike
the distant past where, for example, we had to meet a person in
order to authenticate him or her (via a passport for example),
the problem we are facing on the Internet is that we cannot
easily be sure who we are ``talking'' to. The obvious reason
is that only some electrons arrive at our computer; we do not
see the person, or computer, behind the incoming electrons
(messages).

To start, let us look at one of the simplest protocols that
are part of the TCP protocol (which underlies the Internet).
This protocol does not do anything security relevant; it just
establishes a ``hello'' from a client to a server which the
server answers with ``I heard you'' and the client answers
in turn with something like ``thanks''. This protocol
is often called a \emph{three-way handshake}. Graphically it
can be illustrated as follows

\begin{center}
\includegraphics[scale=0.45]{../pics/handshake.png}
\end{center}

\noindent On the left-hand side is a client, say Alice; on the
right-hand side is a server. Time is running from top to
bottom. Alice's initial SYN message needs some time to travel to
the server. The server answers with SYN-ACK, which will
require some time to arrive at Alice. Her answer ACK will
again take some time to arrive at the server. After the
messages are exchanged, Alice and the server simply have
established a channel to communicate over. Alice does not know
whether she is really talking to the server (somebody else on
the network might have intercepted her message and replied in
place of the server). Similarly, the server has no idea who it
is talking to. Whether they can authenticate themselves
depends on what is exchanged next and is the point of the
protocols we want to study in more detail.

Before we start in earnest, we need to fix a more convenient
notation for protocols. Drawing pictures like the one above
would be awkward in the long run. The notation we will adopt
abstracts away from a few details we are not interested in:
for example the time the messages need to travel between
endpoints. What we are interested in is in which order the
messages are sent. For the SYN-ACK protocol we will therefore
use the notation

\begin{equation}
\begin{array}{l@{\hspace{2mm}}l}
A \to S: & SYN\\
S \to A: & SYN\_ACK\\
A \to S: & ACK\\
\end{array}\label{SYNACK}
\end{equation}

\noindent The left-hand side of each clause specifies who is
the sender and who is the receiver of the message. On the
right of the colon is the message that is sent. The order from
top to bottom specifies in which order the messages are sent. We
also have the convention that messages, like $SYN$ above, are
sent in clear text over the network. If we want a message
to be encrypted, then we use the notation

\[
\{msg\}_{K}
\]

\noindent for messages. The curly braces indicate a kind of
envelope which can only be opened if you know the key $K$
with which the message has been encrypted. We always assume
that an attacker, say Eve, cannot get to the content of the
message, unless she is also in possession of the key. We
explicitly exclude in our study that the encryption can be
broken.\footnote{\ldots{}which of course is what a good
protocol designer needs to ensure, and more often than not
protocols are broken because of a weak encryption method. For
example Oyster cards contain a very weak encryption mechanism
which has been attacked and broken.} It is also
possible that an encrypted message contains several parts. In
this case we would write something like

\[
\{msg_1, msg_2\}_{K}
\]

\noindent But again Eve would not be able to know
this unless she also has the key. We also allow the
possibility that a message is encrypted twice under
different keys. In this case we write

\[
\{\{msg\}_{K_1}\}_{K_2}
\]

494 | 204 |
\noindent This protocol is called lockstep protocol. |
205 |
The idea is that even if attacker Eve has the |
|
415
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
206 |
key $K_2$ she could decrypt the outer envelop, but |
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
207 |
still does not get to the message, because it is still |
415
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
208 |
encrypted with the key $K_1$. Note, however, |
264
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
209 |
while an attacker cannot obtain the content of the message |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
210 |
without the key, encrypted messages can be observed |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
211 |
and be recorded and then replayed at another time, or |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
212 |
send to another person! |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
213 |
|
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
214 |
Another very important point is that our notation for
protocols such as shown in \eqref{SYNACK} is a
\underline{schema} for how the protocol should proceed.
It could be instantiated by an actual protocol run
between Alice, say, and the server Calcium at King's. In this
case the specific instance would look like

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Alice} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Alice}: & SYN\_ACK\\
\text{Alice} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent But a server like Calcium of course needs to
serve many clients. So there could be the same protocol
also running with Bob, say

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Bob} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Bob}: & SYN\_ACK\\
\text{Bob} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent And these two instances of the protocol could be
running in parallel or be at different stages. So the protocol
schema shown in \eqref{SYNACK} can be thought of as describing how two
programs need to run on the side of $A$ and $S$ in order to
successfully complete the protocol. But it is really just a
blueprint for how the communication is supposed to proceed.

This is actually already a way in which such protocols can fail.
Although very simple, the $SYN\_ACK$ protocol can cause
headaches for system administrators when an attacker starts
the protocol, but then does not complete it. This looks
graphically like

\begin{center}
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{center}

\noindent The attacker sends lots of $SYN$ requests which the
server dutifully answers. But in doing so the server needs to
keep track of such protocol exchanges. As a result every time
the protocol is initiated a little bit of memory will be eaten
away on the server side until all memory is exhausted. When
poor Alice then tries to contact the server, it is overwhelmed
and does not respond anymore. This kind of attack is called
\emph{SYN
floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}}

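The memory exhaustion just described, modelled as a small state machine for the server's table of half-open handshakes. This is an added example and not code from the handout; the \texttt{capacity} and \texttt{timeout} parameters and the client names are constructed for the illustration.

```python
"""Half-open handshake table on the server side (added example, not from the handout)."""
from dataclasses import dataclass, field


@dataclass
class HandshakeServer:
    """Server side of SYN / SYN_ACK / ACK.  Every SYN costs one half_open entry
    until the matching ACK arrives.  capacity and timeout are assumed knobs."""
    capacity: int                     # how many half-open handshakes fit in memory
    timeout: float = float("inf")     # inf: an unfinished handshake is kept forever
    half_open: dict = field(default_factory=dict)   # client -> time the SYN arrived
    established: set = field(default_factory=set)

    def expire(self, now: float) -> int:
        """Forget half-open entries older than timeout; returns how many."""
        stale = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[c]
        return len(stale)

    def on_syn(self, client: str, now: float) -> bool:
        """True if the server can answer with SYN_ACK, False if the SYN is dropped."""
        self.expire(now)
        if client in self.half_open:              # retransmitted SYN: no new entry
            return True
        if len(self.half_open) >= self.capacity:  # memory exhausted
            return False
        self.half_open[client] = now
        return True

    def on_ack(self, client: str, now: float) -> bool:
        """Third message: completes the handshake if the SYN is still remembered."""
        self.expire(now)
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def syn_flood_demo(capacity: int = 64, timeout: float = float("inf")) -> dict:
    """Constructed scenario: `capacity` handshakes are started at t=0 and never
    finished; Alice then tries at t=1 and again at t=100."""
    server = HandshakeServer(capacity, timeout)
    for i in range(capacity):
        server.on_syn(f"attacker-{i}", now=0.0)
    alice_at_1 = server.on_syn("alice", now=1.0)
    alice_at_100 = (server.on_syn("alice", now=100.0)
                    and server.on_ack("alice", now=100.5))
    return {"alice_served_at_t1": alice_at_1,
            "alice_served_at_t100": alice_at_100,
            "half_open": len(server.half_open)}
```

With the default (no timeout) both of Alice's attempts fail and the 64 unfinished entries stay forever; with \texttt{timeout=30.0} the second attempt succeeds because the stale entries have been expired by then.
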
After reading four pages, you might be wondering where the
magic is with protocols. For this let us take a closer look at
authentication protocols.

\subsubsection*{Authentication Protocols}

The simplest authentication protocol between principals
$A$ and $B$, say, is

\begin{center}
$A \to B: K_{AB}$
\end{center}

\noindent It can be thought of as $A$ sending a common secret to
$B$, for example a password. The idea is that if only $A$ and
$B$ know the key $K_{AB}$ then this should be sufficient for
$B$ to infer it is talking to $A$. But this is of course too
naive in a context where the message can be observed by
everybody else on the network. Eve, for example, could just
record this message $A$ just sent, and next time send the same
message to $B$. $B$ has no other choice than to believe it
talks to $A$. But actually it talks to Eve, who now clears
out $A$'s bank account, assuming $B$ had been a bank.

A more sophisticated protocol which tries to avoid the
replay attack is as follows

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $HELLO$\\
$B \to A:$ & $N$\\
$A \to B:$ & $\{N\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent With this protocol the idea is that $A$ first sends
a message to $B$ saying ``I want to talk to you''. $B$ then sends
a challenge in the form of a random number $N$. In protocols
such random numbers are often called \emph{nonces}. What is the
purpose of this nonce? Well, if an attacker records $A$'s
answer, it will not make sense to replay this message, because
next time this protocol is run, the nonce $B$ sends out will
be different. So if we run this protocol, what can $B$ infer?
It has sent out an (unpredictable) nonce to $A$ and received
this challenge back, but encrypted under the key $K_{AB}$. If
$B$ assumes only $A$ and $B$ know the key $K_{AB}$ and the
nonce is unpredictable, then $B$ is able to infer it must be
talking to $A$. Of course the implicit assumption behind this
inference is that nobody else knows about the key $K_{AB}$
and nobody else can decrypt the message. $B$ of course can
decrypt the answer from $A$ and check whether the answer
corresponds to the challenge (nonce) $B$ has sent earlier.

But what about $A$? Can $A$ make any inferences about whom it
talks to? It dutifully answered the challenge and hopes her
bank, say, will be the only one to understand her answer.
But is this the case? No! Let us consider again an attacker
Eve who has control over the network. She could have
intercepted the message $HELLO$ and just replied herself to
$A$ using a random number\ldots{}for example one which she
observed in a previous run of this protocol. Remember that if
a message is sent without curly braces it is sent in clear
text. $A$ would encrypt the nonce with the key $K_{AB}$ and
send it back to Eve. She just throws away the answer. $A$
would hope that she talked to $B$ because she followed the
protocol, but unfortunately she cannot be sure who she is
talking to---it might be Eve.

The solution is to follow a \emph{mutual challenge-response}
protocol. There $A$ already starts off with a challenge (nonce)
of her own.

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $N_A$\\
$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
$A \to B:$ & $N_B$\\
\end{tabular}
\end{center}

\noindent As seen, $B$ receives this nonce, $N_A$, adds his
own nonce, $N_B$, and encrypts both with the key $K_{AB}$. $A$
receives this message, is able to decrypt it since we assume
she has the key $K_{AB}$ too, and sends back the nonce of $B$.
Let us analyse which inferences $A$ and $B$ can make after the
protocol has run. $B$ received a challenge and answered it
correctly to $A$ (inside the encrypted message). An attacker
would not be able to answer this challenge correctly because
the attacker is assumed not to be in possession of the key
$K_{AB}$; so it is not able to generate this message. It could
also not have been the case that it is an old message
replayed, because $A$ sends out a fresh nonce each time.
So with this protocol you can ensure also for $A$ that it
talks to $B$. I leave you to argue that $B$ can be sure to
talk to $A$. Of course these arguments will depend on the
assumptions that only $A$ and $B$ know the key $K_{AB}$,
that nobody can break the encryption
and that the nonces are fresh each time the protocol is run.

The purpose of the nonces, the random numbers that are sent
around, might be a bit opaque. Because they are unpredictable
they fulfil an important role in protocols. Suppose

\begin{enumerate}
\item I generate a nonce and send it to you encrypted with a
key we share
\item you increase it by one, encrypt it under a key I know
and send it back to me
\end{enumerate}

\noindent In our notation this would correspond to the
protocol

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$I \to Y:$ & $\{N\}_{K_{IY}}$\\
$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\
\end{tabular}
\end{center}

\noindent What can I infer from this simple exchange:

\begin{itemize}
\item you must have received my message (it could not just be
deflected by somebody on the network, because the
response required some calculation; doing the
calculation and sending the answer requires the key
$K_{IY}$)

\item you could only have generated your answer after I have
sent you my initial message (since my $N$ is always new,
it could not have been a message that was generated
before I myself knew what $N$ is)

\item if only you and I know the key $K_{IY}$, the message
must have come from you
\end{itemize}

\noindent Even if this does not seem much information we can |
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
407 |
glean from such an exchange, it is in fact the basic building |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
408 |
block in protocols for establishing some secret or for |
415
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
409 |
achieving some security goal (like authentication). This is |
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
410 |
what I meant by magic: we send around ``just'' some random |
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
411 |
numbers, but actually can use them to make some meaningful |
56bc53ba7c5b
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
409
diff
changeset
|
412 |
inferences. |
266
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
413 |
|
While the mutual challenge-response protocol solves the
authentication problem, there are some limitations. One is of
course that it requires a pre-shared secret key. That is
something that needs to be established beforehand. Not all
situations allow such an assumption. For example if I am a
whistleblower (say Snowden) and want to talk to a journalist
(say Greenwald) then I might not have a secret pre-shared key.

Another limitation is that such mutual challenge-response
systems often run on the same system in both ``challenge
mode'' and ``response mode''. For example if two
servers want to talk to each other---they would need the
protocol in response mode, but also in challenge mode if they
want to talk to other servers. Similarly if you are in a
military aircraft you have to challenge everybody you see, in
case there is a friend amongst the targets you would like to shoot,
but you also have to respond to any of your own anti-aircraft
guns on the ground, lest they shoot you. In these situations
you have to be careful not to decode, or answer, your own
challenge. Recall the protocol is

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \rightarrow B$: & $N_A$\\
$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
$A \rightarrow B$: & $N_B$\\
\end{tabular}
\end{center}

\noindent but it does not specify who is $A$ and who is $B$.
If the protocol works in response and in challenge mode, then
$A$ will be $A$ in one instance, but $B$ in the other. I hope
this makes sense. Let us look at the details and let us assume
our adversary is $E$ who just deflects our messages back to
us.

\begin{center}
\begin{tabular}{lllll}
& \multicolumn{2}{l}{challenge mode:} &
\multicolumn{2}{l}{response mode:}\smallskip\\
1. & $A \rightarrow E$: & $N_A$\\
2. & & & $E \rightarrow A$: & $N_A$\\
3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
5. & $A \rightarrow E$: & $N_A'$\\
\end{tabular}
\end{center}

\noindent In the first step we challenge $E$ with a nonce we
created. Since we also run the protocol in ``response mode'',
$E$ can now feed us the same challenge in step 2. We do not
know where it came from (it's over the air), but if we are in
a fighter aircraft we had better answer it quickly, otherwise we
risk being shot. So we add our own challenge $N'_A$ and
encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
does not need to know this key in order to form the correct
answer for the first protocol run. It just replays this
message back to us in the challenge mode (step 4). I happily
accept this message---after all it is encrypted under the
secret key $K_{AB}$ and it contains the correct challenge from
me, namely $N_A$. So I accept that $E$ is a friend and even
send back the challenge $N'_A$. The problem is that $E$ now
starts firing at me and I have no clue what is going on. I
might suspect, erroneously, that an idiot must have leaked the
secret key. After all, I followed in both cases the protocol to
the letter, but somehow $E$, unknowingly to me and with my help,
managed to disguise itself as a friend. As a pilot, I would be a bit
peeved at that moment and would have preferred the designer of
this challenge-response protocol had been a tad smarter. For
one thing they violated the best practice in protocol design
by using the same key, $K_{AB}$, for two different
purposes---namely challenging and responding. They should have
used two different keys. This would have averted this attack
and would have saved me a lot of inconvenience.
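
To make the two designs concrete, here is an added example (my own code, not from the handout) that runs the mutual challenge-response protocol with one party in both modes: with the single key $K_{AB}$ the reflected answer is accepted, with direction-specific keys (one way of reading ``two different keys'') it is rejected. The encryption $\{N_A, N_B\}_{K}$ is modelled by an HMAC tag, since only its authenticity check matters for the argument; all key values are constructed for the demonstration.

```python
# Added example (not code from the handout): the mutual challenge-response
# protocol run by a single party in both "challenge mode" and "response
# mode". With one key K_AB the reflection attack (steps 1-5 above) goes
# through; with direction-specific keys (one interpretation of "use two
# different keys") it fails. {N_A, N_B}_K is modelled by an HMAC tag.
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for {parts}_key: a keyed MAC over the length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Party:
    def __init__(self, name: str, respond_key: bytes, verify_key: bytes):
        self.name = name
        self.respond_key = respond_key  # key I use when answering a challenge
        self.verify_key = verify_key    # key I expect on answers to my challenges
        self.pending = set()            # nonces I sent that are not yet answered
        self.accepted = []              # challenges whose answers I accepted

    # challenge mode, step 1:  A -> B: N_A
    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)
        self.pending.add(n)
        return n

    # response mode, steps 2-3: answer whatever challenge arrives (over the
    # air we cannot tell where it came from) and add our own nonce N_A'.
    def respond(self, n_in: bytes) -> tuple:
        n_own = secrets.token_bytes(16)
        self.pending.add(n_own)
        return (n_in, n_own, tag(self.respond_key, n_in, n_own))

    # challenge mode, step 4: check the answer; step 5: return N_B to send back
    def check(self, msg: tuple):
        n_in, n_other, t = msg
        if n_in not in self.pending:
            return None                 # not a challenge of mine (or a replay)
        if not hmac.compare_digest(t, tag(self.verify_key, n_in, n_other)):
            return None                 # wrong key: reject
        self.pending.discard(n_in)
        self.accepted.append(n_in)
        return n_other


def honest_run(a: Party, b: Party) -> bool:
    """A challenges B and B answers: must succeed in any usable design."""
    n_a = a.challenge()
    return a.check(b.respond(n_a)) is not None


def reflection_run(a: Party) -> bool:
    """E knows no key and only bounces A's own messages back (steps 1-5).
    Returns True if A accepts the reflected answer, i.e. the attack works."""
    n_a = a.challenge()                 # 1. A -> E: N_A
    reply = a.respond(n_a)              # 2. E -> A: N_A   3. A -> E: {N_A, N_A'}_K
    return a.check(reply) is not None   # 4. E -> A: same message   5. accepted?


# Constructed keys for the demonstration (not real key material).
K_AB = hashlib.sha256(b"constructed shared key A<->B").digest()
K_A_TO_B = hashlib.sha256(b"constructed key for answers sent by A").digest()
K_B_TO_A = hashlib.sha256(b"constructed key for answers sent by B").digest()


def single_key_design() -> dict:
    """Both modes use K_AB, as in the handout's protocol."""
    a = Party("A", K_AB, K_AB)
    b = Party("B", K_AB, K_AB)
    return {"honest": honest_run(a, b), "reflection": reflection_run(a)}


def two_key_design() -> dict:
    """Answers sent by A are keyed differently from answers sent by B, so
    A's own response can never pass A's verification."""
    a = Party("A", respond_key=K_A_TO_B, verify_key=K_B_TO_A)
    b = Party("B", respond_key=K_B_TO_A, verify_key=K_A_TO_B)
    return {"honest": honest_run(a, b), "reflection": reflection_run(a)}


if __name__ == "__main__":
    print("single key:", single_key_design())   # {'honest': True, 'reflection': True}
    print("two keys:  ", two_key_design())      # {'honest': True, 'reflection': False}
```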

\subsubsection*{Trusted Third Parties}

One limitation the protocols we discussed so far have is that
they presuppose a secret shared key. As already mentioned,
this is a convenience we cannot always assume. How to
establish a secret key then? Well, if both parties, say $A$
and $B$, mutually trust a third party, say $S$, then they can
use the following protocol:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to S :$ & $A, B$\\
$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
$A \to B :$ & $\{m\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent The assumption in this protocol is that $A$ and $S$
share a secret key, and also $B$ and $S$ ($S$ being the
trusted third party). The goal is that $A$ can send $B$ a
message $m$ under a shared secret key $K_{AB}$, which at the
beginning of the protocol does not exist yet. How does this
protocol work? In the first step $A$ contacts $S$ and says
that it wants to talk to $B$. In turn $S$ invents a new key
$K_{AB}$ and sends two messages back to $A$: one message is
$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and
$S$ share, and also the message
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$ which is encrypted first with
$K_{BS}$ and then a second time with $K_{AS}$. The point of
the second message is that it is a message intended for $B$.
So $A$ receives both messages and can decrypt them---in the
first case it obtains the key $K_{AB}$ which $S$ suggested to
use. In the second case it obtains a message it can forward to
$B$. $B$ receives this message and since it knows the key it
shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can
start to exchange messages with the shared secret key
$K_{AB}$. What is the advantage of $S$ sending $A$ two
messages instead of contacting $B$ directly? Well, there can be
a time-delay between the second and third step in the
protocol. At some point in the past $A$ and $S$ need to have
come together to share a key, similarly $B$ and $S$. After
that $B$ does not need to be ``online'' anymore until $A$
actually starts sending messages to $B$. $A$ and $S$ can
completely on their own negotiate a new key.
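
The four steps above as an added example (my own code, not the handout's), with $S$, $A$ and $B$ as Python objects. The symmetric encryption $\{x\}_K$ is a toy cipher written only for this demonstration, the long-term keys $K_{AS}$ and $K_{BS}$ are constructed values, and the run also checks that $A$ cannot open the ticket meant for $B$ while $S$, having invented $K_{AB}$, can read the final message.

```python
# Added example (not code from the handout): the trusted-third-party key
# distribution protocol with S, A and B as Python objects. The symmetric
# encryption {x}_K is a small toy cipher (SHA-256 keystream plus an HMAC
# tag) written only for this demonstration; the protocol logic does not
# depend on which cipher is used.
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """{plaintext}_key: fresh nonce, XOR with keystream, then an HMAC tag so
    that decryption under the wrong key is detected rather than giving garbage."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, t = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(t, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TrustedThirdParty:
    """S: shares a long-term key with every principal it knows."""

    def __init__(self, long_term_keys: dict):
        self.keys = dict(long_term_keys)
        self.issued = {}   # S remembers every session key it handed out

    def request(self, a: str, b: str) -> tuple:
        """A -> S: A, B.   S -> A: {K_AB}_{K_AS} and {{K_AB}_{K_BS}}_{K_AS}."""
        k_ab = secrets.token_bytes(32)
        self.issued[(a, b)] = k_ab
        for_a = encrypt(self.keys[a], k_ab)
        ticket_for_b = encrypt(self.keys[a], encrypt(self.keys[b], k_ab))
        return for_a, ticket_for_b


# Constructed long-term keys, established "at some point in the past".
K_AS = hashlib.sha256(b"constructed long-term key A<->S").digest()
K_BS = hashlib.sha256(b"constructed long-term key B<->S").digest()
S = TrustedThirdParty({"A": K_AS, "B": K_BS})


def run_protocol(m: bytes) -> dict:
    """Runs all four steps and reports who could read what."""
    for_a, wrapped = S.request("A", "B")          # steps 1 and 2
    k_ab_at_a = decrypt(K_AS, for_a)             # A learns K_AB
    ticket = decrypt(K_AS, wrapped)              # {K_AB}_{K_BS}: opaque to A
    try:
        decrypt(K_AS, ticket)
        a_reads_ticket = True
    except ValueError:
        a_reads_ticket = False
    # Any amount of time may pass here; B only has to be online from now on.
    k_ab_at_b = decrypt(K_BS, ticket)            # step 3: A -> B: {K_AB}_{K_BS}
    c = encrypt(k_ab_at_a, m)                    # step 4: A -> B: {m}_{K_AB}
    return {
        "received_by_B": decrypt(k_ab_at_b, c),
        "A_can_read_ticket": a_reads_ticket,
        # the major limitation: S kept K_AB and can read the traffic too
        "read_by_S": decrypt(S.issued[("A", "B")], c),
    }


if __name__ == "__main__":
    print(run_protocol(b"meet at noon"))
```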

The major limitation of this protocol however is that I need
to trust a third party. And in this case completely, because
$S$ can of course also easily read all messages $A$ sends to
$B$. The problem is that I cannot really think of any
institution that could serve as such a trusted third party. One
would hope the government would be such a trusted party, but
in the Snowden-era we know that this is wishful thinking in
the West, and if I lived in Iran or North Korea, for example,
I would not even start to hope for this.

The cryptographic ``magic'' of public-private keys
seems to offer an elegant solution for this, but as we shall
see in the next section, this requires some very clever
protocol design and does not solve the authentication
problem completely.

\subsubsection*{Averting Person-in-the-Middle Attacks}

The idea of public-private key encryption is that one can
publish the key $K^{pub}$ which people can use to encrypt
messages for me and I can use my private key $K^{priv}$ to be
the only one that can decrypt them. While this sounds all
good, it relies on people being able to associate me
with my public key. That is not as trivial as it sounds. For
example, if I were the government, say Theresa Mayhem, and tried to
find out who the trouble makers in the country are, I would
publish an innocent looking webpage and say I am The Guardian
newspaper (or alternatively The Sun for all the juicy
stories), publish a public key on it, and then just wait for
incoming messages.

This problem is supposed to be solved by using certificates.
The purpose of certification organisations is that they verify
that a public key, say $K^{pub}_{Bob}$, really belongs to Bob.
This is also the mechanism underlying the HTTPS protocol. The
problem is that this system is essentially completely
broken\ldots{}but this is a story for another time. Suffice
to say for now that one of the main certification
organisations, VeriSign, has limited its liability to \$100 in
case it issues a false certificate. This is really a joke and
really the wrong incentive for the certification organisations
to clean up their mess. The problem is compounded by the fact that
browser vendors also play a crucial role for this to
work (and they might have completely different incentives
according to which they operate).

The problem we want to study closer now is that protocols
based on public-private key encryption are susceptible to
simple person-in-the-middle attacks. Consider the following
protocol where $A$ and $B$ attempt to exchange secret messages
using public-private keys.

\begin{itemize}
\item $A$ sends public key to $B$
\item $B$ sends public key to $A$
\item $A$ sends a message encrypted with $B$'s public
key,\\ $B$ decrypts it with its private key
\item $B$ sends a message encrypted with $A$'s public
key,\\ $A$ decrypts it with its private key
\end{itemize}

\noindent In our formal notation for protocols, this would
look as follows:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B :$ & $K^{pub}_A$\smallskip\\
$B \to A :$ & $K^{pub}_B$\smallskip\\
$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent Since we assume an attacker, say $E$, has complete
control over the network, $E$ can intercept the first two
messages and substitute her own public key. The resulting protocol
run would be
parents:
270
diff
changeset
|
612 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
613 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
614 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
615 |
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
616 |
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
617 |
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
618 |
4. & $E \to A :$ & $K^{pub}_E$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
619 |
5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
620 |
6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
621 |
7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
622 |
8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
623 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
624 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
625 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
626 |
\noindent where in steps 6 and 8, $E$ can modify the messages |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
627 |
by including the $E$ in the message. Both messages are |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
628 |
received encrypted with $E$'s public key; therefore it can |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
629 |
decrypt them and repackage them with new content. $A$ and $B$ |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
630 |
have no idea that they talking to an attacker. To them all |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
631 |
messages look legit. Because $E$ can modify messages, it seems |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
632 |
very difficult to defend against this attack. |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
633 |
|
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
634 |
But there is a clever trick\ldots{}dare I say some magic which |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
635 |
makes this attack very difficult to perform on people who know |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
636 |
each other---but not necessarily have a shared key. Modify the |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
637 |
protocol above so that $A$ and $B$ send their messages in two |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
638 |
halves, like |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
639 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
640 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
641 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
642 |
1. & $A \to B :$ & $K^{pub}_A$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
643 |
2. & $B \to A :$ & $K^{pub}_B$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
644 |
3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
645 |
& & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\ |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
646 |
4. & $A \to B :$ & $H_1$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
647 |
5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
648 |
6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
649 |
7. & $B \to A :$ & $M_2$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
650 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
651 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
652 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
653 |
\noindent The idea is that in step 3, $A$ encrypts the |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
654 |
message (with $B$'s public key) and then splits the encrypted |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
655 |
message into two halves. Say the encrypted message is |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
656 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
657 |
\begin{center} |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
658 |
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}}_{\{A,m\}_{K^{pub}_B}}$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
659 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
660 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
661 |
\noindent then $A$ splits it up into two halves |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
662 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
663 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
664 |
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
665 |
$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
666 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
667 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
668 |
\noindent Similarly $B$ splits its message into two halves |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
669 |
$M_1$ and $M_2$. However, $A$ initially only sends the first |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
670 |
half $H_1$ to $B$. Which $B$ answers with the message |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
671 |
consisting of the received $H_1$ and its own first half $M_1$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
672 |
encrypted with $A$'s public key. The message in step 5. $A$ |
494 | 673 |
receives this message, decrypts it and \textbf{only} when the $H_1$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
674 |
matches with its first half it send out earlier, $A$ |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
675 |
will send out the second half; see step 6. For this, $A$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
676 |
adds the received $M_1$ and encrypts both parts with $B$'s |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
677 |
public key. Finally $B$ checks whether the received $M_1$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
678 |
matches with its first half, and if yes sends $A$ its |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
679 |
second half $M_2$. Now $A$ and $B$ are in the possession |
286
47e06cb75837
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
285
diff
changeset
|
680 |
of $H_1$ and $H_2$, respectively $M_1$ and $M_2$, and can |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
681 |
decrypt the corresponding messages. |

Now the big question is, why on earth does this splitting
of messages in half and additional message exchange help
with defending against person-in-the-middle attacks? Well,
let's try to be an attacker. As before we intercept
the messages where public keys are exchanged and inject
our own.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
4. & $E \to A :$ & $K^{pub}_E$
\end{tabular}
\end{center}

\noindent
Now $A$ and $B$ build the message halves:

\[
\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad
\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2
\]

\noindent and $A$ sends $E$ its first half of the message.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
5. & $A \to E :$ & $H_1$
\end{tabular}
\end{center}

\noindent Neither $E$ nor $B$ can do much with this message.
Remember it is only half of some ``garbled'' text that cannot
be decrypted. $E$ could try to forward the message to $B$ and
see what its reply is.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
6. & $E \to B :$ & $H_1$\\
7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
\end{tabular}
\end{center}

\noindent Although $E$ can decrypt the message with its
private key, it only gets the halves $H_1$ and $M_1$, which
are of no use yet. In order to get more information it
can send the message on to $A$, encrypted with $A$'s public key.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent $A$ would receive this message, decrypt it and
find out that it matches its expectation. It therefore
sends out the message

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
\end{tabular}
\end{center}

\noindent Now $E$ is in possession of $H_1$ and $H_2$,
which it can join together in order to obtain
$\{A,m\}_{K^{pub}_E}$, which it can decrypt. It seems
like from now on all is lost, but let's see: in order to
stay undetected it must send a message to $B$. It now has two
options: one is to use the newly obtained knowledge and
modify $A$'s message to be

\[
\{E,m\}_{K^{pub}_B} \;\mapsto\; H'_1,H'_2
\]

\noindent But notice that since $E$ changed the message,
it will now receive two different halves. Let us call
them $H'_1$ and $H'_2$. If $E$ now sends $B$ the $H'_2$,
$B$ will be in possession of $H_1$ and $H'_2$. But
after joining both halves it will not be able to
decrypt the resulting message---the two halves simply
do not fit. The other option is to send out the original $H_2$
as follows:

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
\end{tabular}
\end{center}

\noindent
In this case $B$ can make sense out of the message and
as a result sends $E$ back its second half $M_2$.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
11. & $B \to E :$ & $M_2$
\end{tabular}
\end{center}

\noindent $E$ might be ecstatic by now, because it has now
also received $M_1$ and $M_2$, which it can join to
get $\{B, m'\}_{K^{pub}_E}$. It can decrypt this message
but still is not finished completely, because it has to send
$A$ a message. It could try to build the message
$\{E, m'\}_{K^{pub}_A}$, but like above $A$ would not be able
to make sense out of the two halves (which again do not fit
together). So one option is to send $M_2$.

With this the protocol has ended. $E$ was able to decrypt all
messages, but what messages did $A$ and $B$ receive and from
whom? Was $E$ able to modify the messages? If yes, were
$A$ and $B$ able to find out that
something strange is going on and probably not talk on this
channel anymore? I leave you to think about it.\footnote{\rotatebox{180}{
\begin{minipage}{10cm}
Consider the case where $A$ sends
the message ``How is your grandmother?'' to $B$, and $B$
sends the message ``How is the weather in London today?'' to $A$. Another
possibility: what if $A$ and $B$ include a voice message in their
messages?
\end{minipage}}}\bigskip

\noindent
I hope you have thought about all these questions. $E$ cannot modify
the received messages---$A$ and $B$ would find this out. To stay
undetected, $E$ can only forward the messages (unmodified), and this is
all that $A$ and $B$ need in order to establish a shared secret. For
example they can use the Hellman-Diffie key exchange protocol (see
further reading), which works even if $E$ can decrypt all messages.
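
\noindent As an added illustration (not code from these notes), the following Python models the halved protocol of steps 3--7 above together with the attacker's ``the two halves simply do not fit'' problem from the walkthrough. Textbook RSA at demo sizes stands in for $K^{pub}$ and $K^{priv}$, and a short hash tag inside every plaintext is an assumption of the model: it is how a receiver here tells a genuine decryption from the garbage produced by joining halves of two different ciphertexts. The function names \texttt{interlock} and \texttt{rewrite\_attempt} are mine, not the notes'.

```python
import hashlib
import random
from collections import namedtuple

# Toy RSA (demo only): 256-bit primes give a 512-bit n, so a 40-byte plaintext
# block lies below n and encrypts to a 64-byte ciphertext block.
PRIME_BITS, BLOCK_PT, BLOCK_CT, TAG_LEN = 256, 40, 64, 8
KeyPair = namedtuple("KeyPair", "n e d")   # (n, e) plays K^pub, d plays K^priv

def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin test; sufficient for generating demo keys."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen() -> KeyPair:
    """Textbook RSA key pair: no padding and demo sizes, not for real use."""
    e = 65537
    while True:
        p, q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return KeyPair(p * q, e, pow(e, -1, phi))

def pack(x: bytes, y: bytes) -> bytes:
    """Encode the pair {x, y}: 2-byte length of x, then x, then y."""
    return len(x).to_bytes(2, "big") + x + y

def unpack(data):
    if data is None:
        return None
    n = int.from_bytes(data[:2], "big")
    return data[2:2 + n], data[2 + n:]

def encrypt(pub: KeyPair, data: bytes) -> bytes:
    """{data}_{K^pub}: append a hash tag, pad, RSA-encrypt block by block.
    The tag is what lets a receiver notice that two halves 'do not fit'."""
    padded = pack(data + hashlib.sha256(data).digest()[:TAG_LEN], b"")
    padded += b"\0" * (-len(padded) % BLOCK_PT)
    return b"".join(pow(int.from_bytes(padded[i:i + BLOCK_PT], "big"), pub.e, pub.n)
                    .to_bytes(BLOCK_CT, "big") for i in range(0, len(padded), BLOCK_PT))

def decrypt(key: KeyPair, ct: bytes):
    """Inverse of encrypt; None for a lone half (not whole blocks) and for
    joined halves of two different ciphertexts (block overflow or bad tag)."""
    if len(ct) % BLOCK_CT:
        return None
    try:
        padded = b"".join(pow(int.from_bytes(ct[i:i + BLOCK_CT], "big"), key.d, key.n)
                          .to_bytes(BLOCK_PT, "big") for i in range(0, len(ct), BLOCK_CT))
    except OverflowError:          # a decrypted block does not fit 40 bytes: garbage
        return None
    tagged, _ = unpack(padded)
    data, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    ok = len(tagged) >= TAG_LEN and hashlib.sha256(data).digest()[:TAG_LEN] == tag
    return data if ok else None

def halves(ct: bytes):
    """Step 3: split a ciphertext into H_1, H_2 (or M_1, M_2)."""
    return ct[:len(ct) // 2], ct[len(ct) // 2:]

def interlock(a: KeyPair, b: KeyPair, m: bytes, m_prime: bytes):
    """Steps 3-7 with an honest network: returns (what A learns, what B learns),
    or a string naming the party whose half-check failed."""
    h1, h2 = halves(encrypt(b, pack(b"A", m)))        # {A,m}_{K^pub_B} -> H1,H2
    m1, m2 = halves(encrypt(a, pack(b"B", m_prime)))  # {B,m'}_{K^pub_A} -> M1,M2
    got_h1, got_m1 = unpack(decrypt(a, encrypt(a, pack(h1, m1))))  # 4. H1; 5. {H1,M1}
    if got_h1 != h1:                                  # A releases H2 only on a match
        return "A aborts"
    got_h2, echoed_m1 = unpack(decrypt(b, encrypt(b, pack(h2, got_m1))))  # 6. {H2,M1}
    if echoed_m1 != m1:                               # B releases M2 only on a match
        return "B aborts"
    return unpack(decrypt(a, got_m1 + m2)), unpack(decrypt(b, h1 + got_h2))  # 7. M2

def rewrite_attempt(b: KeyPair, e: KeyPair, m: bytes):
    """The notes' dilemma: keys were substituted, A built {A,m}_{K^pub_E} and E
    already forwarded H_1 to B. Returns (H_1 alone, E's read, B's view of H_1+H'_2)."""
    h1, h2 = halves(encrypt(e, pack(b"A", m)))
    read_by_e = unpack(decrypt(e, h1 + h2))                # E joins H1,H2 -> (A, m)
    _, h2_prime = halves(encrypt(b, pack(b"E", read_by_e[1])))  # {E,m}_{K^pub_B}
    return decrypt(e, h1), read_by_e, decrypt(b, h1 + h2_prime)
```

\noindent With honest parties \texttt{interlock} hands both plaintexts over; in \texttt{rewrite\_attempt} $E$ does read $m$, but $H_1$ alone decrypts to nothing and $B$'s join of $H_1$ with $H'_2$ fails, which is the point of the lockstep.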
|
494 | 815 |
|
495 | 816 |
All good? Unfortunately, there is a way to defeat this lockstep |
817 |
protocol---the name of this protocol that halves the messages. The |
|
818 |
problem is $E$ can create completely fake messages. Let us look at |
|
819 |
this possibility: $E$ intercepts again the keys from $A$ and $B$, and |
|
820 |
substitutes its own keys. |
|
494 | 821 |
|
822 |
\begin{center} |
|
823 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
824 |
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ |
|
825 |
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ |
|
826 |
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ |
|
827 |
4. & $E \to A :$ & $K^{pub}_E$ |
|
828 |
\end{tabular} |
|
829 |
\end{center} |
|
830 |
||
831 |
\noindent |
|
832 |
Now $A$ and $B$ build again their message halves: |
|
833 |
||
834 |
\[ |
|
835 |
\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad |
|
836 |
\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2 |
|
837 |
\] |
|
838 |
||
839 |
\noindent |
|
840 |
$A$ sends its first half $H_1$. |
|
841 |
||
842 |
\begin{center} |
|
843 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
844 |
5. & $A \to E :$ & $H_1$ |
|
845 |
\end{tabular} |
|
846 |
\end{center} |
|
847 |
||
848 |
\noindent At this stage of the protocol, |
|
849 |
also $E$ creates two messages and halves them, say |
|
850 |
||
851 |
\[ |
|
852 |
\{E,m_E\}_{K^{pub}_E} \;\mapsto\; C_1,C_2\qquad |
|
853 |
\{E,m'_E\}_{K^{pub}_E} \;\mapsto\; D_1,D_2 |
|
854 |
\] |
|
855 |
||
856 |
\noindent |
|
857 |
But notice that $E$ has to make up these messages out of |
|
858 |
thin air. No information from $A$ and $B$ is usable yet---remember |
|
859 |
the half $H_1$ on its own cannot be decrypted. $E$ can then send |
|
860 |
$C_1$ to $B$, which dutifully responds |
|
861 |
||
862 |
\begin{center} |
|
863 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
864 |
6. & $E \to B :$ & $C_1$\\ |
|
865 |
7. & $B \to E :$ & $\{C_1, M_1\}_{K^{pub}_E}$ |
|
866 |
\end{tabular} |
|
867 |
\end{center} |
|
868 |
||
869 |
\noindent |
|
870 |
Next $E$ has to send a message to $A$---it can use the made up $D_1$ and |
|
871 |
the $H_1$ received earlier. |
|
872 |
||
873 |
\begin{center} |
|
874 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
875 |
8. & $E \to A :$ & $\{H_1, D_1\}_{K^{pub}_A}$ |
|
876 |
\end{tabular} |
|
877 |
\end{center} |
|
878 |
||
879 |
\noindent |
|
880 |
$A$ can verify it received $H_1$ and thus sends out |
|
881 |
||
882 |
\begin{center} |
|
883 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
884 |
9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$ |
|
885 |
\end{tabular} |
|
886 |
\end{center} |
|
887 |
||
888 |
\noindent |
|
889 |
With this $E$ is in the possesion of both halves from $A$. |
|
890 |
In order to get the reply from $B$, $E$ can send the message |
|
891 |
||
892 |
\begin{center} |
|
893 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
894 |
10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$ |
|
895 |
\end{tabular} |
|
896 |
\end{center} |
|
897 |
||
898 |
\noindent |
|
899 |
and $B$ can verify that it received $M_1$. So it answer |
|
900 |
with |
|
901 |
||
902 |
\begin{center} |
|
903 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
904 |
11. & $B \to E :$ & $M_2$ |
|
905 |
\end{tabular} |
|
906 |
\end{center} |
|
907 |
||
908 |
\noindent Finally $E$ can complete the protocol with sending $D_2$ to $A$: |
|
909 |
||
910 |
\begin{center} |
|
911 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
|
912 |
12. & $E \to A :$ & $D_2$ |
|
913 |
\end{tabular} |
|
914 |
\end{center} |
|
915 |
||
\noindent
$A$ and $B$ receive the expected messages and were able to verify
their first halves. That means they do not suspect anything dodgy
going on: $E$ has successfully managed a man-in-the-middle attack.
In case $A$ and $B$ are computers, there is not much that can
prevent this attack. In case they are humans, there are a few
things they can do. For example $A$ and $B$ can craft their
messages such that they include a specific question only $A$ and
$B$ are likely to be able to answer, or include a voice message
which identifies $A$ and $B$ by their voice. The point is $E$ should
not be able to create legitimate-looking messages. Humans can do this
if they have some minimal knowledge of the protocol partner (for example
they know their voice from TV); but computers cannot. The conclusion is
that there is no protocol that can establish a trusted connection
without any preshared information. The solution that has evolved
over the years is to use certificates which have been created by an
authority we (or better the browser) already trust.
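The twelve-message trace above as a small Python simulation, so that the bookkeeping can be checked step by step. This is an added example and not code from the lecture notes: public-key encryption is only modelled (a sealed box that the named key owner alone may open), the halving is done with a random one-time pad so that a single half really carries no information, and the message texts are made up. Message 10 is sealed for $B$, the only party who can open it. The honest run is included for contrast: there $E$ sees every half go past but cannot open the sealed messages, whereas in the attack run both of $A$'s and $B$'s checks pass and $E$ ends up reading both messages.

```python
"""Simulation of the attack on the lockstep ("halved message") protocol.
Added example, not code from the notes.  Two things are modelled rather
than implemented: public-key encryption is a sealed box that only the
named key owner may open, and halving uses a random one-time pad so that
one half alone says nothing about the message."""
import os
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Sealed:
    """Ciphertext {payload}_{K^pub_recipient}."""
    recipient: str
    payload: Any


class KeyPair:
    """Stands in for (K^pub, K^priv) of one party."""
    def __init__(self, name: str):
        self.name = name

    def open(self, box: Sealed):
        if box.recipient != self.name:
            raise PermissionError(f"{self.name} cannot open a box for {box.recipient}")
        return box.payload


def encrypt(pub: str, payload: Any) -> Sealed:
    return Sealed(pub, payload)


def split(box: Sealed):
    """{A,m}_K -> H1, H2: H1 is a random pad r, H2 is ciphertext XOR r."""
    r = os.urandom(len(box.payload))
    masked = bytes(x ^ y for x, y in zip(box.payload, r))
    return (box.recipient, r), (box.recipient, masked)


def join(h1, h2) -> Sealed:
    """Recombine two halves; only then can the owner of the key decrypt."""
    assert h1[0] == h2[0]
    return Sealed(h1[0], bytes(x ^ y for x, y in zip(h1[1], h2[1])))


def honest_run(m_a=b"A:How is your grandmother?", m_b=b"B:Fine, thanks"):
    """Keys exchanged without interference; E only watches."""
    A, B, E = KeyPair("A"), KeyPair("B"), KeyPair("E")
    H1, H2 = split(encrypt("B", m_a))            # A seals for B's real key
    M1, M2 = split(encrypt("A", m_b))            # B seals for A's real key
    got_H1, got_M1 = A.open(encrypt("A", (H1, M1)))   # B -> A: {H1, M1}_{K_A}
    a_ok = got_H1 == H1
    got_H2, got_M1_again = B.open(encrypt("B", (H2, got_M1)))  # A -> B: {H2, M1}_{K_B}
    b_ok = got_M1_again == M1 and B.open(join(H1, got_H2)) == m_a
    a_ok = a_ok and A.open(join(got_M1, M2)) == m_b            # B -> A: M2
    try:
        E.open(join(H1, H2))                     # E saw every half go past ...
        e_reads = True
    except PermissionError:                      # ... but they are sealed for B
        e_reads = False
    return a_ok, b_ok, e_reads


def attack_run(m_a=b"A:How is your grandmother?", m_b=b"B:Fine, thanks"):
    """Messages 1-12 of the trace: E has substituted K^pub_E for both keys."""
    A, B, E = KeyPair("A"), KeyPair("B"), KeyPair("E")
    H1, H2 = split(encrypt("E", m_a))            # A believes "E" is B's key
    M1, M2 = split(encrypt("E", m_b))            # B believes "E" is A's key
    C1, C2 = split(encrypt("E", b"E:made up"))   # E's messages, created
    D1, D2 = split(encrypt("E", b"E:made up"))   # out of thin air
    # 5. A -> E : H1         (E cannot open H1 on its own)
    # 6. E -> B : C1
    got_C1, got_M1 = E.open(encrypt("E", (C1, M1)))   # 7. B -> E : {C1, M1}_{K_E}
    got_H1, got_D1 = A.open(encrypt("A", (H1, D1)))   # 8. E -> A : {H1, D1}_{K_A}
    a_ok = got_H1 == H1                               #    A's check passes
    got_H2, _ = E.open(encrypt("E", (H2, got_D1)))    # 9. A -> E : {H2, D1}_{K_E}
    m_a_read = E.open(join(H1, got_H2))               #    E now reads A's message
    got_C2, got_M1_again = B.open(encrypt("B", (C2, got_M1)))  # 10. E -> B : {C2, M1}_{K_B}
    b_ok = got_M1_again == M1                         #    B's check passes
    m_b_read = E.open(join(got_M1, M2))               # 11. B -> E : M2
    # 12. E -> A : D2  (A joins D1, D2 and reads E's made-up text)
    return a_ok, b_ok, m_a_read, m_b_read


if __name__ == "__main__":
    print("honest (A ok, B ok, E reads):", honest_run())
    print("attack (A ok, B ok, E read A, E read B):", attack_run())
```

The simulation is faithful to the trace in the one respect that matters: `E` never opens `H_1` or `M_1` on its own, it only ever joins halves once it holds both, exactly as the text says is unavoidable, and that is still enough because nothing in the protocol ties a half to the party that created it.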

\section*{Key Fob Protocol}

Recall from the beginning that a person-in-the-middle
attack can easily be mounted at the key fob and car
protocol unless we are careful. If you look at actual
key fob protocols, they use a variant of the protocol
described above. Suppose $C$ is the car and $T$ is the key fob
(transponder). The HiTag2 protocol used in cars of
VW \& friends is as follows:

\begin{enumerate}
\item $C$ generates a random number $N$
\item $C$ calculates $\{N\}_K \mapsto F,G$
\item $C \to T$: $N, F$
\item $T$ calculates $\{N\}_K \mapsto F',G'$
\item $T$ checks that $F = F'$
\item $T \to C$: $N, G'$
\item $C$ checks that $G = G'$
\end{enumerate}

\noindent The assumption is that the key $K$ is only known to
the car and the transponder.
The claim is that $C$ and $T$ can
authenticate to each other. Again, I leave it to you to find
out whether this protocol is immune from
person-in-the-middle attacks. (Hint: Does it establish a
trusted connection from ``zero''?)
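The seven steps above, run end to end in Python together with the checks a practitioner would want: what happens when one side does not know $K$, and whether a recorded answer can be replayed. This is an added example, not code from the notes and not an implementation of HiTag2: the keyed function $\{N\}_K$ is modelled with HMAC-SHA256 (HiTag2 itself uses a proprietary stream cipher with a 48-bit key) and its 32-byte output is simply cut into the halves $F$ and $G$; the key and the nonces are generated locally.

```python
"""Car/transponder challenge-response as listed above.  Added example,
not code from the notes and not HiTag2: {N}_K is modelled by
HMAC-SHA256 whose output is cut into the two halves F and G."""
import hashlib
import hmac
import os

HALF = 16   # bytes in each of F and G


def keyed_halves(key: bytes, nonce: bytes):
    """{N}_K |-> F, G"""
    tag = hmac.new(key, nonce, hashlib.sha256).digest()
    return tag[:HALF], tag[HALF:]


class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.expected_G = None

    def challenge(self):
        """Steps 1-3: fresh N, compute F and G, send N and F."""
        N = os.urandom(8)
        F, self.expected_G = keyed_halves(self.key, N)
        return N, F

    def verify(self, reply) -> bool:
        """Step 7: C checks G = G' (constant-time comparison)."""
        _N, G_prime = reply
        return hmac.compare_digest(self.expected_G, G_prime)


class Transponder:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge):
        """Steps 4-6: recompute F', G'; answer only if F = F'."""
        N, F = challenge
        F_prime, G_prime = keyed_halves(self.key, N)
        if not hmac.compare_digest(F, F_prime):
            return None            # the challenger does not know K
        return N, G_prime


def run(car: Car, fob: Transponder) -> bool:
    reply = fob.respond(car.challenge())
    return reply is not None and car.verify(reply)


def impersonate_car(fob: Transponder) -> bool:
    """E without K picks its own N and guesses F: the fob stays silent."""
    return fob.respond((os.urandom(8), os.urandom(HALF))) is not None


def impersonate_fob(car: Car) -> bool:
    """E without K answers a real challenge with a guessed G'."""
    N, _F = car.challenge()
    return car.verify((N, os.urandom(HALF)))


def replay_old_reply(car: Car, fob: Transponder) -> bool:
    """E records a valid (N, G') and replays it to a later challenge;
    the fresh nonce makes the old G' worthless."""
    recorded = fob.respond(car.challenge())
    car.challenge()                        # car now expects a new G
    return car.verify(recorded)


if __name__ == "__main__":
    K = os.urandom(16)                     # constructed shared key
    car, fob = Car(K), Transponder(K)
    print("honest run:", run(car, fob))
    print("impersonate car:", impersonate_car(fob))
    print("impersonate fob:", impersonate_fob(car))
    print("replay:", replay_old_reply(car, fob))
```

Neither impersonation succeeds and a replayed $G'$ fails because $N$ is fresh, but all of this rests on $K$ being shared in advance: the protocol does not build trust from nothing, which is what the hint is pointing at. An attacker who only forwards both messages unchanged is, just as with the lockstep protocol, invisible to the protocol itself.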


\subsubsection*{Further Reading}

\begin{itemize}
\item A nice video explaining the Diffie-Hellman key exchange technique
is here

\begin{center}
\url{https://www.youtube.com/watch?v=YEBfamv-_do}
\end{center}

The main point of this technique is that no sensitive information
is sent over the network---both parties create the key together, but
on their own computers, not over the network.
While the technique is cryptographic magic, it can be attacked
when messages can be manipulated during transit. Remember that
the lockstep protocol can only be attacked by either passively
forwarding the messages (without being able to modify them) or
by creating completely fake messages.

\item A blogpost that describes the first few milliseconds of
an HTTPS connection is at

\begin{center}
\url{http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html}
\end{center}

It disentangles every message sent between a client and a
server.

\item If you want to know more about how cars can be hijacked,
the paper

\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}

is quite amusing to read. Obviously an even more amusing paper
would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
Vehicle Immobilizer'' by the same authors, but because of the
court injunction obtained by VW, we were denied this entertainment.
UPDATE: This paper has since been published.

\item Man-in-the-middle attacks from the ``wild'' are
described with real data in the blog post

\begin{center}
\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
\end{center}

The conclusion in this post is that man-in-the-middle attacks
can be launched from any place on Earth---it is not required
that you sit in the ``middle'' of the communication of two
people. You just have to route their traffic through a node
you own.

\item An article in The Guardian from 2013 reveals how GCHQ
and the NSA at a G20 Summit in 2009 sniffed emails from
Internet cafes, monitored phone calls from delegates and
attempted to listen in on phone calls which were made by
Russians and which were transmitted via satellite links:

\begin{center}
\url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
\end{center}

\ldots all in the name of having a better position for
negotiations. Hmmm\ldots

\item A paper guessing how the NSA can decrypt so much of the
encrypted Internet traffic:

\begin{center}
\url{https://weakdh.org/imperfect-forward-secrecy.pdf}
\end{center}

\end{itemize}
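For the first item above (and for the earlier claim that $A$ and $B$ can still agree on a secret over a channel $E$ can read but not alter), a Diffie-Hellman exchange in Python, first honest and then with $E$ swapping its own values in while the messages are in transit. This is an added example, not code from the notes or from the video; the default parameters $p=23$, $g=5$ are the usual textbook toy values, chosen so the arithmetic can be checked by hand, and are in no sense secure.

```python
"""Diffie-Hellman, honest and with an active E.  Added example, not
code from the notes.  Default group parameters are textbook toy values
(assumption for illustration only); real deployments use 2048-bit or
larger groups such as the RFC 7919 ones."""
import secrets

P, G = 23, 5     # toy prime and generator, not secure


def public(priv: int, p: int = P, g: int = G) -> int:
    """g^priv mod p: the only value a party ever puts on the wire."""
    return pow(g, priv, p)


def shared(priv: int, other_pub: int, p: int = P) -> int:
    """Computed locally from one's own secret and the peer's public value."""
    return pow(other_pub, priv, p)


def honest_run(a: int, b: int, p: int = P, g: int = G):
    """A and B exchange g^a and g^b over a channel E can read but not change."""
    A_pub, B_pub = public(a, p, g), public(b, p, g)
    k_A = shared(a, B_pub, p)
    k_B = shared(b, A_pub, p)
    return k_A, k_B          # equal: g^(ab) = g^(ba); E only sees g^a, g^b


def mitm_run(a: int, b: int, e1: int, e2: int, p: int = P, g: int = G):
    """E replaces A's value with g^e1 on the way to B and B's value with
    g^e2 on the way to A, ending up with one key per victim."""
    A_pub, B_pub = public(a, p, g), public(b, p, g)
    E1_pub, E2_pub = public(e1, p, g), public(e2, p, g)
    k_A = shared(a, E2_pub, p)      # A thinks this is shared with B
    k_B = shared(b, E1_pub, p)      # B thinks this is shared with A
    return {
        "k_A": k_A,
        "k_B": k_B,
        "E_has_A_key": shared(e2, A_pub, p) == k_A,
        "E_has_B_key": shared(e1, B_pub, p) == k_B,
        "A_and_B_agree": k_A == k_B,
    }


def random_private(p: int = P) -> int:
    """Secret exponent in 1..p-2, never sent anywhere."""
    return secrets.randbelow(p - 2) + 1


if __name__ == "__main__":
    a, b = random_private(), random_private()
    print("honest:", honest_run(a, b))
    print("mitm:", mitm_run(a, b, random_private(), random_private()))
```

With private exponents 6 and 15 both sides compute 2 from the public values 8 and 19. When $E$ injects $5^3$ and $5^7$ instead, $A$ ends with 12 and $B$ with 5, and $E$ holds both, while neither victim can tell from the exchange alone; that is exactly why a channel on which messages can be manipulated, or public values that are not authenticated, breaks the technique.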

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: