handouts/ho05.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 05 Nov 2014 12:01:05 +0000
changeset 283 40511897fcc4
parent 279 5616e664c020
child 285 2492b771122e
permissions -rw-r--r--
updated
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}

\section*{Handout 5 (Protocols)}

Protocols are the computer science equivalent to fractals and
the Mandelbrot set in mathematics. With the latter two you
have a simple formula, which you just iterate and then you
test whether a point is inside or outside a region\ldots{}it
does not look exciting, but voil\`a, something magically
happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
are similar: they are simple exchanges of messages, but in the
end something ``magical'' can happen---for example a secret
channel has been established or two entities have
authenticated themselves to each other, even in the face of
strong adversaries where we have no control over the network
over which our messages are exchanged. The problem with magic
is of course that it is poorly understood, and even experts
often got, and get, it wrong with protocols.

To have an idea what kind of protocols we are interested in, let
us look at a few examples. One example is (wireless) key
fobs, which operate the central locking system and the
ignition in a car.

\begin{center}
\includegraphics[scale=0.075]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.2025]{../pics/startstop.jpg}
\end{center}

\noindent The point of these key fobs is that everything is
done over the ``air''---there is no physical connection
between the key, doors and engine, as was the case with the
old solid metal keys. With the key fobs we must achieve
security by exchanging certain messages between the key fob on
one side and the doors and engine on the other. Clearly what
we would like to accomplish is that I can get into my car and
start it, but that thieves are kept out. The problem is that
everybody can ``overhear'' or skim the exchange of messages
between the key fob and car. In this scenario the simplest
attack you need to defend against is a person-in-the-middle
attack. For this imagine you park your car in front of a
supermarket. One thief follows you with a strong transmitter.
A second thief ``listens'' to the signals from the car and
wirelessly transmits them to the ``colleague'' who followed
you. This thief silently enquires what the key fob answers.
This answer is then sent back to the thief at the car. If done
properly the car will dutifully open and possibly start. No
need to steal your keys anymore.

But there are many more such protocols we would like to treat.
Another example is Wifi---you might sit at a Starbucks and
talk wirelessly to the free access point there and from there
talk to your bank. Moreover, even if you have to touch your
Oyster card at the reader each time you enter or exit the
Tube, it actually operates wirelessly and with appropriate
equipment over some quite large distance (several meters). But
there are many, many more examples (Bitcoins, mobile
phones,\ldots). The common characteristic of the protocols we
are interested in is that an adversary or attacker is assumed
to be in complete control over the network or channel over
which we are exchanging messages. An attacker can install a
packet sniffer on a network, inject packets, modify packets,
replay old messages, or fake pretty much everything else. In
this hostile environment, the purpose of a protocol (that is,
an exchange of messages) is to achieve some security goal. For
example, only allow the owner of the car in, but everybody else
should stay out.

The protocols we are interested in here are generic
descriptions of how to exchange messages in order to achieve a
goal. Unlike the distant past where, for example, we had to
meet a person in order to authenticate him or her (via a
passport for example), the problem we are facing on the
Internet is that we cannot easily be sure who we are
``talking'' to. The obvious reason is that only some electrons
arrive at our computer; we do not see the person, or computer,
behind the incoming electrons (messages).

To start, let us look at one of the simplest protocols that
are part of the TCP protocol (which underlies the Internet).
This protocol does not do anything security relevant; it just
establishes a ``hello'' from a client to a server, which the
server answers with ``I heard you'', and the client answers
in turn with something like ``thanks''. This protocol
is often called a \emph{three-way handshake}. Graphically it
can be illustrated as follows

\begin{center}
\includegraphics[scale=0.5]{../pics/handshake.png}
\end{center}

\noindent On the left-hand side is a client, say Alice, on the
right-hand side is a server, say. Time is running from top to
bottom. Alice's initial SYN message needs some time to travel
to the server. The server answers with SYN-ACK, which will
require some time to arrive at Alice. Her answer ACK will
again take some time to arrive at the server. After the
messages are exchanged Alice and the server simply have
established a channel to communicate over. Alice does
not know whether she is really talking to the server (somebody
else on the network might have intercepted her message
and replied in place of the server). Similarly, the
server has no idea who it is talking to. Whether this can be
established depends on what is exchanged next and is the
point of the protocols we want to study in more detail.
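\noindent The following is an added example, not part of the handout and
not a real TCP implementation: a toy model of the three-way handshake run
over a network that the attacker fully controls, in the sense described
above (everything sent can be sniffed, dropped, injected or replayed). The
names \texttt{Network}, \texttt{Server}, \texttt{Client}, \texttt{Msg} and
the principals Alice, Bob, Calcium and Eve are assumptions made for the
example. It shows three things: the handshake run by several clients at
once against one server, which keeps separate state per peer; that the
server completes a handshake ``with Alice'' when Eve merely claims that
name; and that Alice reaches the established state when Eve, with no
server present at all, answers her SYN in the server's name. The
handshake sets up a channel, but authenticates nobody.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    sender: str    # the *claimed* sender; nothing on the wire proves it
    receiver: str
    payload: str   # "SYN", "SYN_ACK" or "ACK", all sent in clear text


class Network:
    """Attacker-controlled channel: every message is queued here before
    delivery, so the attacker can sniff (log), drop, inject or replay."""

    def __init__(self):
        self.queue = deque()
        self.log = []   # the sniffer's record of everything ever sent

    def send(self, msg):
        self.log.append(msg)
        self.queue.append(msg)

    def deliver(self, parties):
        """Deliver queued messages, in order, to the named parties.
        Replies they send are queued and delivered in the same loop."""
        while self.queue:
            msg = self.queue.popleft()
            if msg.receiver in parties:
                parties[msg.receiver].receive(msg, self)


class Server:
    """Runs the schema once per peer name: one state entry per client."""

    def __init__(self, name):
        self.name = name
        self.state = {}

    def receive(self, msg, net):
        if msg.payload == "SYN":
            self.state[msg.sender] = "SYN_RECEIVED"
            net.send(Msg(self.name, msg.sender, "SYN_ACK"))
        elif msg.payload == "ACK" and self.state.get(msg.sender) == "SYN_RECEIVED":
            self.state[msg.sender] = "ESTABLISHED"


class Client:
    def __init__(self, name, server):
        self.name, self.server, self.state = name, server, "CLOSED"

    def connect(self, net):
        self.state = "SYN_SENT"
        net.send(Msg(self.name, self.server, "SYN"))

    def receive(self, msg, net):
        if msg.payload == "SYN_ACK" and self.state == "SYN_SENT":
            self.state = "ESTABLISHED"
            net.send(Msg(self.name, self.server, "ACK"))


def trace(net):
    """The sniffer's view: (sender, receiver, payload) in wire order."""
    return [(m.sender, m.receiver, m.payload) for m in net.log]


def parallel_runs():
    """Two instances of the schema (Alice and Bob with Calcium) interleaved
    on one network; returns the wire trace and the final states."""
    net, calcium = Network(), Server("Calcium")
    alice, bob = Client("Alice", "Calcium"), Client("Bob", "Calcium")
    alice.connect(net)
    bob.connect(net)
    net.deliver({"Calcium": calcium, "Alice": alice, "Bob": bob})
    return trace(net), alice.state, bob.state, dict(calcium.state)


def server_cannot_tell_who_is_talking():
    """Eve injects a SYN and an ACK carrying the name 'Alice'.  The server
    completes the handshake 'with Alice' although Alice never took part."""
    net, calcium = Network(), Server("Calcium")
    net.send(Msg("Alice", "Calcium", "SYN"))      # injected by Eve
    net.deliver({"Calcium": calcium})             # SYN_ACK goes to "Alice"
    net.send(Msg("Alice", "Calcium", "ACK"))      # injected by Eve
    net.deliver({"Calcium": calcium})
    return calcium.state.get("Alice")


def client_cannot_tell_who_answered():
    """No server is on the network at all.  Eve drops Alice's SYN and answers
    in the server's name; Alice still believes the channel is established."""
    net, alice = Network(), Client("Alice", "Calcium")
    alice.connect(net)
    net.queue.clear()                             # Eve drops the SYN
    net.send(Msg("Calcium", "Alice", "SYN_ACK"))  # Eve replies as "Calcium"
    net.deliver({"Alice": alice})
    return alice.state
```

\noindent Nothing in the three messages binds a name to a party; the
\texttt{sender} field is just a claim that anyone on the channel can make.
That is exactly the gap the protocols studied next have to close.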

Before we start in earnest, we need to fix a more
convenient notation for protocols. Drawing pictures like
the one above would be awkward in the long run. The
notation already abstracts away from a few details we are
not interested in: for example the time the messages
need to travel between endpoints. What we are interested
in is in which order the messages are sent. For the SYN-ACK
protocol we will therefore use the notation

\begin{equation}
\begin{array}{l@{\hspace{2mm}}l}
A \to S: & SYN\\
S \to A: & SYN\_ACK\\
A \to S: & ACK\\
\end{array}\label{SYNACK}
\end{equation}

\noindent The left-hand side specifies who is the sender and
who is the receiver of the message. On the right of the colon
is the message that is sent. The order from top to bottom
specifies in which order the messages are sent. We also
have the convention that messages like $SYN$ above are sent
in clear text over the network. If we want a message to be
encrypted, then we use the notation

\[
\{msg\}_{K_{AB}}
\]

\noindent for messages. The curly braces indicate a kind of
envelope which can only be opened if you know the key $K_{AB}$
with which the message has been encrypted. We always assume
that an attacker, say Eve, cannot get the content of the
message, unless she is also in the possession of the key. We
explicitly exclude in our study that the encryption can be
broken.\footnote{\ldots{}which of course is what a good
protocol designer needs to ensure and more often than not
protocols are broken. For example Oyster cards contain a very
weak encryption mechanism which has been attacked.} It is also
possible that an encrypted message contains several parts. In
this case we would write something like

\[
\{msg_1, msg_2\}_{K_{AB}}
\]

\noindent But again Eve would not be able to know
this unless she also has the key. We also allow the
possibility that a message is encrypted twice under
different keys. In this case we write

\[
\{\{msg\}_{K_{AB}}\}_{K_{BC}}
\]

\noindent The idea is that even if attacker Eve has the
key $K_{BC}$ she could decrypt the outer envelope, but
would still not get to the message, because it is still
encrypted with the key $K_{AB}$. Note, however, that
while an attacker cannot obtain the content of the message
without the key, encrypted messages can be observed
and be recorded and then replayed at another time, or
sent to another person!
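\noindent As an added example (not from the handout), the envelope
notation above can be turned into a small symbolic model: a term
\texttt{Enc(body, key)} stands for $\{body\}_{key}$, a tuple stands for a
message with several parts, and an \texttt{Enc} inside an \texttt{Enc}
stands for double encryption. The function \texttt{analyse} computes
everything a party can derive from what it has observed and the keys it
holds, using exactly the two rules the text states: an envelope opens only
with its key, and a message with several parts splits into its parts. The
names \texttt{Key}, \texttt{Enc}, \texttt{analyse}, \texttt{learns} and
the sample terms are assumptions made for the example. It checks that Eve
with $K_{BC}$ gets $\{msg\}_{K_{AB}}$ out of the doubly encrypted message
but not $msg$, and that she can put a recorded envelope back on the wire
without holding any key, which is why encryption alone does not stop
replay.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str            # e.g. "K_AB": the key shared by A and B


@dataclass(frozen=True)
class Enc:
    """The envelope {body}_key.  body is a str, a tuple (several parts,
    as in {msg_1, msg_2}_K) or another Enc (double encryption)."""
    body: object
    key: Key


def analyse(observed, keys):
    """Everything a party can derive from the terms it observed and the
    keys it holds, under the perfect-encryption assumption: an envelope
    opens only with its key, and a tuple splits into its parts."""
    known = set(observed) | set(keys)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple):
                new = set(t)
            elif isinstance(t, Enc) and t.key in known:
                new = {t.body}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return known


def learns(observed, keys, target):
    """Can a party with these observations and keys get hold of target?"""
    return target in analyse(observed, keys)


# Constructed sample terms matching the handout's notation.
K_AB, K_BC = Key("K_AB"), Key("K_BC")
SINGLE = Enc("msg", K_AB)                       # {msg}_{K_AB}
PAIR = Enc(("msg_1", "msg_2"), K_AB)            # {msg_1, msg_2}_{K_AB}
NESTED = Enc(Enc("msg", K_AB), K_BC)            # {{msg}_{K_AB}}_{K_BC}


def eve_without_keys():
    """Eve sniffs all three ciphertexts but holds no key: no content."""
    seen = [SINGLE, PAIR, NESTED]
    return [learns(seen, [], t) for t in ("msg", "msg_1", "msg_2")]


def eve_with_outer_key():
    """Eve holds K_BC: she strips the outer envelope of NESTED and obtains
    {msg}_{K_AB}, but not msg itself."""
    inner = learns([NESTED], [K_BC], Enc("msg", K_AB))
    content = learns([NESTED], [K_BC], "msg")
    return inner, content


def eve_with_both_keys():
    """With K_AB as well, both envelopes open and msg is exposed."""
    return learns([NESTED], [K_AB, K_BC], "msg")


def replay_is_not_prevented():
    """Eve needs no key to put a recorded envelope back on the wire: the
    ciphertext itself is in her knowledge, and whoever holds K_AB opens
    the replayed copy exactly as the original."""
    eve_can_resend = SINGLE in analyse([SINGLE], [])
    recipient_reads = learns([SINGLE], [K_AB], "msg")   # the replayed copy
    return eve_can_resend, recipient_reads
```

\noindent The model deliberately has no rule for guessing or breaking a
key, which is the ``encryption cannot be broken'' assumption made
explicit; whatever a later protocol is supposed to guarantee has to follow
from the message structure alone.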

Another very important point is that the notation for
protocols such as shown in \eqref{SYNACK} is a
\underline{schema} for how the protocol should proceed.
It could be instantiated by an actual protocol run
between Alice, say, and the server Calcium at King's. In this
case the specific instance would look like

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Alice} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Alice}: & SYN\_ACK\\
\text{Alice} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent But a server like Calcium of course needs to
serve many clients. So there could be the same protocol
also running with Bob, say

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Bob} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Bob}: & SYN\_ACK\\
\text{Bob} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent And these two instances of the protocol could be
running in parallel or be at different stages. So the protocol
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   209
schema shown in \eqref{SYNACK} can be thought of how two 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   210
programs need to run on the side of $A$ and $S$ in order to 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   211
successfully complete the protocol. But it is really just a 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   212
blue print how the communication is supposed to proceed. 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   213
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   214
This is actually already a way how such protocols can fail. 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   215
Although very simple the $SYN\_ACK$ protocol can cause 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   216
headaches for system administrators where an attacker
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   217
starts the protocol, but does not complete it. This looks 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   218
graphically like
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   219
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   220
\begin{center}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   221
\includegraphics[scale=0.4]{../pics/synflood.png}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   222
\end{center}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   223
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   224
\noindent The attacker sends lots of $SYN$ requests which the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   225
server dutifully answers, but needs to keep track of such
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   226
protocol exchanges. So every time a little bit of memory
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   227
resource will be eaten away on the server side until all
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   228
resources are exhausted and when Alice tries to contact the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   229
server then the server is overwhelmed and does not respond
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   230
anymore. This kind of attack are called \emph{SYN
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   231
floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}}
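The memory cost of half-open handshakes, and one way a server can avoid paying it, as an added example in Python (written for this discussion; not code from the handout). It assumes a toy \texttt{StatefulServer} with a fixed backlog and a \texttt{CookieServer} that, in the spirit of SYN cookies, stores nothing per $SYN$ and instead puts an HMAC of the client's address into its reply; real TCP SYN cookies encode the value into the sequence number, which this model skips. Client addresses and the server secret are constructed, and no real sockets are involved.

```python
"""Half-open state in the SYN / SYN_ACK / ACK handshake (added example).

Toy model, not the handout's code and not a real TCP stack: the server
side of the three-way handshake, used to show why SYNs that are never
ACKed cost the server memory, and how a stateless cookie avoids that.
"""
import hashlib
import hmac
import os


class StatefulServer:
    """Allocates one table entry per SYN and frees it on the matching ACK."""

    def __init__(self, backlog=128):
        self.backlog = backlog          # maximum number of half-open entries
        self.half_open = set()
        self.established = 0
        self.refused = 0                # SYNs dropped because the table was full

    def on_syn(self, client):
        """Return the SYN_ACK, or None if no room is left in the table."""
        if len(self.half_open) >= self.backlog:
            self.refused += 1           # an honest Alice is refused here too
            return None
        self.half_open.add(client)      # this is the memory the attacker eats
        return "SYN_ACK"

    def on_ack(self, client, _reply):
        if client not in self.half_open:
            return False
        self.half_open.remove(client)
        self.established += 1
        return True


class CookieServer:
    """Keeps no per-SYN state; verifies the handshake from the ACK alone.

    The SYN_ACK carries a MAC over the client's address under a secret only
    the server holds.  The client echoes it in its ACK, so an ACK can be
    checked without the server having remembered the SYN at all.
    """

    def __init__(self):
        self.secret = os.urandom(16)    # constructed per-run secret
        self.established = 0

    def _cookie(self, client):
        return hmac.new(self.secret, client.encode(), hashlib.sha256).hexdigest()[:16]

    def on_syn(self, client):
        return self._cookie(client)     # the reply carries the cookie

    def on_ack(self, client, reply):
        if not hmac.compare_digest(reply, self._cookie(client)):
            return False                # forged or foreign cookie
        self.established += 1
        return True


def flood_then_alice(server, n_syns):
    """Model n_syns SYNs that are never ACKed, then one honest client.

    Returns True if Alice still completes her handshake afterwards.
    """
    for i in range(n_syns):             # constructed addresses, no real sockets
        server.on_syn(f"10.0.0.{i % 250}:{40000 + i}")
    reply = server.on_syn("alice:5000")
    return reply is not None and server.on_ack("alice:5000", reply)


if __name__ == "__main__":
    print("stateful, 200 unfinished SYNs:", flood_then_alice(StatefulServer(128), 200))
    print("cookie,   200 unfinished SYNs:", flood_then_alice(CookieServer(), 200))
```

With a backlog of 128, two hundred unfinished handshakes lock Alice out of the stateful server, while the cookie server, having nothing to exhaust, still accepts her; the cookie check also rejects an ACK whose cookie was not issued under the server's secret.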
After reading four pages, you might be wondering where the
magic is. For this let us take a closer look at authentication
protocols.

\subsubsection*{Authentication Protocols}

The simplest authentication protocol between principals
$A$ and $B$, say, is

\begin{center}
$A \to B: K_{AB}$
\end{center}

\noindent It can be thought of as $A$ sending a common secret to
$B$, like a password. The idea is that if only $A$ and $B$ know
the key $K_{AB}$, then this should be sufficient for $B$ to
infer it is talking to $A$. But this is of course too naive
if the message can be observed by everybody else on the
network. Eve could just record this message $A$ just sent, and
next time send the same message to $B$; $B$ would believe
it talked to $A$, but actually it talked to Eve, who now
clears out $A$'s bank account if $B$ had been a bank.

A more sophisticated protocol, which tries to avoid this
replay attack, is as follows

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $HELLO$\\
$B \to A:$ & $N$\\
$A \to B:$ & $\{N\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent With this protocol the idea is that $A$ first sends
a message to $B$ saying ``I want to talk to you''. $B$ then sends
a challenge in the form of a random number $N$. In protocols
such random numbers are often called \emph{nonces}. What is the
purpose of this nonce? Well, if an attacker records $A$'s
answer, it will not make sense to replay this message, because
the next time this protocol is run the nonce $B$ sends will be
different. So if we run this protocol, what can $B$ infer?
It has sent out an (unpredictable) nonce to $A$ and
received this challenge back, but encrypted under the key
$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$
and the nonce is unpredictable, then $B$ is able to
infer it must be talking to $A$. Of course the implicit
assumptions behind this inference are that nobody else knows
the key $K_{AB}$ and nobody else can decrypt the
message. $B$ of course can decrypt the answer from $A$
and check whether the answer corresponds to the challenge
(nonce) $B$ sent earlier.

But what about $A$? Can $A$ make any assumptions about who it
talks to? It dutifully answered the challenge and hopes its
bank, say, will be the only one to understand her answer. But
is this the case? No! Let us consider an attacker Eve who has
control over the network. She could have intercepted the
message $HELLO$ and just replied herself to $A$ using a random
number\ldots{} for example one which she observed in a
previous run of this protocol. Remember that if a message is
sent without curly braces it is sent in clear text. Then
$A$ would encrypt the nonce with the key $K_{AB}$ and send
it back to Eve. She just throws the answer away. $A$ would
hope that she talked to $B$ because she followed the protocol,
but unfortunately she cannot be sure who she is talking to.

The solution is to follow a \emph{mutual challenge-response}
protocol. There $A$ already starts off with a challenge (nonce)
of her own.

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $N_A$\\
$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
$A \to B:$ & $N_B$\\
\end{tabular}
\end{center}

\noindent As seen, $B$ receives this nonce, $N_A$, adds his
own nonce, $N_B$, and encrypts both with the key $K_{AB}$. $A$
receives this message, is able to decrypt it since we assume
she has the key $K_{AB}$, and sends back the nonce of $B$.
Let us analyse which assumptions $A$ and $B$ can make after
the protocol has run. $B$ received a challenge and answered
correctly to $A$ (in the encrypted message). An attacker
would just not be able to answer this challenge correctly,
because the attacker is assumed not to be in possession of
the key $K_{AB}$, and so could not have formed this message.
It could also not have just replayed an old message, because
$A$ sends out a fresh nonce each time. So with this
protocol you can ensure also for $A$ that it talks to $B$.
I leave you to argue that $B$ can be sure to talk to $A$.
Of course these arguments will depend on the assumptions that
only $A$ and $B$ know the key $K_{AB}$, that nobody can
break the encryption unless they have this key, and that the
nonces are fresh each time the protocol is run.
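The three protocols above, run through a toy simulation in Python as an added example (not code from the handout). It assumes a constructed cipher \texttt{enc}/\texttt{dec} standing in for $\{\cdot\}_{K_{AB}}$, a \texttt{Wire} on which Eve records everything that is sent, and nonces drawn with the standard \texttt{secrets} module. It shows Eve's replay succeeding against the password protocol, failing against the nonce challenge, and Eve being unable to play $B$ in the mutual protocol, whether she forges a reply or replays an old one.

```python
"""Replay and challenge-response, in the handout's notation (added example).

Not the handout's code: a toy simulation of the three authentication
protocols discussed above, with Eve on the network recording and
replaying messages.  {m}_K is modelled by enc(K, m): a SHA-256 keystream
plus an HMAC tag, so a ciphertext can only be made or opened with the
right key.  It is a model for the argument, not a cipher to deploy.
"""
import hashlib
import hmac
import os
import secrets


def _keystream(key, iv, length):
    out = b""
    while len(out) < length:
        out += hashlib.sha256(key + iv + out[-32:]).digest()
    return out[:length]


def enc(key, msg):
    """{msg}_key: fresh IV, keystream XOR, then an HMAC tag over IV and body."""
    iv = os.urandom(16)
    body = bytes(m ^ s for m, s in zip(msg, _keystream(key, iv, len(msg))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def dec(key, blob):
    """Inverse of enc; None if the key is wrong or the message was altered."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        return None
    return bytes(m ^ s for m, s in zip(body, _keystream(key, iv, len(body))))


class Wire:
    """Everything sent is visible to Eve, who records it for later replay."""

    def __init__(self):
        self.log = []

    def send(self, msg):
        self.log.append(msg)
        return msg


def password_protocol(key, wire, message):
    """A -> B: K_AB.  B accepts whoever sends the right value."""
    return wire.send(message) == key


def nonce_protocol(key, wire, answer):
    """B -> A: N;  A -> B: {N}_K.  `answer` is whoever plays A.

    Note that A's side has nothing to check: A answers any number it is
    sent, which is why A cannot tell whether B or Eve issued the challenge.
    """
    n = wire.send(secrets.token_bytes(8))
    return dec(key, wire.send(answer(n))) == n


def a_mutual(key, responder):
    """A's side of A -> B: N_A;  B -> A: {N_A, N_B}_K;  A -> B: N_B.

    `responder` is whoever plays B.  Returns N_B if A accepts, else None.
    """
    n_a = secrets.token_bytes(8)
    plain = dec(key, responder(n_a))
    if plain is None or plain[:8] != n_a:   # wrong key, or a stale N_A
        return None
    return plain[8:]


def honest_b(key):
    """B holding K_AB: adds a fresh N_B and encrypts both nonces."""
    return lambda n_a: enc(key, n_a + secrets.token_bytes(8))


def eve_replaying(recorded):
    """Eve without the key: answers with a recorded {N_A, N_B}_K."""
    return lambda n_a: recorded


def eve_forging(n_a):
    """Eve without the key: encrypts under a key of her own choosing."""
    return enc(secrets.token_bytes(16), n_a + secrets.token_bytes(8))


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    w = Wire()
    print("password: A accepted", password_protocol(k, w, k))
    print("password: Eve's replay accepted", password_protocol(k, w, w.log[0]))
    w = Wire()
    print("nonce: A accepted", nonce_protocol(k, w, lambda n: enc(k, n)))
    print("nonce: Eve's replay accepted", nonce_protocol(k, w, lambda n: w.log[1]))
    print("mutual: honest B accepted", a_mutual(k, honest_b(k)) is not None)
    print("mutual: Eve forging accepted", a_mutual(k, eve_forging) is not None)
```

The check in \texttt{a\_mutual} is the whole point of $A$'s nonce: a reply that decrypts correctly but carries an $N_A$ from an earlier run is rejected just like one made under the wrong key, which is the freshness assumption stated above made concrete.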
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   330
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   331
There might be something mysterious about the nonces, the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   332
random numbers, that are sent around. They need to be
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   333
unpredictable and in this way fulfil an important role in
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   334
protocols. Suppose
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   335
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   336
\begin{enumerate}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   337
\item I generate a nonce and send it to you encrypted with a
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   338
      key we share
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   339
\item you increase it by one, encrypt it under a key I know
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   340
      and send it back to me 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   341
\end{enumerate}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   342
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   343
\noindent In our notation this would correspond to the 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   344
protocol
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   345
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   346
\begin{center}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   347
\begin{tabular}{l@{\hspace{2mm}}l}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   348
$I \to Y:$ & $\{N\}_{K_{IY}}$\\
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   349
$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   350
\end{tabular} 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   351
\end{center}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   352
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   353
\noindent What can I infer from this simple exchange:
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   354
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   355
\begin{itemize}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   356
\item you must have received my message (it could not just be
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   357
      deflected by somebody on the network, because the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   358
      response required some calculation; doing the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   359
      calculation and sending the answer requires the key
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   360
      $K_{IY}$)
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   361
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   362
\item you could only have generated your answer after I send
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   363
      you my initial message (since my $N$ is always new, it
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   364
      could not have been a message that was generated before
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   365
      I myself knew what $N$ is)
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   366
274
1e1008403f17 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 273
diff changeset
   367
\item if only you and me know the key $K_{IY}$, the message
266
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   368
      must have come from you
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   369
\end{itemize}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   370
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   371
\noindent Even if this does not seem much information I can
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   372
glean from such an exchange, it is in fact the basic building 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   373
blocks for establishing some secret or achieving some 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   374
security goal (like authentication).
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   375
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   376
While the mutual challenge-response protocol solves already
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   377
the authentication problem, there are some problems. One is of
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   378
course that it requires a pre-shared secret key. That is
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   379
something that needs to be established beforehand. Not all
267
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   380
situations allow such an assumption. For example if I am a
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   381
whistle blower (say Snowden) and want to talk to a journalist
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   382
(say Greenwald) then I might not have a secret pre-shared key.
265
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   383
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   384
267
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   385
Another problem is that such mutual challenge-response systems
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   386
often work in the same system in the ``challenge mode'' but
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   387
also in the ``response mode''. For example if two servers want
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   388
to talk to each other---they would need the protocol in
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   389
response mode, but also if they want to talk to other servers
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   390
in challenge mode. Similarly if you in an military aircraft
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   391
you have to challenge everybody you see, in case there is a
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   392
friend amongst the targets you like to shoot, but you also
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   393
have to respond to any of your own anti-aircraft guns on the
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   394
ground lest they shoot you. In these situations you have to be
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   395
careful to not decode, or answer, your own challenge. Recall 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   396
the protocol is

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \rightarrow B$: & $N_A$\\
$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
$A \rightarrow B$: & $N_B$\\
\end{tabular}
\end{center}

\noindent but it does not specify who is $A$ and who is $B$.
If, as supposed, the protocol works in response and in
challenge mode, then $A$ will be $A$ in one instance, but $B$
in the other. I hope this makes sense. Let us look at the
details and let us assume our adversary is $E$, who just deflects
our messages back to us.

\begin{center}
\begin{tabular}{lllll}
& \multicolumn{2}{l}{challenge mode:} &
\multicolumn{2}{l}{response mode:}\smallskip\\
1. & $A \rightarrow E$: & $N_A$\\
2. & & & $E \rightarrow A$: & $N_A$\\
3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
5. & $A \rightarrow E$: & $N_A'$\\
\end{tabular}
\end{center}

\noindent In the first step we challenge $E$ with a nonce we
created. Since we also run the protocol in ``response mode'',
$E$ can now feed us the same challenge in step 2. We do not
know where it came from (it's over the air), but if we are in
an aircraft we had better answer it quickly, otherwise we
risk being shot. So we add our own challenge $N'_A$ and
encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
does not need to know this key in order to form the correct
answer for the first protocol run: it just replays this
message back to us in the challenge mode (step 4). I happily
accept this message---after all it is encrypted under the
secret key $K_{AB}$ and it contains the correct challenge from
me, namely $N_A$. So I accept that $E$ is a friend and even
send back the challenge $N'_A$. The problem is that $E$ now
starts firing at me and I have no clue what is going on. I
might suspect, erroneously, that an idiot must have leaked the
secret key, because I followed in both cases the protocol to
the letter, but somehow $E$, unknowingly to me and with my help,
managed to disguise itself as a friend. As a pilot, I would be a bit
peeved at that moment and would have preferred the designer of
this challenge-response protocol had been a tad smarter. For
one thing, they violated the best practice in protocol design
by using the same key, $K_{AB}$, for two different
purposes---challenging and responding. They should have used
two different keys. This would have averted this attack and
would have saved me a lot of trouble.
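The reflection just described, as an added example that is not part of the handout: a symbolic Python model in which $\{\cdot\}_K$ is an opaque term that only a holder of the same key name can open, run once with the handout's single key $K_{AB}$ for both purposes and once with two role-specific keys. The class name \texttt{Party}, the key names \texttt{K\_AB}/\texttt{K\_BA} and the nonce format are assumptions of the example.

```python
from dataclasses import dataclass
from secrets import token_hex

# Added example (not the handout's code). Symbolic model of the
# challenge-response protocol: {N_A, N_B}_K is an opaque Enc term
# that can only be opened by someone holding the same key name.
# The adversary E holds no key; it can only deflect messages.


@dataclass(frozen=True)
class Enc:
    key: str        # name of the key the payload is encrypted under
    payload: tuple  # (nonce echoed back, fresh nonce of the responder)


def decrypt(term, key):
    """Open an Enc term; fails unless the key names match."""
    if not isinstance(term, Enc) or term.key != key:
        raise ValueError("wrong key")
    return term.payload


class Party:
    """A plane (or server) that runs the protocol in both modes.

    chal_key: key under which it expects answers to its own challenges
    resp_key: key under which it encrypts answers to others' challenges
    In the handout's design both are the same key K_AB.
    """

    def __init__(self, name, chal_key, resp_key):
        self.name = name
        self.chal_key = chal_key
        self.resp_key = resp_key
        self.pending = None  # our outstanding challenge nonce

    def challenge(self):
        # challenge mode, step 1: send a fresh nonce in the clear
        self.pending = f"N_{self.name}_{token_hex(4)}"
        return self.pending

    def respond(self, nonce):
        # response mode, steps 2/3: answer any challenge heard over the
        # air with {nonce, N'}_{resp_key}, adding our own nonce N'
        own = f"N'_{self.name}_{token_hex(4)}"
        return Enc(self.resp_key, (nonce, own))

    def check(self, reply):
        # challenge mode, steps 4/5: accept a friend only if the reply
        # is under chal_key and echoes our pending nonce
        try:
            echoed, _their_nonce = decrypt(reply, self.chal_key)
        except ValueError:
            return False
        return echoed == self.pending


def reflection_run(a):
    """E merely deflects A's own messages; True if A accepts E as friend."""
    n_a = a.challenge()        # 1. A -> E : N_A
    answer = a.respond(n_a)    # 2. E -> A : N_A ; 3. A -> E : {N_A, N_A'}_K
    return a.check(answer)     # 4. E -> A : same term ; 5. does A accept?


def honest_run(a, b):
    """A challenges B directly; True if A accepts B."""
    return a.check(b.respond(a.challenge()))


def single_key_reflection():
    # the handout's design: one key K_AB for both purposes
    return reflection_run(Party("A", chal_key="K_AB", resp_key="K_AB"))  # True


def two_key_reflection():
    # the fix the handout suggests: A answers under K_AB but expects
    # answers to its own challenges under a different key K_BA
    return reflection_run(Party("A", chal_key="K_BA", resp_key="K_AB"))  # False


def two_key_honest():
    # the two-key design still works between the real friends A and B
    a = Party("A", chal_key="K_BA", resp_key="K_AB")
    b = Party("B", chal_key="K_AB", resp_key="K_BA")
    return honest_run(a, b)  # True


if __name__ == "__main__":
    print("single key, reflected :", single_key_reflection())
    print("two keys,   reflected :", two_key_reflection())
    print("two keys,   honest    :", two_key_honest())
```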
\subsubsection*{Trusted Third Parties}

One limitation of the protocols we discussed so far is
that they presuppose a secret shared key. As already
mentioned, this is a convenience we cannot always assume.
How to establish a secret key then? Well, if both parties,
say $A$ and $B$, mutually trust a third party, say $S$,
then they can use the following protocol:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to S :$ & $A, B$\\
$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
$A \to B :$ & $\{m\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent The assumption in this protocol is that $A$ and $S$
share a secret key, and also $B$ and $S$ ($S$ being the
trusted third party). The goal is that $A$ can send $B$ a
message $m$ under a shared secret key $K_{AB}$, which at the
beginning of the protocol does not exist yet. How does this
protocol work? In the first step $A$ contacts $S$ and says
that it wants to talk to $B$. In turn $S$ invents a new key
$K_{AB}$ and sends two messages back to $A$: one message is
$\{K_{AB}\}_{K_{AS}}$, which is encrypted with the key $A$ and
$S$ share, and the other is the message
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$, which is encrypted with
$K_{BS}$ and then a second time with $K_{AS}$. The point of
the second message is that it is a message intended for $B$.
So $A$ receives both messages and can decrypt them---in the
first case it obtains the key $K_{AB}$ which $S$ suggested to
use. In the second case it obtains a message it can forward to
$B$. $B$ receives this message and, since it knows the key it
shares with $S$, obtains the key $K_{AB}$. Now $A$ and $B$ can
start to exchange messages with the shared secret key
$K_{AB}$. What is the advantage of $S$ sending $A$ two
messages instead of contacting $B$ directly? Well, for one,
there can now be a time delay between the second and
third step in the protocol. At some point in the past
$A$ and $S$ need to have come together to share
a key, similarly $B$ and $S$. After that $B$ does not need to
be ``online'' anymore until $A$ actually starts sending messages
to $B$. $A$ and $S$ can completely on their own negotiate a
new key.
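The key-distribution run just described, as an added example that is not the handout's code: a symbolic Python model in which $S$ invents $K_{AB}$ and wraps it twice, $A$ can open only the outer layer of the second message and forwards the inner one, and $B$ opens that with $K_{BS}$; the run also records that $S$, having invented $K_{AB}$, can read $\{m\}_{K_{AB}}$ as well. The class names, the key-name format and the sample message are assumptions of the example.

```python
from dataclasses import dataclass
from secrets import token_hex

# Added example (not the handout's code). Symbolic model: Enc(key, x)
# stands for {x}_key and can be opened only with the same key name.


@dataclass(frozen=True)
class Enc:
    key: str
    payload: object


def decrypt(term, key):
    if not isinstance(term, Enc) or term.key != key:
        raise ValueError("cannot open: wrong key")
    return term.payload


class Server:
    """S: shares K_AS with A and K_BS with B, invents session keys."""

    def __init__(self):
        self.long_term = {"A": "K_AS", "B": "K_BS"}
        self.issued = {}  # S keeps every session key it handed out

    def request(self, a, b):
        # step 2: {K_AB}_{K_AS} and {{K_AB}_{K_BS}}_{K_AS}
        k_ab = f"K_{a}{b}_{token_hex(4)}"
        self.issued[(a, b)] = k_ab
        return (Enc(self.long_term[a], k_ab),
                Enc(self.long_term[a], Enc(self.long_term[b], k_ab)))


class Principal:
    def __init__(self, name, key_with_s):
        self.name = name
        self.key_with_s = key_with_s
        self.session = {}  # peer -> session key

    def initiate(self, server, peer):
        # step 1: A -> S : A, B ; step 2: unwrap both replies with K_AS
        m1, m2 = server.request(self.name, peer)
        self.session[peer] = decrypt(m1, self.key_with_s)
        return decrypt(m2, self.key_with_s)  # {K_AB}_{K_BS}, to forward

    def can_open(self, term):
        try:
            decrypt(term, self.key_with_s)
            return True
        except ValueError:
            return False

    def accept_ticket(self, ticket, peer):
        # step 3: B unwraps {K_AB}_{K_BS} with the key it shares with S
        self.session[peer] = decrypt(ticket, self.key_with_s)

    def send(self, peer, m):
        return Enc(self.session[peer], m)  # step 4: {m}_{K_AB}

    def receive(self, peer, c):
        return decrypt(c, self.session[peer])


def run_protocol(m="meet at noon"):
    """Run the four steps; report who can read {m}_{K_AB}."""
    s, a, b = Server(), Principal("A", "K_AS"), Principal("B", "K_BS")
    ticket = a.initiate(s, "B")
    a_opens_ticket = a.can_open(ticket)   # False: inner layer is for B only
    b.accept_ticket(ticket, "A")          # may happen long after step 2
    c = a.send("B", m)
    return {
        "b_reads": b.receive("A", c),
        "a_can_open_ticket": a_opens_ticket,
        # the limitation: S invented K_AB, so S can read everything too
        "s_reads": decrypt(c, s.issued[("A", "B")]),
    }


if __name__ == "__main__":
    print(run_protocol())
```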
The major limitation of this protocol, however, is that I need
to trust a third party. And in this case completely, because
$S$ can of course also easily read all messages $A$ sends to
$B$. The problem is that I cannot really think of any
institution that could serve as such a trusted third party. One
would hope the government would be such a trusted party, but
in the Snowden era we know that this is wishful thinking in
the West, and if I lived in Iran or North Korea, for example,
I would not even start to hope for this.

The cryptographic ``magic'' of public-private keys
seems to offer an elegant solution for this, but as we shall
see in the next section, this requires some very clever
protocol design.

\subsubsection*{Averting Person-in-the-Middle Attacks}

The idea of public-private key encryption is that one can make
public the key $K^{pub}$, which people can use to encrypt
messages for me, and I can use my key $K^{priv}$ to be the
only one that can decrypt them. While this sounds all good, it
relies on people being able to associate me, for example, with my
public key. That is not as trivial as it sounds. For example,
if I were the government, say Cameron, and tried to find out
who the troublemakers in the country are, I would publish an
innocent-looking webpage and say I am The Guardian newspaper
(or alternatively The Sun for all the juicy stories), publish
a public key on it, and then just wait for incoming messages.

This problem is supposed to be solved by using certificates.
The purpose of certification organisations is that they verify
that a public key, say $K^{pub}_{Bob}$, really belongs to Bob.
This is also the mechanism underlying the HTTPS protocol. The
problem is that this system is essentially completely
broken\ldots{}but this is a story for another time. Suffice
it to say for now that one of the main certification
organisations, VeriSign, has limited its liability to \$100 in
case it issues a false certificate. This is really a joke and
really the wrong incentive for the certification organisations
to clean up their mess.

The problem we want to study more closely here is that protocols
based on public-private key encryption are susceptible to
person-in-the-middle attacks. Consider the following protocol
where $A$ and $B$ attempt to exchange secret messages using
public-private keys.

\begin{itemize}
\item $A$ sends its public key to $B$
\item $B$ sends its public key to $A$
\item $A$ sends a message encrypted with $B$'s public
key,\\ $B$ decrypts it with its private key
\item $B$ sends a message encrypted with $A$'s public
key,\\ $A$ decrypts it with its private key
\end{itemize}

\noindent In our formal notation for protocols, this would
look as follows:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B :$ & $K^{pub}_A$\smallskip\\
$B \to A :$ & $K^{pub}_B$\smallskip\\
$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent Since we assume an attacker, say $E$, has complete
control over the network, $E$ can intercept the first two
messages and substitute her own public key. The protocol
run would therefore be

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
4. & $E \to A :$ & $K^{pub}_E$\smallskip\\
5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent where in steps 6 and 8, $E$ can modify the messages
by including $E$ in the message. Both messages are
received encrypted with $E$'s public key; therefore $E$ can
decrypt them and repackage them with new content. $A$ and $B$ have
no idea that they are talking to an attacker. To them all messages
look legit. Because $E$ can modify messages, it seems very
difficult to defend against this attack.
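The person-in-the-middle run above, as an added example that is not part of the handout: a symbolic Python model of the four-message exchange, run once over an honest network and once with $E$ swapping in her own public key, returning what $A$, $B$ and $E$ end up reading. It shows why the two runs are indistinguishable to $A$ and $B$: nothing in the protocol ties a public key to a name. The class names and the sample messages are assumptions of the example.

```python
from dataclasses import dataclass

# Added example (not the handout's code). PubEnc(pub, x) stands for
# {x}_{K^pub} and can be opened only by the owner of the matching
# private key. Public keys are just names here; nothing ties a name
# to a key, which is exactly what E relies on.


@dataclass(frozen=True)
class PubEnc:
    pub: str        # public key the payload was encrypted under
    payload: tuple  # (claimed sender, message)


class Principal:
    def __init__(self, name):
        self.name = name
        self.pub = f"K_pub_{name}"
        self.peer_pub = None  # whatever public key arrived on the wire

    def learn_peer_key(self, pub):
        self.peer_pub = pub

    def encrypt(self, m):
        return PubEnc(self.peer_pub, (self.name, m))

    def decrypt(self, term):
        if term.pub != self.pub:
            raise ValueError(f"{self.name} cannot decrypt this")
        return term.payload


class Attacker(Principal):
    """E controls the network: rekeys and relabels what passes through."""

    def __init__(self):
        super().__init__("E")
        self.learned = []

    def rekey(self, term, new_pub):
        # open with own private key, swap in own name, re-encrypt
        _sender, m = self.decrypt(term)
        self.learned.append(m)
        return PubEnc(new_pub, (self.name, m))


def run(mitm, m="m", m_reply="m'"):
    """Four-message exchange; with mitm=True, E sits between A and B."""
    a, b, e = Principal("A"), Principal("B"), Attacker()
    if not mitm:
        b.learn_peer_key(a.pub)                # A -> B : K^pub_A
        a.learn_peer_key(b.pub)                # B -> A : K^pub_B
        b_got = b.decrypt(a.encrypt(m))        # A -> B : {A,m}_{K^pub_B}
        a_got = a.decrypt(b.encrypt(m_reply))  # B -> A : {B,m'}_{K^pub_A}
    else:
        a_pub_on_wire = a.pub                  # 1. A -> E : K^pub_A
        b.learn_peer_key(e.pub)                # 2. E -> B : K^pub_E
        b_pub_on_wire = b.pub                  # 3. B -> E : K^pub_B
        a.learn_peer_key(e.pub)                # 4. E -> A : K^pub_E
        c1 = a.encrypt(m)                      # 5. A -> E : {A,m}_{K^pub_E}
        b_got = b.decrypt(e.rekey(c1, b_pub_on_wire))  # 6. {E,m}_{K^pub_B}
        c2 = b.encrypt(m_reply)                # 7. B -> E : {B,m'}_{K^pub_E}
        a_got = a.decrypt(e.rekey(c2, a_pub_on_wire))  # 8. {E,m'}_{K^pub_A}
    # both decryptions succeeded, so to A and B the run looks legit
    return {"a_got": a_got, "b_got": b_got, "e_learned": e.learned}


if __name__ == "__main__":
    print("honest:", run(mitm=False))
    print("attack:", run(mitm=True))
```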
But there is a clever trick\ldots{}dare I say some magic.
Modify the protocol above so that $A$ and $B$ send their
messages in two halves, like

\begin{center}
4796f424cf12 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 270
diff changeset
   598
\begin{tabular}{ll@{\hspace{2mm}}l}
275
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   599
1. & $A \to B :$ & $K^{pub}_A$\smallskip\\
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   600
2. & $B \to A :$ & $K^{pub}_B$\smallskip\\
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   601
3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
272
4f4612d5f670 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 271
diff changeset
   602
   & & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\
275
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   603
4. & $A \to B :$ & $H_1$\smallskip\\
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   604
5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   605
6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
06a04b3b2dda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 274
diff changeset
   606
7. & $B \to A :$ & $M_2$
271
4796f424cf12 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 270
diff changeset
   607
\end{tabular}
4796f424cf12 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 270
diff changeset
   608
\end{center}

\noindent The idea is that in step 3, $A$ encrypts the
message (with $B$'s public key) and then splits the encrypted
message into two halves. Say the encrypted message is

\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}}_{\{A,m\}_{K^{pub}_B}}$
\end{center}

\noindent then $A$ splits it up into two halves

\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad
$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$
\end{center}

\noindent Similarly $B$ splits its message into two halves
$M_1$ and $M_2$. However, $A$ initially only sends the first
half $H_1$ to $B$, which $B$ answers with the message
consisting of the received $H_1$ and its own first half $M_1$,
encrypted with $A$'s public key (the message in step 5). $A$
receives this message, decrypts it and only when the $H_1$
matches the first half it sent out earlier does $A$
send out the second half (see step 6). For this $A$
adds the received $M_1$ and encrypts both parts with $B$'s
public key. Finally $B$ checks whether the received $M_1$
matches its own first half, and if yes sends $A$ its
second half $M_2$. Now $A$ and $B$ are in possession
of $H_1$ and $H_2$, respectively $M_1$ and $M_2$, and can
decrypt the corresponding messages.

Now the big question is, why on earth does this splitting
of messages in half and additional message exchange help
with defending against person-in-the-middle attacks? Well,
let's try to be such an attacker. As before we intercept
the messages where public keys are exchanged and inject
our own.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
4. & $E \to A :$ & $K^{pub}_E$
\end{tabular}
\end{center}

\noindent
Now $A$ and $B$ build the message halves:

\[
\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad
\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2
\]

\noindent and $A$ sends $E$ its first half of the message.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
5. & $A \to E :$ & $H_1$
\end{tabular}
\end{center}

\noindent Neither $E$ nor $B$ can do much with this message.
Remember it is only half of some ``garbled'' text that cannot
be decrypted. $E$ could try to forward the message to $B$ and
see what its reply is.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
6. & $E \to B :$ & $H_1$\\
7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
\end{tabular}
\end{center}

\noindent $E$ can decrypt this message with its
private key, but it only gets the halves $H_1$ and $M_1$, which
are of no use yet. In order to get more information it
can send the message on to $A$, encrypted with $A$'s public key.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent $A$ would receive this message, decrypt it and
find out it matches with its expectation. It therefore
sends out the message

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
\end{tabular}
\end{center}

\noindent Now $E$ is in the possession of $H_1$ and $H_2$,
which it can join together in order to obtain
$\{A,m\}_{K^{pub}_E}$, which it can decrypt. It seems
like from now on all is lost, but let's see: in order to
stay undetected it must send a message to $B$. It now has two
options: one is to use the newly obtained knowledge and
modify $A$'s message to be

\[
\{E,m\}_{K^{pub}_B} \;\mapsto\; H'_1,H'_2
\]

\noindent But notice that since $E$ changed the message,
it will now obtain two different halves; let us call
them $H'_1$ and $H'_2$. If $E$ now sends $B$ the $H'_2$,
$B$ will be in the possession of $H_1$ and $H'_2$. But
after joining both halves it will not be able to
decrypt the resulting message---the two halves simply
do not fit. So $E$ can only send out the original $H_2$
as follows:

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
\end{tabular}
\end{center}

\noindent
In this case $B$ can make sense out of the message and
as a result sends $E$ back its second half $M_2$.

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
11. & $B \to E :$ & $M_2$
\end{tabular}
\end{center}

\noindent $E$ might be ecstatic by now, because it has now
also received $M_1$ and $M_2$, which it can join to
get $\{B, m'\}_{K^{pub}_E}$. It can decrypt this message
but is still not finished, because it has to send
$A$ a message. It could try to build the message
$\{E, m'\}_{K^{pub}_A}$, but like above $A$ would not be able
to make sense of the two halves (which again do not fit
together). So the only option is to send $M_2$.

With this the protocol has ended. $E$ was able to decrypt all
messages, but what messages did $A$ and $B$ receive and from
whom? Do you notice that they will find out that something
strange has happened and probably not talk on this channel
anymore? I leave you to think about it.
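The honest run (steps 1 to 7) and the attacker's run (steps 1 to 11) above, as a Python simulation added to this handout (example code, not the author's). Python's standard library has no public-key cipher, so an HMAC-authenticated stream cipher stands in for encryption under $K^{pub}_X$ (anyone may encrypt under $K_X$, only $X$ decrypts), and the length-prefixed \texttt{pack}/\texttt{unpack} encoding of tuples such as $\{A,m\}$ is an assumption of the example.

```python
"""Split-message (interlock) protocol from the handout, steps 1-7, and the
person-in-the-middle run, steps 1-11.  Example code added to the handout.
Python's standard library has no public-key cipher, so an HMAC-authenticated
stream cipher stands in: K_X is party X's key; anyone may enc() under it (as
with a public key) but, to mimic the asymmetric setting, only X calls dec()."""
import hashlib
import hmac
import secrets

NONCE, TAG = 16, 16

def _keystream(key, nonce, n):
    """n bytes of counter-mode SHA-256 output (stand-in, not a real cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def enc(key, pt):
    """{pt}_key  ->  nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG]

def dec(key, blob):
    """Inverse of enc; raises ValueError when the blob does not verify."""
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(want, tag):
        raise ValueError("the two halves do not fit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def halves(blob):
    """Step 3: split an encrypted message into its two halves."""
    return blob[:len(blob) // 2], blob[len(blob) // 2:]

def fits(key, blob):
    """Can the owner of key make sense of these joined halves?"""
    try:
        dec(key, blob)
        return True
    except ValueError:
        return False

def pack(*parts):
    """Length-prefixed encoding of a tuple such as {A, m} or {H_1, M_1}."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def unpack(blob):
    parts, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        parts.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return parts

def honest_run(m, m2):
    """Steps 1-7 with no attacker; returns (what B reads, what A reads)."""
    K_A, K_B = secrets.token_bytes(32), secrets.token_bytes(32)  # 1./2.
    H1, H2 = halves(enc(K_B, pack(b"A", m)))                     # 3. {A,m}_{K_B}
    M1, M2 = halves(enc(K_A, pack(b"B", m2)))                    #    {B,m'}_{K_A}
    a_H1, a_M1 = unpack(dec(K_A, enc(K_A, pack(H1, M1))))        # 4./5.
    if a_H1 != H1:
        raise ValueError("A: echoed H1 differs from the half A sent")
    b_H2, b_M1 = unpack(dec(K_B, enc(K_B, pack(H2, a_M1))))      # 6.
    if b_M1 != M1:
        raise ValueError("B: echoed M1 differs from the half B sent")
    # 7. B -> A : M2.  Both join their halves and decrypt.
    return unpack(dec(K_B, H1 + b_H2)), unpack(dec(K_A, a_M1 + M2))

def mitm_run(m, m2):
    """Steps 1-11 after E has replaced both public keys by K_E."""
    K_A, K_B, K_E = (secrets.token_bytes(32) for _ in range(3))
    H1, H2 = halves(enc(K_E, pack(b"A", m)))        # A takes K_E for B's key
    M1, M2 = halves(enc(K_E, pack(b"B", m2)))       # B takes K_E for A's key
    # 5./6. A -> E : H1, forwarded unchanged.  7. B -> E : {H1, M1}_{K_E}
    e_H1, e_M1 = unpack(dec(K_E, enc(K_E, pack(H1, M1))))
    # 8. E -> A : {H1, M1}_{K_A}.  A's check passes, so 9. A -> E : {H2, M1}_{K_E}
    a_H1, a_M1 = unpack(dec(K_A, enc(K_A, pack(e_H1, e_M1))))
    if a_H1 != H1:
        raise ValueError("A: echoed H1 differs from the half A sent")
    e_H2, _ = unpack(dec(K_E, enc(K_E, pack(H2, a_M1))))
    # Option 1: build {E,m}_{K_B} -> H'_1,H'_2 and give B the new H'_2.
    _, Hp2 = halves(enc(K_B, pack(b"E", m)))
    substitution_fits = fits(K_B, H1 + Hp2)          # B still holds the old H1
    # Option 2 (step 10): E -> B : {H2, M1}_{K_B}.  B's M1 check passes and
    # 11. B -> E : M2, which E can only forward to A unchanged.
    b_H2, b_M1 = unpack(dec(K_B, enc(K_B, pack(e_H2, e_M1))))
    if b_M1 != M1:
        raise ValueError("B: echoed M1 differs from the half B sent")
    return {
        "E_reads": (unpack(dec(K_E, e_H1 + e_H2)), unpack(dec(K_E, e_M1 + M2))),
        "substitution_fits": substitution_fits,
        "B_can_decrypt": fits(K_B, H1 + b_H2),       # joins {A,m}_{K_E}, key K_B
        "A_can_decrypt": fits(K_A, a_M1 + M2),       # joins {B,m'}_{K_E}, key K_A
    }
```

The flags returned by \texttt{mitm\_run} show why the substitution described in the text fails and what $A$ and $B$ find when they join the halves they finally hold.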

Recall from the beginning that a person-in-the-middle
attack can easily be mounted on the key fob and car
protocol unless we are careful. If you look at actual
key fob protocols, they use a variant of the protocol
described above. Suppose $C$ is the car and $T$ is the key fob
(transponder). The HiTag2 protocol used in cars of
VW \& friends is as follows:

\begin{enumerate}
\item $C$ generates a random number $N$
\item $C$ calculates $\{N\}_K \mapsto F,G$
\item $C \to T$: $N, F$
\item $T$ calculates $\{N\}_K \mapsto F',G'$
\item $T$ checks that $F = F'$
\item $T \to C$: $N, G'$
\item $C$ checks that $G = G'$
\end{enumerate}

\noindent The assumption is that the key $K$ is only known to
the car and the transponder. The claim is that $C$ and $T$ can
authenticate to each other. Again, I leave it to you to find
out the magic why this protocol is immune from
person-in-the-middle attacks.


\subsubsection*{Further Reading}

If you want to know more about how cars can be hijacked,
the paper

\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}

\noindent is quite amusing to read. Obviously an even more amusing
paper would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
Vehicle Immobilizer'' by the same authors, but because of the court
injunction by VW in this case, we are denied this entertainment.

Person-in-the-middle attacks from the ``wild'' are described
with real data in the blog post

\begin{center}
\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
\end{center}

\noindent The conclusion in this post is that person-in-the-middle attacks
can be launched from any place on Earth---it is not required
that you sit in the ``middle'' of the communication of two people.
You just have to route their traffic through a node you own.

An article in The Guardian from 2013 reveals how GCHQ and the NSA at a
G20 Summit in 2009 sniffed emails from Internet cafes, monitored phone
calls from delegates and attempted to listen in on phone calls which were made
by Russians and which were transmitted via satellite links:

\begin{center}
\url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
\end{center}

\noindent
\ldots all in the name of having a better position for
negotiations. Hmmm\ldots


\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: