handouts/ho05.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 29 Oct 2014 17:35:41 +0000
changeset 268 43629c8c88c6
parent 267 37821a377c4a
child 269 c4fa7e8a2ffa
permissions -rw-r--r--
updated
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     1
\documentclass{article}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     2
\usepackage{../style}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     3
\usepackage{../langs}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     4
\usetikzlibrary{patterns,decorations.pathreplacing}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     5
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     6
\begin{document}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     7
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     8
\section*{Handout 5 (Protocols)}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
     9
263
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    10
Protocols are the computer science equivalent to fractals and
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    11
the Mandelbrot set in mathematics. With the latter you have a
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    12
simple formula which you just iterate and then you test
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    13
whether a point is inside or outside a region, and voila
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    14
something magically
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    15
happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    16
\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    17
are similar: they are simple exchanges of messages, but in the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    18
end something ``magical'' can happen---for example a secret
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    19
channel has been established or two entities have
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    20
authenticated themselves to each other. The problem with magic
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    21
is of course it is poorly understood and even experts often
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    22
got, and get, it wrong with protocols. 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    23
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    24
To have an idea what kind of protocols we are interested, let
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    25
us look at a few examples. One example are (wireless) key 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    26
fobs which operate the central locking system and the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    27
ignition in a car.
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    28
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    29
\begin{center}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    30
\includegraphics[scale=0.075]{../pics/keyfob.jpg}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    31
\quad
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    32
\includegraphics[scale=0.2025]{../pics/startstop.jpg}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    33
\end{center}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    34
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    35
\noindent The point of these key fobs is that everything is
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    36
done over the ``air''---there is no physical connection
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    37
between the key, doors and engine. So we must achieve security
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    38
by exchanging certain messages between the key fob on one side
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    39
and doors and engine on the other. Clearly what we like to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    40
achieve is that I can get into my car and start it, but that
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    41
thieves are kept out. The problem is that everybody can
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    42
``overhear'' or skim the exchange of messages between the key
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    43
fob and car. In this scenario the simplest attack you need to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    44
defend against is a person-in-the-middle attack. Imagine you
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    45
park your car in front of a supermarket. One thief follows you
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    46
with a strong transmitter. A second thief ``listens'' to the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    47
signal from the car and wirelessly transmits it to the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    48
``colleague'' who followed you and who silently enquires about
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    49
the answer from the key fob. The answer is then send back to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    50
the thief at the car, which then dutifully opens and possibly
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    51
starts. No need to steal your key anymore.
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    52
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    53
But there are many more such protocols we like to consider.
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    54
Other examples are wifi---you might sit at a Starbucks and
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    55
talk wirelessly to the free access point there and from there
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    56
talk with your bank, for example. Also even if your have to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    57
touch your Oyster card at the reader each time you enter and
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    58
exit the Tube, it actually operates wirelessly and with
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    59
appropriate equipment over some quite large distance. But
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    60
there are many many more examples (Bitcoins, mobile
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    61
phones,\ldots). The common characteristics of the protocols we
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    62
are interested in here is that an adversary or attacker is
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    63
assumed to be in complete control over the network or channel
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    64
over which you exchanging messages. An attacker can install a
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    65
packet sniffer on a network, inject packets, modify packets,
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    66
replay old messages, or fake pretty much everything. In this
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    67
hostile environment, the purpose of protocols (that is
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    68
exchange of messages) is to achieve some security goal, for
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    69
example only allow the owner of the car in but everybody else
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    70
should be kept out.
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    71
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
    72
The protocols we are interested here are generic descriptions
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
    73
of how to exchange messages in order to achieve a goal, be it
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
    74
establishing a mutual secure connection or being able to
263
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    75
authenticate to a system. Unlike the distant past where for
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    76
example we had to meet a person in order to authenticate him
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    77
or her (via a passport for example), the problem we are facing
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    78
on the Internet is that we cannot easily be sure who we are
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    79
``talking'' to. The obvious reason is that only some electrons
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    80
arrive at our computer; we do not see the person, or computer,
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    81
behind the incoming electrons (messages). 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    82
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    83
To start, let us look at one of the simplest protocols that
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    84
are part of the TCP protocol (which underlies the Internet).
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    85
This protocol does not do anything security relevant, it just
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    86
establishes a ``hello'' from a client to a server which the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    87
server answers with ``I heard you'' and the client answers 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    88
in turn with something like ``thanks''. This protocol
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    89
is often called a \emph{three-way handshake}. Graphically it
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    90
can be illustrated as follows
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    91
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    92
\begin{center}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    93
\includegraphics[scale=0.5]{../pics/handshake.png}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    94
\end{center}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    95
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    96
\noindent On the left-hand side is a client, say Alice, on the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    97
right-hand side is a server, say. Time is running from top to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    98
bottom. Alice initial SYN message needs some time to travel to
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
    99
the server. The server answers with SYN-ACK, which will
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   100
require some time to arrive at Alice. Her answer ACK will
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   101
again take some time to arrive at the server. After the 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   102
messages are exchanged Alice and the server simply have 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   103
established a channel to communicate over. Alice does
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   104
not know whether she is really talking to the server (somebody 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   105
else on the network might have intercepted her message
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   106
and replied in place of the server). Similarly, the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   107
server has no idea who it is talking to. That this can be 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   108
established depends on what is exchanged next and is the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   109
point of the protocols we want to study in more detail.
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   110
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   111
Before we start in earnest, we need to fix a more
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   112
convenient notation for protocols. Drawing pictures like
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   113
the one above would be awkward in the long-run. The
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   114
notation already abstracts away from a few details we are
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   115
not interested in: for example the time the messages
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   116
need to travel between endpoints. What we are interested
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   117
in is in which order the messages are sent. For the SYN-ACK
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   118
protocol we will therefore use the notation 
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   119
264
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   120
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   121
\begin{equation}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   122
\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   123
A \to S: & SYN\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   124
S \to A: & SYN\_ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   125
A \to S: & ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   126
\end{array}\label{SYNACK}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   127
\end{equation}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   128
263
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   129
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   130
\noindent The left-hand side specifies who is the sender and
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   131
who is the receiver of the message. On the right of the colon
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   132
is the message that is send. The order from top to down
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   133
specifies in which order the messages are sent. We also
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   134
have the convention that messages like above $SYN$ are send
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   135
in clear-text over the network. If we want that a message is 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   136
encrypted, then we use the notation
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   137
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   138
\[
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   139
\{msg\}_{K_{AB}}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   140
\]  
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   141
  
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   142
  
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   143
\noindent for messages. The curly braces indicate a kind of
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   144
envelope which can only be opened if you know the key $K_{AB}$
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   145
with which the message has been encrypted. We always assume
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   146
that an attacker, say Eve, cannot get the content of the
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   147
message, unless she is also in the possession of the key. We
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   148
explicitly exclude in our study that the encryption can be
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   149
broken.\footnote{\ldots{}which of course is what a good
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   150
protocol designer needs to ensure and more often than not
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   151
protocols are broken. For example Oyster cards contain a very
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   152
weak encryption mechanism which has been attacked.} It is also
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   153
possible that an encrypted message contains several parts. In
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   154
this case we would write something like
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   155
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   156
\[
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   157
\{msg_1, msg_2\}_{K_{AB}}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   158
\] 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   159
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   160
\noindent But again Eve would not be able to know 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   161
this unless she also has the key. We also allow the 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   162
possibility that a message is encrypted twice under 
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   163
different keys. In this case we write
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   164
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   165
\[
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   166
\{\{msg\}_{K_{AB}}\}_{K_{BC}}
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   167
\] 
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   168
264
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   169
\noindent The idea is that even if attacker Eve has the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   170
key $K_{BC}$ she could decrypt the outer envelop, but
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   171
still do not get to the message, because it is still
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   172
encrypted with the key $K_{AB}$. Note, however,
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   173
while an attacker cannot obtain the content of the message
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   174
without the key, encrypted messages can be observed
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   175
and be recorded and then replayed at another time, or
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   176
send to another person!
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   177
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   178
Another very important point is that the notation for
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   179
protocols such as shown in \eqref{SYNACK} is a
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   180
\underline{schema} how the protocol should proceed.
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   181
It could be instantiated by an actual protocol run
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   182
between Alice, say, and the server Calcium at King's. In this 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   183
case the specific instance would look like
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   184
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   185
\[
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   186
\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   187
\text{Alice} \to \text{Calcium}: & SYN\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   188
\text{Calcium} \to \text{Alice}: & SYN\_ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   189
\text{Alice} \to \text{Calcium}: & ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   190
\end{array}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   191
\]
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   192
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   193
\noindent But a server like Calcium of course needs to
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   194
serve many clients. So there could be the same protocol
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   195
also running with Bob, say
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   196
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   197
\[
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   198
\begin{array}{l@{\hspace{2mm}}l}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   199
\text{Bob} \to \text{Calcium}: & SYN\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   200
\text{Calcium} \to \text{Bob}: & SYN\_ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   201
\text{Bob} \to \text{Calcium}: & ACK\\
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   202
\end{array}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   203
\]
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   204
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   205
\noindent And these two instances of the protocol could be
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   206
running in parallel or be at different stages. So the protocol
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   207
schema shown in \eqref{SYNACK} can be thought of how two 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   208
programs need to run on the side of $A$ and $S$ in order to 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   209
successfully complete the protocol. But it is really just a 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   210
blue print how the communication is supposed to proceed. 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   211
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   212
This is actually already a way how such protocols can fail. 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   213
Although very simple the $SYN\_ACK$ protocol can cause 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   214
headaches for system administrators where an attacker
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   215
starts the protocol, but does not complete it. This looks 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   216
graphically like
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   217
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   218
\begin{center}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   219
\includegraphics[scale=0.4]{../pics/synflood.png}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   220
\end{center}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   221
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   222
\noindent The attacker sends lots of $SYN$ requests which the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   223
server dutifully answers, but needs to keep track of such
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   224
protocol exchanges. So every time a little bit of memory
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   225
resource will be eaten away on the server side until all
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   226
resources are exhausted and when Alice tries to contact the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   227
server then the server is overwhelmed and does not respond
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   228
anymore. This kind of attack are called \emph{SYN
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   229
floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   230
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   231
After reading four pages, you might be wondering where the
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   232
magic is. For this let us take a closer look at authentication 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   233
protocols.
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   234
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   235
\subsubsection*{Authentication Protocols}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   236
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   237
The simplest authentication protocol between principals
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   238
$A$ and $B$, say is
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   239
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   240
\begin{center}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   241
$A \to B: K_{AB}$ 
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   242
\end{center}
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   243
265
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   244
\noindent It can be sought of as $A$ sends a common secret to
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   245
$B$ like a password. The idea is that if only $A$ and $B$ know
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   246
the key $K_{AB}$ then this should be sufficient for $B$ to
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   247
infer it is talking to $A$. But this is of course too naive,
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   248
if the message can be observed by everybody else on the
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   249
network. Eve could just record this message $A$ just send, and
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   250
next time send the same message to $B$ and $B$ would believe
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   251
it talked to $A$. But actually it talked to Eve which now
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   252
clears out $A$s back account if $B$ had been a bank.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   253
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   254
A more sophisticated protocol which tries to avoid the
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   255
replay attack is as follows
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   256
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   257
\begin{center}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   258
\begin{tabular}{l@{\hspace{2mm}}l}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   259
$A \to B:$ & $HELLO$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   260
$B \to A:$ & $N$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   261
$A \to B:$ & $\{N\}_{K_{AB}}$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   262
\end{tabular}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   263
\end{center} 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   264
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   265
\noindent With this protocol the idea is that $A$ first sends 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   266
a message to $B$ saying ``I want to talk to you''. $B$ sends 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   267
then a challenge in form of a random number $N$. In protocols 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   268
such random numbers are often called \emph{nonce}. What is the
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   269
purpose of this nonce? Well, if an attacker records $A$ 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   270
answer, it will not make sense to replay this message, because
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   271
next time this protocol is run the nonce $B$ sends will be
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   272
different. So if we run this protocol, what can $B$ infer:
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   273
it has send out an (unpredictable) nonce to $A$ and
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   274
received this challenge back, but encoded under the key 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   275
$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   276
and the nonce is unpredictable, then $B$ is able to
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   277
infer it must be talking to $A$. Of course the implicit 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   278
assumption on this inference are that nobody else knows
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   279
about the key $K_{AB}$ and nobody else can decrypt the
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   280
message. $B$ of course can decrypt the answer from $A$
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   281
and check whether the answer corresponds to the challenge
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   282
(nonce) $B$ has send earlier.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   283
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   284
But what about $A$? Can $A$ make any assumptions about who it
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   285
talks to? It dutifully answered the challenge and hopes its
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   286
bank, say, will be the only one to understand her answer. But
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   287
is this the case? No! Lets consider an attacker Eve who has
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   288
control over the network. She could have intercepted the
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   289
message $HELLO$ and just replied herself to $A$ using a random
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   290
number\ldots{} for example one which she observed in a
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   291
previous run of this protocol. Remember that if a message is
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   292
send without curly braces it is sent in clear text. Then
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   293
$A$ would encrypt the nonce with the key $K_{AB}$ and send
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   294
it back to Eve. She just throws the answer away. $A$ would
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   295
hope that she talked to $B$ because she followed the protocol,
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   296
but unfortunately she cannot be sure who she is talking to. 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   297
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   298
The solution is to follow a \emph{mutual challenge-response}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   299
protocol. There $A$ already starts off with a challenge (nonce)
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   300
on her own.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   301
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   302
\begin{center}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   303
\begin{tabular}{l@{\hspace{2mm}}l}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   304
$A \to B:$ & $N_A$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   305
$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   306
$A \to B:$ & $N_B$\\
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   307
\end{tabular} 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   308
\end{center}
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   309
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   310
\noindent As seen, $B$ receives this nonce, $N_A$, adds his
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   311
own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   312
receives this message, is able to decrypt it since we assume
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   313
she has the key $K_{AB}$, and sends back the nonce of $B$.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   314
Let us analyse which assumptions $A$ and $B$ can make after 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   315
the protocol has run. $B$ received a challenge and answered 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   316
correctly to $A$ (in the encrypted message). An attacker
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   317
would just not be able to answer this challenge correctly 
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   318
because the attacker is assumed to not be in the possession of
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   319
the key $K_{AB}$; so could not have formed this message.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   320
It could also not have just replayed an old message, because
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   321
$A$ would send out each time a fresh nonce. So with this
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   322
protocol you can ensure also for $A$ that it talks to $B$.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   323
I leave you to argue that $B$ can be sure to talk to $A$.
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   324
Of course these arguments will depend on the assumptions that
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   325
only $A$ and $B$ know the key $K_{AB}$ and that nobody can
266
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   326
break the encryption unless they have this key and that the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   327
nonces are fresh each time the protocol is run.
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   328
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   329
There might be something mysterious about the nonces, the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   330
random numbers, that are sent around. They need to be
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   331
unpredictable and in this way fulfil an important role in
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   332
protocols. Suppose
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   333
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   334
\begin{enumerate}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   335
\item I generate a nonce and send it to you encrypted with a
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   336
      key we share
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   337
\item you increase it by one, encrypt it under a key I know
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   338
      and send it back to me 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   339
\end{enumerate}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   340
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   341
\noindent In our notation this would correspond to the 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   342
protocol
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   343
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   344
\begin{center}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   345
\begin{tabular}{l@{\hspace{2mm}}l}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   346
$I \to Y:$ & $\{N\}_{K_{IY}}$\\
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   347
$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   348
\end{tabular} 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   349
\end{center}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   350
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   351
\noindent What can I infer from this simple exchange:
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   352
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   353
\begin{itemize}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   354
\item you must have received my message (it could not just be
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   355
      deflected by somebody on the network, because the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   356
      response required some calculation; doing the
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   357
      calculation and sending the answer requires the key
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   358
      $K_{IY}$)
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   359
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   360
\item you could only have generated your answer after I send
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   361
      you my initial message (since my $N$ is always new, it
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   362
      could not have been a message that was generated before
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   363
      I myself knew what $N$ is)
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   364
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   365
\item if only you and me know the key $K_{IY$, the message
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   366
      must have come from you
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   367
\end{itemize}
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   368
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   369
\noindent Even if this does not seem much information I can
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   370
glean from such an exchange, it is in fact the basic building 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   371
blocks for establishing some secret or achieving some 
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   372
security goal (like authentication).
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   373
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   374
While the mutual challenge-response protocol solves already
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   375
the authentication problem, there are some problems. One is of
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   376
course that it requires a pre-shared secret key. That is
e711cfd1ec70 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 265
diff changeset
   377
something that needs to be established beforehand. Not all
267
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   378
situations allow such an assumption. For example if I am a
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   379
whistle blower (say Snowden) and want to talk to a journalist
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   380
(say Greenwald) then I might not have a secret pre-shared key.
265
2ce6b7c94763 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 264
diff changeset
   381
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   382
267
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   383
Another problem is that such mutual challenge-response systems
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   384
often work in the same system in the ``challenge mode'' but
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   385
also in the ``response mode''. For example if two servers want
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   386
to talk to each other---they would need the protocol in
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   387
response mode, but also if they want to talk to other servers
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   388
in challenge mode. Similarly if you in an military aircraft
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   389
you have to challenge everybody you see, in case there is a
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   390
friend amongst the targets you like to shoot, but you also
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   391
have to respond to any of your own anti-aircraft guns on the
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   392
ground lest they shoot you. In these situations you have to be
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   393
careful to not decode, or answer, your own challenge. Recall 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   394
the protocol is
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   395
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   396
\begin{center}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   397
\begin{tabular}{l@{\hspace{2mm}}l}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   398
$A \rightarrow B$: & $N_A$\\  
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   399
$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   400
$A \rightarrow B$: & $N_B$\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   401
\end{tabular}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   402
\end{center}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   403
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   404
\noindent but it does not specify who is $A$ and who is $B$.
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   405
If, as supposed, the protocol works in response and in 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   406
challenge mode, then $A$ will be $A$ in one instance, but $B$
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   407
in the other. I hope this makes sense. Let us look at the 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   408
details and lets assume our adversary is $E$ who just deflects
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   409
our messages back to us. 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   410
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   411
\begin{center}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   412
\begin{tabular}{lllll}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   413
& \multicolumn{2}{l}{challenge mode:} & 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   414
\multicolumn{2}{l}{response mode:}\smallskip\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   415
1) & $A \rightarrow E$: & $N_A$\\ 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   416
2) & & & $E \rightarrow A$: & $N_A$\\ 
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   417
3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   418
4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   419
5) & $A \rightarrow E$: & $N_A'$\\
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   420
\end{tabular}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   421
\end{center}
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   422
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   423
\noindent In the first step we challenge $E$ with a nonce we
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   424
created. Since we also run the protocol in ``response mode'',
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   425
$E$ can now feed us the same challenge in step 2. We do not
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   426
know where it came from (it's over the air), but if we are in
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   427
an aircraft we should better quickly answer it, otherwise we
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   428
risk to be shot. So we add our own challenge $N'_A$ and
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   429
encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   430
does not need to know this key in order to form the correct
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   431
answer for the first protocol. It will just replays this
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   432
message back to us in the challenge mode (step 4). I happily
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   433
accept this message---after all it is encrypted under the
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   434
secret key $K_{AB}$ and it contains the correct challenge from
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   435
me, namely $N_A$. So I accept that $E$ is a friend and send
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   436
even back the challenge $N'_A$. The problem is that $E$ now
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   437
starts firing at me and I have no clue what is going on and
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   438
suspect, erroneously, that an idiot must have leaked the
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   439
secret key. I followed in both cases the protocol to the
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   440
letter, but somehow $E$, with my help, managed to disguise as
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   441
a friend. As a pilot, I would rather prefer the designer of
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   442
this challenge-response protocol were a tad smarter. For one
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   443
thing they violated the best practice in protocol design of
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   444
using the same key, $K_{AB}$, for two different
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   445
purposes---challenging and responding. They better had used
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   446
two different keys. This would have averted this attack and
37821a377c4a updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 266
diff changeset
   447
would have saved me a lot of trouble.
263
8a42736cce27 updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 249
diff changeset
   448
268
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   449
\subsubsection*{Trusted Third Parties}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   450
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   451
One limitation the protocols we discussed so far is
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   452
that they pre-suppose a secret shared key. As already 
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   453
mentioned, this is a convenience we cannot always assume.
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   454
How to establish a secret key then? Well, if both parties,
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   455
say $A$ and $B$, mutually trust a third party, say $S$, 
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   456
then they can use the following protocol:
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   457
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   458
\begin{center}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   459
\begin{tabular}{l@{\hspace{2mm}}l}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   460
$A \rightarrow S :$ & $A, B$\\
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   461
$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   462
$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   463
$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   464
\end{tabular}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   465
\end{center}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   466
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   467
\noindent The assumption in this protocol is that $A$ and $S$
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   468
share a secret key, and also $B$ and $S$ ($S$ being the
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   469
trusted third party). The goal is that $A$ can send $B$ a
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   470
message $m$ under a shared secret key $K_{AB}$, which at the
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   471
beginning of the protocol does not exist yet. How does this
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   472
protocol work? In the first step $A$ contacts $S$ and says
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   473
that it wants to talk to $B$. In turn $S$ invents a new key
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   474
$K_{AB}$ and sends two messages back to $A$: one message is
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   475
$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   476
$S$ share, and also the message
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   477
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which is encrypted with
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   478
$K_{AB}$ but also a second time with $K_{BS}$. The point of
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   479
the second message is that it is a message intended for $B$.
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   480
So a receives both messages and can decrypt them---in the
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   481
first case it obtains the key $K_{AB}$ which $S$ suggested to
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   482
use. In the second case it obtains a message it can forward to
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   483
$B$. $B$ receives this message and since it knows the key it
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   484
shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   485
start to exchange messages with the shared secret key
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   486
$K_{AB}$. What is the advantage of $S$ sending $A$ two 
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   487
messages instead of contacting $B$ instead? Well, for one
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   488
there can now be a time-delay between the second and
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   489
third step in the protocol. At some point in the past
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   490
$A$ and $S$ need to have come together to share
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   491
a key, similarly $B$ and $S$. After that $B$ does not need to
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   492
be ``online'' anymore until $A$ actually starts sending messages
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   493
to $B$. $A$ and $S$ can completely on their own negotiate a
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   494
new key. 
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   495
 
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   496
\subsubsection*{Averting Person-in-the-Middle Attacks}
43629c8c88c6 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 267
diff changeset
   497
264
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   498
\bigskip\bigskip
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   499
Keyfobs - protocol
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   500
264
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   501
\subsubsection*{Further Reading}
0079db1a1c9d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 263
diff changeset
   502
249
31a749eba8c1 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 245
diff changeset
   503
{\small
31a749eba8c1 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 245
diff changeset
   504
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}}
31a749eba8c1 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 245
diff changeset
   505
245
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   506
\end{document}
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   507
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   508
%%% Local Variables: 
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   509
%%% mode: latex
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   510
%%% TeX-master: t
630a3dd1efda updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   511
%%% End: