author | Christian Urban <christian dot urban at kcl dot ac dot uk> |
Wed, 29 Oct 2014 21:58:08 +0000 | |
changeset 271 | 4796f424cf12 |
parent 270 | 8f2749152f1e |
child 272 | 4f4612d5f670 |
permissions | -rw-r--r-- |
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1 |
\documentclass{article} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
3 |
\usepackage{../langs} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
4 |
\usetikzlibrary{patterns,decorations.pathreplacing} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
5 |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
6 |
\begin{document} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
7 |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
8 |
\section*{Handout 5 (Protocols)} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
9 |
|
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
10 |
Protocols are the computer science equivalent to fractals and |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
11 |
the Mandelbrot set in mathematics. With the latter you have a |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
12 |
simple formula which you just iterate and then you test |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
13 |
whether a point is inside or outside a region, and voila |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
14 |
something magically |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
15 |
happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal}, |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
16 |
\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
17 |
are similar: they are simple exchanges of messages, but in the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
18 |
end something ``magical'' can happen---for example a secret |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
19 |
channel has been established or two entities have |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
20 |
authenticated themselves to each other. The problem with magic |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
21 |
is of course it is poorly understood and even experts often |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
22 |
got, and get, it wrong with protocols. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
23 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
24 |
To have an idea what kind of protocols we are interested, let |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
25 |
us look at a few examples. One example are (wireless) key |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
26 |
fobs which operate the central locking system and the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
27 |
ignition in a car. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
28 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
29 |
\begin{center} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
30 |
\includegraphics[scale=0.075]{../pics/keyfob.jpg} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
31 |
\quad |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
32 |
\includegraphics[scale=0.2025]{../pics/startstop.jpg} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
33 |
\end{center} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
34 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
35 |
\noindent The point of these key fobs is that everything is |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
36 |
done over the ``air''---there is no physical connection |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
37 |
between the key, doors and engine. So we must achieve security |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
38 |
by exchanging certain messages between the key fob on one side |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
39 |
and doors and engine on the other. Clearly what we like to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
40 |
achieve is that I can get into my car and start it, but that |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
41 |
thieves are kept out. The problem is that everybody can |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
42 |
``overhear'' or skim the exchange of messages between the key |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
43 |
fob and car. In this scenario the simplest attack you need to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
44 |
defend against is a person-in-the-middle attack. Imagine you |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
45 |
park your car in front of a supermarket. One thief follows you |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
46 |
with a strong transmitter. A second thief ``listens'' to the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
47 |
signal from the car and wirelessly transmits it to the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
48 |
``colleague'' who followed you and who silently enquires about |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
49 |
the answer from the key fob. The answer is then send back to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
50 |
the thief at the car, which then dutifully opens and possibly |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
51 |
starts. No need to steal your key anymore. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
52 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
53 |
But there are many more such protocols we like to consider. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
54 |
Other examples are wifi---you might sit at a Starbucks and |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
55 |
talk wirelessly to the free access point there and from there |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
56 |
talk with your bank, for example. Also even if your have to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
57 |
touch your Oyster card at the reader each time you enter and |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
58 |
exit the Tube, it actually operates wirelessly and with |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
59 |
appropriate equipment over some quite large distance. But |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
60 |
there are many many more examples (Bitcoins, mobile |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
61 |
phones,\ldots). The common characteristics of the protocols we |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
62 |
are interested in here is that an adversary or attacker is |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
63 |
assumed to be in complete control over the network or channel |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
64 |
over which you exchanging messages. An attacker can install a |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
65 |
packet sniffer on a network, inject packets, modify packets, |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
66 |
replay old messages, or fake pretty much everything. In this |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
67 |
hostile environment, the purpose of protocols (that is |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
68 |
exchange of messages) is to achieve some security goal, for |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
69 |
example only allow the owner of the car in but everybody else |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
70 |
should be kept out. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
71 |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
72 |
The protocols we are interested here are generic descriptions |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
73 |
of how to exchange messages in order to achieve a goal, be it |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
74 |
establishing a mutual secure connection or being able to |
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
75 |
authenticate to a system. Unlike the distant past where for |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
76 |
example we had to meet a person in order to authenticate him |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
77 |
or her (via a passport for example), the problem we are facing |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
78 |
on the Internet is that we cannot easily be sure who we are |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
79 |
``talking'' to. The obvious reason is that only some electrons |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
80 |
arrive at our computer; we do not see the person, or computer, |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
81 |
behind the incoming electrons (messages). |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
82 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
83 |
To start, let us look at one of the simplest protocols that |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
84 |
are part of the TCP protocol (which underlies the Internet). |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
85 |
This protocol does not do anything security relevant, it just |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
86 |
establishes a ``hello'' from a client to a server which the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
87 |
server answers with ``I heard you'' and the client answers |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
88 |
in turn with something like ``thanks''. This protocol |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
89 |
is often called a \emph{three-way handshake}. Graphically it |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
90 |
can be illustrated as follows |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
91 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
92 |
\begin{center} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
93 |
\includegraphics[scale=0.5]{../pics/handshake.png} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
94 |
\end{center} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
95 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
96 |
\noindent On the left-hand side is a client, say Alice, on the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
97 |
right-hand side is a server, say. Time is running from top to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
98 |
bottom. Alice initial SYN message needs some time to travel to |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
99 |
the server. The server answers with SYN-ACK, which will |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
100 |
require some time to arrive at Alice. Her answer ACK will |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
101 |
again take some time to arrive at the server. After the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
102 |
messages are exchanged Alice and the server simply have |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
103 |
established a channel to communicate over. Alice does |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
104 |
not know whether she is really talking to the server (somebody |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
105 |
else on the network might have intercepted her message |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
106 |
and replied in place of the server). Similarly, the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
107 |
server has no idea who it is talking to. That this can be |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
108 |
established depends on what is exchanged next and is the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
109 |
point of the protocols we want to study in more detail. |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
110 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
111 |
Before we start in earnest, we need to fix a more |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
112 |
convenient notation for protocols. Drawing pictures like |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
113 |
the one above would be awkward in the long-run. The |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
114 |
notation already abstracts away from a few details we are |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
115 |
not interested in: for example the time the messages |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
116 |
need to travel between endpoints. What we are interested |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
117 |
in is in which order the messages are sent. For the SYN-ACK |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
118 |
protocol we will therefore use the notation |
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
119 |
|
264
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
120 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
121 |
\begin{equation} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
122 |
\begin{array}{l@{\hspace{2mm}}l} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
123 |
A \to S: & SYN\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
124 |
S \to A: & SYN\_ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
125 |
A \to S: & ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
126 |
\end{array}\label{SYNACK} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
127 |
\end{equation} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
128 |
|
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
129 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
130 |
\noindent The left-hand side specifies who is the sender and |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
131 |
who is the receiver of the message. On the right of the colon |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
132 |
is the message that is send. The order from top to down |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
133 |
specifies in which order the messages are sent. We also |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
134 |
have the convention that messages like above $SYN$ are send |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
135 |
in clear-text over the network. If we want that a message is |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
136 |
encrypted, then we use the notation |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
137 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
138 |
\[ |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
139 |
\{msg\}_{K_{AB}} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
140 |
\] |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
141 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
142 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
143 |
\noindent for messages. The curly braces indicate a kind of |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
144 |
envelope which can only be opened if you know the key $K_{AB}$ |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
145 |
with which the message has been encrypted. We always assume |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
146 |
that an attacker, say Eve, cannot get the content of the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
147 |
message, unless she is also in the possession of the key. We |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
148 |
explicitly exclude in our study that the encryption can be |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
149 |
broken.\footnote{\ldots{}which of course is what a good |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
150 |
protocol designer needs to ensure and more often than not |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
151 |
protocols are broken. For example Oyster cards contain a very |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
152 |
weak encryption mechanism which has been attacked.} It is also |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
153 |
possible that an encrypted message contains several parts. In |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
154 |
this case we would write something like |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
155 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
156 |
\[ |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
157 |
\{msg_1, msg_2\}_{K_{AB}} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
158 |
\] |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
159 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
160 |
\noindent But again Eve would not be able to know |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
161 |
this unless she also has the key. We also allow the |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
162 |
possibility that a message is encrypted twice under |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
163 |
different keys. In this case we write |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
164 |
|
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
165 |
\[ |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
166 |
\{\{msg\}_{K_{AB}}\}_{K_{BC}} |
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
167 |
\] |
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
168 |
|
264
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
169 |
\noindent The idea is that even if attacker Eve has the |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
170 |
key $K_{BC}$ she could decrypt the outer envelop, but |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
171 |
still do not get to the message, because it is still |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
172 |
encrypted with the key $K_{AB}$. Note, however, |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
173 |
while an attacker cannot obtain the content of the message |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
174 |
without the key, encrypted messages can be observed |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
175 |
and be recorded and then replayed at another time, or |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
176 |
send to another person! |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
177 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
178 |
Another very important point is that the notation for |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
179 |
protocols such as shown in \eqref{SYNACK} is a |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
180 |
\underline{schema} how the protocol should proceed. |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
181 |
It could be instantiated by an actual protocol run |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
182 |
between Alice, say, and the server Calcium at King's. In this |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
183 |
case the specific instance would look like |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
184 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
185 |
\[ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
186 |
\begin{array}{l@{\hspace{2mm}}l} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
187 |
\text{Alice} \to \text{Calcium}: & SYN\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
188 |
\text{Calcium} \to \text{Alice}: & SYN\_ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
189 |
\text{Alice} \to \text{Calcium}: & ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
190 |
\end{array} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
191 |
\] |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
192 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
193 |
\noindent But a server like Calcium of course needs to |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
194 |
serve many clients. So there could be the same protocol |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
195 |
also running with Bob, say |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
196 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
197 |
\[ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
198 |
\begin{array}{l@{\hspace{2mm}}l} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
199 |
\text{Bob} \to \text{Calcium}: & SYN\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
200 |
\text{Calcium} \to \text{Bob}: & SYN\_ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
201 |
\text{Bob} \to \text{Calcium}: & ACK\\ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
202 |
\end{array} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
203 |
\] |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
204 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
205 |
\noindent And these two instances of the protocol could be |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
206 |
running in parallel or be at different stages. So the protocol |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
207 |
schema shown in \eqref{SYNACK} can be thought of how two |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
208 |
programs need to run on the side of $A$ and $S$ in order to |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
209 |
successfully complete the protocol. But it is really just a |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
210 |
blue print how the communication is supposed to proceed. |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
211 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
212 |
This is actually already a way how such protocols can fail. |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
213 |
Although very simple the $SYN\_ACK$ protocol can cause |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
214 |
headaches for system administrators where an attacker |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
215 |
starts the protocol, but does not complete it. This looks |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
216 |
graphically like |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
217 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
218 |
\begin{center} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
219 |
\includegraphics[scale=0.4]{../pics/synflood.png} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
220 |
\end{center} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
221 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
222 |
\noindent The attacker sends lots of $SYN$ requests which the |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
223 |
server dutifully answers, but needs to keep track of such |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
224 |
protocol exchanges. So every time a little bit of memory |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
225 |
resource will be eaten away on the server side until all |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
226 |
resources are exhausted and when Alice tries to contact the |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
227 |
server then the server is overwhelmed and does not respond |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
228 |
anymore. This kind of attack are called \emph{SYN |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
229 |
floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
230 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
231 |
After reading four pages, you might be wondering where the |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
232 |
magic is. For this let us take a closer look at authentication |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
233 |
protocols. |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
234 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
235 |
\subsubsection*{Authentication Protocols} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
236 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
237 |
The simplest authentication protocol between principals |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
238 |
$A$ and $B$, say is |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
239 |
|
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
240 |
\begin{center} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
241 |
$A \to B: K_{AB}$ |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
242 |
\end{center} |
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
243 |
|
265
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
244 |
\noindent It can be sought of as $A$ sends a common secret to |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
245 |
$B$ like a password. The idea is that if only $A$ and $B$ know |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
246 |
the key $K_{AB}$ then this should be sufficient for $B$ to |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
247 |
infer it is talking to $A$. But this is of course too naive, |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
248 |
if the message can be observed by everybody else on the |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
249 |
network. Eve could just record this message $A$ just send, and |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
250 |
next time send the same message to $B$ and $B$ would believe |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
251 |
it talked to $A$. But actually it talked to Eve which now |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
252 |
clears out $A$s back account if $B$ had been a bank. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
253 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
254 |
A more sophisticated protocol which tries to avoid the |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
255 |
replay attack is as follows |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
256 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
257 |
\begin{center} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
258 |
\begin{tabular}{l@{\hspace{2mm}}l} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
259 |
$A \to B:$ & $HELLO$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
260 |
$B \to A:$ & $N$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
261 |
$A \to B:$ & $\{N\}_{K_{AB}}$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
262 |
\end{tabular} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
263 |
\end{center} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
264 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
265 |
\noindent With this protocol the idea is that $A$ first sends |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
266 |
a message to $B$ saying ``I want to talk to you''. $B$ sends |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
267 |
then a challenge in form of a random number $N$. In protocols |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
268 |
such random numbers are often called \emph{nonce}. What is the |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
269 |
purpose of this nonce? Well, if an attacker records $A$ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
270 |
answer, it will not make sense to replay this message, because |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
271 |
next time this protocol is run the nonce $B$ sends will be |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
272 |
different. So if we run this protocol, what can $B$ infer: |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
273 |
it has send out an (unpredictable) nonce to $A$ and |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
274 |
received this challenge back, but encoded under the key |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
275 |
$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
276 |
and the nonce is unpredictable, then $B$ is able to |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
277 |
infer it must be talking to $A$. Of course the implicit |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
278 |
assumption on this inference are that nobody else knows |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
279 |
about the key $K_{AB}$ and nobody else can decrypt the |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
280 |
message. $B$ of course can decrypt the answer from $A$ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
281 |
and check whether the answer corresponds to the challenge |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
282 |
(nonce) $B$ has send earlier. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
283 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
284 |
But what about $A$? Can $A$ make any assumptions about who it |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
285 |
talks to? It dutifully answered the challenge and hopes its |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
286 |
bank, say, will be the only one to understand her answer. But |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
287 |
is this the case? No! Lets consider an attacker Eve who has |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
288 |
control over the network. She could have intercepted the |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
289 |
message $HELLO$ and just replied herself to $A$ using a random |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
290 |
number\ldots{} for example one which she observed in a |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
291 |
previous run of this protocol. Remember that if a message is |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
292 |
send without curly braces it is sent in clear text. Then |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
293 |
$A$ would encrypt the nonce with the key $K_{AB}$ and send |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
294 |
it back to Eve. She just throws the answer away. $A$ would |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
295 |
hope that she talked to $B$ because she followed the protocol, |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
296 |
but unfortunately she cannot be sure who she is talking to. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
297 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
298 |
The solution is to follow a \emph{mutual challenge-response} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
299 |
protocol. There $A$ already starts off with a challenge (nonce) |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
300 |
on her own. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
301 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
302 |
\begin{center} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
303 |
\begin{tabular}{l@{\hspace{2mm}}l} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
304 |
$A \to B:$ & $N_A$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
305 |
$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
306 |
$A \to B:$ & $N_B$\\ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
307 |
\end{tabular} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
308 |
\end{center} |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
309 |
|
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
310 |
\noindent As seen, $B$ receives this nonce, $N_A$, adds his |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
311 |
own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$ |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
312 |
receives this message, is able to decrypt it since we assume |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
313 |
she has the key $K_{AB}$, and sends back the nonce of $B$. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
314 |
Let us analyse which assumptions $A$ and $B$ can make after |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
315 |
the protocol has run. $B$ received a challenge and answered |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
316 |
correctly to $A$ (in the encrypted message). An attacker |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
317 |
would just not be able to answer this challenge correctly |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
318 |
because the attacker is assumed to not be in the possession of |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
319 |
the key $K_{AB}$; so could not have formed this message. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
320 |
It could also not have just replayed an old message, because |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
321 |
$A$ would send out each time a fresh nonce. So with this |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
322 |
protocol you can ensure also for $A$ that it talks to $B$. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
323 |
I leave you to argue that $B$ can be sure to talk to $A$. |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
324 |
Of course these arguments will depend on the assumptions that |
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
325 |
only $A$ and $B$ know the key $K_{AB}$ and that nobody can |
266
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
326 |
break the encryption unless they have this key and that the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
327 |
nonces are fresh each time the protocol is run. |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
328 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
329 |
There might be something mysterious about the nonces, the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
330 |
random numbers, that are sent around. They need to be |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
331 |
unpredictable and in this way fulfil an important role in |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
332 |
protocols. Suppose |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
333 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
334 |
\begin{enumerate} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
335 |
\item I generate a nonce and send it to you encrypted with a |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
336 |
key we share |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
337 |
\item you increase it by one, encrypt it under a key I know |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
338 |
and send it back to me |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
339 |
\end{enumerate} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
340 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
341 |
\noindent In our notation this would correspond to the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
342 |
protocol |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
343 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
344 |
\begin{center} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
345 |
\begin{tabular}{l@{\hspace{2mm}}l} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
346 |
$I \to Y:$ & $\{N\}_{K_{IY}}$\\ |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
347 |
$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\ |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
348 |
\end{tabular} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
349 |
\end{center} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
350 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
351 |
\noindent What can I infer from this simple exchange: |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
352 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
353 |
\begin{itemize} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
354 |
\item you must have received my message (it could not just be |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
355 |
deflected by somebody on the network, because the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
356 |
response required some calculation; doing the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
357 |
calculation and sending the answer requires the key |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
358 |
$K_{IY}$) |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
359 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
360 |
\item you could only have generated your answer after I send |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
361 |
you my initial message (since my $N$ is always new, it |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
362 |
could not have been a message that was generated before |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
363 |
I myself knew what $N$ is) |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
364 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
365 |
\item if only you and me know the key $K_{IY$, the message |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
366 |
must have come from you |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
367 |
\end{itemize} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
368 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
369 |
\noindent Even if this does not seem much information I can |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
370 |
glean from such an exchange, it is in fact the basic building |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
371 |
blocks for establishing some secret or achieving some |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
372 |
security goal (like authentication). |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
373 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
374 |
While the mutual challenge-response protocol solves already |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
375 |
the authentication problem, there are some problems. One is of |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
376 |
course that it requires a pre-shared secret key. That is |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
377 |
something that needs to be established beforehand. Not all |
267
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
378 |
situations allow such an assumption. For example if I am a |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
379 |
whistle blower (say Snowden) and want to talk to a journalist |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
380 |
(say Greenwald) then I might not have a secret pre-shared key. |
265
2ce6b7c94763
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
264
diff
changeset
|
381 |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
382 |
|
267
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
383 |
Another problem is that such mutual challenge-response systems |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
384 |
often work in the same system in the ``challenge mode'' but |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
385 |
also in the ``response mode''. For example if two servers want |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
386 |
to talk to each other---they would need the protocol in |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
387 |
response mode, but also if they want to talk to other servers |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
388 |
in challenge mode. Similarly if you in an military aircraft |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
389 |
you have to challenge everybody you see, in case there is a |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
390 |
friend amongst the targets you like to shoot, but you also |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
391 |
have to respond to any of your own anti-aircraft guns on the |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
392 |
ground lest they shoot you. In these situations you have to be |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
393 |
careful to not decode, or answer, your own challenge. Recall |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
394 |
the protocol is |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
395 |
|
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
396 |
\begin{center} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
397 |
\begin{tabular}{l@{\hspace{2mm}}l} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
398 |
$A \rightarrow B$: & $N_A$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
399 |
$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
400 |
$A \rightarrow B$: & $N_B$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
401 |
\end{tabular} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
402 |
\end{center} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
403 |
|
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
404 |
\noindent but it does not specify who is $A$ and who is $B$. |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
405 |
If, as supposed, the protocol works in response and in |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
406 |
challenge mode, then $A$ will be $A$ in one instance, but $B$ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
407 |
in the other. I hope this makes sense. Let us look at the |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
408 |
details and lets assume our adversary is $E$ who just deflects |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
409 |
our messages back to us. |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
410 |
|
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
411 |
\begin{center} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
412 |
\begin{tabular}{lllll} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
413 |
& \multicolumn{2}{l}{challenge mode:} & |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
414 |
\multicolumn{2}{l}{response mode:}\smallskip\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
415 |
1) & $A \rightarrow E$: & $N_A$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
416 |
2) & & & $E \rightarrow A$: & $N_A$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
417 |
3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
418 |
4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
419 |
5) & $A \rightarrow E$: & $N_A'$\\ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
420 |
\end{tabular} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
421 |
\end{center} |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
422 |
|
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
423 |
\noindent In the first step we challenge $E$ with a nonce we |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
424 |
created. Since we also run the protocol in ``response mode'', |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
425 |
$E$ can now feed us the same challenge in step 2. We do not |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
426 |
know where it came from (it's over the air), but if we are in |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
427 |
an aircraft we should better quickly answer it, otherwise we |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
428 |
risk to be shot. So we add our own challenge $N'_A$ and |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
429 |
encrypt it under the secret key $K_{AB}$ (step 3). Now $E$ |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
430 |
does not need to know this key in order to form the correct |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
431 |
answer for the first protocol. It will just replays this |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
432 |
message back to us in the challenge mode (step 4). I happily |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
433 |
accept this message---after all it is encrypted under the |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
434 |
secret key $K_{AB}$ and it contains the correct challenge from |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
435 |
me, namely $N_A$. So I accept that $E$ is a friend and send |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
436 |
even back the challenge $N'_A$. The problem is that $E$ now |
269
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
437 |
starts firing at me and I have no clue what is going on. I |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
438 |
might suspect, erroneously, that an idiot must have leaked the |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
439 |
secret key. Because I followed in both cases the protocol to |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
440 |
the letter, but somehow $E$, unknowingly to me with my help, |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
441 |
managed to disguise as a friend. As a pilot, I would be a bit |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
442 |
peeved at that moment and would have preferred the designer of |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
443 |
this challenge-response protocol had been a tad smarter. For |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
444 |
one thing they violated the best practice in protocol design |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
445 |
of using the same key, $K_{AB}$, for two different |
267
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
446 |
purposes---challenging and responding. They better had used |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
447 |
two different keys. This would have averted this attack and |
37821a377c4a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
266
diff
changeset
|
448 |
would have saved me a lot of trouble. |
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
449 |
|
268
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
450 |
\subsubsection*{Trusted Third Parties} |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
451 |
|
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
452 |
One limitation the protocols we discussed so far is |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
453 |
that they pre-suppose a secret shared key. As already |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
454 |
mentioned, this is a convenience we cannot always assume. |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
455 |
How to establish a secret key then? Well, if both parties, |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
456 |
say $A$ and $B$, mutually trust a third party, say $S$, |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
457 |
then they can use the following protocol: |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
458 |
|
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
459 |
\begin{center} |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
460 |
\begin{tabular}{l@{\hspace{2mm}}l} |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
461 |
$A \to S :$ & $A, B$\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
462 |
$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
463 |
$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
464 |
$A \to B :$ & $\{m\}_{K_{AB}}$\\ |
268
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
465 |
\end{tabular} |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
466 |
\end{center} |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
467 |
|
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
468 |
\noindent The assumption in this protocol is that $A$ and $S$ |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
469 |
share a secret key, and also $B$ and $S$ ($S$ being the |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
470 |
trusted third party). The goal is that $A$ can send $B$ a |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
471 |
message $m$ under a shared secret key $K_{AB}$, which at the |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
472 |
beginning of the protocol does not exist yet. How does this |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
473 |
protocol work? In the first step $A$ contacts $S$ and says |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
474 |
that it wants to talk to $B$. In turn $S$ invents a new key |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
475 |
$K_{AB}$ and sends two messages back to $A$: one message is |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
476 |
$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
477 |
$S$ share, and also the message |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
478 |
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which is encrypted with |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
479 |
$K_{AB}$ but also a second time with $K_{BS}$. The point of |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
480 |
the second message is that it is a message intended for $B$. |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
481 |
So a receives both messages and can decrypt them---in the |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
482 |
first case it obtains the key $K_{AB}$ which $S$ suggested to |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
483 |
use. In the second case it obtains a message it can forward to |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
484 |
$B$. $B$ receives this message and since it knows the key it |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
485 |
shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
486 |
start to exchange messages with the shared secret key |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
487 |
$K_{AB}$. What is the advantage of $S$ sending $A$ two |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
488 |
messages instead of contacting $B$ instead? Well, for one |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
489 |
there can now be a time-delay between the second and |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
490 |
third step in the protocol. At some point in the past |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
491 |
$A$ and $S$ need to have come together to share |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
492 |
a key, similarly $B$ and $S$. After that $B$ does not need to |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
493 |
be ``online'' anymore until $A$ actually starts sending messages |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
494 |
to $B$. $A$ and $S$ can completely on their own negotiate a |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
495 |
new key. |
269
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
496 |
|
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
497 |
The major limitation of this protocol however is that I need |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
498 |
to trust a third party. And in this case completely, because |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
499 |
$S$ can of course also read easily all messages $A$ sends to |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
500 |
$B$. The problem is that I cannot really think of any |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
501 |
institution who could serve as such a trusted third party. One |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
502 |
would hope the government would be such a trusted party, but |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
503 |
in the Snowden-era we know that this is wishful thinking in |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
504 |
the West, and if I lived in Iran or North Korea, for example, |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
505 |
I would not even start to hope for this. |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
506 |
|
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
507 |
The cryptographic ``magic'' of public-private keys |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
508 |
seems to offer an elegant solution for this, but as we shall |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
509 |
see in the next section, this requires some very clever |
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
510 |
protocol design. |
268
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
511 |
|
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
512 |
\subsubsection*{Averting Person-in-the-Middle Attacks} |
43629c8c88c6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
267
diff
changeset
|
513 |
|
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
514 |
The idea of public-private key encryption is that one can make |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
515 |
public the key $K^{pub}$ which people can use to encrypt |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
516 |
messages for me. and I can use my key $K^{priv}$ to be the |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
517 |
only one that can decrypt them. While this sounds all good, it |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
518 |
relies that people can associate me, for example, with my |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
519 |
public key. That i snot so trivial as it sounds. For example, |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
520 |
if I would be the government, say Cameron, and try to find out |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
521 |
who are the trouble makers in the country, I would publish an |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
522 |
innocent looking webpage and say I am The Guardian newspaper |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
523 |
(or alternatively The Sun for all the juicy stories), publish |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
524 |
a public key on it, and then just wait for incoming messages. |
269
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
525 |
|
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
526 |
This problem is supposed to be solved by using certificates. |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
527 |
The purpose of certification organisations is that they verify |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
528 |
that a public key, say $K^{pub}_{Bob}$, really belongs to Bob. |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
529 |
This is also the mechanism underlying the HTTPS protocol. The |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
530 |
problem is that this system is essentially completely |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
531 |
broken\ldots{}but this is a story for another time. Suffice |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
532 |
to say for now that one of the main certification |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
533 |
organisations, VeriSign, has limited its liability to \$100 in |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
534 |
case it issues a false certificate. This is really a joke and |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
535 |
really the wrong incentive for the certification organisations |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
536 |
to clean up their mess. |
269
c4fa7e8a2ffa
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
268
diff
changeset
|
537 |
|
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
538 |
The problem we want to study closer here is that protocols |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
539 |
based on public-private key encryption are susceptible to |
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
540 |
person-in-the-middle attack. Consider the following protocol |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
541 |
where $A$ and $B$ attempt to exchange secret messages using |
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
542 |
public-private keys. |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
543 |
|
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
544 |
\begin{itemize} |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
545 |
\item $A$ sends public key to $B$ |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
546 |
\item $B$ sends public key to $A$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
547 |
\item $A$ sends a message encrypted with $B$'s public |
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
548 |
key,\\ $B$ decrypts it with its private key |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
549 |
\item $B$ sends a message encrypted with $A$'s public |
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
550 |
key,\\ $A$ decrypts it with its private key |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
551 |
\end{itemize} |
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
552 |
|
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
553 |
\noindent In our formal notation for protocols, this would |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
554 |
look as follows: |
270
8f2749152f1e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
269
diff
changeset
|
555 |
|
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
556 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
557 |
\begin{tabular}{l@{\hspace{2mm}}l} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
558 |
$A \to B :$ & $K^{pub}_A$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
559 |
$B \to A :$ & $K^{pub}_B$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
560 |
$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
561 |
$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
562 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
563 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
564 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
565 |
\noindent Since we assume an attacker, say $E$, has complete |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
566 |
control over the network, $E$ can intercept the first two |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
567 |
messages and substitutes her own public key. The protocol |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
568 |
run would therefore be |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
569 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
570 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
571 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
572 |
1) & $A \to E :$ & $K^{pub}_A$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
573 |
2) & $E \to B :$ & $K^{pub}_E$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
574 |
3) & $B \to E :$ & $K^{pub}_B$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
575 |
4) & $E \to A :$ & $K^{pub}_E$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
576 |
5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
577 |
6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
578 |
7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
579 |
8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
580 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
581 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
582 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
583 |
\noindent where in steps 6 and 8, $E$ can modify the |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
584 |
messages by including the $E$ in the message. Both messages |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
585 |
are received encrypted with $E$'s public key; therefore it |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
586 |
can decrypt it and repackage it with new content. $A$ and $B$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
587 |
have no idea that they talking to an attacker. Because $E$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
588 |
can modify messages, it seems very difficult to defend |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
589 |
against this attack. |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
590 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
591 |
But there is a clever trick\ldots{}dare I say some magic. |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
592 |
Modify the protocol above so that $A$ and $B$ send their |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
593 |
messages in two halves. |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
594 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
595 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
596 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
597 |
1) & $A \to B :$ & $K^{pub}_A$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
598 |
2) & $B \to A :$ & $K^{pub}_B$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
599 |
3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
600 |
4) & $A \to B :$ & $H_1$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
601 |
5) & $B \to A :$ & $\{H_1\}_{K^{pub}_A}$\smallskip\\ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
602 |
6) & $A \to B :$ & $H_2$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
603 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
604 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
605 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
606 |
\noindent The idea is that in step 3, $A$ encrypts the |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
607 |
message (with $B$'s public key) and then splits the encrypted |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
608 |
message into two halves. Say the encrypted message is |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
609 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
610 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
611 |
\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
612 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
613 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
614 |
\noindent then $A$ splits it up into two halves |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
615 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
616 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
617 |
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
618 |
$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
619 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
620 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
621 |
\noindent sends the first half $H_1$ to $b$. $B$ (and also any |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
622 |
potential attacker) cannot do much with this half. What $B$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
623 |
does, it encrypts it with $A$'s public key and sends it back |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
624 |
to $A$. Now $A$ can decrypt it and if it matches with what it |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
625 |
had send, it will send $B$ the second half $H_2$. Only after |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
626 |
$B$ received this second part, it will be able to decrypt the |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
627 |
entire message $\{A,m\}_{K^{pub}_B}$ and see what $A$ had |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
628 |
written. |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
629 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
630 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
631 |
\begin{enumerate} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
632 |
\item $C$ generates a random number $r$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
633 |
\item $C$ calculates $(F,G) = \{r\}_K$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
634 |
\item $C \to T$: $r, F$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
635 |
\item $T$ calculates $(F',G') = \{r\}_K$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
636 |
\item $T$ checks that $F = F'$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
637 |
\item $T \to C$: $r, G'$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
638 |
\item $C$ checks that $G = G'$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
639 |
\end{enumerate} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
640 |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
641 |
|
264
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
642 |
\subsubsection*{Further Reading} |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
643 |
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
644 |
{\small |
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
645 |
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}} |
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
646 |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
647 |
\end{document} |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
648 |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
649 |
%%% Local Variables: |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
650 |
%%% mode: latex |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
651 |
%%% TeX-master: t |
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
652 |
%%% End: |