% Source: hgweb annotate view of this file at changeset 411 (542116a239cf);
% parent 409 (0c04ec017892), child 415 (56bc53ba7c5b), permissions -rw-r--r--
% author: Christian Urban <christian dot urban at kcl dot ac dot uk>
% Thu, 15 Oct 2015 12:51:46 +0100 (2015-10-15)
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}
\fnote{\copyright{} Christian Urban, 2014}

\section*{Handout 5 (Protocols)}

Protocols are the computer science equivalent of fractals and
the Mandelbrot set in mathematics. With the latter two you
have a simple formula, which you just iterate and then you
test whether a point is inside or outside a region\ldots{}it
does not look exciting, but voil\`a, something magical has
happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
\url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
are similar: they are simple exchanges of messages, but in the
end something ``magical'' can happen---for example a secret
channel has been established or two entities have
authenticated themselves to each other. This can happen even
in the face of strong adversaries who have complete control over
the network involved in the message exchange. The problem with
magic is of course that it is poorly understood, and even experts
often got, and still get, it wrong with protocols.

To get an idea of what kinds of protocols we are interested in, let
us look at a few examples. One example is (wireless) key
fobs, which operate the central locking system and the
ignition in a car.

\begin{center}
\includegraphics[scale=0.075]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.2025]{../pics/startstop.jpg}
\end{center}

\noindent The point of these key fobs is that everything is
done over the ``air''---there is no physical connection
between the key, doors and engine, as was the case with the
old solid metal keys. With the key fobs we must achieve
security by exchanging certain messages between the key fob on
one side and the doors and engine on the other. Clearly what
we would like to accomplish is that I can get into my car and start
it, but that thieves are kept out. The problem is that
everybody can ``overhear'' or skim the exchange of messages
between the key fob and car. In this scenario the simplest
attack you need to defend against is a relay attack, the most
basic form of person-in-the-middle attack. For this imagine
you park your car in front of a
supermarket. One thief follows you with a strong transmitter.
A second thief ``listens'' to the signals from the car and
wirelessly transmits them to the ``colleague'' who followed
you. This thief silently enquires what the key fob answers.
This answer is then sent back to the thief at the car. If done
properly, the car will dutifully open and possibly start. No
need to steal your keys anymore. Note that nothing about the
encryption or the key needs to be broken for this: the thieves
merely extend the range of the channel between fob and car.
That this is an attack one needs to reckon with is
demonstrated by the fact that dodgy
websites\footnote{\url{http://autokeydevices.com/product/wave/}
\ldots{} funnily this webpage says ``not intended for illegal
use'', but I have a hard time finding any legal purpose for
such a device.} sell the necessary equipment for top Ruble.
This webpage is notable for the very helpful picture
of a person-in-the-middle attack (see Figure~\ref{rsa}).

\begin{figure}[t]
\begin{center}
\includegraphics[scale=0.15]{../pics/rsa_attack_eng.jpg}
\end{center}
\caption{From a dodgy webpage about modern car theft. Note the
stylish attackers.\label{rsa}}
\end{figure}


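The relay attack just described, as an added example that is not part of the handout. It assumes, purely for illustration, that car and fob run a challenge-response protocol (the car sends a fresh random challenge, the fob answers with an HMAC-SHA256 of it under a shared key); real key fobs use their own, often proprietary, schemes, and nothing here describes any particular car. What it demonstrates is the point made above: the two thieves never learn the key and never break the cryptography, they only forward messages between the car park and the supermarket, whereas simply replaying an old answer fails because every challenge is fresh.

```python
"""Relay attack on a wireless key fob, as a simulation.

Added example, not code from the handout. The car and the fob share a
key and run an (assumed) challenge-response protocol:

    C -> F: n                  fresh random challenge
    F -> C: HMAC_K(n)          fob proves it knows K

Thief 1 stands at the car, thief 2 follows the owner; together they
forward n and HMAC_K(n) over a long-range link. Neither needs K.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
CHALLENGE_LEN = 16


class Car:
    """Issues a fresh challenge and accepts exactly one correct answer to it."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # challenge we are currently waiting on

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # a challenge can be answered at most once
        return hmac.compare_digest(expected, response)


class KeyFob:
    """Answers any challenge it hears; it has no notion of where the car is."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def honest_run(car: Car, fob: KeyFob) -> bool:
    """Owner next to the car: the protocol as intended."""
    return car.unlock(fob.respond(car.challenge()))


def replay_run(car: Car, fob: KeyFob) -> bool:
    """Eve records one honest answer and plays it back to a later challenge."""
    recorded = fob.respond(car.challenge())  # observed on the air
    car.unlock(recorded)                     # the honest run completes
    car.challenge()                          # later: a new, different n
    return car.unlock(recorded)              # the old answer no longer fits


def relay_run(car: Car, fob: KeyFob) -> bool:
    """Thief 1 at the car, thief 2 near the owner in the supermarket."""
    n = car.challenge()               # thief 1 triggers the car
    forwarded = bytes(n)              # ... and relays n to thief 2
    answer = fob.respond(forwarded)   # thief 2 plays n to the fob
    return car.unlock(bytes(answer))  # thief 1 plays the answer to the car


def demo() -> dict:
    """Outcome of the three runs against a car/fob pair with a random key."""
    key = secrets.token_bytes(KEY_LEN)
    car, fob = Car(key), KeyFob(key)
    return {
        "honest": honest_run(car, fob),
        "replay": replay_run(car, fob),
        "relay": relay_run(car, fob),
    }


if __name__ == "__main__":
    print(demo())  # {'honest': True, 'replay': False, 'relay': True}
```

Running it prints \texttt{\{'honest': True, 'replay': False, 'relay': True\}}. The only thing the relay changes is the round-trip time between challenge and answer; a car that checks nothing but the MAC, as this one does, cannot tell the relayed run from the honest one.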
But there are many more such protocols we would like to study.
Another example is Wifi---you might sit at a Starbucks and
talk wirelessly to the free access point there and from there
talk to your bank (see The Guardian article cited at the very
end of this handout). Moreover, even if you have to touch in
and out your Oyster card at the reader each time you enter or
exit the Tube, it actually operates wirelessly and, with
appropriate equipment, over some quite large distance (several
meters). But there are many, many more examples of protocols
(Bitcoin, Tor, mobile phones,\ldots).

The common characteristic of the protocols we are interested
in is that an adversary or attacker is assumed to be in
complete control over the network or channel over which we
are exchanging messages. An attacker can install a packet sniffer
on a network, inject packets, intercept packets, modify
packets, replay old messages, or fake pretty much everything
else. In this hostile environment, the purpose of a protocol
(that is, an exchange of messages) is to achieve some security
goal. For example, only allow the owner of the car in, but
keep everybody else out.

The protocols we are interested in here are generic descriptions
of how to exchange messages in order to achieve a goal. Unlike
in the distant past where, for example, we had to meet a person in
order to authenticate him or her (via a passport for example),
the problem we are facing on the Internet is that we cannot
easily be sure who we are ``talking'' to. The obvious reason
is that only some electrons arrive at our computer; we do not
see the person, or computer, behind the incoming electrons
(messages).

To start, let us look at one of the simplest protocols that
are part of the TCP protocol (which underlies the Internet).
This protocol does not do anything security relevant; it just
establishes a ``hello'' from a client to a server, which the
server answers with ``I heard you'', and the client answers
in turn with something like ``thanks''. This protocol
is often called a \emph{three-way handshake}. Graphically it
can be illustrated as follows

\begin{center}
\includegraphics[scale=0.45]{../pics/handshake.png}
\end{center}

\noindent On the left-hand side is a client, say Alice, on the
right-hand side is a server, say. Time is running from top to
bottom. Alice's initial SYN message needs some time to travel to
the server. The server answers with SYN-ACK, which will
require some time to arrive at Alice. Her answer ACK will
again take some time to arrive at the server. After the
messages are exchanged, Alice and the server simply have
established a channel to communicate over. Alice does not know
whether she is really talking to the server (somebody else on
the network might have intercepted her message and replied in
place of the server). Similarly, the server has no idea who it
is talking to. Whether they can authenticate themselves
depends on what is exchanged next and is the point of the
protocols we want to study in more detail.

Before we start in earnest, we need to fix a more convenient
notation for protocols. Drawing pictures like the one above
would be awkward in the long run. The notation we will adopt
abstracts away from a few details we are not interested in:
for example the time the messages need to travel between
endpoints. What we are interested in is the order in which the
messages are sent. For the SYN-ACK protocol we will therefore
use the notation


\begin{equation}
\begin{array}{l@{\hspace{2mm}}l}
A \to S: & SYN\\
S \to A: & SYN\_ACK\\
A \to S: & ACK\\
\end{array}\label{SYNACK}
\end{equation}


\noindent The left-hand side of each clause specifies who is
the sender and who is the receiver of the message. On the
right of the colon is the message that is sent. The order from
top to bottom specifies in which order the messages are sent. We
also have the convention that messages, like $SYN$ above, are
sent in clear text over the network. If we want that a message
is encrypted, then we use the notation

\[
\{msg\}_{K_{AB}}
\]


\noindent for messages. The curly braces indicate a kind of
envelope which can only be opened if you know the key $K_{AB}$
with which the message has been encrypted. We always assume
that an attacker, say Eve, cannot get to the content of the
message, unless she is also in the possession of the key. We
explicitly exclude in our study that the encryption can be
broken.\footnote{\ldots{}which of course is what a good
protocol designer needs to ensure, and more often than not
protocols are broken because of a weak encryption method. For
example Oyster cards contain a very weak encryption mechanism
which has been attacked and broken.} It is also
possible that an encrypted message contains several parts. In
this case we would write something like

\[
\{msg_1, msg_2\}_{K_{AB}}
\]

\noindent But again Eve would not be able to know
this unless she also has the key. We also allow the
possibility that a message is encrypted twice under
different keys. In this case we write

\[
\{\{msg\}_{K_{AB}}\}_{K_{BC}}
\]

193 |
\noindent The idea is that even if attacker Eve has the |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
194 |
key $K_{BC}$ she could decrypt the outer envelop, but |
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
195 |
still does not get to the message, because it is still |
264
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
196 |
encrypted with the key $K_{AB}$. Note, however, |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
197 |
while an attacker cannot obtain the content of the message |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
198 |
without the key, encrypted messages can be observed |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
199 |
and be recorded and then replayed at another time, or |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
200 |
send to another person! |
0079db1a1c9d
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
263
diff
changeset
|
201 |
|
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
202 |
Another very important point is that our notation for
protocols such as shown in \eqref{SYNACK} is a
\underline{schema} for how the protocol should proceed.
It could be instantiated by an actual protocol run
between Alice, say, and the server Calcium at King's. In this
case the specific instance would look like

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Alice} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Alice}: & SYN\_ACK\\
\text{Alice} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent But a server like Calcium of course needs to
serve many clients. So the same protocol could
also be running with Bob, say

\[
\begin{array}{l@{\hspace{2mm}}l}
\text{Bob} \to \text{Calcium}: & SYN\\
\text{Calcium} \to \text{Bob}: & SYN\_ACK\\
\text{Bob} \to \text{Calcium}: & ACK\\
\end{array}
\]

\noindent And these two instances of the protocol could be
running in parallel or be at different stages. So the protocol
schema shown in \eqref{SYNACK} can be thought of as describing how two
programs need to run on the side of $A$ and $S$ in order to
successfully complete the protocol. But it is really just a
blueprint for how the communication is supposed to proceed.

This is actually already one way in which such protocols can fail.
Although very simple, the $SYN\_ACK$ protocol can cause
headaches for system administrators when an attacker starts
the protocol, but then does not complete it. This looks
graphically like

\begin{center}
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{center}

\noindent The attacker sends lots of $SYN$ requests which the
server dutifully answers. But in doing so the server needs to
keep track of such protocol exchanges. As a result every time
the protocol is initiated a little bit of memory is eaten
away on the server side until all memory is exhausted. When
poor Alice then tries to contact the server, it is overwhelmed
and does not respond anymore. Attacks of this kind are called
\emph{SYN floods}.\footnote{\url{http://en.wikipedia.org/wiki/SYN_flood}}

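The resource asymmetry behind a SYN flood, and the usual way a server escapes it, can be made concrete in a short simulation. The Python model below is an added illustration and is not part of the handout: a stateful server keeps an entry for every half-open handshake and refuses new clients once its backlog is full (the backlog size of 128 is a constructed value), whereas a server using so-called SYN cookies, a technique the handout does not mention, derives the initial sequence number it puts into $SYN\_ACK$ from an HMAC over the client's address and a coarse time counter, so it stores nothing until a valid $ACK$ arrives. The addresses and the 64-second cookie window are likewise constructed.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical backlog: how many half-open handshakes the stateful server
# is willing to remember (constructed value).
MAX_HALF_OPEN = 128


class StatefulServer:
    """Textbook handshake: remember every SYN until its ACK arrives."""

    def __init__(self, max_half_open=MAX_HALF_OPEN):
        self.max_half_open = max_half_open
        self.half_open = {}        # (address, port) -> ISN we put in SYN_ACK
        self.established = set()
        self.refused = 0

    def on_syn(self, client):
        """Return the ISN sent in SYN_ACK, or None if the backlog is full."""
        if len(self.half_open) >= self.max_half_open:
            self.refused += 1      # this is where a flooded server drops Alice
            return None
        isn = secrets.randbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack_number):
        isn = self.half_open.get(client)
        if isn is None or ack_number != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieServer:
    """Stateless handshake: the ISN is an HMAC over the client's address and
    a coarse time counter (a 'SYN cookie'), so no memory is spent on a SYN
    that is never completed.  State is created only on a valid ACK."""

    def __init__(self, window_seconds=64):
        self.secret = secrets.token_bytes(32)
        self.window = window_seconds
        self.established = set()

    def _cookie(self, client, counter):
        msg = f"{client[0]}:{client[1]}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC in the high bits, the 8-bit counter in the low bits
        return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

    def on_syn(self, client, now=None):
        now = time.time() if now is None else now
        return self._cookie(client, int(now // self.window) & 0xFF)

    def on_ack(self, client, ack_number, now=None):
        now = time.time() if now is None else now
        isn = (ack_number - 1) & 0xFFFFFFFF
        counter = isn & 0xFF
        current = int(now // self.window) & 0xFF
        if (current - counter) & 0xFF > 1:        # cookie too old
            return False
        expected = self._cookie(client, counter).to_bytes(4, "big")
        if not hmac.compare_digest(expected, isn.to_bytes(4, "big")):
            return False                          # not a cookie we issued
        self.established.add(client)
        return True


def flood_then_alice(server, flood_size=1000):
    """Eve sends flood_size SYNs from constructed addresses and never answers;
    then Alice attempts a complete handshake.  Returns whether she got in."""
    for i in range(flood_size):
        server.on_syn((f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i))
    alice = ("192.0.2.10", 51515)             # constructed address
    isn = server.on_syn(alice)
    if isn is None:
        return False
    return server.on_ack(alice, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful server survives flood:", flood_then_alice(StatefulServer()))
    print("SYN-cookie server survives flood:", flood_then_alice(SynCookieServer()))
```

The point of the model is the bookkeeping, not the arithmetic: the stateful server pays memory for every $SYN$ it answers, which is exactly what the attacker exploits, while the cookie server pays nothing for a $SYN$ and can still recognise a genuine $ACK$ because only it holds the secret behind the HMAC. The counter bounds how long a recorded cookie stays acceptable, which is why an $ACK$ arriving several windows late is rejected.
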
After reading four pages, you might be wondering where the
magic is with protocols. For this let us take a closer look at
authentication protocols.

\subsubsection*{Authentication Protocols}

The simplest authentication protocol between principals
$A$ and $B$, say, is

\begin{center}
$A \to B: K_{AB}$
\end{center}

\noindent It can be thought of as $A$ sending a common secret to
$B$, for example a password. The idea is that if only $A$ and
$B$ know the key $K_{AB}$ then this should be sufficient for
$B$ to infer it is talking to $A$. But this is of course too
naive in a context where the message can be observed by
everybody else on the network. Eve, for example, could just
record this message $A$ just sent, and next time send the same
message to $B$. $B$ has no other choice than to believe it
talks to $A$. But actually it talks to Eve, who now clears
out $A$'s bank account, assuming $B$ had been a bank.

A more sophisticated protocol which tries to avoid the
replay attack is as follows

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $HELLO$\\
$B \to A:$ & $N$\\
$A \to B:$ & $\{N\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent With this protocol the idea is that $A$ first sends
a message to $B$ saying ``I want to talk to you''. $B$ then sends
a challenge in the form of a random number $N$. In protocols
such random numbers are often called \emph{nonces}. What is the
purpose of this nonce? Well, if an attacker records $A$'s
answer, it will not make sense to replay this message, because
next time this protocol is run, the nonce $B$ sends out will
be different. So if we run this protocol, what can $B$ infer?
It has sent out an (unpredictable) nonce to $A$ and received
this challenge back, but encrypted under the key $K_{AB}$. If
$B$ assumes only $A$ and $B$ know the key $K_{AB}$ and the
nonce is unpredictable, then $B$ is able to infer it must be
talking to $A$. Of course the implicit assumption behind this
inference is that nobody else knows the key $K_{AB}$
and nobody else can decrypt the message. $B$ of course can
decrypt the answer from $A$ and check whether the answer
corresponds to the challenge (nonce) $B$ has sent earlier.

But what about $A$? Can $A$ make any inferences about whom she
talks to? She dutifully answered the challenge and hopes her
bank, say, will be the only one to understand her answer. But
is this the case? No! Let us consider again an attacker Eve
who has control over the network. She could have intercepted
the message $HELLO$ and just replied herself to $A$ using a
random number\ldots{}for example one which she observed in a
previous run of this protocol. Remember that if a message is
sent without curly braces it is sent in clear text. $A$ would
encrypt the nonce with the key $K_{AB}$ and send it back to
Eve. She just throws away the answer. $A$ would hope that she
talked to $B$ because she followed the protocol, but
unfortunately she cannot be sure who she is talking to---it
might be Eve.

The solution is to follow a \emph{mutual challenge-response}
protocol. There $A$ already starts off with a challenge (nonce)
of her own.

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B:$ & $N_A$\\
$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
$A \to B:$ & $N_B$\\
\end{tabular}
\end{center}

\noindent As seen, $B$ receives this nonce, $N_A$, adds his
own nonce, $N_B$, and encrypts both with the key $K_{AB}$. $A$
receives this message, is able to decrypt it since we assume
she has the key $K_{AB}$ too, and sends back the nonce of $B$.
Let us analyse which inferences $A$ and $B$ can make after the
protocol has run. $B$ received a challenge and answered it
correctly to $A$ (inside the encrypted message). An attacker
would not be able to answer this challenge correctly because
the attacker is assumed not to be in possession of the key
$K_{AB}$, and so is not able to generate this message. Nor could
it be an old message replayed, because
$A$ sends out a fresh nonce each time. So with this
protocol you can ensure also for $A$ that it talks to $B$. I
leave you to argue that $B$ can be sure to talk to $A$. Of
course these arguments will depend on the assumptions that
only $A$ and $B$ know the key $K_{AB}$, that nobody can
break the encryption unless they have this key, and that the
nonces are fresh each time the protocol is run.

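To make the inferences above checkable, here is an added Python model of both the $HELLO$, $N$, $\{N\}_{K_{AB}}$ protocol and the mutual challenge-response protocol; it is example code written for this handout's notation, not code from the handout itself. The encryption $\{\cdot\}_{K}$ is stood in for by a toy authenticated cipher built from HMAC-SHA256 (a keystream plus a tag), chosen only so that the example runs on the standard library; a real system would use an authenticated cipher such as AES-GCM. The nonce length, the key length and the function names are assumptions. Each function returns what a principal can conclude, so the failure cases discussed in the text (a recorded message replayed into a later run, and an answer produced without $K_{AB}$) can be checked directly.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: 16-byte nonces; keys are 32 bytes (constructed values).
NONCE_LEN = 16


def nonce():
    """A fresh, unpredictable N, as the handout requires of every run."""
    return secrets.token_bytes(NONCE_LEN)


def _keystream(key, iv, length):
    """HMAC-SHA256 in counter mode: a toy stand-in for a real cipher."""
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Toy {plaintext}_key, laid out as iv || ciphertext || tag.  The tag is
    what makes 'nobody without the key can produce this message' hold."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key, blob):
    """Inverse of encrypt(); returns None when the tag does not verify."""
    if len(blob) < 48:
        return None
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct))))


# HELLO, N, {N}_K_AB: only B gets a guarantee.
def unilateral_b_accepts(key, challenge, response):
    """B's check in the one-sided protocol: does the response decrypt to the
    nonce B sent in *this* run?  A has no corresponding check at all."""
    pt = decrypt(key, response)
    return pt is not None and hmac.compare_digest(pt, challenge)


# N_A, {N_A, N_B}_K_AB, N_B: mutual challenge-response.
class Initiator:
    """A: picks N_A and only continues if B's reply echoes it."""

    def __init__(self, key):
        self.key, self.n_a = key, None

    def msg1(self):
        self.n_a = nonce()
        return self.n_a

    def msg3(self, msg2):
        """Return N_B to send on, or None if B has not proven itself: either
        the message was not made under K_AB, or it echoes a stale N_A (replay)."""
        pt = decrypt(self.key, msg2)
        if pt is None or not hmac.compare_digest(pt[:NONCE_LEN], self.n_a):
            return None
        return pt[NONCE_LEN:]


class Responder:
    """B: answers A's challenge and issues his own inside the same message."""

    def __init__(self, key):
        self.key, self.n_b = key, None

    def msg2(self, n_a):
        self.n_b = nonce()
        return encrypt(self.key, n_a + self.n_b)

    def accepts(self, msg3):
        return msg3 is not None and hmac.compare_digest(msg3, self.n_b)


def honest_run(key):
    """(A is convinced of B, B is convinced of A) for an undisturbed run."""
    a, b = Initiator(key), Responder(key)
    m3 = a.msg3(b.msg2(a.msg1()))
    return m3 is not None, b.accepts(m3)


def replay_run(key):
    """Eve records B's message 2 from one run and replays it to A in the next.
    Returns whether A accepts; she must not, since her N_A has changed."""
    a, b = Initiator(key), Responder(key)
    recorded = b.msg2(a.msg1())       # first run, observed on the wire
    a.msg1()                          # new run, fresh N_A
    return a.msg3(recorded) is not None


def no_key_run(key):
    """Eve answers A's challenge with the right layout but her own key.
    Returns whether A accepts; the tag check makes this fail."""
    a = Initiator(key)
    eve = Responder(secrets.token_bytes(32))
    return a.msg3(eve.msg2(a.msg1())) is not None
```

Two design points carry the argument from the text into the code. First, the freshness of $N_A$ is what lets \texttt{Initiator.msg3} reject a replayed message: the recorded $\{N_A, N_B\}_{K_{AB}}$ decrypts fine, but its $N_A$ is not the one of the current run. Second, the assumption that nobody without $K_{AB}$ can produce a valid encrypted message is carried by the tag check in \texttt{decrypt}; with an unauthenticated cipher the code would have to defend that assumption some other way. The $\{N\}_{K_{IY}}$, $\{N+1\}_{K_{IY}}$ exchange discussed later in the handout is modelled in the same way, with the response computed from the decrypted nonce instead of echoed.
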
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
355 |
The purpose of the nonces, the random numbers that are sent |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
356 |
around, might be a bit opaque. Because they are unpredictable |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
357 |
they fulfil an important role in protocols. Suppose |
266
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
358 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
359 |
\begin{enumerate} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
360 |
\item I generate a nonce and send it to you encrypted with a |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
361 |
key we share |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
362 |
\item you increase it by one, encrypt it under a key I know |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
363 |
and send it back to me |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
364 |
\end{enumerate} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
365 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
366 |
\noindent In our notation this would correspond to the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
367 |
protocol |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
368 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
369 |
\begin{center} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
370 |
\begin{tabular}{l@{\hspace{2mm}}l} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
371 |
$I \to Y:$ & $\{N\}_{K_{IY}}$\\ |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
372 |
$Y \to I:$ & $\{N + 1\}_{K_{IY}}$\\ |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
373 |
\end{tabular} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
374 |
\end{center} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
375 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
376 |
\noindent What can I infer from this simple exchange: |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
377 |
|
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
378 |
\begin{itemize} |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
379 |
\item you must have received my message (it could not just be |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
380 |
deflected by somebody on the network, because the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
381 |
response required some calculation; doing the |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
382 |
calculation and sending the answer requires the key |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
383 |
$K_{IY}$) |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
384 |
|
285
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
385 |
\item you could only have generated your answer after I have |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
386 |
sent you my initial message (since my $N$ is always new, |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
387 |
it could not have been a message that was generated |
2492b771122e
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
388 |
before I myself knew what $N$ is) |
266
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
389 |
|
274
1e1008403f17
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
273
diff
changeset
|
390 |
\item if only you and me know the key $K_{IY}$, the message |
266
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
391 |
must have come from you |
e711cfd1ec70
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
265
diff
changeset
|
392 |
\end{itemize} |

\noindent Even if this does not seem like much information that I can
glean from such an exchange, it is in fact the basic building
block in protocols for establishing some secret or for
achieving some security goal (like authentication).

While the mutual challenge-response protocol solves the
authentication problem, there are some limitations. One is of
course that it requires a pre-shared secret key. That is
something that needs to be established beforehand. Not all
situations allow such an assumption. For example, if I am a
whistleblower (say Snowden) and want to talk to a journalist
(say Greenwald), then I might not have a pre-shared secret key.

Another limitation is that such mutual challenge-response
systems often have to run on the same system in ``challenge
mode'' but also in ``response mode''. For example, if two
servers want to talk to each other, they would need the
protocol in response mode, but also in challenge mode when
they want to talk to other servers. Similarly, if you are in a
military aircraft you have to challenge everybody you see, in
case there is a friend amongst the targets you would like to
shoot, but you also have to respond to any of your own
anti-aircraft guns on the ground, lest they shoot you. In these
situations you have to be careful not to decode, or answer,
your own challenge. Recall the protocol is

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \rightarrow B$: & $N_A$\\
$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
$A \rightarrow B$: & $N_B$\\
\end{tabular}
\end{center}

\noindent but it does not specify who is $A$ and who is $B$.
If the protocol works in response and in challenge mode, then
$A$ will be $A$ in one instance, but $B$ in the other. I hope
this makes sense. Let us look at the details and let us assume
our adversary is $E$, who just reflects our own messages back to
us.

\begin{center}
\begin{tabular}{lllll}
& \multicolumn{2}{l}{challenge mode:} &
\multicolumn{2}{l}{response mode:}\smallskip\\
1. & $A \rightarrow E$: & $N_A$\\
2. & & & $E \rightarrow A$: & $N_A$\\
3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
5. & $A \rightarrow E$: & $N_A'$\\
\end{tabular}
\end{center}

\noindent In the first step we challenge $E$ with a nonce we
created. Since we also run the protocol in ``response mode'',
$E$ can now feed us the same challenge in step 2. We do not
know where it came from (it's over the air), but if we are in
a fighter aircraft we had better answer it quickly, otherwise we
risk being shot. So we add our own challenge $N'_A$ and
encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
does not need to know this key in order to form the correct
answer for the first protocol. It just replays this
message back to us in challenge mode (step 4). I happily
accept this message---after all it is encrypted under the
secret key $K_{AB}$ and it contains the correct challenge from
me, namely $N_A$. So I accept that $E$ is a friend and even
send back the challenge $N'_A$. The problem is that $E$ now
starts firing at me and I have no clue what is going on. I
might suspect, erroneously, that an idiot must have leaked the
secret key. After all, I followed the protocol to the letter
in both cases, but somehow $E$, unknowingly to me and with my
help, managed to disguise itself as a friend. As a pilot, I
would be a bit peeved at that moment and would have preferred
the designer of this challenge-response protocol had been a tad
smarter. For one thing they violated a best practice in
protocol design by using the same key, $K_{AB}$, for two
different purposes---namely challenging and responding. They
should have used two different keys. This would have averted
this attack and would have saved me a lot of inconvenience.
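The reflection attack above and the two-key remedy, as an added symbolic model (not the handout's code): encryption is represented by records tagged with a key name, so that only a party holding that name can open a ciphertext, and key names, nonces and all class and function names are constructed for the illustration.

```python
"""Symbolic model of the mutual challenge-response protocol and of the
reflection attack on it (added example, not code from the handout).

Encryption is modelled Dolev-Yao style: {m}_K is a record tagged with the
*name* of the key K and can only be opened by a party holding that name.
Key names, nonces and all class and function names are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{body}_key in the handout's notation."""
    key: str
    body: tuple


def decrypt(key: str, ct: Enc) -> tuple:
    """Opening a ciphertext needs exactly the key it was made under."""
    if not isinstance(ct, Enc) or ct.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return ct.body


class Principal:
    """A party that runs the protocol in both modes at once.

    k_chal is the key under which it expects answers to *its own*
    challenges (challenge mode); k_resp is the key under which it
    encrypts answers to challenges it *receives* (response mode).
    k_chal == k_resp is the single-key design the handout criticises."""

    def __init__(self, k_chal: str, k_resp: str):
        self.k_chal, self.k_resp = k_chal, k_resp
        self.my_nonce = None      # N_A, pending while we are challenging
        self.their_nonce = None   # N', pending while we are responding

    # -- challenge mode: A's lines in the handout's protocol --------------
    def challenge(self) -> str:
        """Step 1: send a fresh nonce N_A."""
        self.my_nonce = secrets.token_hex(8)
        return self.my_nonce

    def check_response(self, ct: Enc) -> str:
        """Step 2 received: accept {N_A, N'}_K only if it opens under
        k_chal and echoes our pending nonce; return N' for step 3."""
        echoed, their = decrypt(self.k_chal, ct)
        if echoed != self.my_nonce:
            raise ValueError("response does not echo my challenge")
        return their

    # -- response mode: B's lines in the handout's protocol ---------------
    def respond(self, n: str) -> Enc:
        """Step 2: answer the challenge n with {n, N'}_k_resp."""
        self.their_nonce = secrets.token_hex(8)
        return Enc(self.k_resp, (n, self.their_nonce))

    def check_final(self, n: str) -> bool:
        """Step 3 received: the challenger must return our N'."""
        return n == self.their_nonce


def honest_run(challenger: Principal, responder: Principal) -> bool:
    """The intended run: both parties end up convinced of each other."""
    n_a = challenger.challenge()                 # A -> B : N_A
    ct = responder.respond(n_a)                  # B -> A : {N_A, N_B}_K
    n_b = challenger.check_response(ct)          # A checks, extracts N_B
    return responder.check_final(n_b)            # A -> B : N_B


def reflection_attack(a: Principal) -> bool:
    """E holds no key.  Steps follow the handout's attack table; returns
    True if A ends up accepting E as a friend."""
    n_a = a.challenge()                # 1. A -> E : N_A
    reflected = a.respond(n_a)         # 2. E -> A : N_A ; 3. A -> E : {N_A, N_A'}_K
    try:
        a.check_response(reflected)    # 4. E -> A : {N_A, N_A'}_K  (replayed)
    except ValueError:
        return False                   # A refuses: the reflection is caught
    return True                        # 5. A -> E : N_A'  (E passes as a friend)


def single_key_pair() -> tuple:
    """The criticised design: K_AB serves both challenging and responding."""
    return Principal("K_AB", "K_AB"), Principal("K_AB", "K_AB")


def two_key_pair() -> tuple:
    """The handout's remedy: two different keys.  Answers to A's challenges
    travel under K1, answers to B's challenges under K2, so a message A
    produced in response mode can never pass A's own challenge-mode check."""
    return Principal("K1", "K2"), Principal("K2", "K1")
```

With a single key the honest run and the reflection both succeed; with two keys the honest run still succeeds in both directions while the reflected message fails to decrypt.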

\subsubsection*{Trusted Third Parties}

One limitation of the protocols we have discussed so far is that
they presuppose a shared secret key. As already mentioned,
this is a convenience we cannot always assume. How to
establish a secret key then? Well, if both parties, say $A$
and $B$, mutually trust a third party, say $S$, then they can
use the following protocol:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to S :$ & $A, B$\\
$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
$A \to B :$ & $\{m\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent The assumption in this protocol is that $A$ and $S$
share a secret key, and also $B$ and $S$ ($S$ being the
trusted third party). The goal is that $A$ can send $B$ a
message $m$ under a shared secret key $K_{AB}$, which at the
beginning of the protocol does not exist yet. How does this
protocol work? In the first step $A$ contacts $S$ and says
that it wants to talk to $B$. In turn $S$ invents a new key
$K_{AB}$ and sends two messages back to $A$: one message is
$\{K_{AB}\}_{K_{AS}}$, which is encrypted with the key $A$ and
$S$ share, and the other is the message
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$, which is encrypted first
with $K_{BS}$ and then a second time with $K_{AS}$. The point of
the second message is that it is a message intended for $B$.
So $A$ receives both messages and can decrypt them---in the
first case it obtains the key $K_{AB}$ which $S$ suggested to
use. In the second case it obtains a message it can forward to
$B$ (but cannot read itself, since it is still encrypted under
$K_{BS}$). $B$ receives this message and, since it knows the key
it shares with $S$, obtains the key $K_{AB}$. Now $A$ and $B$ can
start to exchange messages with the shared secret key
$K_{AB}$. What is the advantage of $S$ sending $A$ two
messages instead of contacting $B$ directly? Well, there can be
a time-delay between the second and third step in the
protocol. At some point in the past $A$ and $S$ need to have
come together to share a key, similarly $B$ and $S$. After
that $B$ does not need to be ``online'' anymore until $A$
actually starts sending messages to $B$. $A$ and $S$ can
completely on their own negotiate a new key.

The major limitation of this protocol, however, is that I need
to trust a third party. And in this case completely, because
$S$ can of course also easily read all messages $A$ sends to
$B$. The problem is that I cannot really think of any
institution that could serve as such a trusted third party. One
would hope the government would be such a trusted party, but
in the Snowden era we know that this is wishful thinking in
the West, and if I lived in Iran or North Korea, for example,
I would not even start to hope for this.
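The key-distribution run above, including the check that $S$ can read everything $A$ later sends to $B$, as an added symbolic model (not the handout's code); key names, the message and all class and function names are constructed for the illustration.

```python
"""Symbolic model of the trusted-third-party protocol (added example,
not code from the handout).  {m}_K is a record tagged with the name of
K; only a holder of that name can open it.  Key names, the message and
all class and function names are constructed for the illustration."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    key: str       # name of the key the ciphertext is under
    body: object   # a key name, a message, or another Enc (nesting)


def decrypt(key: str, ct: Enc):
    """Opening a ciphertext needs exactly the key it was made under."""
    if not isinstance(ct, Enc) or ct.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return ct.body


class TrustedServer:
    """S: holds a long-term key with every principal it serves."""

    def __init__(self, long_term: dict):
        self.long_term = long_term   # e.g. {"A": "K_AS", "B": "K_BS"}
        self.issued = {}             # every K_AB that S ever minted, by pair

    def request(self, a: str, b: str) -> tuple:
        """Step 1 received (A, B); step 2: mint K_AB and build both
        messages for A.  B is not contacted at all."""
        k_ab = "K_AB." + secrets.token_hex(4)
        self.issued[(a, b)] = k_ab
        k_as, k_bs = self.long_term[a], self.long_term[b]
        for_a = Enc(k_as, k_ab)               # {K_AB}_{K_AS}
        ticket = Enc(k_as, Enc(k_bs, k_ab))   # {{K_AB}_{K_BS}}_{K_AS}
        return for_a, ticket


def run_protocol(m: str) -> dict:
    """One complete run; returns what each party ends up knowing."""
    s = TrustedServer({"A": "K_AS", "B": "K_BS"})
    k_as, k_bs = "K_AS", "K_BS"    # A's and B's long-term keys with S

    for_a, wrapped_ticket = s.request("A", "B")   # 1. A -> S : A, B ; 2. S -> A
    k_ab_at_a = decrypt(k_as, for_a)               # A learns K_AB
    ticket = decrypt(k_as, wrapped_ticket)         # A peels the outer layer only
    try:
        decrypt(k_as, ticket)                      # inner layer is under K_BS
        a_reads_ticket = True
    except ValueError:
        a_reads_ticket = False                     # A forwards what it cannot read

    # Any amount of time may pass here; B has been offline so far.
    k_ab_at_b = decrypt(k_bs, ticket)              # 3. A -> B : {K_AB}_{K_BS}
    ct = Enc(k_ab_at_a, m)                         # 4. A -> B : {m}_{K_AB}
    received = decrypt(k_ab_at_b, ct)

    # The limitation discussed above: S kept K_AB and can read the traffic.
    s_reads = decrypt(s.issued[("A", "B")], ct)

    return {"keys_agree": k_ab_at_a == k_ab_at_b,
            "a_reads_ticket": a_reads_ticket,
            "b_received": received,
            "s_reads": s_reads}
```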

The cryptographic ``magic'' of public-private keys
seems to offer an elegant solution for this, but as we shall
see in the next section, this requires some very clever
protocol design and does not solve the authentication
problem completely.

\subsubsection*{Averting Person-in-the-Middle Attacks}

The idea of public-private key encryption is that one can
publish the key $K^{pub}$ which people can use to encrypt
messages for me and I can use my private key $K^{priv}$ to be
the only one that can decrypt them. While this sounds all
good, it relies on people being able to associate me
with my public key. That is not as trivial as it sounds. For
example, if I were the government, say Cameron, and tried to
find out who the troublemakers in the country are, I would
publish an innocent-looking webpage and say I am The Guardian
newspaper (or alternatively The Sun for all the juicy
stories), publish a public key on it, and then just wait for
incoming messages.

This problem is supposed to be solved by using certificates.
The purpose of certification organisations is that they verify
that a public key, say $K^{pub}_{Bob}$, really belongs to Bob.
This is also the mechanism underlying the HTTPS protocol. The
problem is that this system is essentially completely
broken\ldots{}but this is a story for another time. Suffice
it to say for now that one of the main certification
organisations, VeriSign, has limited its liability to \$100 in
case it issues a false certificate. This is really a joke and
really the wrong incentive for the certification organisations
to clean up their mess.

The problem we want to study more closely here is that protocols
based on public-private key encryption are susceptible to
simple person-in-the-middle attacks. Consider the following
protocol where $A$ and $B$ attempt to exchange secret messages
using public-private keys.

\begin{itemize}
\item $A$ sends public key to $B$
\item $B$ sends public key to $A$
\item $A$ sends a message encrypted with $B$'s public
key,\\ $B$ decrypts it with its private key
\item $B$ sends a message encrypted with $A$'s public
key,\\ $A$ decrypts it with its private key
\end{itemize}

\noindent In our formal notation for protocols, this would
look as follows:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \to B :$ & $K^{pub}_A$\smallskip\\
$B \to A :$ & $K^{pub}_B$\smallskip\\
$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
\end{tabular}
\end{center}

\noindent Since we assume an attacker, say $E$, has complete
control over the network, $E$ can intercept the first two
messages and substitute her own public key. The protocol
run would therefore be

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
4. & $E \to A :$ & $K^{pub}_E$\smallskip\\
5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
parents:
274
diff
changeset
|
603 |
7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
604 |
8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
605 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
606 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
607 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
608 |
\noindent where in steps 6 and 8, $E$ can modify the messages |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
609 |
by including the $E$ in the message. Both messages are |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
610 |
received encrypted with $E$'s public key; therefore it can |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
611 |
decrypt them and repackage them with new content. $A$ and $B$ |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
612 |
have no idea that they talking to an attacker. To them all |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
613 |
messages look legit. Because $E$ can modify messages, it seems |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
614 |
very difficult to defend against this attack. |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
615 |
|
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
616 |
But there is a clever trick\ldots{}dare I say some magic which |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
617 |
makes this attack very difficult to perform on people who know |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
618 |
each other---but not necessarily have a shared key. Modify the |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
619 |
protocol above so that $A$ and $B$ send their messages in two |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
620 |
halves, like |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
621 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
622 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
623 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
624 |
1. & $A \to B :$ & $K^{pub}_A$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
625 |
2. & $B \to A :$ & $K^{pub}_B$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
626 |
3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
627 |
& & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\ |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
628 |
4. & $A \to B :$ & $H_1$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
629 |
5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
630 |
6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
631 |
7. & $B \to A :$ & $M_2$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
632 |
\end{tabular} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
633 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
634 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
635 |
\noindent The idea is that in step 3, $A$ encrypts the |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
636 |
message (with $B$'s public key) and then splits the encrypted |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
637 |
message into two halves. Say the encrypted message is |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
638 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
639 |
\begin{center} |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
640 |
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}}_{\{A,m\}_{K^{pub}_B}}$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
641 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
642 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
643 |
\noindent then $A$ splits it up into two halves |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
644 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
645 |
\begin{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
646 |
$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
647 |
$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
648 |
\end{center} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
649 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
650 |
\noindent Similarly $B$ splits its message into two halves |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
651 |
$M_1$ and $M_2$. However, $A$ initially only sends the first |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
652 |
half $H_1$ to $B$. Which $B$ answers with the message |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
653 |
consisting of the received $H_1$ and its own first half $M_1$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
654 |
encrypted with $A$'s public key. The message in step 5. $A$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
655 |
receives this message, decrypts it and only when the $H_1$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
656 |
matches with its first half it send out earlier, $A$ |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
657 |
will send out the second half; see step 6. For this, $A$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
658 |
adds the received $M_1$ and encrypts both parts with $B$'s |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
659 |
public key. Finally $B$ checks whether the received $M_1$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
660 |
matches with its first half, and if yes sends $A$ its |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
661 |
second half $M_2$. Now $A$ and $B$ are in the possession |
286
47e06cb75837
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
285
diff
changeset
|
662 |
of $H_1$ and $H_2$, respectively $M_1$ and $M_2$, and can |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
663 |
decrypt the corresponding messages. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
664 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
665 |
Now the big question is, why on earth does this splitting |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
666 |
of messages in half and additional message exchange help |
274
1e1008403f17
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
273
diff
changeset
|
667 |
with defending against person-in-the-middle attacks? Well, |
287
0b9a16ddd625
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
286
diff
changeset
|
668 |
let's try to be an attacker. As before we intercept |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
669 |
the messages where public keys are exchanged and inject |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
670 |
our own. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
671 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
672 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
673 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
674 |
1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
675 |
2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
676 |
3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
677 |
4. & $E \to A :$ & $K^{pub}_E$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
678 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
679 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
680 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
681 |
\noindent |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
682 |
Now $A$ and $B$ build the message halves: |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
683 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
684 |
\[ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
685 |
\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
686 |
\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2 |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
687 |
\] |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
688 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
689 |
\noindent and $A$ sends $E$ its first half of the message. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
690 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
691 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
692 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
693 |
5. & $A \to E :$ & $H_1$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
694 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
695 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
696 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
697 |
\noindent Neither $E$ nor $B$ can do much with this message. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
698 |
Remember it is only half of some ``garbled'' text that cannot |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
699 |
be decrypted. $E$ could try to forward the message to $B$ and |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
700 |
see what its reply is. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
701 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
702 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
703 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
704 |
6. & $E \to B :$ & $H_1$\\ |
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
705 |
7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
706 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
707 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
708 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
709 |
\noindent Although $E$ can decrypt the message with its |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
710 |
private key, but it only gets the halves $H_1$ and $M_1$ which |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
711 |
are of no use yet. In order to get more information it |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
712 |
can send the message to $A$ with $A$'s public key. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
713 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
714 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
715 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
716 |
8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
717 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
718 |
\end{center} |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
719 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
720 |
\noindent $A$ would receive this message, decrypt it and |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
721 |
find out it matches with its expectation. It therefore |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
722 |
sends out the message |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
723 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
724 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
725 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
726 |
9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
727 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
728 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
729 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
730 |
\noindent Now $E$ is in the possession of $H_1$ and $H_2$, |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
731 |
which it can join together in order to obtain |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
732 |
$\{A,m\}_{K^{pub}_E}$ which it can decrypt. It seems |
286
47e06cb75837
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
285
diff
changeset
|
733 |
like from now on all is lost, but let's see: in order to |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
734 |
stay undetected it must send a message to $B$. It now has two |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
735 |
options: one is to use the newly obtained knowledge and |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
736 |
modify $A$'s message to be |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
737 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
738 |
\[ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
739 |
\{E,m\}_{K^{pub}_B} \;\mapsto\; H'_1,H'_2 |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
740 |
\] |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
741 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
742 |
\noindent But notice since $E$ changed the message, |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
743 |
it will now receive two different halves. Let us call |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
744 |
them $H'_1$ and $H'_2$. If $E$ now sends $B$ the $H'_2$, |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
745 |
$B$ will be in the possession of $H_1$ and $H'_2$. But |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
746 |
after joining both halves it will not be able to |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
747 |
decrypt the resulting message---the two halves simply |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
748 |
do not fit. It can send out the original $H_2$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
749 |
as follows: |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
750 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
751 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
752 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
753 |
10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
754 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
755 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
756 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
757 |
\noindent |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
758 |
In this case $B$ can make sense out of the message and |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
759 |
as a result sends $E$ back its second half $M_2$. |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
760 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
761 |
\begin{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
762 |
\begin{tabular}{ll@{\hspace{2mm}}l} |
275
06a04b3b2dda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
274
diff
changeset
|
763 |
11. & $B \to E :$ & $M_2$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
764 |
\end{tabular} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
765 |
\end{center} |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
766 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
767 |
\noindent $E$ might be ecstatic by now, because it has now |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
768 |
also received $M_1$ and $M_2$ which it can join to |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
769 |
get $\{B, m'\}_{K^{pub}_E}$. It can decrypt this message |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
770 |
but still is not finished completely, because it has to send |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
771 |
$A$ a message. It could try to build the message |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
772 |
$\{E, m'\}_{K^{pub}_A}$, but like above $A$ would not be able |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
773 |
to make sense out of the two halves (which again do not fit |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
774 |
together). So one option is to send $M_2$. |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
775 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
776 |
With this the protocol has ended. $E$ was able to decrypt all |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
777 |
messages, but what messages did $A$ and $B$ receive and from |
286
47e06cb75837
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
285
diff
changeset
|
778 |
whom? Do you notice that $A$ and $B$ will find out that |
287
0b9a16ddd625
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
286
diff
changeset
|
779 |
something strange is going on and probably not talk on this |
286
47e06cb75837
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
285
diff
changeset
|
780 |
channel anymore? I leave you to think about it. |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
781 |
\footnote{\rotatebox{180}{ |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
782 |
\begin{minipage}{10cm} |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
783 |
Consider the case where $A$ sends |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
784 |
the message ``How is your grandmother?'' to $B$, and $B$ |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
785 |
send the message ``How is the weather in London today'' to $A$. |
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
786 |
\end{minipage}}} |
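The split-message exchange above, simulated as an added example that is not part of the handout: the honest run of steps 1--7, and the run with $E$ in the middle, each ending with what $A$, $B$ and $E$ can actually decrypt. Public-key encryption is stood in by a toy hashed-ElGamal hybrid with an integrity tag (an assumption of this example, not a scheme the handout uses), chosen only so that a ciphertext opens with the matching private key alone and two halves of different ciphertexts do not fit together.

```python
"""Interlock (split-message) exchange of the handout, simulated.  Added example,
not the handout's code.  Public-key encryption is stood in by a toy hashed
ElGamal hybrid over the Mersenne prime 2^127-1 with an HMAC tag (an assumption
of this example, not a production scheme); it provides only what the argument
needs: a ciphertext opens only with the matching private key, half a ciphertext
reveals nothing, and halves of different ciphertexts do not fit together."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # M127, toy group modulus (constructed choice, not a real DH group)
G = 3


def keygen():
    """Return (private, public) for the toy scheme."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(pub, payload):
    """{payload}_pub = c1 || payload XOR keystream || HMAC over c1 and the XOR part."""
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P).to_bytes(16, "big")
    key = hashlib.sha256(pow(pub, r, P).to_bytes(16, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    return c1 + ct + hmac.new(key, c1 + ct, hashlib.sha256).digest()


def decrypt(priv, blob):
    """Return the payload, or None when the blob does not fit together under priv."""
    if len(blob) < 48:
        return None
    c1, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = hashlib.sha256(pow(int.from_bytes(c1, "big"), priv, P).to_bytes(16, "big")).digest()
    if not hmac.compare_digest(tag, hmac.new(key, c1 + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def halves(blob):
    """Split a ciphertext into its two halves, as in step 3 of the handout."""
    return blob[:len(blob) // 2], blob[len(blob) // 2:]


def interlock(m, m_prime, attacker=False, forge=False):
    """Run the protocol between A and B; with attacker=True, E swaps in K^pub_E
    in steps 2 and 4 and plays the run of steps 5-11.  forge=True is E's first
    option (re-labelling as {E,m}), forge=False its second (forwarding H_2, M_2).
    Returns what A and B can decrypt at the end and what E learned on the way."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    e_priv, e_pub = keygen()
    # Steps 1-4: after the key exchange each side holds the key it was handed.
    a_thinks_b, b_thinks_a = (e_pub, e_pub) if attacker else (b_pub, a_pub)
    # Step 3: encrypt, then split; nothing has been sent yet.
    H1, H2 = halves(encrypt(a_thinks_b, b"A," + m))
    M1, M2 = halves(encrypt(b_thinks_a, b"B," + m_prime))
    e_learned = []

    # Step 4 (5/6): A -> B : H1.  E can only forward it; half a ciphertext is useless.
    # Step 5 (7):   B -> A : {H1, M1} under the key B believes to be A's.
    wire = encrypt(b_thinks_a, H1 + M1)
    if attacker:                       # step 8: E opens it, then re-encrypts for A
        e_H1_M1 = decrypt(e_priv, wire)
        wire = encrypt(a_pub, e_H1_M1)
    got = decrypt(a_priv, wire)
    if got is None or got[:len(H1)] != H1:
        return {"A": None, "B": None, "E": e_learned}   # A stops here
    M1_at_A = got[len(H1):]

    # Step 6 (9): A -> B : {H2, M1} under the key A believes to be B's.
    wire = encrypt(a_thinks_b, H2 + M1_at_A)
    if attacker:                       # step 10: E now has H1 and H2 and reads {A,m}
        e_H2 = decrypt(e_priv, wire)[:len(H2)]
        e_learned.append(decrypt(e_priv, e_H1_M1[:len(H1)] + e_H2))
        if forge:                      # option one: fresh halves H'1, H'2 of {E,m}
            _, e_H2 = halves(encrypt(b_pub, b"E," + e_learned[-1][2:]))
        wire = encrypt(b_pub, e_H2 + e_H1_M1[len(H1):])
    got = decrypt(b_priv, wire)
    if got is None or got[-len(M1):] != M1:
        return {"A": None, "B": None, "E": e_learned}   # B stops here
    H2_at_B = got[:-len(M1)]

    # Step 7 (11): B -> A : M2, in the clear like H1.
    M2_at_A = M2
    if attacker:                       # E joins M1, M2 and reads {B,m'}
        e_learned.append(decrypt(e_priv, e_H1_M1[len(H1):] + M2))
        if forge:                      # option one again: M'2 of {E,m'} for A
            _, M2_at_A = halves(encrypt(a_pub, b"E," + e_learned[-1][2:]))
    # Only now do A and B join their halves and try to decrypt.
    return {"A": decrypt(a_priv, M1_at_A + M2_at_A),
            "B": decrypt(b_priv, H1 + H2_at_B),
            "E": e_learned}
```

In the attacked runs $E$ reads both $m$ and $m'$, but whichever option it picks, neither $A$ nor $B$ can decrypt the halves they end up holding, which is the detectable "something strange" the text asks about.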
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
787 |
|
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
788 |
Recall from the beginning that a person-in-the middle |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
789 |
attack can easily be mounted at the key fob and car |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
790 |
protocol unless we are careful. If you look at actual |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
791 |
key fob protocols, they use a variant of the protocol |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
792 |
described above. Suppose $C$ is the car and $T$ is the key fob |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
793 |
(transponder). The HiTag2 protocol used in cars of |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
794 |
VW \& friends is as follows: |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
795 |
|
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
796 |
\begin{enumerate} |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
797 |
\item $C$ generates a random number $N$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
798 |
\item $C$ calculates $\{N\}_K \mapsto F,G$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
799 |
\item $C \to T$: $N, F$ |
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
800 |
\item $T$ calculates $\{N\}_K \mapsto F',G'$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
801 |
\item $T$ checks that $F = F'$ |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
802 |
\item $T \to C$: $N, G'$ |
271
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
803 |
\item $C$ checks that $G = G'$ |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
804 |
\end{enumerate} |
4796f424cf12
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
270
diff
changeset
|
805 |
|
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
806 |
\noindent The assumption is that the key $K$ is only known to |
273
03321ef4349a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
272
diff
changeset
|
807 |
the car and the transponder. The claim is that $C$ and $T$ can |
03321ef4349a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
272
diff
changeset
|
808 |
authenticate to each other. Again, I leave it to you to find |
293
4e2eb1039ba5
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
287
diff
changeset
|
809 |
out if this protocol is immune from |
272
4f4612d5f670
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
271
diff
changeset
|
810 |
person-in-the-middle attacks. |
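The seven steps above, simulated in Python as an added example that is not code from the handout or from any real car or transponder. The keyed computation $\{N\}_K \mapsto F,G$ is an assumption made here: HMAC-SHA256 stands in for the actual HiTag2 stream cipher, and its output is split into two halves that play the roles of $F$ and $G$. The simulation shows what the two checks buy: a transponder without $K$ never answers (its $F'$ does not match), a car without $K$ is refused for the same reason, and a reply recorded from an earlier run fails against a fresh $N$. It says nothing about the person-in-the-middle question the handout leaves open.

```python
"""Simulation of the car (C) / transponder (T) challenge-response protocol.

Added example, not code from the handout. The keyed function {N}_K is an
assumption: HMAC-SHA256 stands in for the real HiTag2 stream cipher, and its
32-byte output is split into two 16-byte halves F and G.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def encrypt_nonce(key: bytes, nonce: bytes) -> Tuple[bytes, bytes]:
    """{N}_K |-> F, G  (stand-in: HMAC-SHA256 output split into two halves)."""
    digest = hmac.new(key, nonce, hashlib.sha256).digest()
    return digest[:16], digest[16:]


class Car:
    """C: issues a fresh challenge and checks the transponder's answer."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nonce: Optional[bytes] = None
        self.expected_g: Optional[bytes] = None

    def challenge(self) -> Tuple[bytes, bytes]:
        # Steps 1-3: pick a fresh N, compute F,G, send N and F to T.
        self.nonce = secrets.token_bytes(8)
        f, self.expected_g = encrypt_nonce(self.key, self.nonce)
        return self.nonce, f

    def verify(self, nonce: bytes, g_prime: bytes) -> bool:
        # Step 7: the reply must refer to the current challenge and G must equal G'.
        if self.nonce is None or nonce != self.nonce:
            return False
        return hmac.compare_digest(g_prime, self.expected_g)


class Transponder:
    """T: only answers challenges that carry a correct F."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, nonce: bytes, f: bytes) -> Optional[Tuple[bytes, bytes]]:
        # Steps 4-6: recompute F',G'; stay silent unless F = F'.
        f_prime, g_prime = encrypt_nonce(self.key, nonce)
        if not hmac.compare_digest(f, f_prime):
            return None
        return nonce, g_prime


def run_protocol(car: Car, transponder: Transponder) -> bool:
    """One complete run of the seven steps; True iff both checks pass."""
    nonce, f = car.challenge()
    reply = transponder.respond(nonce, f)
    if reply is None:
        return False
    n, g_prime = reply
    return car.verify(n, g_prime)


def replay_rejected(car: Car, transponder: Transponder) -> bool:
    """A reply recorded from an earlier run must not satisfy a fresh challenge."""
    nonce, f = car.challenge()
    recorded = transponder.respond(nonce, f)
    assert recorded is not None
    car.challenge()                      # new N, hence a new expected G
    return not car.verify(*recorded)


if __name__ == "__main__":
    k = secrets.token_bytes(16)          # constructed shared key K
    print("shared key :", run_protocol(Car(k), Transponder(k)))
    print("wrong fob  :", run_protocol(Car(k), Transponder(secrets.token_bytes(16))))
    print("wrong car  :", run_protocol(Car(secrets.token_bytes(16)), Transponder(k)))
    print("replay     :", replay_rejected(Car(k), Transponder(k)))
```

The transponder deliberately stays silent on a failed $F$ check rather than returning an error, which is what a real immobilizer does; the constant-time comparisons are there because both checks compare secret-derived values.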


\subsubsection*{Further Reading}

A blog post that describes the first few milliseconds of an HTTPS connection
is at

\begin{center}
\url{http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html}
\end{center}

\noindent
It disentangles every message sent between a client and a server.

If you want to know more about how cars can be hijacked,
the paper

\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}

\noindent is quite amusing to read. Obviously an even more
amusing paper would be ``Dismantling Megamos Crypto:
Wirelessly Lockpicking a Vehicle Immobilizer'' by the same
authors, but because of the court injunction by VW,
we are denied this entertainment.

Person-in-the-middle attacks from the ``wild'' are described
with real data in the blog post

\begin{center}
\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
\end{center}

\noindent The conclusion in this post is that person-in-the-middle attacks
can be launched from any place on Earth---it is not required
that you sit in the ``middle'' of the communication of two people.
You just have to route their traffic through a node you own.

An article in The Guardian from 2013 reveals how GCHQ and the NSA at a
G20 Summit in 2009 sniffed emails from Internet cafes, monitored phone
calls from delegates and attempted to listen in on phone calls which were made
by Russians and which were transmitted via satellite links:

\begin{center}
\url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
\end{center}

\noindent
\ldots all in the name of having a better position for
negotiations. Hmmm\ldots

A paper on how the NSA can decrypt so much of the encrypted
Internet traffic:

\begin{center}
\url{https://weakdh.org/imperfect-forward-secrecy.pdf}
\end{center}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: