sen-material: comparison handouts/ho05.tex

equal deleted inserted replaced

-:1e1008403f17
+:06a04b3b2dda
 \begin{document}
 \section*{Handout 5 (Protocols)}
 Protocols are the computer science equivalent to fractals and
-the Mandelbrot set in mathematics. With the latter you have a
+the Mandelbrot set in mathematics. With the latter two you
-simple formula which you just iterate and then you test
+have a simple formula, which you just iterate and then you
-whether a point is inside or outside a region, and voila
+test whether a point is inside or outside a region\ldots{}it
-something magically
+does not look exciting, but voila something magically
 happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
 \url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
 are similar: they are simple exchanges of messages, but in the
 end something ``magical'' can happen---for example a secret
 channel has been established or two entities have
-authenticated themselves to each other. The problem with magic
+authenticated themselves to each other. Even in face of strong
-is of course it is poorly understood and even experts often
+adversaries where we have no control over the network over
-got, and get, it wrong with protocols.
+which our messages are exchanged. The problem with magic is of
+course it is poorly understood and even experts often got, and
-To have an idea what kind of protocols we are interested, let
+get, it wrong with protocols.
+To have an idea what kind of protocols we are interested in, let
 us look at a few examples. One example are (wireless) key
-fobs which operate the central locking system and the
+fobs, which operate the central locking system and the
 ignition in a car.
 \begin{center}
 \includegraphics[scale=0.075]{../pics/keyfob.jpg}
 \quad
 \includegraphics[scale=0.2025]{../pics/startstop.jpg}
 \end{center}
 \noindent The point of these key fobs is that everything is
 done over the ``air''---there is no physical connection
-between the key, doors and engine. So we must achieve security
+between the key, doors and engine, as was the case with the
-by exchanging certain messages between the key fob on one side
+old solid metal keys. With the key fobs we must achieve
-and doors and engine on the other. Clearly what we like to
+security by exchanging certain messages between the key fob on
-achieve is that I can get into my car and start it, but that
+one side and the doors and engine on the other. Clearly what
-thieves are kept out. The problem is that everybody can
+we like to accomplish is that I can get into my car and start
-``overhear'' or skim the exchange of messages between the key
+it, but that thieves are kept out. The problem is that
-fob and car. In this scenario the simplest attack you need to
+everybody can ``overhear'' or skim the exchange of messages
-defend against is a person-in-the-middle attack. Imagine you
+between the key fob and car. In this scenario the simplest
-park your car in front of a supermarket. One thief follows you
+attack you need to defend against is a person-in-the-middle
-with a strong transmitter. A second thief ``listens'' to the
+attack. For this imagine you park your car in front of a
-signal from the car and wirelessly transmits it to the
+supermarket. One thief follows you with a strong transmitter.
-``colleague'' who followed you and who silently enquires about
+A second thief ``listens'' to the signals from the car and
-the answer from the key fob. The answer is then send back to
+wirelessly transmits them to the ``colleague'' who followed
-the thief at the car, which then dutifully opens and possibly
+you. This thief silently enquires what the key fob answers.
-starts. No need to steal your key anymore.
+This answer is then send back to the thief at the car. If done
+properly the car will dutifully open and possibly start. No
-But there are many more such protocols we like to consider.
+need to steal your keys anymore.
-Other examples are wifi---you might sit at a Starbucks and
+But there are many more such protocols we like to treat.
+Another example is Wifi---you might sit at a Starbucks and
 talk wirelessly to the free access point there and from there
-talk with your bank, for example. Also even if your have to
+talk to your bank. Moreover, even if your have to touch your
-touch your Oyster card at the reader each time you enter and
+Oyster card at the reader each time you enter or exit the
-exit the Tube, it actually operates wirelessly and with
+Tube, it actually operates wirelessly and with appropriate
-appropriate equipment over some quite large distance. But
+equipment over some quite large distance (several meters). But
-there are many many more examples (Bitcoins, mobile
+there are many, many more examples (Bitcoins, mobile
 phones,\ldots). The common characteristics of the protocols we
-are interested in here is that an adversary or attacker is
+are interested in is that an adversary or attacker is assumed
-assumed to be in complete control over the network or channel
+to be in complete control over the network or channel over
-over which you exchanging messages. An attacker can install a
+which we exchanging messages. An attacker can install a packet
-packet sniffer on a network, inject packets, modify packets,
+sniffer on a network, inject packets, modify packets, replay
-replay old messages, or fake pretty much everything. In this
+old messages, or fake pretty much everything else. In this
-hostile environment, the purpose of protocols (that is
+hostile environment, the purpose of a protocol (that is
-exchange of messages) is to achieve some security goal, for
+exchange of messages) is to achieve some security goal. For
-example only allow the owner of the car in but everybody else
+example only allow the owner of the car in, but everybody else
-should be kept out.
+should stay out.
 The protocols we are interested here are generic descriptions
-of how to exchange messages in order to achieve a goal, be it
+of how to exchange messages in order to achieve a goal. Unlike
-establishing a mutual secure connection or being able to
+the distant past where, for example, we had to meet a person in
-authenticate to a system. Unlike the distant past where for
+order to authenticate him or her (via a passport for example),
-example we had to meet a person in order to authenticate him
+the problem we are facing on the Internet is that we cannot
-or her (via a passport for example), the problem we are facing
+easily be sure who we are ``talking'' to. The obvious reason
-on the Internet is that we cannot easily be sure who we are
+is that only some electrons arrive at our computer; we do not
-``talking'' to. The obvious reason is that only some electrons
+see the person, or computer, behind the incoming electrons
-arrive at our computer; we do not see the person, or computer,
+(messages).
-behind the incoming electrons (messages).
 To start, let us look at one of the simplest protocols that
 are part of the TCP protocol (which underlies the Internet).
 This protocol does not do anything security relevant, it just
 establishes a ``hello'' from a client to a server which the
 \begin{center}
 \begin{tabular}{lllll}
 & \multicolumn{2}{l}{challenge mode:} &
 \multicolumn{2}{l}{response mode:}\smallskip\\
-1) & $A \rightarrow E$: & $N_A$\\
+1. & $A \rightarrow E$: & $N_A$\\
-2) & & & $E \rightarrow A$: & $N_A$\\
+2. & & & $E \rightarrow A$: & $N_A$\\
-3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
-4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
-5) & $A \rightarrow E$: & $N_A'$\\
+5. & $A \rightarrow E$: & $N_A'$\\
 \end{tabular}
 \end{center}
 \noindent In the first step we challenge $E$ with a nonce we
 created. Since we also run the protocol in ``response mode'',
 messages and substitutes her own public key. The protocol
 run would therefore be
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
-2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
-3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
-4) & $E \to A :$ & $K^{pub}_E$\smallskip\\
+4. & $E \to A :$ & $K^{pub}_E$\smallskip\\
-5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
+5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
-6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
+6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
-7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
+7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
-8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
+8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
 \end{tabular}
 \end{center}
 \noindent where in steps 6 and 8, $E$ can modify the messages
 by including the $E$ in the message. Both messages are
 Modify the protocol above so that $A$ and $B$ send their
 messages in two halves, like
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to B :$ & $K^{pub}_A$\smallskip\\
+1. & $A \to B :$ & $K^{pub}_A$\smallskip\\
-2) & $B \to A :$ & $K^{pub}_B$\smallskip\\
+2. & $B \to A :$ & $K^{pub}_B$\smallskip\\
-3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
+3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
 & & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\
-4) & $A \to B :$ & $H_1$\smallskip\\
+4. & $A \to B :$ & $H_1$\smallskip\\
-5) & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
+5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
-6) & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
+6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
-7) & $B \to A :$ & $M_2$
+7. & $B \to A :$ & $M_2$
 \end{tabular}
 \end{center}
 \noindent The idea is that in step 3, $A$ encrypts the
 message (with $B$'s public key) and then splits the encrypted
 the messages where public keys are exchanged and inject
 our own.
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
-2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
-3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
-4) & $E \to A :$ & $K^{pub}_E$
+4. & $E \to A :$ & $K^{pub}_E$
 \end{tabular}
 \end{center}
 \noindent
 Now $A$ and $B$ build the message halves:
 \noindent and $A$ sends $E$ its first half of the message.
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-5) & $A \to E :$ & $H_1$
+5. & $A \to E :$ & $H_1$
 \end{tabular}
 \end{center}
 \noindent Neither $E$ nor $B$ can do much with this message.
 Remember it is only half of some ``garbled'' text that cannot
 be decrypted. $E$ could try to forward the message to $B$ and
 see what its reply is.
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-6) & $E \to B :$ & $H_1$\\
+6. & $E \to B :$ & $H_1$\\
-7) & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
+7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
 \end{tabular}
 \end{center}
 \noindent Although $E$ can decrypt the message with its
 private key, but it only gets the halves $H_1$ and $M_1$ which
 are of no use yet. In order to get more information it
 can send the message to $A$ with $A$'s public key.
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-8) & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
+8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
 \end{tabular}
 \end{center}
 \noindent $A$ would receive this message, decrypt it and
 find out it matches with its expectation. It therefore
 sends out the message
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-9) & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
+9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
 \end{tabular}
 \end{center}
 \noindent Now $E$ is in the possession of $H_1$ and $H_2$,
 which it can join together in order to obtain
 do not fit. So it can only send out the original $H_2$
 as follows:
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-10) & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
+10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
 \end{tabular}
 \end{center}
 \noindent
 In this case $B$ can make sense out of the message and
 as a result sends $E$ back its second half $M_2$.
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-11) & $B \to E :$ & $M_2$
+11. & $B \to E :$ & $M_2$
 \end{tabular}
 \end{center}
 \noindent $E$ might be ecstatic by now, because it has now
 also received $M_1$ and $M_2$ which it can join to
 \begin{center}
 \url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
 \end{center}
-\noindent is quite amusing to read. Obviously an even more
+\noindent is quite amusing to read. Obviously an even more amusing
-amusing paper would be ``Dismantling Megamos Crypto:
+paper would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
-Wirelessly Lockpicking a Vehicle Immobilizer'' but because
+Vehicle Immobilizer'' by the same authors, but because of the court
-of the court injuction by VW we are denied this entertainment.
+injuction by VW in this case, we are denied this entertainment.
-Person-in-the-middle-attacks in the ``wild'' are described
+Person-in-the-middle-attacks from the ``wild'' are described
 with real data in the blog post
 \begin{center}
 \url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
 \end{center}
 \noindent The conclusion in this post is that person-in-the-middle-attacks
 can be launched from any place on Earth---it is not required
-to sit in the ``middle'' of the communication of two people.
+that you sit in the ``middle'' of the communication of two people.
 You just have to route their traffic through a node you own.
 \end{document}
 %%% Local Variables:

changeset 275	06a04b3b2dda
parent 274	1e1008403f17
child 279	5616e664c020