handouts/ho05.tex
changeset 265 2ce6b7c94763
parent 264 0079db1a1c9d
child 266 e711cfd1ec70
264:0079db1a1c9d 265:2ce6b7c94763
   239 
   239 
   240 \begin{center}
   240 \begin{center}
   241 $A \to B: K_{AB}$ 
   241 $A \to B: K_{AB}$ 
   242 \end{center}
   242 \end{center}
   243 
   243 
       
   244 \noindent It can be sought of as $A$ sends a common secret to
       
   245 $B$ like a password. The idea is that if only $A$ and $B$ know
       
   246 the key $K_{AB}$ then this should be sufficient for $B$ to
       
   247 infer it is talking to $A$. But this is of course too naive,
       
   248 if the message can be observed by everybody else on the
       
   249 network. Eve could just record this message $A$ just send, and
       
   250 next time send the same message to $B$ and $B$ would believe
       
   251 it talked to $A$. But actually it talked to Eve which now
       
   252 clears out $A$s back account if $B$ had been a bank.
       
   253 
       
   254 A more sophisticated protocol which tries to avoid the
       
   255 replay attack is as follows
       
   256 
       
   257 \begin{center}
       
   258 \begin{tabular}{l@{\hspace{2mm}}l}
       
   259 $A \to B:$ & $HELLO$\\
       
   260 $B \to A:$ & $N$\\
       
   261 $A \to B:$ & $\{N\}_{K_{AB}}$\\
       
   262 \end{tabular}
       
   263 \end{center} 
       
   264 
       
   265 \noindent With this protocol the idea is that $A$ first sends 
       
   266 a message to $B$ saying ``I want to talk to you''. $B$ sends 
       
   267 then a challenge in form of a random number $N$. In protocols 
       
   268 such random numbers are often called \emph{nonce}. What is the
       
   269 purpose of this nonce? Well, if an attacker records $A$ 
       
   270 answer, it will not make sense to replay this message, because
       
   271 next time this protocol is run the nonce $B$ sends will be
       
   272 different. So if we run this protocol, what can $B$ infer:
       
   273 it has send out an (unpredictable) nonce to $A$ and
       
   274 received this challenge back, but encoded under the key 
       
   275 $K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$
       
   276 and the nonce is unpredictable, then $B$ is able to
       
   277 infer it must be talking to $A$. Of course the implicit 
       
   278 assumption on this inference are that nobody else knows
       
   279 about the key $K_{AB}$ and nobody else can decrypt the
       
   280 message. $B$ of course can decrypt the answer from $A$
       
   281 and check whether the answer corresponds to the challenge
       
   282 (nonce) $B$ has send earlier.
       
   283 
       
   284 But what about $A$? Can $A$ make any assumptions about who it
       
   285 talks to? It dutifully answered the challenge and hopes its
       
   286 bank, say, will be the only one to understand her answer. But
       
   287 is this the case? No! Lets consider an attacker Eve who has
       
   288 control over the network. She could have intercepted the
       
   289 message $HELLO$ and just replied herself to $A$ using a random
       
   290 number\ldots{} for example one which she observed in a
       
   291 previous run of this protocol. Remember that if a message is
       
   292 send without curly braces it is sent in clear text. Then
       
   293 $A$ would encrypt the nonce with the key $K_{AB}$ and send
       
   294 it back to Eve. She just throws the answer away. $A$ would
       
   295 hope that she talked to $B$ because she followed the protocol,
       
   296 but unfortunately she cannot be sure who she is talking to. 
       
   297 
       
   298 The solution is to follow a \emph{mutual challenge-response}
       
   299 protocol. There $A$ already starts off with a challenge (nonce)
       
   300 on her own.
       
   301 
       
   302 \begin{center}
       
   303 \begin{tabular}{l@{\hspace{2mm}}l}
       
   304 $A \to B:$ & $N_A$\\
       
   305 $B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
       
   306 $A \to B:$ & $N_B$\\
       
   307 \end{tabular} 
       
   308 \end{center}
       
   309 
       
   310 \noindent As seen, $B$ receives this nonce, $N_A$, adds his
       
   311 own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$
       
   312 receives this message, is able to decrypt it since we assume
       
   313 she has the key $K_{AB}$, and sends back the nonce of $B$.
       
   314 Let us analyse which assumptions $A$ and $B$ can make after 
       
   315 the protocol has run. $B$ received a challenge and answered 
       
   316 correctly to $A$ (in the encrypted message). An attacker
       
   317 would just not be able to answer this challenge correctly 
       
   318 because the attacker is assumed to not be in the possession of
       
   319 the key $K_{AB}$; so could not have formed this message.
       
   320 It could also not have just replayed an old message, because
       
   321 $A$ would send out each time a fresh nonce. So with this
       
   322 protocol you can ensure also for $A$ that it talks to $B$.
       
   323 I leave you to argue that $B$ can be sure to talk to $A$.
       
   324 Of course these arguments will depend on the assumptions that
       
   325 only $A$ and $B$ know the key $K_{AB}$ and that nobody can
       
   326 break the encryption unless they have this key.
       
   327 
   244 
   328 
   245 
   329 
   246 \bigskip\bigskip
   330 \bigskip\bigskip
   247 Keyfobs - protocol
   331 Keyfobs - protocol
   248 
   332
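Review bot: the analysis paragraph after the mutual challenge-response protocol (new lines 310-326) argues only $A$'s side and leaves $B$'s assurance as an exercise, yet the third message `$A \to B:$ & $N_B$` travels in clear under the convention stated on lines 291-292, so the text should state why that is safe: $N_B$ left $B$ only inside `$\{N_A, N_B\}_{K_{AB}}$`, hence whoever returns it in clear must have decrypted that message with $K_{AB}$, and an old $N_B$ cannot be replayed because $B$ picks a fresh one each run; without that sentence a reader may take the clear-text reply as the weak link. Lines 274 and 278 say the nonce comes back "encoded under the key" and that nobody else can "decrypt" it; use "encrypted" in both places, matching lines 275 and 293, and state the shared-key assumption once rather than in two consecutive sentences (275-279). Typos in the added prose: "sought of" (244) should read "thought of", "$A$s back account" (252) should read "$A$'s bank account", "send" is used as the past participle on 249, 273, 282 and 292 where "sent" is meant, "Lets" (287) needs an apostrophe, "$A$ answer" (269) should read "$A$'s answer", and "assumption on this inference are" (278) should read "assumptions of this inference are".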