373 |
373 |
374 While the mutual challenge-response protocol solves already |
374 While the mutual challenge-response protocol solves already |
375 the authentication problem, there are some problems. One is of |
375 the authentication problem, there are some problems. One is of |
376 course that it requires a pre-shared secret key. That is |
376 course that it requires a pre-shared secret key. That is |
377 something that needs to be established beforehand. Not all |
377 something that needs to be established beforehand. Not all |
378 situations allow such an assumption. For example if I am |
378 situations allow such an assumption. For example if I am a |
379 a whistle blower (say Snowden) and want to talk to a |
379 whistle blower (say Snowden) and want to talk to a journalist |
380 journalist (say Greenwald) then I might not have a secret |
380 (say Greenwald) then I might not have a secret pre-shared key. |
381 pre-shared key. The other problem is that such mutual |
381 |
382 challenge-response systems often work in the same system |
382 |
383 in the ``challenge mode'' but also in the ``response mode''. |
383 Another problem is that such mutual challenge-response systems |
384 For example if two servers want to talk to each other---they |
384 often work in the same system in the ``challenge mode'' but |
385 would need the protocol in response mode, but also if they |
385 also in the ``response mode''. For example if two servers want |
386 want to talk to other servers in challenge mode. Similarly |
386 to talk to each other---they would need the protocol in |
387 if you in an military aircraft you have to challenge everybody |
387 response mode, but also if they want to talk to other servers |
388 you see, in case there is a friend amongst the targets you |
388 in challenge mode. Similarly if you in an military aircraft |
389 like to shoot, but you also have to respond to any of your |
389 you have to challenge everybody you see, in case there is a |
390 own anti-aircraft guns on the ground. In these situations |
390 friend amongst the targets you like to shoot, but you also |
391 you have to be careful to not decode, or answer, your own |
391 have to respond to any of your own anti-aircraft guns on the |
392 challenge. |
392 ground lest they shoot you. In these situations you have to be |
393 |
393 careful to not decode, or answer, your own challenge. Recall |
394 |
394 the protocol is |
|
395 |
|
396 \begin{center} |
|
397 \begin{tabular}{l@{\hspace{2mm}}l} |
|
398 $A \rightarrow B$: & $N_A$\\ |
|
399 $B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\ |
|
400 $A \rightarrow B$: & $N_B$\\ |
|
401 \end{tabular} |
|
402 \end{center} |
|
403 |
|
404 \noindent but it does not specify who is $A$ and who is $B$. |
|
405 If, as supposed, the protocol works in response and in |
|
406 challenge mode, then $A$ will be $A$ in one instance, but $B$ |
|
407 in the other. I hope this makes sense. Let us look at the |
|
408 details and lets assume our adversary is $E$ who just deflects |
|
409 our messages back to us. |
|
410 |
|
411 \begin{center} |
|
412 \begin{tabular}{lllll} |
|
413 & \multicolumn{2}{l}{challenge mode:} & |
|
414 \multicolumn{2}{l}{response mode:}\smallskip\\ |
|
415 1) & $A \rightarrow E$: & $N_A$\\ |
|
416 2) & & & $E \rightarrow A$: & $N_A$\\ |
|
417 3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\ |
|
418 4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\ |
|
419 5) & $A \rightarrow E$: & $N_A'$\\ |
|
420 \end{tabular} |
|
421 \end{center} |
|
422 |
|
423 \noindent In the first step we challenge $E$ with a nonce we |
|
424 created. Since we also run the protocol in ``response mode'', |
|
425 $E$ can now feed us the same challenge in step 2. We do not |
|
426 know where it came from (it's over the air), but if we are in |
|
427 an aircraft we should better quickly answer it, otherwise we |
|
428 risk to be shot. So we add our own challenge $N'_A$ and |
|
429 encrypt it under the secret key $K_{AB}$ (step 3). Now $E$ |
|
430 does not need to know this key in order to form the correct |
|
431 answer for the first protocol. It will just replays this |
|
432 message back to us in the challenge mode (step 4). I happily |
|
433 accept this message---after all it is encrypted under the |
|
434 secret key $K_{AB}$ and it contains the correct challenge from |
|
435 me, namely $N_A$. So I accept that $E$ is a friend and send |
|
436 even back the challenge $N'_A$. The problem is that $E$ now |
|
437 starts firing at me and I have no clue what is going on and |
|
438 suspect, erroneously, that an idiot must have leaked the |
|
439 secret key. I followed in both cases the protocol to the |
|
440 letter, but somehow $E$, with my help, managed to disguise as |
|
441 a friend. As a pilot, I would rather prefer the designer of |
|
442 this challenge-response protocol were a tad smarter. For one |
|
443 thing they violated the best practice in protocol design of |
|
444 using the same key, $K_{AB}$, for two different |
|
445 purposes---challenging and responding. They better had used |
|
446 two different keys. This would have averted this attack and |
|
447 would have saved me a lot of trouble. |
395 |
448 |
396 \bigskip\bigskip |
449 \bigskip\bigskip |
397 Keyfobs - protocol |
450 Keyfobs - protocol |
398 |
451 |
399 \subsubsection*{Further Reading} |
452 \subsubsection*{Further Reading} |
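Review bot: The sentence added at new lines 442-445 states the best practice backwards: "they violated the best practice in protocol design of using the same key, $K_{AB}$, for two different purposes" reads as if sharing the key were the recommended practice, which is the opposite of what the paragraph argues. Suggest rewording it to "they violated the best practice in protocol design of never using the same key for two different purposes", so that the following sentence about two different keys follows from it. Smaller points in the same added text: "It will just replays this message" (new line 431) should be "replay", and "lets assume" (new line 408) should be "let's assume". The reflowed sentence at new lines 386-387 still carries "if you in an military aircraft" from the old text, which should read "if you are in a military aircraft". The walkthrough of the attack also switches from "we" for steps 1 to 3 to "I" from step 4 onwards; using one voice throughout would make it easier to follow against the table.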