using the same key, $K_{AB}$, for two different
purposes---challenging and responding. They should have used
two different keys. This would have averted this attack and
would have saved me a lot of trouble.

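The lesson above is key separation: one shared secret, but a distinct key for each purpose. The following Python is an added example, not code from the notes; it derives a challenge key and a response key from a single $K_{AB}$ with an HMAC-based derivation step (the labels \texttt{challenge}/\texttt{response} and the helper names are my own choice; a deployment would use a standard KDF such as HKDF) and shows that a tag produced under one role key is never accepted under the other, whereas with a single key the same value serves both roles.

```python
import hmac
import hashlib


def derive_subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-bound subkey from the shared secret K_AB.

    The purpose label is mixed into an HMAC-based derivation step, so the
    challenge key and the response key are unrelated even though both come
    from the one secret A and B share. Constructed for this example; a real
    deployment would use a standard KDF such as HKDF.
    """
    return hmac.new(master_key, b"subkey|" + purpose, hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """Tag a nonce under a role key (stand-in for the encryption in the notes)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def separated_roles(master_key: bytes, nonce: bytes) -> dict:
    """Compare the single-key design with one that uses two derived keys."""
    k_chal = derive_subkey(master_key, b"challenge")
    k_resp = derive_subkey(master_key, b"response")
    challenge_tag = mac(k_chal, nonce)
    response_tag = mac(k_resp, nonce)
    return {
        "subkeys_differ": k_chal != k_resp,
        # A value produced under the challenge key never verifies as a response.
        "challenge_accepted_as_response": hmac.compare_digest(challenge_tag, response_tag),
        # With a single key the very same value plays both roles.
        "single_key_same_value": hmac.compare_digest(mac(master_key, nonce),
                                                     mac(master_key, nonce)),
    }


if __name__ == "__main__":
    # Constructed sample values: a fixed master key and nonce for illustration.
    print(separated_roles(b"K_AB-shared-secret-example", b"nonce-0001"))
```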
|
\subsubsection*{Trusted Third Parties}

One limitation of the protocols we discussed so far is
that they pre-suppose a secret shared key. As already
mentioned, this is a convenience we cannot always assume.
How to establish a secret key then? Well, if both parties,
say $A$ and $B$, mutually trust a third party, say $S$,
then they can use the following protocol:

\begin{center}
\begin{tabular}{l@{\hspace{2mm}}l}
$A \rightarrow S :$ & $A, B$\\
$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\
$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\
\end{tabular}
\end{center}

\noindent The assumption in this protocol is that $A$ and $S$
share a secret key, $K_{AS}$, and likewise $B$ and $S$ share
a key, $K_{BS}$ ($S$ being the trusted third party). The goal
is that $A$ can send $B$ a message $m$ under a shared secret
key $K_{AB}$, which at the beginning of the protocol does not
exist yet. How does this protocol work? In the first step $A$
contacts $S$ and says that it wants to talk to $B$. In turn
$S$ invents a new key $K_{AB}$ and sends two messages back to
$A$: one message is $\{K_{AB}\}_{K_{AS}}$, which is encrypted
with the key $A$ and $S$ share, and the other is
$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$, in which $K_{AB}$ is
encrypted with $K_{BS}$ and then a second time with $K_{AS}$.
The point of the second message is that its inner part is a
message intended for $B$. So $A$ receives both messages and
can decrypt them---in the first case it obtains the key
$K_{AB}$ which $S$ suggests to use. In the second case it
obtains the message $\{K_{AB}\}_{K_{BS}}$, which it cannot
read itself (it does not know $K_{BS}$) but can forward to
$B$. $B$ receives this message and, since it knows the key it
shares with $S$, obtains the key $K_{AB}$. Now $A$ and $B$
can start to exchange messages under the shared secret key
$K_{AB}$. What is the advantage of $S$ sending $A$ two
messages instead of contacting $B$ directly? Well, for one
there can now be a time-delay between the second and
third step in the protocol. At some point in the past
$A$ and $S$ need to have come together to share
a key, and similarly $B$ and $S$. After that $B$ does not
need to be ``online'' anymore until $A$ actually starts
sending messages to $B$. $A$ and $S$ can completely on their
own negotiate a new key.
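The four steps above, run end to end, as an added example that is not part of the notes. The symmetric encryption is a toy built from Python's standard library (a SHA-256 keystream with an HMAC tag, encrypt-then-MAC) standing in for a real cipher so that the script runs offline; the class and function names are my own. The script checks the two properties the text relies on: $A$ and $B$ end up with the same $K_{AB}$, and $A$, holding only $K_{AS}$, cannot open the inner ticket $\{K_{AB}\}_{K_{BS}}$ but only forward it.

```python
import os
import hmac
import hashlib

# Toy symmetric encryption from stdlib primitives (SHA-256 keystream,
# encrypt-then-MAC with HMAC). It stands in for a real cipher such as AES-GCM
# so the example runs offline; the protocol logic does not depend on it.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """{plaintext}_key in the notation of the notes: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt; raises ValueError when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TrustedServer:
    """S: holds a long-term key shared with every principal it serves."""

    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def handle_request(self, a: str, b: str):
        """Step 2, S -> A : {K_AB}_{K_AS} and {{K_AB}_{K_BS}}_{K_AS}."""
        k_ab = os.urandom(32)                       # fresh session key invented by S
        ticket_for_b = encrypt(self.keys[b], k_ab)  # {K_AB}_{K_BS}, readable only by B
        return encrypt(self.keys[a], k_ab), encrypt(self.keys[a], ticket_for_b)


def run_protocol(message: bytes) -> dict:
    # Long-term keys K_AS and K_BS, agreed out of band at some point in the past.
    k_as, k_bs = os.urandom(32), os.urandom(32)
    s = TrustedServer({"A": k_as, "B": k_bs})

    # Step 1, A -> S : A, B
    msg_key, msg_ticket = s.handle_request("A", "B")

    # A peels the outer K_AS layer off both messages.
    k_ab_at_a = decrypt(k_as, msg_key)
    ticket = decrypt(k_as, msg_ticket)          # {K_AB}_{K_BS}, opaque to A

    # A does not hold K_BS, so trying to open the ticket with its own key fails.
    try:
        decrypt(k_as, ticket)
        a_can_open_ticket = True
    except ValueError:
        a_can_open_ticket = False

    # Step 3, A -> B : {K_AB}_{K_BS}  (B may have been offline until this point)
    k_ab_at_b = decrypt(k_bs, ticket)

    # Step 4, A -> B : {m}_{K_AB}
    recovered = decrypt(k_ab_at_b, encrypt(k_ab_at_a, message))

    return {"keys_match": k_ab_at_a == k_ab_at_b,
            "a_can_open_ticket": a_can_open_ticket,
            "recovered": recovered}


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    print(run_protocol(b"hello B, this is A"))
```

Note that the outer $K_{AS}$ layer on the ticket is what lets $A$ tell which part of step 2 is for itself and which part is for $B$; $A$ never learns $K_{BS}$ and the ticket is simply relayed in step 3, which is why the delay between steps 2 and 3 described above is harmless to the key itself.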
|

\subsubsection*{Averting Person-in-the-Middle Attacks}

\bigskip\bigskip
Keyfobs - protocol

\subsubsection*{Further Reading}
