sen-material: comparison handouts/ho05.tex

equal deleted inserted replaced

-:8f2749152f1e
+:4796f424cf12
 say $A$ and $B$, mutually trust a third party, say $S$,
 then they can use the following protocol:
 \begin{center}
 \begin{tabular}{l@{\hspace{2mm}}l}
-$A \rightarrow S :$ & $A, B$\\
+$A \to S :$ & $A, B$\\
-$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
+$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
-$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\
+$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
-$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\
+$A \to B :$ & $\{m\}_{K_{AB}}$\\
 \end{tabular}
 \end{center}
 \noindent The assumption in this protocol is that $A$ and $S$
 share a secret key, and also $B$ and $S$ ($S$ being the
 organisations, VeriSign, has limited its liability to \$100 in
 case it issues a false certificate. This is really a joke and
 really the wrong incentive for the certification organisations
 to clean up their mess.
-The problem we want to study closer here is that
+The problem we want to study closer here is that protocols
-public-private key encryption is susceptible to
+based on public-private key encryption are susceptible to
 person-in-the-middle attack. Consider the following protocol
 where $A$ and $B$ attempt to exchange secret messages using
 public-private keys.
 \begin{itemize}
 \item $A$ sends public key  to $B$
 \item $B$ sends public key  to $A$
-\item $A$ sends message encrypted with $B$'s public
+\item $A$ sends a message encrypted with $B$'s public
 key,\\ $B$ decrypts it with its private key
-\item $B$ sends message encrypted with $A$'s public
+\item $B$ sends a message encrypted with $A$'s public
 key,\\ $A$ decrypts it with its private key
 \end{itemize}
+\noindent In our formal notation for protocols, this would
-\bigskip\bigskip Keyfobs - protocol
+look as follows:
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \to B :$ & $K^{pub}_A$\smallskip\\
+$B \to A :$ & $K^{pub}_B$\smallskip\\
+$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
+$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+\noindent Since we assume an attacker, say $E$, has complete
+control over the network, $E$ can intercept the first two
+messages and substitutes her own public key. The protocol
+run would therefore be
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4) & $E \to A :$ & $K^{pub}_E$\smallskip\\
+5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
+6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
+7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
+8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+\noindent where in steps 6 and 8, $E$ can modify the
+messages by including the $E$ in the message. Both messages
+are received encrypted with $E$'s public key; therefore it
+can decrypt it and repackage it with new content. $A$ and $B$
+have no idea that they talking to an attacker. Because $E$
+can modify messages, it seems very difficult to defend
+against this attack.
+But there is a clever trick\ldots{}dare I say some magic.
+Modify the protocol above so that $A$ and $B$ send their
+messages in two halves.
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1) & $A \to B :$ & $K^{pub}_A$\smallskip\\
+2) & $B \to A :$ & $K^{pub}_B$\smallskip\\
+3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
+4) & $A \to B :$ & $H_1$\smallskip\\
+5) & $B \to A :$ & $\{H_1\}_{K^{pub}_A}$\smallskip\\
+6) & $A \to B :$ & $H_2$
+\end{tabular}
+\end{center}
+\noindent The idea is that in step 3, $A$ encrypts the
+message (with $B$'s public key) and then splits the encrypted
+message into two halves. Say the encrypted message is
+\begin{center}
+\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}
+\end{center}
+\noindent then $A$ splits it up into two halves
+\begin{center}
+$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad
+$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$
+\end{center}
+\noindent sends the first half $H_1$ to $b$. $B$ (and also any
+potential attacker) cannot do much with this half. What $B$
+does, it encrypts it with $A$'s public key and sends it back
+to $A$. Now $A$ can decrypt it and if it matches with what it
+had send, it will send $B$ the second half $H_2$. Only after
+$B$ received this second part, it will be able to decrypt the
+entire message $\{A,m\}_{K^{pub}_B}$ and see what $A$ had
+written.
+\begin{enumerate}
+\item $C$ generates a random number $r$
+\item $C$ calculates $(F,G) = \{r\}_K$
+\item $C \to T$: $r, F$
+\item $T$ calculates $(F',G') = \{r\}_K$
+\item $T$ checks that $F = F'$
+\item $T \to C$: $r, G'$
+\item $C$ checks that $G = G'$
+\end{enumerate}
 \subsubsection*{Further Reading}
 {\small
 \url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}}

changeset 271	4796f424cf12
parent 270	8f2749152f1e
child 272	4f4612d5f670