199 |
199 |
200 \[ |
200 \[ |
201 \{\{msg\}_{K_1}\}_{K_2} |
201 \{\{msg\}_{K_1}\}_{K_2} |
202 \] |
202 \] |
203 |
203 |
204 \noindent This protocol is called lockstep protocol. |
204 \noindent |
205 The idea is that even if attacker Eve has the |
205 The idea is that even if attacker Eve has the |
206 key $K_2$ she could decrypt the outer envelop, but |
206 key $K_2$, she could decrypt the outer envelop, but |
207 still does not get to the message, because it is still |
207 still does not get to the message, because it is still |
208 encrypted with the key $K_1$. Note, however, |
208 encrypted with the key $K_1$. Note, however, |
209 while an attacker cannot obtain the content of the message |
209 while an attacker cannot obtain the content of the message |
210 without the key, encrypted messages can be observed |
210 without the key, encrypted messages can be observed |
211 and be recorded and then replayed at another time, or |
211 and be recorded and then replayed at another time, or |
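Review bot: The new version of line 204 drops the sentence "This protocol is called lockstep protocol." and leaves a bare `\noindent`, which is harmless in LaTeX but worth confirming is intentional (the paragraph now opens with "The idea is that..." without naming the construction). Two wording issues in lines 206-209 survive both versions: "outer envelop" should be "outer envelope", and "Note, however, while an attacker cannot obtain..." reads better as "Note, however, that while an attacker cannot obtain...". The added comma after "key $K_2$" on 206 is correct.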
414 While the mutual challenge-response protocol solves the |
414 While the mutual challenge-response protocol solves the |
415 authentication problem, there are some limitations. One is of |
415 authentication problem, there are some limitations. One is of |
416 course that it requires a pre-shared secret key. That is |
416 course that it requires a pre-shared secret key. That is |
417 something that needs to be established beforehand. Not all |
417 something that needs to be established beforehand. Not all |
418 situations allow such an assumption. For example if I am a |
418 situations allow such an assumption. For example if I am a |
419 whistleblower (say Snowden) and want to talk to a journalist |
419 whistle-blower (say Snowden) and want to talk to a journalist |
420 (say Greenwald) then I might not have a secret pre-shared key. |
420 (say Greenwald) then I might not have a secret pre-shared key. |
421 |
421 |
422 Another limitation is that such mutual challenge-response |
422 Another limitation is that such mutual challenge-response |
423 systems often work in the same system in the ``challenge |
423 systems often work in the same system in the ``challenge |
424 mode'' but also in the ``response mode''. For example if two |
424 mode'' but also in the ``response mode''. For example if two |
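Review bot: The only change in this hunk ("whistleblower" to "whistle-blower" on line 419) is a hyphenation choice; either is acceptable, but it should match the spelling used elsewhere in the document. Line 418 needs a comma after "For example" ("For example, if I am a whistle-blower..."), and the sentence spanning lines 422-424, "systems often work in the same system in the ``challenge mode'' but also in the ``response mode''", is hard to parse; the intended point seems to be that one and the same party can act both in challenge mode and in response mode, so something like "in such systems the same party often operates both in ``challenge mode'' and in ``response mode''" would be clearer.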
465 know where it came from (it's over the air), but if we are in |
465 know where it came from (it's over the air), but if we are in |
466 a fighter aircraft we better quickly answer it, otherwise we |
466 a fighter aircraft we better quickly answer it, otherwise we |
467 risk to be shot. So we add our own challenge $N'_A$ and |
467 risk to be shot. So we add our own challenge $N'_A$ and |
468 encrypt it under the secret key $K_{AB}$ (step 3). Now $E$ |
468 encrypt it under the secret key $K_{AB}$ (step 3). Now $E$ |
469 does not need to know this key in order to form the correct |
469 does not need to know this key in order to form the correct |
470 answer for the first protocol. It will just replays this |
470 answer for the first protocol. It will just replay this |
471 message back to us in the challenge mode (step 4). I happily |
471 message back to us in the challenge mode (step 4). I happily |
472 accept this message---after all it is encrypted under the |
472 accept this message---after all it is encrypted under the |
473 secret key $K_{AB}$ and it contains the correct challenge from |
473 secret key $K_{AB}$ and it contains the correct challenge from |
474 me, namely $N_A$. So I accept that $E$ is a friend and send |
474 me, namely $N_A$. So I accept that $E$ is a friend and send |
475 even back the challenge $N'_A$. The problem is that $E$ now |
475 even back the challenge $N'_A$. The problem is that $E$ now |
476 starts firing at me and I have no clue what is going on. I |
476 starts firing at me and I have no clue what is going on. I |
477 might suspect, erroneously, that an idiot must have leaked the |
477 might suspect, erroneously, that an idiot must have leaked the |
478 secret key. Because I followed in both cases the protocol to |
478 secret key. Because I followed in both cases the protocol to |
479 the letter, but somehow $E$, unknowingly to me with my help, |
479 the letter, but somehow $E$, unknowingly to me with my help, |
480 managed to disguise as a friend. As a pilot, I would be a bit |
480 managed to disguise as a friend. As a fighter-pilot, I would be a bit |
481 peeved at that moment and would have preferred the designer of |
481 peeved at that moment and would have preferred the designer of |
482 this challenge-response protocol had been a tad smarter. For |
482 this challenge-response protocol had been a tad smarter. For |
483 one thing they violated the best practice in protocol design |
483 one thing they violated the best practice in protocol design |
484 of using the same key, $K_{AB}$, for two different |
484 of using the same key, $K_{AB}$, for two different |
485 purposes---namely challenging and responding. They better had |
485 purposes---namely challenging and responding. They better had |
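Review bot: Lines 483-485 state the design principle backwards: "they violated the best practice in protocol design of using the same key, $K_{AB}$, for two different purposes" says the best practice is to reuse the key. It should read "violated the best practice in protocol design by using the same key, $K_{AB}$, for two different purposes" (or "the best practice of not using the same key..."). The fix "replays" to "replay" on line 470 is correct. Smaller points in the same hunk: "fighter-pilot" on the new line 480 does not need a hyphen; "risk to be shot" (467) should be "risk being shot"; "send even back the challenge" (474-475) should be "even send back the challenge"; "unknowingly to me with my help" (479) should be "unbeknownst to me, and with my help"; "managed to disguise as a friend" (480) needs "itself"; and "They better had" (485) should be "They had better".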
805 messages. |
805 messages. |
806 \end{minipage}}}\bigskip |
806 \end{minipage}}}\bigskip |
807 |
807 |
808 \noindent |
808 \noindent |
809 I hope you have thought about all these questions. $E$ cannot modify |
809 I hope you have thought about all these questions. $E$ cannot modify |
810 the received messages---$A$ and $B$ woudl find this out. To stay |
810 the received messages---$A$ and $B$ would find this out. To stay |
811 undetected, $E$ can only forward the messages (unmodified) and this is |
811 undetected, $E$ can only forward the messages (unmodified) and this is |
812 all what $A$ and $B$ need in order to establish a shared secret. For |
812 all what $A$ and $B$ need in order to establish a shared secret. For |
813 example they can use the Hellman-Diffie key exchange protocol (see |
813 example they can use the Hellman-Diffie key exchange protocol (see |
814 further reading) which works, even if $E$ can decrypt all messages. |
814 further reading) which works, even if $E$ can decrypt all messages. |
815 |
815 |
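Review bot: Line 813 names the key exchange as "Hellman-Diffie"; the standard name is "Diffie-Hellman", and the index or further-reading entry it points to presumably uses that form. The "woudl" to "would" fix on line 810 is fine. Also on line 812, "all what $A$ and $B$ need" should be "all that $A$ and $B$ need", and on 814 "which works, even if $E$ can decrypt all messages" would be more precise as "which works even if $E$ can read all messages", since the exchanged values are not themselves encrypted and the point is that a passive observer who forwards them unmodified learns nothing about the resulting secret.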
884 9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$ |
884 9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$ |
885 \end{tabular} |
885 \end{tabular} |
886 \end{center} |
886 \end{center} |
887 |
887 |
888 \noindent |
888 \noindent |
889 With this $E$ is in the possesion of both halves from $A$. |
889 With this $E$ is in the possession of both halves from $A$. |
890 In order to get the reply from $B$, $E$ can send the message |
890 In order to get the reply from $B$, $E$ can send the message |
891 |
891 |
892 \begin{center} |
892 \begin{center} |
893 \begin{tabular}{ll@{\hspace{2mm}}l} |
893 \begin{tabular}{ll@{\hspace{2mm}}l} |
894 10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$ |
894 10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$ |
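Review bot: Step 10 on line 894, "$E \to B :$ $\{C_2, M_1\}_{K^{pub}_E}$", encrypts the message intended for $B$ under $E$'s own public key, which $B$ could not decrypt; compared with step 9 on line 884, where $A \to E$ correctly uses $K^{pub}_E$, this looks like a copy error and $K^{pub}_B$ was presumably intended (the same check is worth running over the other $E \to B$ steps of this table). The "possesion" to "possession" fix on line 889 is correct, and the sentence on line 890 is deliberately left open so that the table completes it.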
914 \end{center} |
914 \end{center} |
915 |
915 |
916 \noindent |
916 \noindent |
917 $A$ and $B$ receive expected messages and were able to verify |
917 $A$ and $B$ receive expected messages and were able to verify |
918 their first halves. That means they do not suspect anything dodgy |
918 their first halves. That means they do not suspect anything dodgy |
919 going on: $E$ has sucessfully managed a man-in-the middle attack. |
919 going on: $E$ has successfully managed a man-in-the middle attack. |
920 In case $A$ and $B$ are computers, there is not much that can |
920 In case $A$ and $B$ are computers, there is not much that can |
921 prevent this attack. In case they are humans, there are a few |
921 prevent this attack. In case they are humans, there are a few |
922 things they can do. For example $A$ and $B$ can craft their |
922 things they can do. For example $A$ and $B$ can craft their |
923 messages such that they include a specific question only $A$ and |
923 messages such that they include a specific question only $A$ and |
924 $B$ are likely to be able to answer, or include a voice message |
924 $B$ are likely to be able to answer, or include a voice message |
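Review bot: Line 919 still has an inconsistent hyphenation, "man-in-the middle attack"; it should be "man-in-the-middle attack" (the "sucessfully" to "successfully" fix on the same line is correct). Line 917 mixes tenses, "$A$ and $B$ receive expected messages and were able to verify"; "received the expected messages and were able to verify" keeps the narrative in one tense. The sentence beginning on line 922, "For example $A$ and $B$ can craft...", needs a comma after "For example".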