supermarket. One thief follows you with a strong transmitter.
A second thief ``listens'' to the signals from the car and
wirelessly transmits them to the ``colleague'' who followed
you. This thief silently enquires what the key fob answers.
This answer is then sent back to the thief at the car. If done
properly, the car will dutifully open and possibly start. No
need to steal your keys anymore.
That this is an attack one needs to reckon with is
demonstrated by the fact that dodgy
websites\footnote{\url{http://autokeydevices.com/product/wave/}
\ldots{} funnily this webpage says ``not intended for illegal
use'', but I have a hard time finding any legal purpose for
such a device.} sell the necessary equipment for top Ruble.
This webpage is notable for the very helpful picture
\caption{From a dodgy webpage about modern car theft. Note the
stylish attackers Malice and Mallet.\label{rsa}}
\end{figure}


But there are many more such protocols we like to study.
Another example is Wifi---you might sit at a Starbucks and
talk wirelessly to the free access point there and from there
talk to your bank (see The Guardian article cited at the very
end of this handout). Moreover, even if you have to touch in
and out your Oyster card at the reader each time you enter or
exit the Tube, it actually operates wirelessly and with
appropriate equipment over some quite large distance (several
meters). But there are many, many more examples for protocols
(Bitcoins, Tor, mobile phones,\ldots).

The common characteristic of the protocols we are interested
in is that an adversary or attacker is assumed to be in
complete control over the network or channel over which we
are exchanging messages. An attacker can install a packet
sniffer on a network, inject packets, intercept packets,
modify packets, replay old messages, or fake pretty much
everything else. In this hostile environment, the purpose of
a protocol (that is, an exchange of messages) is to achieve
some security goal. For example, only the owner of the car
should be let in, but everybody else should be kept out.
A \to S: & ACK\\
\end{array}\label{SYNACK}
\end{equation}


\noindent The left-hand side of each clause specifies who is
the sender and who is the receiver of the message. On the
right of the colon is the message that is sent. The order from
top to bottom specifies in which order the messages are sent.
We also have the convention that messages, like $SYN$ above,
are sent in clear-text over the network. If we want to say
that a message is encrypted, then we use the notation

\[
\{msg\}_{K_{AB}}
\]

$B$, for example a password. The idea is that if only $A$ and
$B$ know the key $K_{AB}$ then this should be sufficient for
$B$ to infer it is talking to $A$. But this is of course too
naive in the context where the message can be observed by
everybody else on the network. Eve, for example, could just
record this message $A$ just sent, and next time send the same
message to $B$. $B$ has no other choice than believing it
talks to $A$. But actually it talks to Eve, who now clears
out $A$'s bank account assuming $B$ had been a bank.

A more sophisticated protocol which tries to avoid the
replay attack is as follows

\begin{center}
I would not even start to hope for this.

The cryptographic ``magic'' of public-private keys
seems to offer an elegant solution for this, but as we shall
see in the next section, this requires some very clever
protocol design and does not solve the authentication
problem completely.


\subsubsection*{Averting Person-in-the-Middle Attacks}

The idea of public-private key encryption is that one can
publish the key $K^{pub}$ which people can use to encrypt
messages for me and I can use my private key $K^{priv}$ to be
the only one that can decrypt them. While this sounds all
good, it relies on people being able to associate me
with my public key. That is not as trivial as it sounds. For
really the wrong incentive for the certification organisations
to clean up their mess.

The problem we want to study more closely here is that protocols
based on public-private key encryption are susceptible to
simple person-in-the-middle attacks. Consider the following
protocol where $A$ and $B$ attempt to exchange secret messages
using public-private keys.

\begin{itemize}
\item $A$ sends public key to $B$
\item $B$ sends public key to $A$
\item $A$ sends a message encrypted with $B$'s public
\end{center}

\noindent where in steps 6 and 8, $E$ can modify the messages
by including the $E$ in the message. Both messages are
received encrypted with $E$'s public key; therefore it can
decrypt them and repackage them with new content. $A$ and $B$
have no idea that they are talking to an attacker. To them all
messages look legit. Because $E$ can modify messages, it seems
very difficult to defend against this attack.

But there is a clever trick\ldots{}dare I say some magic which
makes this attack very difficult to perform on people who know
each other---but do not necessarily have a shared key. Modify the
protocol above so that $A$ and $B$ send their messages in two
halves, like

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & $A \to B :$ & $K^{pub}_A$\smallskip\\
2. & $B \to A :$ & $K^{pub}_B$\smallskip\\
half $H_1$ to $B$, to which $B$ answers with the message
consisting of the received $H_1$ and its own first half $M_1$,
encrypted with $A$'s public key (this is the message in step
5). $A$ receives this message, decrypts it and only when the
$H_1$ matches the first half it sent out earlier will $A$
send out the second half; see step 6. For this, $A$
adds the received $M_1$ and encrypts both parts with $B$'s
public key. Finally $B$ checks whether the received $M_1$
matches its first half, and if yes sends $A$ its
second half $M_2$. Now $A$ and $B$ are in possession
of $H_1$ and $H_2$, respectively $M_1$ and $M_2$, and can
it will now receive two different halves. Let us call
them $H'_1$ and $H'_2$. If $E$ now sends $B$ the $H'_2$,
$B$ will be in the possession of $H_1$ and $H'_2$. But
after joining both halves it will not be able to
decrypt the resulting message---the two halves simply
do not fit. $E$ can instead send out the original $H_2$
as follows:

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
get $\{B, m'\}_{K^{pub}_E}$. It can decrypt this message
but is still not finished completely, because it has to send
$A$ a message. It could try to build the message
$\{E, m'\}_{K^{pub}_A}$, but like above $A$ would not be able
to make sense out of the two halves (which again do not fit
together). So one option is to send $M_2$.

With this the protocol has ended. $E$ was able to decrypt all
messages, but what messages did $A$ and $B$ receive and from
whom? Do you notice that $A$ and $B$ will find out that
something strange is going on and probably not talk on this
channel anymore? I leave you to think about it.
\footnote{\rotatebox{180}{
\begin{minipage}{10cm}
Consider the case where $A$ sends
the message ``How is your grandmother?'' to $B$, and $B$
sends the message ``How is the weather in London today'' to $A$.
\end{minipage}}}
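
The halves exchange described above, as an added illustration that is not part of the handout: textbook RSA on fixed Mersenne primes stands in for the public-private key encryption (insecure, and chosen only so that half of a ciphertext is a concrete byte string), every field of a message is encrypted as its own RSA block with a marker byte in front, and the function names, the tamper_reply switch and the ordering of the fields inside a message are my own assumptions rather than the handout's. The thing to watch is the comparison each side makes before releasing its second half: a reply carrying a half the sender never sent is rejected, and two halves taken from different ciphertexts decrypt to nothing usable.

```python
from dataclasses import dataclass

# Toy stand-in for public-key encryption: textbook RSA on fixed Mersenne
# primes, no padding. Insecure by construction; it only makes "half of a
# ciphertext" a concrete byte string that can be passed around.
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E

    @property
    def block(self) -> int:
        """Bytes needed to hold any ciphertext c < n."""
        return (self.n.bit_length() + 7) // 8


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def keygen(p: int, q: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n), PrivateKey(n, pow(E, -1, phi))


def encrypt(pub: PublicKey, *fields: bytes) -> tuple:
    """{f_1, ..., f_k}_pub: every field is its own RSA block. A 0x01 marker
    byte is prepended so leading zero bytes in a field survive decryption."""
    out = []
    for f in fields:
        assert len(f) <= pub.block - 2, "toy scheme: one field per block"
        out.append(pow(int.from_bytes(b"\x01" + f, "big"), pub.e, pub.n))
    return tuple(out)


def decrypt(priv: PrivateKey, blocks) -> tuple:
    out = []
    for c in blocks:
        m = pow(c, priv.d, priv.n)
        out.append(m.to_bytes((m.bit_length() + 7) // 8, "big")[1:])
    return tuple(out)


def split(pub: PublicKey, blocks) -> tuple:
    """Serialise a one-block ciphertext and cut it into two halves."""
    (c,) = blocks
    raw = c.to_bytes(pub.block, "big")
    return raw[: len(raw) // 2], raw[len(raw) // 2:]


def join(first: bytes, second: bytes) -> tuple:
    return (int.from_bytes(first + second, "big"),)


def run_interlock(msg_a: bytes, msg_b: bytes, tamper_reply: bool = False):
    """Run of the halves exchange; returns (what A reads, what B reads).
    With tamper_reply=True the reply to A carries a half A never sent,
    which A's comparison must reject (assumed switch, for the negative case)."""
    pub_a, priv_a = keygen(2**521 - 1, 2**607 - 1)   # A's toy key pair
    pub_b, priv_b = keygen(2**127 - 1, 2**1279 - 1)  # B's toy key pair
    # Steps 1 and 2: K_A^pub and K_B^pub are exchanged in clear (not modelled).
    # Each side encrypts (sender, message) for the other and cuts it in halves.
    H1, H2 = split(pub_b, encrypt(pub_b, b"A:" + msg_a))
    M1, M2 = split(pub_a, encrypt(pub_a, b"B:" + msg_b))
    # A -> B : H_1, in clear. Half a ciphertext cannot be decrypted on its own.
    sent_h1 = H1
    if tamper_reply:  # a half of some other ciphertext is returned instead
        sent_h1, _ = split(pub_b, encrypt(pub_b, b"A:something else"))
    # B -> A : {H_1, M_1}_{K_A^pub}
    got_h1, got_m1 = decrypt(priv_a, encrypt(pub_a, sent_h1, M1))
    if got_h1 != H1:  # A only continues when its own first half comes back
        raise ValueError("A: H_1 in the reply is not the half I sent")
    # A -> B : {H_2, M_1}_{K_B^pub}
    got_h2, got_m1_back = decrypt(priv_b, encrypt(pub_b, H2, got_m1))
    if got_m1_back != M1:  # B applies the same check to its own first half
        raise ValueError("B: M_1 in the reply is not the half I sent")
    # B -> A : M_2, in clear; A already holds M_1.
    # Both sides now join their halves and decrypt the whole message.
    b_reads = decrypt(priv_b, join(H1, got_h2))[0]
    a_reads = decrypt(priv_a, join(got_m1, M2))[0]
    return a_reads, b_reads


def foreign_half_does_not_fit() -> bytes:
    """Joining H_1 with the second half of a different ciphertext yields
    bytes that are not the original message: the halves simply do not fit."""
    pub_b, priv_b = keygen(2**127 - 1, 2**1279 - 1)
    H1, _ = split(pub_b, encrypt(pub_b, b"A:How is your grandmother?"))
    _, X2 = split(pub_b, encrypt(pub_b, b"A:How is the weather in London today"))
    return decrypt(priv_b, join(H1, X2))[0]


if __name__ == "__main__":
    print(run_interlock(b"How is your grandmother?",
                        b"How is the weather in London today"))
    print(foreign_half_does_not_fit()[:16])
```

Because each side commits to half of its ciphertext before seeing the other's, an intermediary who re-encrypts under its own keys has to fabricate halves for messages it does not yet know, which is exactly the situation the footnote above invites you to think through.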

Recall from the beginning that a person-in-the-middle
attack can easily be mounted at the key fob and car
protocol unless we are careful. If you look at actual
key fob protocols, they use a variant of the protocol
\end{enumerate}

\noindent The assumption is that the key $K$ is only known to
the car and the transponder. The claim is that $C$ and $T$ can
authenticate to each other. Again, I leave it to you to find
out if this protocol is immune from
person-in-the-middle attacks.


\subsubsection*{Further Reading}


\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}

\noindent is quite amusing to read. Obviously an even more
amusing paper would be ``Dismantling Megamos Crypto:
Wirelessly Lockpicking a Vehicle Immobilizer'' by the same
authors, but because of the court injunction by VW,
we are denied this entertainment.

Person-in-the-middle attacks from the ``wild'' are described
with real data in the blog post

\begin{center}