also have the convention that messages, like $SYN$ above, are
sent in clear-text over the network. If we want a message to
be encrypted, then we use the notation

\[
\{msg\}_{K}
\]


\noindent for messages. The curly braces indicate a kind of
envelope which can only be opened if you know the key $K$
with which the message has been encrypted. We always assume
that an attacker, say Eve, cannot get to the content of the
message, unless she is also in possession of the key. We
explicitly exclude in our study that the encryption can be
broken.\footnote{\ldots{}which of course is what a good
which has been attacked and broken.} It is also
possible that an encrypted message contains several parts. In
this case we would write something like

\[
\{msg_1, msg_2\}_{K}
\]

\noindent But again Eve would not be able to know
this unless she also has the key. We also allow the
possibility that a message is encrypted twice under
different keys. In this case we write

\[
\{\{msg\}_{K_1}\}_{K_2}
\]

\noindent The idea is that even if attacker Eve has the
key $K_2$ she could decrypt the outer envelope, but
still does not get to the message, because it is still
encrypted with the key $K_1$. Note, however, that
while an attacker cannot obtain the content of the message
without the key, encrypted messages can be observed
and recorded and then replayed at another time, or
sent to another person!

and nobody else can decrypt the message. $B$ of course can
decrypt the answer from $A$ and check whether the answer
corresponds to the challenge (nonce) $B$ has sent earlier.

But what about $A$? Can $A$ make any inferences about whom
she talks to? She dutifully answered the challenge and hopes
her bank, say, will be the only one to understand her answer.
But is this the case? No! Let us consider again an attacker
Eve who has control over the network. She could have
intercepted the message $HELLO$ and just replied herself to
$A$ using a random number\ldots{}for example one which she
observed in a previous run of this protocol. Remember that if
a message is sent without curly braces it is sent in clear
text. $A$ would encrypt the nonce with the key $K_{AB}$ and
send it back to Eve. She just throws away the answer. $A$
would hope that she talked to $B$ because she followed the
protocol, but unfortunately she cannot be sure who she is
talking to---it might be Eve.

The solution is to follow a \emph{mutual challenge-response}
protocol. There $A$ already starts off with a challenge (nonce)
of her own.

protocol has run. $B$ received a challenge and answered
correctly to $A$ (inside the encrypted message). An attacker
would not be able to answer this challenge correctly because
the attacker is assumed not to be in possession of the key
$K_{AB}$, and so is not able to generate this message. It could
also not have been the case that it is an old message
replayed, because $A$ sends out a fresh nonce each time.
So with this protocol you can ensure also for $A$ that she
talks to $B$. I leave you to argue that $B$ can be sure to
talk to $A$. Of course these arguments will depend on the
assumptions that only $A$ and $B$ know the key $K_{AB}$,
that nobody can break the encryption unless they have this
key, and that the nonces are fresh each time the protocol is run.

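To make the two protocols above concrete, here is an added Python
model (not code from these notes) of $A$, $B$ and Eve exchanging
messages over a network that Eve controls. The envelope
$\{msg\}_K$ is modelled by a constructed toy cipher (a SHA-256
keystream plus an HMAC tag); it stands in for the assumption that an
envelope opens only under the key it was sealed with and is not a
cipher to use in practice. Since the message sequence of the mutual
protocol is not spelled out in this excerpt, the example assumes the
usual form $A \to B: N_A$, $B \to A: \{N_A, N_B\}_{K_{AB}}$,
$A \to B: \{N_B\}_{K_{AB}}$. All keys, nonces and function names are
assumptions of the example.

```python
import hashlib
import hmac
import os

# --- Toy model of the {msg}_K envelope (constructed for this example).
# The only property the protocol argument needs: open_env() returns the
# parts if and only if the caller holds the key the envelope was sealed with.

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, *parts: bytes) -> bytes:
    """{part_1, ..., part_n}_key  (parts must not contain b'|'; nonces are hex)."""
    msg = b"|".join(parts)
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, iv, len(msg))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def open_env(key: bytes, env: bytes) -> list:
    """Open an envelope; raises ValueError unless it was sealed under `key`."""
    iv, ct, tag = env[:16], env[16:-32], env[-32:]
    expect = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered envelope")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))).split(b"|")

def fresh_nonce() -> bytes:
    return os.urandom(16).hex().encode()   # 32 ASCII bytes, never contains b'|'

K_AB = os.urandom(32)    # assumed pre-shared between A and B only
K_EVE = os.urandom(32)   # Eve's own key, unrelated to K_AB

# --- One-sided protocol:  A -> B: HELLO,   B -> A: N,   A -> B: {N}_K_AB ---

def a_answers(challenge: bytes) -> bytes:
    """A answers whatever challenge arrives: A has nothing to check,
    so a stale nonce sent by Eve gets a valid answer just the same."""
    return seal(K_AB, challenge)

def b_verifies(answer: bytes, my_nonce: bytes) -> bool:
    """B accepts only an answer that opens under K_AB and echoes B's fresh nonce."""
    try:
        return open_env(K_AB, answer) == [my_nonce]
    except ValueError:
        return False

# --- Mutual protocol (assumed form):
#     A -> B: N_A,   B -> A: {N_A, N_B}_K_AB,   A -> B: {N_B}_K_AB ---

def b_responds(n_a: bytes) -> bytes:
    return seal(K_AB, n_a, fresh_nonce())

def a_runs_mutual(responder) -> bool:
    """A's side: send a fresh N_A and accept only if the reply opens under
    K_AB *and* contains this run's N_A.  `responder` models the peer."""
    n_a = fresh_nonce()
    try:
        got_na, n_b = open_env(K_AB, responder(n_a))
    except ValueError:        # wrong key, tampered, or wrong number of parts
        return False
    if got_na != n_a:         # an old envelope replayed from another run
        return False
    return True               # A would now send {n_b}_K_AB back to B

def eve_replays(recorded: bytes):
    """Eve cannot open a recorded envelope, but she can re-send it."""
    return lambda n_a: recorded

def eve_forges(n_a: bytes) -> bytes:
    """Without K_AB, Eve can only seal under some other key."""
    return seal(K_EVE, n_a, fresh_nonce())
```

In the one-sided run, `b_verifies` shows what $B$ gains from its
nonce (a replayed old answer no longer matches), while `a_answers`
shows that $A$ learns nothing: she replies to Eve's stale challenge
exactly as she would to $B$. In the mutual run, Eve fails both by
forging (wrong key) and by replaying (wrong $N_A$), which is the
argument made in the text.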
The purpose of the nonces, the random numbers that are sent
around, might be a bit opaque. Because they are unpredictable
they fulfil an important role in protocols. Suppose


\item if only you and I know the key $K_{IY}$, the message
must have come from you
\end{itemize}

\noindent Even if this does not seem much information we can
glean from such an exchange, it is in fact the basic building
block in protocols for establishing some secret or for
achieving some security goal (like authentication). This is
what I meant by magic: we send around ``just'' some random
numbers, but actually can use them to make some meaningful
inferences.

While the mutual challenge-response protocol solves the
authentication problem, there are some limitations. One is of
course that it requires a pre-shared secret key. That is
something that needs to be established beforehand. Not all
person-in-the-middle attacks.


\subsubsection*{Further Reading}

\begin{itemize}
\item A blogpost that describes the first few milliseconds of
an HTTPS connection is at

\begin{center}
\url{http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html}
\end{center}

It disentangles every message sent between a client and a
server.

\item If you want to know more about how cars can be hijacked,
the paper

\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}

is quite amusing to read. Obviously an even more amusing paper
would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
Vehicle Immobilizer'' by the same authors, but because of the
court injunction by VW, we are denied this entertainment.
UPDATE: This paper is now publicly available.

\item Person-in-the-middle attacks from the ``wild'' are
described with real data in the blog post

\begin{center}
\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
\end{center}

The conclusion in this post is that person-in-the-middle attacks
can be launched from any place on Earth---it is not required
that you sit in the ``middle'' of the communication of two
people. You just have to route their traffic through a node
you own.

\item An article in The Guardian from 2013 reveals how GCHQ
and the NSA at a G20 Summit in 2009 sniffed emails from
Internet cafes, monitored phone calls from delegates and
attempted to listen in on phone calls which were made by
Russians and which were transmitted via satellite links:

\begin{center}
\url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
\end{center}

\ldots all in the name of having a better position for
negotiations. Hmmm\ldots

\item A paper guessing how the NSA can decrypt so much of the
encrypted Internet traffic:

\begin{center}
\url{https://weakdh.org/imperfect-forward-secrecy.pdf}
\end{center}

\end{itemize}

\end{document}

%%% Local Variables:
%%% mode: latex