sen-material: comparison handouts/ho05.tex

equal deleted inserted replaced

-:977c3ac60d62
+:88ee59591384
 \[
 \{\{msg\}_{K_1}\}_{K_2}
 \]
-\noindent The idea is that even if attacker Eve has the
+\noindent This protocol is called lockstep protocol.
+The idea is that even if attacker Eve has the
 key $K_2$ she could decrypt the outer envelop, but
 still does not get to the message, because it is still
 encrypted with the key $K_1$. Note, however,
 while an attacker cannot obtain the content of the message
 without the key, encrypted messages can be observed
 \noindent Similarly $B$ splits its message into two halves
 $M_1$ and $M_2$. However, $A$ initially only sends the first
 half $H_1$ to $B$. Which $B$ answers with the message
 consisting of the received $H_1$ and its own first half $M_1$
 encrypted with $A$'s public key. The message in step 5. $A$
-receives this message, decrypts it and only when the $H_1$
+receives this message, decrypts it and \textbf{only} when the $H_1$
 matches with its first half it send out earlier, $A$
 will send out the second half; see step 6. For this, $A$
 adds the received $M_1$ and encrypts both parts with $B$'s
 public key. Finally $B$ checks whether the received $M_1$
 matches with its first half, and if yes sends $A$ its
 to make sense out of the two halves (which again do not fit
 together). So one option is to send $M_2$.
 With this the protocol has ended. $E$ was able to decrypt all
 messages, but what messages did $A$ and $B$ receive and from
-whom? Do you notice that $A$ and $B$ will find out that
+whom? Was $E$ able to modify the messages? If yes, were
+$A$ and $B$ able to find out that
 something strange is going on and probably not talk on this
-channel anymore? I leave you to think about it.
+channel anymore? I leave you to think about it.\footnote{\rotatebox{180}{
-\footnote{\rotatebox{180}{
 \begin{minipage}{10cm}
 Consider the case where $A$ sends
 the message ``How is your grandmother?'' to $B$, and $B$
-send the message ``How is the weather in London today'' to $A$.
+send the message ``How is the weather in London today'' to $A$. Another
-\end{minipage}}}
+possibility: what if $A$ and $B$ include a voice message in there
+messages.
+\end{minipage}}}\bigskip
+\noindent
+I hope you have thought about all these questions. Maybe you noticed that
+there is a way to defeat the lockstep protocol. If an attacker could only
+forward the (unmodified) messages, then all would be great. Because then
+it could be used to establish secret keys using the Hellman-Diffie
+technique (see further reading). That $E$ was able to decrypt all messages
+is of no importance for the Hellman-Diffie
+technique.
+Unfortunately, $E$ can create completely fake messages. Let
+us look at this possibility: $E$ intercepts again the keys from $A$
+and $B$, and substitutes its own keys.
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4. & $E \to A :$ & $K^{pub}_E$
+\end{tabular}
+\end{center}
+\noindent
+Now $A$ and $B$ build again their message halves:
+\[
+\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad
+\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2
+\]
+\noindent
+$A$ sends its first half $H_1$.
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+5. & $A \to E :$ & $H_1$
+\end{tabular}
+\end{center}
+\noindent At this stage of the protocol,
+also $E$ creates two messages and halves them, say
+\[
+\{E,m_E\}_{K^{pub}_E} \;\mapsto\; C_1,C_2\qquad
+\{E,m'_E\}_{K^{pub}_E} \;\mapsto\; D_1,D_2
+\]
+\noindent
+But notice that $E$ has to make up these messages out of
+thin air. No information from $A$ and $B$ is usable yet---remember
+the half $H_1$ on its own cannot be decrypted. $E$ can then send
+$C_1$ to $B$, which dutifully responds
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+6. & $E \to B :$ & $C_1$\\
+7. & $B \to E :$ & $\{C_1, M_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+\noindent
+Next $E$ has to send a message to $A$---it can use the made up $D_1$ and
+the $H_1$ received earlier.
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+8. & $E \to A :$ & $\{H_1, D_1\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+\noindent
+$A$ can verify it received $H_1$ and thus sends out
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+\noindent
+With this $E$ is in the possesion of both halves from $A$.
+In order to get the reply from $B$, $E$ can send the message
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+\noindent
+and $B$ can verify that it received $M_1$. So it answer
+with
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+11. & $B \to E :$ & $M_2$
+\end{tabular}
+\end{center}
+\noindent Finally $E$ can complete the protocol with sending $D_2$ to $A$:
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+12. & $E \to A :$ & $D_2$
+\end{tabular}
+\end{center}
+\noindent
+$A$ and $B$ receive expected messages and were able to verify
+their first halves. That means they do not suspect anything dodgy
+going on: $E$ has sucessfully managed a man-in-the middle attack.
+In case $A$ and $B$ are computers, there is not much that can
+prevent this attack. In case they are humans, there are a few
+things they can do. For example $A$ and $B$ can craft their
+messages such that they include a specific question only $A$ and
+$B$ are likely to be able to answer, or include a voice message
+which identifies $A$ and $B$ by their voice.  The point is $E$ should
+not be able to create legit looking messages. Humans can do this
+if they have some minimal knowledge of the protocol partner (for example
+know their voice from TV); but computers cannot. The conclusion is
+that there is no protocol that can establish a trusted connection
+without any preshared information. The solution that has evolved
+over the years is to use certificates which have been created by an
+authority we (or better the browser) already trust.
+\section*{Key Fob Protocol}
 Recall from the beginning that a person-in-the middle
 attack can easily be mounted at the key fob and car
 protocol unless we are careful. If you look at actual
 key fob protocols, they use a variant of the protocol
 \item $T \to C$: $N, G'$
 \item $C$ checks that $G = G'$
 \end{enumerate}
 \noindent The assumption is that the key $K$ is only known to
-the car and the transponder. The claim is that $C$ and $T$ can
+the car and the transponder.
+The claim is that $C$ and $T$ can
 authenticate to each other. Again, I leave it to you to find
-out if this protocol is immune from
+out, if this protocol is immune from
-person-in-the-middle attacks.
+person-in-the-middle attacks. (Hint: Does it establish a
+trusted connection from ``zero''?)
 \subsubsection*{Further Reading}
 \begin{itemize}
-\item A nice video explaining the Hellman-Diffie key excahnge technique
+\item A nice video explaining the Hellman-Diffie key exchange technique
 is here
 \begin{center}
 \url{https://www.youtube.com/watch?v=YEBfamv-_do}
 \end{center}
 The main point of this technique is that no sensitive information
-is sent over the network---both parties create the key together.
+is sent over the network---both parties create the key together, but
+on their computer, not over the network.
 While the technique is cryptographic magic, it can be attacked
-when messages can be manipulated during transit.
+when messages can be manipulated during transit. Remember that
+the lockstep protocol can only be attacked by either passively
+forwarding the messages (without being able to modify them) or
+by creating complete fake messages.
 \item A blogpost that describes the first few milliseconds of
 an HTTPS connection is at
 \begin{center}

changeset 494	88ee59591384
parent 491	d2e522c2bfdf
child 495	f5172bb6cf45