handouts/ho05.tex
changeset 415 56bc53ba7c5b
parent 409 0c04ec017892
child 443 67d7d239c617
--- a/handouts/ho05.tex	Tue Oct 20 01:01:17 2015 +0100
+++ b/handouts/ho05.tex	Wed Oct 21 13:31:56 2015 +0100
@@ -159,12 +159,12 @@
 is encrypted, then we use the notation
 
 \[
-\{msg\}_{K_{AB}}
+\{msg\}_{K}
 \]  
   
   
 \noindent for messages. The curly braces indicate a kind of
-envelope which can only be opened if you know the key $K_{AB}$
+envelope which can only be opened if you know the key $K$
 with which the message has been encrypted. We always assume
 that an attacker, say Eve, cannot get to the content of the
 message, unless she is also in the possession of the key. We
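Review bot: dropping the subscript leaves the later text without an explanation of what a subscript on $K$ means; this same patch still writes $K_{AB}$ in the challenge-response section. Add a sentence after `envelope which can only be opened if you know the key $K$` saying that a key shared between two named principals is written $K_{AB}$. The envelope metaphor also only promises that Eve cannot read the content; it is worth saying here that it promises nothing about integrity, which the later remark in this patch that encrypted messages can be recorded and replayed relies on.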
@@ -178,7 +178,7 @@
 this case we would write something like
 
 \[
-\{msg_1, msg_2\}_{K_{AB}}
+\{msg_1, msg_2\}_{K}
 \] 
 
 \noindent But again Eve would not be able to know 
@@ -187,13 +187,13 @@
 different keys. In this case we write
 
 \[
-\{\{msg\}_{K_{AB}}\}_{K_{BC}}
+\{\{msg\}_{K_1}\}_{K_2}
 \] 
 
 \noindent The idea is that even if attacker Eve has the
-key $K_{BC}$ she could decrypt the outer envelop, but
+key $K_2$ she could decrypt the outer envelop, but
 still does not get to the message, because it is still
-encrypted with the key $K_{AB}$. Note, however,
+encrypted with the key $K_1$. Note, however,
 while an attacker cannot obtain the content of the message
 without the key, encrypted messages can be observed
 and be recorded and then replayed at another time, or
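Review bot: typo survives the rewrite in `key $K_2$ she could decrypt the outer envelop, but`; `envelop` should be `envelope`, and since the removed line had the same mistake this is the place to fix it. The layered-envelope argument only holds when $K_1$ and $K_2$ are independent, so `different keys` in the context line above would be clearer as `two different, independent keys`.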
@@ -307,19 +307,19 @@
 corresponds to the challenge (nonce) $B$ has sent earlier.
 
 But what about $A$? Can $A$ make any inferences about whom it
-talks to? It dutifully answered the challenge and hopes its
-bank, say, will be the only one to understand her answer. But
-is this the case? No! Let us consider again an attacker Eve
-who has control over the network. She could have intercepted
-the message $HELLO$ and just replied herself to $A$ using a
-random number\ldots{}for example one which she observed in a
-previous run of this protocol. Remember that if a message is
-sent without curly braces it is sent in clear text. $A$ would
-encrypt the nonce with the key $K_{AB}$ and send it back to
-Eve. She just throws away the answer. $A$ would hope that she
-talked to $B$ because she followed the protocol, but
-unfortunately she cannot be sure who she is talking to---it 
-might be Eve. 
+talks to? It dutifully answered the challenge and hopes his or
+her bank, say, will be the only one to understand her answer.
+But is this the case? No! Let us consider again an attacker
+Eve who has control over the network. She could have
+intercepted the message $HELLO$ and just replied herself to
+$A$ using a random number\ldots{}for example one which she
+observed in a previous run of this protocol. Remember that if
+a message is sent without curly braces it is sent in clear
+text. $A$ would encrypt the nonce with the key $K_{AB}$ and
+send it back to Eve. She just throws away the answer. $A$
+would hope that she talked to $B$ because she followed the
+protocol, but unfortunately she cannot be sure who she is
+talking to---it might be Eve. 
 
 The solution is to follow a \emph{mutual challenge-response}
 protocol. There $A$ already starts off with a challenge (nonce)
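Review bot: the rewritten sentence mixes pronouns: `hopes his or her bank, say, will be the only one to understand her answer`, while two lines later `$A$ would hope that she talked to $B$`. Pick one convention for $A$ (the surrounding text uses `she`) and apply it throughout, e.g. `hopes that her bank, say, will be the only one to understand her answer`. A small logic point in the same passage: Eve does not need a nonce observed in a previous run, any number she makes up works, because $A$ answers whatever challenge arrives; saying so makes the weakness clearer.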
@@ -343,14 +343,14 @@
 would not be able to answer this challenge correctly because
 the attacker is assumed to not be in the possession of the key
 $K_{AB}$; so is not able to generate this message. It could
-also not have been that it is an old message replayed, because
-$A$ would send out each time a fresh nonce. So with this
-protocol you can ensure also for $A$ that it talks to $B$. I
-leave you to argue that $B$ can be sure to talk to $A$. Of
-course these arguments will depend on the assumptions that
-only $A$ and $B$ know the key $K_{AB}$ and that nobody can
-break the encryption unless they have this key and that the
-nonces are fresh each time the protocol is run.
+also not have been the case that it is an old message
+replayed, because $A$ would send out each time a fresh nonce.
+So with this protocol you can ensure also for $A$ that it
+talks to $B$. I leave you to argue that $B$ can be sure to
+talk to $A$. Of course these arguments will depend on the
+assumptions that only $A$ and $B$ know the key $K_{AB}$ and
+that nobody can break the encryption unless they have this key
+and that the nonces are fresh each time the protocol is run.
 
 The purpose of the nonces, the random numbers that are sent
 around, might be a bit opaque. Because they are unpredictable
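Review bot: `It could also not have been the case that it is an old message replayed` reads worse than the line it replaces; suggest `Nor can it be an old message that was replayed, because $A$ sends out a fresh nonce each time.` The argument in this hunk also rests on the nonce being unpredictable, not merely fresh (the context line below says so), so the closing list of assumptions should read `that the nonces are fresh and unpredictable each time the protocol is run`.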
@@ -391,10 +391,13 @@
       must have come from you
 \end{itemize}
 
-\noindent Even if this does not seem much information I can
+\noindent Even if this does not seem much information we can
 glean from such an exchange, it is in fact the basic building
 block in protocols for establishing some secret or for
-achieving some security goal (like authentication).
+achieving some security goal (like authentication). This is
+what I meant by magic: we send around ``just'' some random
+numbers, but actually can use them to make some meaningful
+inferences.
 
 While the mutual challenge-response protocol solves the
 authentication problem, there are some limitations. One is of
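Review bot: `Even if this does not seem much information we can glean` is awkward; suggest `Even if this does not seem like much information to glean from such an exchange`. The added sentence `This is what I meant by magic` points back to a remark that is not in this hunk; check that `magic` still appears earlier in the handout, otherwise the back-reference dangles.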
@@ -812,61 +815,65 @@
 
 \subsubsection*{Further Reading}
 
-A blogpost that describes the first few milliseconds of an HTTPS connection
-is at
+\begin{itemize}
+\item A blogpost that describes the first few milliseconds of
+      an HTTPS connection is at
 
 \begin{center}
 \url{http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html}
 \end{center}
 
-\noindent
-It disentangles every message sent between a client and a server.
+It disentangles every message sent between a client and a
+server.
 
-If you want to know more about how cars can be hijacked,
-the paper  
+\item If you want to know more about how cars can be hijacked,
+      the paper  
 
 \begin{center}
 \url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
 \end{center}
 
-\noindent is quite amusing to read. Obviously an even more
-amusing paper would be ``Dismantling Megamos Crypto:
-Wirelessly Lockpicking a Vehicle Immobilizer'' by the same
-authors, but because of the court injunction by VW, 
-we are denied this entertainment.
+is quite amusing to read. Obviously an even more amusing paper
+would ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
+Vehicle Immobilizer'' by the same authors, but because of the
+court injunction by VW, we are denied this entertainment.
+UPDATE: This paper is now in the public domain.
 
-Person-in-the-middle-attacks from the ``wild'' are described 
-with real data in the blog post
+\item Man-in-the-middle-attacks from the ``wild'' are
+      described with real data in the blog post
 
 \begin{center}
 \url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
 \end{center}
 
-\noindent The conclusion in this post is that person-in-the-middle-attacks
-can be launched from any place on Earth---it is not required 
-that you sit in the ``middle'' of the communication of two people.
-You just have to route their traffic through a node you own.
+The conclusion in this post is that man-in-the-middle-attacks
+can be launched from any place on Earth---it is not required
+that you sit in the ``middle'' of the communication of two
+people. You just have to route their traffic through a node
+you own.
 
-An article in The Guardian from 2013 reveals how GCHQ and the NSA at a
-G20 Summit in 2009 sniffed emails from Internet cafes, monitored phone
-calls from delegates and attempted to listen on phone calls which were made
-by Russians and which were transmitted via satellite links:
+\item An article in The Guardian from 2013 reveals how GCHQ
+      and the NSA at a G20 Summit in 2009 sniffed emails from
+      Internet cafes, monitored phone calls from delegates and
+      attempted to listen on phone calls which were made by
+      Russians and which were transmitted via satellite links:
 
 \begin{center}
 \url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
 \end{center}
 
-\noindent
 \ldots all in the name of having a better position for
 negotiations. Hmmm\ldots
 
-A paper how the NSA can decrypt so much of the encrypted 
-Internet traffic:
+\item A paper guessing how the NSA can decrypt so much of the
+encrypted Internet traffic:
 
 \begin{center}
 \url{https://weakdh.org/imperfect-forward-secrecy.pdf}
 \end{center}
 
+\end{itemize}
+
 \end{document}
 
 %%% Local Variables:
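Review bot: the rewrap dropped a verb: `would ``Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer''` needs `would be`, as the removed line had. `UPDATE: This paper is now in the public domain.` uses the wrong term; public domain is a copyright status, and what the update is saying is that the paper is now available, so `has now been published` is what is meant. Changing `Person-in-the-middle` back to `Man-in-the-middle` reverses an earlier wording choice; whichever is kept, use it consistently across the handout. `A paper guessing how the NSA` undersells the reference; `A paper explaining how the NSA may be able to decrypt` fits the content better. Finally, the `\noindent` commands were removed inside the new `itemize`; check the rendered output, since text following a `center` block inside an item may now be indented.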