diff -r 1e1008403f17 -r 06a04b3b2dda handouts/ho05.tex --- a/handouts/ho05.tex Thu Oct 30 00:54:41 2014 +0000 +++ b/handouts/ho05.tex Thu Oct 30 01:17:51 2014 +0000 @@ -8,22 +8,24 @@ \section*{Handout 5 (Protocols)} Protocols are the computer science equivalent to fractals and -the Mandelbrot set in mathematics. With the latter you have a -simple formula which you just iterate and then you test -whether a point is inside or outside a region, and voila -something magically +the Mandelbrot set in mathematics. With the latter two you +have a simple formula, which you just iterate and then you +test whether a point is inside or outside a region\ldots{}it +does not look exciting, but voila something magically happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal}, \url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols are similar: they are simple exchanges of messages, but in the end something ``magical'' can happen---for example a secret channel has been established or two entities have -authenticated themselves to each other. The problem with magic -is of course it is poorly understood and even experts often -got, and get, it wrong with protocols. +authenticated themselves to each other. Even in face of strong +adversaries where we have no control over the network over +which our messages are exchanged. The problem with magic is of +course it is poorly understood and even experts often got, and +get, it wrong with protocols. -To have an idea what kind of protocols we are interested, let +To have an idea what kind of protocols we are interested in, let us look at a few examples. One example are (wireless) key -fobs which operate the central locking system and the +fobs, which operate the central locking system and the ignition in a car. \begin{center} 
@@ -34,51 +36,52 @@ \noindent The point of these key fobs is that everything is done over the ``air''---there is no physical connection -between the key, doors and engine. So we must achieve security -by exchanging certain messages between the key fob on one side -and doors and engine on the other. Clearly what we like to -achieve is that I can get into my car and start it, but that -thieves are kept out. The problem is that everybody can -``overhear'' or skim the exchange of messages between the key -fob and car. In this scenario the simplest attack you need to -defend against is a person-in-the-middle attack. Imagine you -park your car in front of a supermarket. One thief follows you -with a strong transmitter. A second thief ``listens'' to the -signal from the car and wirelessly transmits it to the -``colleague'' who followed you and who silently enquires about -the answer from the key fob. The answer is then send back to -the thief at the car, which then dutifully opens and possibly -starts. No need to steal your key anymore. +between the key, doors and engine, as was the case with the +old solid metal keys. With the key fobs we must achieve +security by exchanging certain messages between the key fob on +one side and the doors and engine on the other. Clearly what +we like to accomplish is that I can get into my car and start +it, but that thieves are kept out. The problem is that +everybody can ``overhear'' or skim the exchange of messages +between the key fob and car. In this scenario the simplest +attack you need to defend against is a person-in-the-middle +attack. For this imagine you park your car in front of a +supermarket. One thief follows you with a strong transmitter. +A second thief ``listens'' to the signals from the car and +wirelessly transmits them to the ``colleague'' who followed +you. This thief silently enquires what the key fob answers. +This answer is then send back to the thief at the car. 
If done +properly the car will dutifully open and possibly start. No +need to steal your keys anymore. -But there are many more such protocols we like to consider. -Other examples are wifi---you might sit at a Starbucks and +But there are many more such protocols we like to treat. +Another example is Wifi---you might sit at a Starbucks and talk wirelessly to the free access point there and from there -talk with your bank, for example. Also even if your have to -touch your Oyster card at the reader each time you enter and -exit the Tube, it actually operates wirelessly and with -appropriate equipment over some quite large distance. But -there are many many more examples (Bitcoins, mobile +talk to your bank. Moreover, even if your have to touch your +Oyster card at the reader each time you enter or exit the +Tube, it actually operates wirelessly and with appropriate +equipment over some quite large distance (several meters). But +there are many, many more examples (Bitcoins, mobile phones,\ldots). The common characteristics of the protocols we -are interested in here is that an adversary or attacker is -assumed to be in complete control over the network or channel -over which you exchanging messages. An attacker can install a -packet sniffer on a network, inject packets, modify packets, -replay old messages, or fake pretty much everything. In this -hostile environment, the purpose of protocols (that is -exchange of messages) is to achieve some security goal, for -example only allow the owner of the car in but everybody else -should be kept out. +are interested in is that an adversary or attacker is assumed +to be in complete control over the network or channel over +which we exchanging messages. An attacker can install a packet +sniffer on a network, inject packets, modify packets, replay +old messages, or fake pretty much everything else. In this +hostile environment, the purpose of a protocol (that is +exchange of messages) is to achieve some security goal. 
For +example only allow the owner of the car in, but everybody else +should stay out. The protocols we are interested here are generic descriptions -of how to exchange messages in order to achieve a goal, be it -establishing a mutual secure connection or being able to -authenticate to a system. Unlike the distant past where for -example we had to meet a person in order to authenticate him -or her (via a passport for example), the problem we are facing -on the Internet is that we cannot easily be sure who we are -``talking'' to. The obvious reason is that only some electrons -arrive at our computer; we do not see the person, or computer, -behind the incoming electrons (messages). +of how to exchange messages in order to achieve a goal. Unlike +the distant past where, for example, we had to meet a person in +order to authenticate him or her (via a passport for example), +the problem we are facing on the Internet is that we cannot +easily be sure who we are ``talking'' to. The obvious reason +is that only some electrons arrive at our computer; we do not +see the person, or computer, behind the incoming electrons +(messages). To start, let us look at one of the simplest protocols that are part of the TCP protocol (which underlies the Internet). @@ -412,11 +415,11 @@ \begin{tabular}{lllll} & \multicolumn{2}{l}{challenge mode:} & \multicolumn{2}{l}{response mode:}\smallskip\\ -1) & $A \rightarrow E$: & $N_A$\\ -2) & & & $E \rightarrow A$: & $N_A$\\ -3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\ -4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\ -5) & $A \rightarrow E$: & $N_A'$\\ +1. & $A \rightarrow E$: & $N_A$\\ +2. & & & $E \rightarrow A$: & $N_A$\\ +3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\ +4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\ +5. & $A \rightarrow E$: & $N_A'$\\ \end{tabular} \end{center} 
@@ -569,14 +572,14 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -1) & $A \to E :$ & $K^{pub}_A$\smallskip\\ -2) & $E \to B :$ & $K^{pub}_E$\smallskip\\ -3) & $B \to E :$ & $K^{pub}_B$\smallskip\\ -4) & $E \to A :$ & $K^{pub}_E$\smallskip\\ -5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\ -6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\ -7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\ -8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$ +1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ +2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ +3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ +4. & $E \to A :$ & $K^{pub}_E$\smallskip\\ +5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\ +6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\ +7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\ +8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$ \end{tabular} \end{center} @@ -594,14 +597,14 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -1) & $A \to B :$ & $K^{pub}_A$\smallskip\\ -2) & $B \to A :$ & $K^{pub}_B$\smallskip\\ -3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\ +1. & $A \to B :$ & $K^{pub}_A$\smallskip\\ +2. & $B \to A :$ & $K^{pub}_B$\smallskip\\ +3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\ & & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\ -4) & $A \to B :$ & $H_1$\smallskip\\ -5) & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\ -6) & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\ -7) & $B \to A :$ & $M_2$ +4. & $A \to B :$ & $H_1$\smallskip\\ +5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\ +6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\ +7. & $B \to A :$ & $M_2$ \end{tabular} \end{center} 
@@ -644,10 +647,10 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -1) & $A \to E :$ & $K^{pub}_A$\smallskip\\ -2) & $E \to B :$ & $K^{pub}_E$\smallskip\\ -3) & $B \to E :$ & $K^{pub}_B$\smallskip\\ -4) & $E \to A :$ & $K^{pub}_E$ +1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ +2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ +3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ +4. & $E \to A :$ & $K^{pub}_E$ \end{tabular} \end{center} @@ -663,7 +666,7 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -5) & $A \to E :$ & $H_1$ +5. & $A \to E :$ & $H_1$ \end{tabular} \end{center} @@ -674,8 +677,8 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -6) & $E \to B :$ & $H_1$\\ -7) & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$ +6. & $E \to B :$ & $H_1$\\ +7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$ \end{tabular} \end{center} @@ -686,7 +689,7 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -8) & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$ +8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$ \end{tabular} \end{center} @@ -696,7 +699,7 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -9) & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$ +9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$ \end{tabular} \end{center} @@ -723,7 +726,7 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -10) & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$ +10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$ \end{tabular} \end{center} @@ -733,7 +736,7 @@ \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} -11) & $B \to E :$ & $M_2$ +11. & $B \to E :$ & $M_2$ \end{tabular} \end{center} 
@@ -786,12 +789,12 @@ \url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf} \end{center} -\noindent is quite amusing to read. Obviously an even more -amusing paper would be ``Dismantling Megamos Crypto: -Wirelessly Lockpicking a Vehicle Immobilizer'' but because -of the court injuction by VW we are denied this entertainment. +\noindent is quite amusing to read. Obviously an even more amusing +paper would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a +Vehicle Immobilizer'' by the same authors, but because of the court +injuction by VW in this case, we are denied this entertainment. -Person-in-the-middle-attacks in the ``wild'' are described +Person-in-the-middle-attacks from the ``wild'' are described with real data in the blog post \begin{center} @@ -800,7 +803,7 @@ \noindent The conclusion in this post is that person-in-the-middle-attacks can be launched from any place on Earth---it is not required -to sit in the ``middle'' of the communication of two people. +that you sit in the ``middle'' of the communication of two people. You just have to route their traffic through a node you own. \end{document}
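Review bot: In the hunk at @@ -8,22 +8,24 @@, the added sentence "Even in face of strong adversaries where we have no control over the network over which our messages are exchanged." has no main clause, and "in face of" should read "in the face of". Suggest attaching it to the sentence before it, for example "...have authenticated themselves to each other, even in the face of strong adversaries, where we have no control over the network over which our messages are exchanged." The rewritten line in the same hunk still has "voila", which could be typeset as "voil\`a" while the sentence is being touched.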
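Review bot: In the hunk at @@ -34,51 +36,52 @@, several of the added lines carry grammar slips that the rewrite could have fixed: "This answer is then send back" should be "sent back", "even if your have to touch" should be "even if you have to touch", and "over which we exchanging messages" is missing "are". The unchanged context line "The protocols we are interested here" also still lacks "in", although the first hunk makes exactly that fix for "interested in". Separately, the rewrite deletes "be it establishing a mutual secure connection or being able to authenticate to a system", which leaves "in order to achieve a goal" without any example of a goal at the point where the handout defines what a protocol is; consider keeping that clause.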
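Review bot: In the hunk at @@ -412,11 +415,11 @@, and repeated in every later table hunk up to @@ -733,7 +736,7 @@, the step labels are hand-typed in each row, so changing "1)" to "1." means editing every protocol step individually. Suggest introducing a small macro for the step label in the preamble and using it in these rows, so the numbering style is set in one place and the split tables for steps 5 to 11 cannot drift apart. The commit message should also say that this is a presentation-only change to the protocol listings, since the messages themselves are unchanged.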
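Review bot: In the hunk at @@ -786,12 +789,12 @@, the reflowed paragraph carries the misspelling "injuction" over into the added lines; it should be "injunction". The hunk also keeps "Person-in-the-middle-attacks" and "person-in-the-middle-attacks" with a hyphen before "attacks", while the text added in the hunk at @@ -34,51 +36,52 @@ writes "person-in-the-middle attack"; pick one form and use it throughout the handout.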