diff -r 0079db1a1c9d -r 2ce6b7c94763 handouts/ho05.tex --- a/handouts/ho05.tex Wed Oct 29 14:23:20 2014 +0000 +++ b/handouts/ho05.tex Wed Oct 29 15:16:33 2014 +0000 
@@ -241,6 +241,90 @@ $A \to B: K_{AB}$ \end{center} +\noindent It can be sought of as $A$ sends a common secret to +$B$ like a password. The idea is that if only $A$ and $B$ know +the key $K_{AB}$ then this should be sufficient for $B$ to +infer it is talking to $A$. But this is of course too naive, +if the message can be observed by everybody else on the +network. Eve could just record this message $A$ just send, and +next time send the same message to $B$ and $B$ would believe +it talked to $A$. But actually it talked to Eve which now +clears out $A$s back account if $B$ had been a bank. + +A more sophisticated protocol which tries to avoid the +replay attack is as follows + +\begin{center} +\begin{tabular}{l@{\hspace{2mm}}l} +$A \to B:$ & $HELLO$\\ +$B \to A:$ & $N$\\ +$A \to B:$ & $\{N\}_{K_{AB}}$\\ +\end{tabular} +\end{center} + +\noindent With this protocol the idea is that $A$ first sends +a message to $B$ saying ``I want to talk to you''. $B$ sends +then a challenge in form of a random number $N$. In protocols +such random numbers are often called \emph{nonce}. What is the +purpose of this nonce? Well, if an attacker records $A$ +answer, it will not make sense to replay this message, because +next time this protocol is run the nonce $B$ sends will be +different. So if we run this protocol, what can $B$ infer: +it has send out an (unpredictable) nonce to $A$ and +received this challenge back, but encoded under the key +$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$ +and the nonce is unpredictable, then $B$ is able to +infer it must be talking to $A$. Of course the implicit +assumption on this inference are that nobody else knows +about the key $K_{AB}$ and nobody else can decrypt the +message. $B$ of course can decrypt the answer from $A$ +and check whether the answer corresponds to the challenge +(nonce) $B$ has send earlier. + +But what about $A$? Can $A$ make any assumptions about who it +talks to? 
It dutifully answered the challenge and hopes its +bank, say, will be the only one to understand her answer. But +is this the case? No! Lets consider an attacker Eve who has +control over the network. She could have intercepted the +message $HELLO$ and just replied herself to $A$ using a random +number\ldots{} for example one which she observed in a +previous run of this protocol. Remember that if a message is +send without curly braces it is sent in clear text. Then +$A$ would encrypt the nonce with the key $K_{AB}$ and send +it back to Eve. She just throws the answer away. $A$ would +hope that she talked to $B$ because she followed the protocol, +but unfortunately she cannot be sure who she is talking to. + +The solution is to follow a \emph{mutual challenge-response} +protocol. There $A$ already starts off with a challenge (nonce) +on her own. + +\begin{center} +\begin{tabular}{l@{\hspace{2mm}}l} +$A \to B:$ & $N_A$\\ +$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\ +$A \to B:$ & $N_B$\\ +\end{tabular} +\end{center} + +\noindent As seen, $B$ receives this nonce, $N_A$, adds his +own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$ +receives this message, is able to decrypt it since we assume +she has the key $K_{AB}$, and sends back the nonce of $B$. +Let us analyse which assumptions $A$ and $B$ can make after +the protocol has run. $B$ received a challenge and answered +correctly to $A$ (in the encrypted message). An attacker +would just not be able to answer this challenge correctly +because the attacker is assumed to not be in the possession of +the key $K_{AB}$; so could not have formed this message. +It could also not have just replayed an old message, because +$A$ would send out each time a fresh nonce. So with this +protocol you can ensure also for $A$ that it talks to $B$. +I leave you to argue that $B$ can be sure to talk to $A$. 
+Of course these arguments will depend on the assumptions that +only $A$ and $B$ know the key $K_{AB}$ and that nobody can +break the encryption unless they have this key. + \bigskip\bigskip
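Review bot: The argument the reader is asked to complete at the end of this hunk ("I leave you to argue that $B$ can be sure to talk to $A$") depends on a fact the text never states: in the mutual protocol the third message $N_B$ is sent without curly braces, i.e. in clear text, so the only reason it proves anything to $B$ is that $N_B$ had previously travelled only inside $\{N_A, N_B\}_{K_{AB}}$ and could not have been learned without the key. Suggest adding one sentence to that effect next to the table, and moving the remark "if a message is send without curly braces it is sent in clear text" up to where the notation is first used, since it currently appears in the middle of the Eve argument. The same hunk has several typos worth fixing before it lands: "sought of" should be "thought of", "just send" / "has send" / "is send" should use "sent", "back account" should be "bank account", "$A$s" and "$A$ answer" need a possessive ("$A$'s"), "Lets" should be "Let's", and "so could not have formed this message" is missing its subject ("so it could not"). Finally, the line "+Of course these arguments will depend" follows the previous sentence with no blank line, so LaTeX will run it into the same paragraph; insert an empty "+" line if a new paragraph is intended.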