diff -r 37821a377c4a -r 43629c8c88c6 handouts/ho05.tex --- a/handouts/ho05.tex Wed Oct 29 16:49:00 2014 +0000 +++ b/handouts/ho05.tex Wed Oct 29 17:35:41 2014 +0000 
@@ -446,6 +446,55 @@ two different keys. This would have averted this attack and would have saved me a lot of trouble. +\subsubsection*{Trusted Third Parties} + +One limitation the protocols we discussed so far is +that they pre-suppose a secret shared key. As already +mentioned, this is a convenience we cannot always assume. +How to establish a secret key then? Well, if both parties, +say $A$ and $B$, mutually trust a third party, say $S$, +then they can use the following protocol: + +\begin{center} +\begin{tabular}{l@{\hspace{2mm}}l} +$A \rightarrow S :$ & $A, B$\\ +$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\ +$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\ +$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\ +\end{tabular} +\end{center} + +\noindent The assumption in this protocol is that $A$ and $S$ +share a secret key, and also $B$ and $S$ ($S$ being the +trusted third party). The goal is that $A$ can send $B$ a +message $m$ under a shared secret key $K_{AB}$, which at the +beginning of the protocol does not exist yet. How does this +protocol work? In the first step $A$ contacts $S$ and says +that it wants to talk to $B$. In turn $S$ invents a new key +$K_{AB}$ and sends two messages back to $A$: one message is +$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and +$S$ share, and also the message +$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which is encrypted with +$K_{AB}$ but also a second time with $K_{BS}$. The point of +the second message is that it is a message intended for $B$. +So a receives both messages and can decrypt them---in the +first case it obtains the key $K_{AB}$ which $S$ suggested to +use. In the second case it obtains a message it can forward to +$B$. $B$ receives this message and since it knows the key it +shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can +start to exchange messages with the shared secret key +$K_{AB}$. 
What is the advantage of $S$ sending $A$ two +messages instead of contacting $B$ instead? Well, for one +there can now be a time-delay between the second and +third step in the protocol. At some point in the past +$A$ and $S$ need to have come together to share +a key, similarly $B$ and $S$. After that $B$ does not need to +be ``online'' anymore until $A$ actually starts sending messages +to $B$. $A$ and $S$ can completely on their own negotiate a +new key. + +\subsubsection*{Averting Person-in-the-Middle Attacks} + \bigskip\bigskip Keyfobs - protocol
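Review bot: the explanation of the second message from $S$ is wrong and contradicts the protocol table a few lines above: $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$ is the key $K_{AB}$ encrypted first under $K_{BS}$ and then under $K_{AS}$, not "encrypted with $K_{AB}$ but also a second time with $K_{BS}$"; suggest "which is $K_{AB}$ encrypted with $K_{BS}$, and then a second time with $K_{AS}$" so that $A$ can strip the outer layer and forward the inner one to $B$. Smaller fixes in the same paragraph: "One limitation the protocols we discussed so far" is missing "of", the stray full stop in "$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which" should be a comma, and "So a receives both messages" should read "$A$ receives". Since the third message $\{K_{AB}\}_{K_{BS}}$ as written contains neither $A$'s identity nor any freshness value, the text's claim that $A$ and $B$ "can start to exchange messages" is stronger than what the protocol supports ($B$ cannot tell whom the key is shared with, nor whether it is new); either state that limitation here or say that it is picked up in the following subsection, which is currently only the placeholder "Keyfobs - protocol".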