diff -r 88ee59591384 -r f5172bb6cf45 handouts/ho05.tex --- a/handouts/ho05.tex Fri Oct 28 01:03:10 2016 +0100 +++ b/handouts/ho05.tex Sat Nov 05 17:09:05 2016 +0000 @@ -3,7 +3,7 @@ \usepackage{../langs} \begin{document} -\fnote{\copyright{} Christian Urban, 2014} +\fnote{\copyright{} Christian Urban, King's College London, 2014, 2016} %% the expectation is that anything encrypted today, will be %% decrypted in 20 years time @@ -95,7 +95,7 @@ The common characteristics of the protocols we are interested in is that an adversary or attacker is assumed to be in -complete control over the network or channel over which we +complete control of the network or channel over which we exchanging messages. An attacker can install a packet sniffer on a network, inject packets, intercept packets, modify packets, replay old messages, or fake pretty much everything @@ -573,9 +573,12 @@ organisations, VeriSign, has limited its liability to \$100 in case it issues a false certificate. This is really a joke and really the wrong incentive for the certification organisations -to clean up their mess. +to clean up their mess. The problem is compounded that +browser vendors also play a crucial role for this to +work (and they might have completely different incentives +according to which they operate). -The problem we want to study closer here is that protocols +The problem we want to study closer now is that protocols based on public-private key encryption are susceptible to simple person-in-the-middle attacks. Consider the following protocol where $A$ and $B$ attempt to exchange secret messages @@ -604,8 +607,8 @@ \noindent Since we assume an attacker, say $E$, has complete control over the network, $E$ can intercept the first two -messages and substitutes her own public key. The protocol -run would therefore be +messages and substitutes her own public key. The resulting protocol +run would be \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l} 
@@ -803,17 +806,18 @@ \end{minipage}}}\bigskip \noindent -I hope you have thought about all these questions. Maybe you noticed that -there is a way to defeat the lockstep protocol. If an attacker could only -forward the (unmodified) messages, then all would be great. Because then -it could be used to establish secret keys using the Hellman-Diffie -technique (see further reading). That $E$ was able to decrypt all messages -is of no importance for the Hellman-Diffie -technique. +I hope you have thought about all these questions. $E$ cannot modify +the received messages---$A$ and $B$ woudl find this out. To stay +undetected, $E$ can only forward the messages (unmodified) and this is +all what $A$ and $B$ need in order to establish a shared secret. For +example they can use the Hellman-Diffie key exchange protocol (see +further reading) which works, even if $E$ can decrypt all messages. -Unfortunately, $E$ can create completely fake messages. Let -us look at this possibility: $E$ intercepts again the keys from $A$ -and $B$, and substitutes its own keys. +All good? Unfortunately, there is a way to defeat this lockstep +protocol---the name of this protocol that halves the messages. The +problem is $E$ can create completely fake messages. Let us look at +this possibility: $E$ intercepts again the keys from $A$ and $B$, and +substitutes its own keys. \begin{center} \begin{tabular}{ll@{\hspace{2mm}}l}
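Review bot: in the hunk at @@ -95, the edited sentence is still ungrammatical after the "over"/"of" change because the unchanged context line that follows reads "exchanging messages" without a verb: "complete control of the network or channel over which we exchanging messages". Since the hunk already touches this sentence, fix the context line too, e.g. "over which we are exchanging messages".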
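Review bot: in the hunk at @@ -573, the added sentence "The problem is compounded that browser vendors also play a crucial role for this to work" does not parse; suggest "The problem is compounded by the fact that browser vendors also play a crucial role in making this work (and they might operate according to completely different incentives)". Also, since the paragraph now raises browser vendors as a second party with their own incentives, one clause saying what that role is (deciding which certification authorities are trusted by default) would make the point concrete rather than leaving it implied.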
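Review bot: in the hunk at @@ -604, the rewritten line keeps a number-agreement error from the original: "$E$ can intercept the first two messages and substitutes her own public key" should read "can intercept ... and substitute her own public key", since both verbs hang off "can". The change from "The protocol run would therefore be" to "The resulting protocol run would be" is fine.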
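Review bot: the hunk at @@ -803 introduces a typo and two wording problems in the new prose. "woudl" in "$A$ and $B$ woudl find this out" should be "would"; "this is all what $A$ and $B$ need" should be "this is all that $A$ and $B$ need"; and "Hellman-Diffie key exchange protocol" (twice in the removed text, once in the added text) should use the standard name "Diffie-Hellman", which is also what a reader will look up under "further reading". The parenthetical "this lockstep protocol---the name of this protocol that halves the messages" is hard to follow; suggest "this lockstep protocol (the name for the protocol above, in which each message is split into two halves)". Finally, the argument in the two new paragraphs would be easier to follow if the first one made the distinction explicit that $E$ cannot alter a message that $A$ or $B$ has already half-received, while the second paragraph shows $E$ can still run two separate instances of the protocol with fabricated messages; as written, "cannot modify" and "can create completely fake messages" read as contradictory until the attack is shown.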