# HG changeset patch # User Christian Urban # Date 1414601340 0 # Node ID 37821a377c4a4575b83899db0ed85d91d9c6f544 # Parent e711cfd1ec703da8ae4d28a75ff8a24d376793f1 updated diff -r e711cfd1ec70 -r 37821a377c4a handouts/ho05.pdf Binary file handouts/ho05.pdf has changed diff -r e711cfd1ec70 -r 37821a377c4a handouts/ho05.tex --- a/handouts/ho05.tex Wed Oct 29 16:07:22 2014 +0000 +++ b/handouts/ho05.tex Wed Oct 29 16:49:00 2014 +0000 
@@ -375,23 +375,76 @@ the authentication problem, there are some problems. One is of course that it requires a pre-shared secret key. That is something that needs to be established beforehand. Not all -situations allow such an assumption. For example if I am -a whistle blower (say Snowden) and want to talk to a -journalist (say Greenwald) then I might not have a secret -pre-shared key. The other problem is that such mutual -challenge-response systems often work in the same system -in the ``challenge mode'' but also in the ``response mode''. -For example if two servers want to talk to each other---they -would need the protocol in response mode, but also if they -want to talk to other servers in challenge mode. Similarly -if you in an military aircraft you have to challenge everybody -you see, in case there is a friend amongst the targets you -like to shoot, but you also have to respond to any of your -own anti-aircraft guns on the ground. In these situations -you have to be careful to not decode, or answer, your own -challenge. +situations allow such an assumption. For example if I am a +whistle blower (say Snowden) and want to talk to a journalist +(say Greenwald) then I might not have a secret pre-shared key. +Another problem is that such mutual challenge-response systems +often work in the same system in the ``challenge mode'' but +also in the ``response mode''. For example if two servers want +to talk to each other---they would need the protocol in +response mode, but also if they want to talk to other servers +in challenge mode. Similarly if you in an military aircraft +you have to challenge everybody you see, in case there is a +friend amongst the targets you like to shoot, but you also +have to respond to any of your own anti-aircraft guns on the +ground lest they shoot you. In these situations you have to be +careful to not decode, or answer, your own challenge. 
Recall +the protocol is + +\begin{center} +\begin{tabular}{l@{\hspace{2mm}}l} +$A \rightarrow B$: & $N_A$\\ +$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\ +$A \rightarrow B$: & $N_B$\\ +\end{tabular} +\end{center} + +\noindent but it does not specify who is $A$ and who is $B$. +If, as supposed, the protocol works in response and in +challenge mode, then $A$ will be $A$ in one instance, but $B$ +in the other. I hope this makes sense. Let us look at the +details and lets assume our adversary is $E$ who just deflects +our messages back to us. + +\begin{center} +\begin{tabular}{lllll} +& \multicolumn{2}{l}{challenge mode:} & +\multicolumn{2}{l}{response mode:}\smallskip\\ +1) & $A \rightarrow E$: & $N_A$\\ +2) & & & $E \rightarrow A$: & $N_A$\\ +3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\ +4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\ +5) & $A \rightarrow E$: & $N_A'$\\ +\end{tabular} +\end{center} + +\noindent In the first step we challenge $E$ with a nonce we +created. Since we also run the protocol in ``response mode'', +$E$ can now feed us the same challenge in step 2. We do not +know where it came from (it's over the air), but if we are in +an aircraft we should better quickly answer it, otherwise we +risk to be shot. So we add our own challenge $N'_A$ and +encrypt it under the secret key $K_{AB}$ (step 3). Now $E$ +does not need to know this key in order to form the correct +answer for the first protocol. It will just replays this +message back to us in the challenge mode (step 4). I happily +accept this message---after all it is encrypted under the +secret key $K_{AB}$ and it contains the correct challenge from +me, namely $N_A$. So I accept that $E$ is a friend and send +even back the challenge $N'_A$. The problem is that $E$ now +starts firing at me and I have no clue what is going on and +suspect, erroneously, that an idiot must have leaked the +secret key. 
I followed in both cases the protocol to the +letter, but somehow $E$, with my help, managed to disguise as +a friend. As a pilot, I would rather prefer the designer of +this challenge-response protocol were a tad smarter. For one +thing they violated the best practice in protocol design of +using the same key, $K_{AB}$, for two different +purposes---challenging and responding. They better had used +two different keys. This would have averted this attack and +would have saved me a lot of trouble. \bigskip\bigskip Keyfobs - protocol diff -r e711cfd1ec70 -r 37821a377c4a slides/slides05.pdf Binary file slides/slides05.pdf has changed diff -r e711cfd1ec70 -r 37821a377c4a slides/slides05.tex --- a/slides/slides05.tex Wed Oct 29 16:07:22 2014 +0000 +++ b/slides/slides05.tex Wed Oct 29 16:49:00 2014 +0000 @@ -277,7 +277,7 @@ \begin{center} \begin{tabular}{ll} \bl{$A \rightarrow B$:} & \bl{$N_A$}\\ -\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\ +\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ \bl{$A \rightarrow B$:} & \bl{$N_B$}\\ \end{tabular} \end{center}
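Review bot: the closing added paragraph of the handouts/ho05.tex hunk states the design rule backwards. The lines `thing they violated the best practice in protocol design of` / `using the same key, $K_{AB}$, for two different` / `purposes---challenging and responding.` read as if using one key for two purposes were the best practice, while the next sentence ("They better had used two different keys") shows the intended rule is the opposite: never reuse one key for two different purposes. Suggest "they violated the best practice in protocol design of never using the same key for two different purposes", and "They had better have used two different keys" for the sentence after it. The attack trace and its explanation are consistent (step 4 is A's own step-3 reply reflected back, accepted because it carries $N_A$ under $K_{AB}$), but the prose switches narrator mid-paragraph ("We do not know where it came from" then "I happily accept this message"); pick one voice. Smaller slips in the added lines: "if you in an military aircraft" should be "if you are in a military aircraft", "lets assume our adversary" should be "let's assume", "It will just replays this message" should be "It will just replay this message", "risk to be shot" should be "risk being shot", and "managed to disguise as a friend" should be "managed to disguise itself as a friend".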
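Review bot: the slides/slides05.tex hunk changes the key subscript on one line only, from `\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\` to `\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\`, which brings the slide in line with the $K_{AB}$ notation used throughout the ho05.tex hunk. The context lines shown in this hunk contain no other key subscript, so the tabular itself is now consistent, but since the handout spells the key $K_{AB}$ everywhere, the rest of slides05.tex is worth grepping for any remaining `K_{ab}` so the slides and handout do not disagree on the same protocol. The commit message "updated" also gives a reader no hint that this changeset adds the reflection-attack section to the handout; a one-line summary would help.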