# HG changeset patch # User Christian Urban # Date 1477612990 -3600 # Node ID 88ee5959138416b82ea07a569b0070e146e5b349 # Parent 977c3ac60d620af05f2992345ed1fcceb46cb516 updated diff -r 977c3ac60d62 -r 88ee59591384 handouts/ho05.pdf Binary file handouts/ho05.pdf has changed diff -r 977c3ac60d62 -r 88ee59591384 handouts/ho05.tex --- a/handouts/ho05.tex Thu Oct 27 15:42:23 2016 +0100 +++ b/handouts/ho05.tex Fri Oct 28 01:03:10 2016 +0100 @@ -201,7 +201,8 @@ \{\{msg\}_{K_1}\}_{K_2} \] -\noindent The idea is that even if attacker Eve has the +\noindent This protocol is called lockstep protocol. +The idea is that even if attacker Eve has the key $K_2$ she could decrypt the outer envelop, but still does not get to the message, because it is still encrypted with the key $K_1$. Note, however, @@ -666,7 +667,7 @@ half $H_1$ to $B$. Which $B$ answers with the message consisting of the received $H_1$ and its own first half $M_1$ encrypted with $A$'s public key. The message in step 5. $A$ -receives this message, decrypts it and only when the $H_1$ +receives this message, decrypts it and \textbf{only} when the $H_1$ matches with its first half it send out earlier, $A$ will send out the second half; see step 6. For this, $A$ adds the received $M_1$ and encrypts both parts with $B$'s 
@@ -789,15 +790,144 @@ With this the protocol has ended. $E$ was able to decrypt all messages, but what messages did $A$ and $B$ receive and from -whom? Do you notice that $A$ and $B$ will find out that +whom? Was $E$ able to modify the messages? If yes, were +$A$ and $B$ able to find out that something strange is going on and probably not talk on this -channel anymore? I leave you to think about it. -\footnote{\rotatebox{180}{ +channel anymore? I leave you to think about it.\footnote{\rotatebox{180}{ \begin{minipage}{10cm} Consider the case where $A$ sends the message ``How is your grandmother?'' to $B$, and $B$ -send the message ``How is the weather in London today'' to $A$. -\end{minipage}}} +send the message ``How is the weather in London today'' to $A$. Another +possibility: what if $A$ and $B$ include a voice message in there +messages. +\end{minipage}}}\bigskip + +\noindent +I hope you have thought about all these questions. Maybe you noticed that +there is a way to defeat the lockstep protocol. If an attacker could only +forward the (unmodified) messages, then all would be great. Because then +it could be used to establish secret keys using the Hellman-Diffie +technique (see further reading). That $E$ was able to decrypt all messages +is of no importance for the Hellman-Diffie +technique. + +Unfortunately, $E$ can create completely fake messages. Let +us look at this possibility: $E$ intercepts again the keys from $A$ +and $B$, and substitutes its own keys. + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +1. & $A \to E :$ & $K^{pub}_A$\smallskip\\ +2. & $E \to B :$ & $K^{pub}_E$\smallskip\\ +3. & $B \to E :$ & $K^{pub}_B$\smallskip\\ +4. & $E \to A :$ & $K^{pub}_E$ +\end{tabular} +\end{center} + +\noindent +Now $A$ and $B$ build again their message halves: + +\[ +\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad +\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2 +\] + +\noindent +$A$ sends its first half $H_1$. 
+ +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +5. & $A \to E :$ & $H_1$ +\end{tabular} +\end{center} + +\noindent At this stage of the protocol, +also $E$ creates two messages and halves them, say + +\[ +\{E,m_E\}_{K^{pub}_E} \;\mapsto\; C_1,C_2\qquad +\{E,m'_E\}_{K^{pub}_E} \;\mapsto\; D_1,D_2 +\] + +\noindent +But notice that $E$ has to make up these messages out of +thin air. No information from $A$ and $B$ is usable yet---remember +the half $H_1$ on its own cannot be decrypted. $E$ can then send +$C_1$ to $B$, which dutifully responds + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +6. & $E \to B :$ & $C_1$\\ +7. & $B \to E :$ & $\{C_1, M_1\}_{K^{pub}_E}$ +\end{tabular} +\end{center} + +\noindent +Next $E$ has to send a message to $A$---it can use the made up $D_1$ and +the $H_1$ received earlier. + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +8. & $E \to A :$ & $\{H_1, D_1\}_{K^{pub}_A}$ +\end{tabular} +\end{center} + +\noindent +$A$ can verify it received $H_1$ and thus sends out + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$ +\end{tabular} +\end{center} + +\noindent +With this $E$ is in the possesion of both halves from $A$. +In order to get the reply from $B$, $E$ can send the message + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$ +\end{tabular} +\end{center} + +\noindent +and $B$ can verify that it received $M_1$. So it answer +with + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +11. & $B \to E :$ & $M_2$ +\end{tabular} +\end{center} + +\noindent Finally $E$ can complete the protocol with sending $D_2$ to $A$: + +\begin{center} +\begin{tabular}{ll@{\hspace{2mm}}l} +12. & $E \to A :$ & $D_2$ +\end{tabular} +\end{center} + +\noindent +$A$ and $B$ receive expected messages and were able to verify +their first halves. 
That means they do not suspect anything dodgy +going on: $E$ has sucessfully managed a man-in-the middle attack. +In case $A$ and $B$ are computers, there is not much that can +prevent this attack. In case they are humans, there are a few +things they can do. For example $A$ and $B$ can craft their +messages such that they include a specific question only $A$ and +$B$ are likely to be able to answer, or include a voice message +which identifies $A$ and $B$ by their voice. The point is $E$ should +not be able to create legit looking messages. Humans can do this +if they have some minimal knowledge of the protocol partner (for example +know their voice from TV); but computers cannot. The conclusion is +that there is no protocol that can establish a trusted connection +without any preshared information. The solution that has evolved +over the years is to use certificates which have been created by an +authority we (or better the browser) already trust. + +\section*{Key Fob Protocol} Recall from the beginning that a person-in-the middle attack can easily be mounted at the key fob and car @@ -818,16 +948,18 @@ \end{enumerate} \noindent The assumption is that the key $K$ is only known to -the car and the transponder. The claim is that $C$ and $T$ can +the car and the transponder. +The claim is that $C$ and $T$ can authenticate to each other. Again, I leave it to you to find -out if this protocol is immune from -person-in-the-middle attacks. +out, if this protocol is immune from +person-in-the-middle attacks. (Hint: Does it establish a +trusted connection from ``zero''?) \subsubsection*{Further Reading} \begin{itemize} -\item A nice video explaining the Hellman-Diffie key excahnge technique +\item A nice video explaining the Hellman-Diffie key exchange technique is here \begin{center} 
@@ -835,9 +967,13 @@ \end{center} The main point of this technique is that no sensitive information - is sent over the network---both parties create the key together. + is sent over the network---both parties create the key together, but + on their computer, not over the network. While the technique is cryptographic magic, it can be attacked - when messages can be manipulated during transit. + when messages can be manipulated during transit. Remember that + the lockstep protocol can only be attacked by either passively + forwarding the messages (without being able to modify them) or + by creating complete fake messages. \item A blogpost that describes the first few milliseconds of an HTTPS connection is at
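Review bot: the added sentence in the @@ -201 hunk is missing an article: "This protocol is called lockstep protocol." should read "This protocol is called the lockstep protocol." The unchanged context line right after it has "decrypt the outer envelop", where "envelope" is meant; since this paragraph is being edited anyway, fix that spelling in the same change.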
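Review bot: in the @@ -666 hunk the sentence now emphasised with \textbf{only} still carries a tense error in its context line, "matches with its first half it send out earlier"; it should be "sent out earlier", and this is the right change to fix it in.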
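Review bot: step 10 of the new attack trace in the @@ -789 hunk encrypts with the wrong key: "$E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$" is addressed to $B$, but $B$ only holds its own private key and cannot open a message encrypted under $K^{pub}_E$. By the pattern of step 8 ("$E \to A :$ & $\{H_1, D_1\}_{K^{pub}_A}$") the line should be $\{C_2, M_1\}_{K^{pub}_B}$; otherwise the trace as written does not show $B$ verifying $M_1$ and the conclusion "and $B$ can verify that it received $M_1$" does not follow. Several typos in the added prose of the same hunk: "in there messages" (their), "possesion" (possession), "sucessfully" (successfully), "man-in-the middle" (man-in-the-middle, and the handout otherwise says "person-in-the-middle", so pick one), "So it answer with" (it answers), and "complete the protocol with sending $D_2$" (by sending). The hunk also uses "Hellman-Diffie" three times; the technique is usually named Diffie-Hellman, so consider renaming here and in the Further Reading item for consistency with what readers will find elsewhere.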
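Review bot: the @@ -818 hunk introduces an ungrammatical comma in "I leave it to you to find out, if this protocol is immune"; the removed line had it right without the comma, so only the added hint sentence should change. The "excahnge" to "exchange" fix in the Further Reading item is good.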
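Review bot: the added wording in the @@ -835 hunk reads as self-contradictory: "both parties create the key together, but on their computer, not over the network" says together and separately in one breath; suggest "each party computes the shared key on its own computer from the values exchanged, so the key itself is never sent over the network". The last added sentence also calls passive forwarding an attack ("can only be attacked by either passively forwarding the messages ... or by creating complete fake messages"), which contradicts the new text in the @@ -789 hunk stating that if the attacker can only forward unmodified messages "all would be great"; rephrase to say the attacker's only options are to forward unmodified messages (harmless) or to fabricate completely fake ones, and change "complete fake" to "completely fake".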