updated
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Thu, 30 Oct 2014 01:17:51 +0000
changeset 275 06a04b3b2dda
parent 274 1e1008403f17
child 276 d7109c6e721d
handouts/ho05.pdf
handouts/ho05.tex
Binary file handouts/ho05.pdf has changed
--- a/handouts/ho05.tex	Thu Oct 30 00:54:41 2014 +0000
+++ b/handouts/ho05.tex	Thu Oct 30 01:17:51 2014 +0000
@@ -8,22 +8,24 @@
 \section*{Handout 5 (Protocols)}
 
 Protocols are the computer science equivalent to fractals and
-the Mandelbrot set in mathematics. With the latter you have a
-simple formula which you just iterate and then you test
-whether a point is inside or outside a region, and voila
-something magically
+the Mandelbrot set in mathematics. With the latter two you
+have a simple formula, which you just iterate and then you
+test whether a point is inside or outside a region\ldots{}it
+does not look exciting, but voila something magically
 happened.\footnote{\url{http://en.wikipedia.org/wiki/Fractal},
 \url{http://en.wikipedia.org/wiki/Mandelbrot_set}} Protocols
 are similar: they are simple exchanges of messages, but in the
 end something ``magical'' can happen---for example a secret
 channel has been established or two entities have
-authenticated themselves to each other. The problem with magic
-is of course it is poorly understood and even experts often
-got, and get, it wrong with protocols. 
+authenticated themselves to each other. Even in face of strong
+adversaries where we have no control over the network over
+which our messages are exchanged. The problem with magic is of
+course it is poorly understood and even experts often got, and
+get, it wrong with protocols.
 
-To have an idea what kind of protocols we are interested, let
+To have an idea what kind of protocols we are interested in, let
 us look at a few examples. One example are (wireless) key 
-fobs which operate the central locking system and the
+fobs, which operate the central locking system and the
 ignition in a car.
 
 \begin{center}
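Review bot: The added sentence "Even in face of strong adversaries where we have no control over the network over which our messages are exchanged." is a fragment with no main clause, and "in face of" should be "in the face of". Join it to the sentence before it, for example "...authenticated themselves to each other, even in the face of strong adversaries and with no control over the network over which our messages are exchanged." While this paragraph is being touched, "voila" could become "voil\`a", and the unchanged "One example are (wireless) key fobs" two lines above the comma fix should read "One example is".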
@@ -34,51 +36,52 @@
 
 \noindent The point of these key fobs is that everything is
 done over the ``air''---there is no physical connection
-between the key, doors and engine. So we must achieve security
-by exchanging certain messages between the key fob on one side
-and doors and engine on the other. Clearly what we like to
-achieve is that I can get into my car and start it, but that
-thieves are kept out. The problem is that everybody can
-``overhear'' or skim the exchange of messages between the key
-fob and car. In this scenario the simplest attack you need to
-defend against is a person-in-the-middle attack. Imagine you
-park your car in front of a supermarket. One thief follows you
-with a strong transmitter. A second thief ``listens'' to the
-signal from the car and wirelessly transmits it to the
-``colleague'' who followed you and who silently enquires about
-the answer from the key fob. The answer is then send back to
-the thief at the car, which then dutifully opens and possibly
-starts. No need to steal your key anymore.
+between the key, doors and engine, as was the case with the
+old solid metal keys. With the key fobs we must achieve
+security by exchanging certain messages between the key fob on
+one side and the doors and engine on the other. Clearly what
+we like to accomplish is that I can get into my car and start
+it, but that thieves are kept out. The problem is that
+everybody can ``overhear'' or skim the exchange of messages
+between the key fob and car. In this scenario the simplest
+attack you need to defend against is a person-in-the-middle
+attack. For this imagine you park your car in front of a
+supermarket. One thief follows you with a strong transmitter.
+A second thief ``listens'' to the signals from the car and
+wirelessly transmits them to the ``colleague'' who followed
+you. This thief silently enquires what the key fob answers.
+This answer is then send back to the thief at the car. If done
+properly the car will dutifully open and possibly start. No
+need to steal your keys anymore.
 
-But there are many more such protocols we like to consider.
-Other examples are wifi---you might sit at a Starbucks and
+But there are many more such protocols we like to treat.
+Another example is Wifi---you might sit at a Starbucks and
 talk wirelessly to the free access point there and from there
-talk with your bank, for example. Also even if your have to
-touch your Oyster card at the reader each time you enter and
-exit the Tube, it actually operates wirelessly and with
-appropriate equipment over some quite large distance. But
-there are many many more examples (Bitcoins, mobile
+talk to your bank. Moreover, even if your have to touch your
+Oyster card at the reader each time you enter or exit the
+Tube, it actually operates wirelessly and with appropriate
+equipment over some quite large distance (several meters). But
+there are many, many more examples (Bitcoins, mobile
 phones,\ldots). The common characteristics of the protocols we
-are interested in here is that an adversary or attacker is
-assumed to be in complete control over the network or channel
-over which you exchanging messages. An attacker can install a
-packet sniffer on a network, inject packets, modify packets,
-replay old messages, or fake pretty much everything. In this
-hostile environment, the purpose of protocols (that is
-exchange of messages) is to achieve some security goal, for
-example only allow the owner of the car in but everybody else
-should be kept out.
+are interested in is that an adversary or attacker is assumed
+to be in complete control over the network or channel over
+which we exchanging messages. An attacker can install a packet
+sniffer on a network, inject packets, modify packets, replay
+old messages, or fake pretty much everything else. In this
+hostile environment, the purpose of a protocol (that is
+exchange of messages) is to achieve some security goal. For
+example only allow the owner of the car in, but everybody else
+should stay out.
 
 The protocols we are interested here are generic descriptions
-of how to exchange messages in order to achieve a goal, be it
-establishing a mutual secure connection or being able to
-authenticate to a system. Unlike the distant past where for
-example we had to meet a person in order to authenticate him
-or her (via a passport for example), the problem we are facing
-on the Internet is that we cannot easily be sure who we are
-``talking'' to. The obvious reason is that only some electrons
-arrive at our computer; we do not see the person, or computer,
-behind the incoming electrons (messages). 
+of how to exchange messages in order to achieve a goal. Unlike
+the distant past where, for example, we had to meet a person in
+order to authenticate him or her (via a passport for example),
+the problem we are facing on the Internet is that we cannot
+easily be sure who we are ``talking'' to. The obvious reason
+is that only some electrons arrive at our computer; we do not
+see the person, or computer, behind the incoming electrons
+(messages). 
 
 To start, let us look at one of the simplest protocols that
 are part of the TCP protocol (which underlies the Internet).
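Review bot: Three grammar slips survive the rewording in the added lines: "This answer is then send back" should be "sent back", "even if your have to touch" should be "even if you have to touch", and "over which we exchanging messages" needs "we are exchanging". The unchanged line "The protocols we are interested here" is still missing the "in" that the previous hunk added to the same phrase. The new "(several meters)" is a concrete figure with no source; a footnote or reference would support it. The rewritten last paragraph also drops the two sample goals (establishing a mutual secure connection, authenticating to a system), so "in order to achieve a goal" now stands without an illustration; consider keeping one of them.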
@@ -412,11 +415,11 @@
 \begin{tabular}{lllll}
 & \multicolumn{2}{l}{challenge mode:} & 
 \multicolumn{2}{l}{response mode:}\smallskip\\
-1) & $A \rightarrow E$: & $N_A$\\ 
-2) & & & $E \rightarrow A$: & $N_A$\\ 
-3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
-4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
-5) & $A \rightarrow E$: & $N_A'$\\
+1. & $A \rightarrow E$: & $N_A$\\ 
+2. & & & $E \rightarrow A$: & $N_A$\\ 
+3. & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+4. & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+5. & $A \rightarrow E$: & $N_A'$\\
 \end{tabular}
 \end{center}
 
@@ -569,14 +572,14 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
-2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
-3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
-4) & $E \to A :$ & $K^{pub}_E$\smallskip\\
-5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
-6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
-7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
-8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4. & $E \to A :$ & $K^{pub}_E$\smallskip\\
+5. & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
+6. & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
+7. & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
+8. & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
 \end{tabular}
 \end{center}
 
@@ -594,14 +597,14 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to B :$ & $K^{pub}_A$\smallskip\\
-2) & $B \to A :$ & $K^{pub}_B$\smallskip\\
-3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
+1. & $A \to B :$ & $K^{pub}_A$\smallskip\\
+2. & $B \to A :$ & $K^{pub}_B$\smallskip\\
+3. & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
    & & $\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$\\
-4) & $A \to B :$ & $H_1$\smallskip\\
-5) & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
-6) & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
-7) & $B \to A :$ & $M_2$
+4. & $A \to B :$ & $H_1$\smallskip\\
+5. & $B \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$\smallskip\\
+6. & $A \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$\smallskip\\
+7. & $B \to A :$ & $M_2$
 \end{tabular}
 \end{center}
 
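Review bot: The two rows of step 3 (the lines ending in "H_1,H_2$\\" and "M_1,M_2$\\") carry no \smallskip, unlike every other row in this tabular, so the gap between step 3 and step 4 is tighter than between the remaining steps; add \smallskip to the "M_1,M_2" row. Step 3 also leaves the sender column empty for both rows, so the table does not say who performs each split; a short label in that column (A for the row encrypted with K^{pub}_B, B for the row encrypted with K^{pub}_A) would make it clear these are local computations and not messages.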
@@ -644,10 +647,10 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
-2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
-3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
-4) & $E \to A :$ & $K^{pub}_E$
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4. & $E \to A :$ & $K^{pub}_E$
 \end{tabular}
 \end{center}
 
@@ -663,7 +666,7 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-5) & $A \to E :$ & $H_1$
+5. & $A \to E :$ & $H_1$
 \end{tabular}
 \end{center}
 
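Review bot: The step label "5." here is typed by hand and continues a count that starts in a separate tabular ("1." to "4." in the previous hunk); the following hunks carry it on through "11." in further one-row tabulars. Inserting or removing a step means renumbering every table manually, which is the same work this change had to do for the switch from "n)" to "n.". A LaTeX counter or a small macro for the step label would keep the numbers and their punctuation consistent across the trace.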
@@ -674,8 +677,8 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-6) & $E \to B :$ & $H_1$\\
-7) & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
+6. & $E \to B :$ & $H_1$\\
+7. & $B \to E :$ & $\{H_1, M_1\}_{K^{pub}_E}$
 \end{tabular}
 \end{center}
 
@@ -686,7 +689,7 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-8) & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
+8. & $E \to A :$ & $\{H_1, M_1\}_{K^{pub}_A}$
 \end{tabular}
 \end{center}
 
@@ -696,7 +699,7 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-9) & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
+9. & $A \to E :$ & $\{H_2, M_1\}_{K^{pub}_E}$
 \end{tabular}
 \end{center}
 
@@ -723,7 +726,7 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-10) & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
+10. & $E \to B :$ & $\{H_2, M_1\}_{K^{pub}_B}$
 \end{tabular}
 \end{center}
 
@@ -733,7 +736,7 @@
 
 \begin{center}
 \begin{tabular}{ll@{\hspace{2mm}}l}
-11) & $B \to E :$ & $M_2$
+11. & $B \to E :$ & $M_2$
 \end{tabular}
 \end{center}
 
@@ -786,12 +789,12 @@
 \url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
 \end{center}
 
-\noindent is quite amusing to read. Obviously an even more
-amusing paper would be ``Dismantling Megamos Crypto: 
-Wirelessly Lockpicking a Vehicle Immobilizer'' but because
-of the court injuction by VW we are denied this entertainment.
+\noindent is quite amusing to read. Obviously an even more amusing
+paper would be ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
+Vehicle Immobilizer'' by the same authors, but because of the court
+injuction by VW in this case, we are denied this entertainment.
 
-Person-in-the-middle-attacks in the ``wild'' are described 
+Person-in-the-middle-attacks from the ``wild'' are described 
 with real data in the blog post
 
 \begin{center}
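Review bot: The misspelling "injuction" is carried over from the removed line into the new one; it should be "injunction". The added "in this case" directly after "by VW" is also redundant, since the sentence names only one paper, and can be dropped.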
@@ -800,7 +803,7 @@
 
 \noindent The conclusion in this post is that person-in-the-middle-attacks
 can be launched from any place on Earth---it is not required 
-to sit in the ``middle'' of the communication of two people.
+that you sit in the ``middle'' of the communication of two people.
 You just have to route their traffic through a node you own.
 
 \end{document}
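Review bot: The compound "person-in-the-middle-attacks" in this hunk, and "Person-in-the-middle-attacks" in the previous one, is hyphenated through to "attacks", while the second hunk of this same change writes "person-in-the-middle attack" with a space. Use the spaced form throughout, i.e. "person-in-the-middle attacks".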