updated
author: Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 29 Oct 2014 15:16:33 +0000
changeset 265 2ce6b7c94763
parent 264 0079db1a1c9d
child 266 e711cfd1ec70
handouts/ho05.pdf
handouts/ho05.tex
Binary file handouts/ho05.pdf has changed
--- a/handouts/ho05.tex	Wed Oct 29 14:23:20 2014 +0000
+++ b/handouts/ho05.tex	Wed Oct 29 15:16:33 2014 +0000
@@ -241,6 +241,90 @@
 $A \to B: K_{AB}$ 
 \end{center}
 
+\noindent It can be sought of as $A$ sends a common secret to
+$B$ like a password. The idea is that if only $A$ and $B$ know
+the key $K_{AB}$ then this should be sufficient for $B$ to
+infer it is talking to $A$. But this is of course too naive,
+if the message can be observed by everybody else on the
+network. Eve could just record this message $A$ just send, and
+next time send the same message to $B$ and $B$ would believe
+it talked to $A$. But actually it talked to Eve which now
+clears out $A$s back account if $B$ had been a bank.
+
+A more sophisticated protocol which tries to avoid the
+replay attack is as follows
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \to B:$ & $HELLO$\\
+$B \to A:$ & $N$\\
+$A \to B:$ & $\{N\}_{K_{AB}}$\\
+\end{tabular}
+\end{center} 
+
+\noindent With this protocol the idea is that $A$ first sends 
+a message to $B$ saying ``I want to talk to you''. $B$ sends 
+then a challenge in form of a random number $N$. In protocols 
+such random numbers are often called \emph{nonce}. What is the
+purpose of this nonce? Well, if an attacker records $A$ 
+answer, it will not make sense to replay this message, because
+next time this protocol is run the nonce $B$ sends will be
+different. So if we run this protocol, what can $B$ infer:
+it has send out an (unpredictable) nonce to $A$ and
+received this challenge back, but encoded under the key 
+$K_{AB}$. If $B$ assumes only $A$ and $B$ know the key $K_{AB}$
+and the nonce is unpredictable, then $B$ is able to
+infer it must be talking to $A$. Of course the implicit 
+assumption on this inference are that nobody else knows
+about the key $K_{AB}$ and nobody else can decrypt the
+message. $B$ of course can decrypt the answer from $A$
+and check whether the answer corresponds to the challenge
+(nonce) $B$ has send earlier.
+
+But what about $A$? Can $A$ make any assumptions about who it
+talks to? It dutifully answered the challenge and hopes its
+bank, say, will be the only one to understand her answer. But
+is this the case? No! Lets consider an attacker Eve who has
+control over the network. She could have intercepted the
+message $HELLO$ and just replied herself to $A$ using a random
+number\ldots{} for example one which she observed in a
+previous run of this protocol. Remember that if a message is
+send without curly braces it is sent in clear text. Then
+$A$ would encrypt the nonce with the key $K_{AB}$ and send
+it back to Eve. She just throws the answer away. $A$ would
+hope that she talked to $B$ because she followed the protocol,
+but unfortunately she cannot be sure who she is talking to. 
+
+The solution is to follow a \emph{mutual challenge-response}
+protocol. There $A$ already starts off with a challenge (nonce)
+on her own.
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \to B:$ & $N_A$\\
+$B \to A:$ & $\{N_A, N_B\}_{K_{AB}}$\\
+$A \to B:$ & $N_B$\\
+\end{tabular} 
+\end{center}
+
+\noindent As seen, $B$ receives this nonce, $N_A$, adds his
+own nonce, $N_B$ and encrypts it with the key $K_{AB}$. $A$
+receives this message, is able to decrypt it since we assume
+she has the key $K_{AB}$, and sends back the nonce of $B$.
+Let us analyse which assumptions $A$ and $B$ can make after 
+the protocol has run. $B$ received a challenge and answered 
+correctly to $A$ (in the encrypted message). An attacker
+would just not be able to answer this challenge correctly 
+because the attacker is assumed to not be in the possession of
+the key $K_{AB}$; so could not have formed this message.
+It could also not have just replayed an old message, because
+$A$ would send out each time a fresh nonce. So with this
+protocol you can ensure also for $A$ that it talks to $B$.
+I leave you to argue that $B$ can be sure to talk to $A$.
+Of course these arguments will depend on the assumptions that
+only $A$ and $B$ know the key $K_{AB}$ and that nobody can
+break the encryption unless they have this key.
+
 
 
 \bigskip\bigskip
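Review bot: several wording slips in the added paragraphs change the meaning and should be corrected before the handout ships. In the first paragraph, "It can be sought of as" should read "It can be thought of as", and "clears out $A$s back account" should be "clears out $A$'s bank account". "send" is used for the past participle "sent" in "the message $A$ just send", "it has send out an (unpredictable) nonce" and "(nonce) $B$ has send earlier"; "Lets consider an attacker Eve" needs "Let's". The paragraph on $A$'s perspective switches pronoun for $A$ mid-sentence ("It dutifully answered the challenge and hopes its bank ... will be the only one to understand her answer"); pick either "it" or "she" and use it consistently across the two challenge-response paragraphs. Two smaller points: `$HELLO$` typesets the word as a product of five variables, so `\textit{HELLO}` (or `\mathit{HELLO}`) inside the tabular would render it as intended; and in the analysis of the mutual protocol, the text leaves implicit why the final clear-text message `$A \to B:$ & $N_B$` still proves that $A$ holds $K_{AB}$, namely that $N_B$ only ever travelled encrypted under $K_{AB}$ in the second message. Since the reader is then asked to argue that $B$ can be sure it talks to $A$, one sentence stating that observation explicitly would make the exercise tractable.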