Binary file handouts/ho05.pdf has changed
--- a/handouts/ho05.tex Wed Oct 29 16:07:22 2014 +0000
+++ b/handouts/ho05.tex Wed Oct 29 16:49:00 2014 +0000
@@ -375,23 +375,76 @@
the authentication problem, there are some problems. One is of
course that it requires a pre-shared secret key. That is
something that needs to be established beforehand. Not all
-situations allow such an assumption. For example if I am
-a whistle blower (say Snowden) and want to talk to a
-journalist (say Greenwald) then I might not have a secret
-pre-shared key. The other problem is that such mutual
-challenge-response systems often work in the same system
-in the ``challenge mode'' but also in the ``response mode''.
-For example if two servers want to talk to each other---they
-would need the protocol in response mode, but also if they
-want to talk to other servers in challenge mode. Similarly
-if you in an military aircraft you have to challenge everybody
-you see, in case there is a friend amongst the targets you
-like to shoot, but you also have to respond to any of your
-own anti-aircraft guns on the ground. In these situations
-you have to be careful to not decode, or answer, your own
-challenge.
+situations allow such an assumption. For example if I am a
+whistle blower (say Snowden) and want to talk to a journalist
+(say Greenwald) then I might not have a secret pre-shared key.
+Another problem is that such mutual challenge-response systems
+often work in the same system in the ``challenge mode'' but
+also in the ``response mode''. For example if two servers want
+to talk to each other---they would need the protocol in
+response mode, but also if they want to talk to other servers
+in challenge mode. Similarly if you in an military aircraft
+you have to challenge everybody you see, in case there is a
+friend amongst the targets you like to shoot, but you also
+have to respond to any of your own anti-aircraft guns on the
+ground lest they shoot you. In these situations you have to be
+careful to not decode, or answer, your own challenge. Recall
+the protocol is
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \rightarrow B$: & $N_A$\\
+$B \rightarrow A$: & $\{N_A, N_B\}_{K_{AB}}$\\
+$A \rightarrow B$: & $N_B$\\
+\end{tabular}
+\end{center}
+
+\noindent but it does not specify who is $A$ and who is $B$.
+If, as supposed, the protocol works in response and in
+challenge mode, then $A$ will be $A$ in one instance, but $B$
+in the other. I hope this makes sense. Let us look at the
+details and lets assume our adversary is $E$ who just deflects
+our messages back to us.
+
+\begin{center}
+\begin{tabular}{lllll}
+& \multicolumn{2}{l}{challenge mode:} &
+\multicolumn{2}{l}{response mode:}\smallskip\\
+1) & $A \rightarrow E$: & $N_A$\\
+2) & & & $E \rightarrow A$: & $N_A$\\
+3) & & & $A \rightarrow E$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+4) & $E \rightarrow A$: & $\{N_A, N_A'\}_{K_{AB}}$\\
+5) & $A \rightarrow E$: & $N_A'$\\
+\end{tabular}
+\end{center}
+
+\noindent In the first step we challenge $E$ with a nonce we
+created. Since we also run the protocol in ``response mode'',
+$E$ can now feed us the same challenge in step 2. We do not
+know where it came from (it's over the air), but if we are in
+an aircraft we should better quickly answer it, otherwise we
+risk to be shot. So we add our own challenge $N'_A$ and
+encrypt it under the secret key $K_{AB}$ (step 3). Now $E$
+does not need to know this key in order to form the correct
+answer for the first protocol. It will just replays this
+message back to us in the challenge mode (step 4). I happily
+accept this message---after all it is encrypted under the
+secret key $K_{AB}$ and it contains the correct challenge from
+me, namely $N_A$. So I accept that $E$ is a friend and send
+even back the challenge $N'_A$. The problem is that $E$ now
+starts firing at me and I have no clue what is going on and
+suspect, erroneously, that an idiot must have leaked the
+secret key. I followed in both cases the protocol to the
+letter, but somehow $E$, with my help, managed to disguise as
+a friend. As a pilot, I would rather prefer the designer of
+this challenge-response protocol were a tad smarter. For one
+thing they violated the best practice in protocol design of
+using the same key, $K_{AB}$, for two different
+purposes---challenging and responding. They better had used
+two different keys. This would have averted this attack and
+would have saved me a lot of trouble.
\bigskip\bigskip
Keyfobs - protocol
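Review bot: the closing sentences of the added paragraph say the opposite of what is meant: "they violated the best practice in protocol design of using the same key, $K_{AB}$, for two different purposes" reads as if reusing one key were the best practice. Suggest "they violated the best practice in protocol design of not using the same key for two different purposes". In the same paragraph, "the correct answer for the first protocol" should name the challenge-mode run (steps 1, 4 and 5), since there is only one protocol being run twice, and the narration switches from "we" (steps 1 to 3) to "I" (steps 4 and 5). Grammar slips to fix before the PDF is rebuilt: "if you in an military aircraft" (if you are in a military aircraft), "lets assume" (let's assume), "It will just replays" (It will just replay), "send even back" (even send back). The table writes $N_A'$ while the prose writes $N'_A$; both typeset the same, but a single spelling in the source is easier to search.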
Binary file slides/slides05.pdf has changed
--- a/slides/slides05.tex Wed Oct 29 16:07:22 2014 +0000
+++ b/slides/slides05.tex Wed Oct 29 16:49:00 2014 +0000
@@ -277,7 +277,7 @@
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
-\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\
+\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}
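Review bot: only the one occurrence of $K_{ab}$ on the "$B \rightarrow A$" line is changed in this hunk; if any other slide in slides05.tex still uses the lowercase subscript, change it in the same commit so that slides and handout agree on $K_{AB}$ throughout. The slide also shows the three-message protocol without saying which party plays $A$ and which plays $B$, which is the gap the new handout text builds its reflection attack on, so a one-line remark on the slide pointing to that would keep the two documents in step.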