--- a/handouts/ho05.tex Thu Oct 27 15:42:23 2016 +0100
+++ b/handouts/ho05.tex Fri Oct 28 01:03:10 2016 +0100
@@ -201,7 +201,8 @@
\{\{msg\}_{K_1}\}_{K_2}
\]
-\noindent The idea is that even if attacker Eve has the
+\noindent This protocol is called lockstep protocol.
+The idea is that even if attacker Eve has the
key $K_2$ she could decrypt the outer envelop, but
still does not get to the message, because it is still
encrypted with the key $K_1$. Note, however,
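Review bot: The added sentence "This protocol is called lockstep protocol." is missing an article and reads abruptly right after the displayed formula; suggest "This protocol is called the lockstep protocol." so that the name matches the later references to "the lockstep protocol" in the same handout. While touching this paragraph, the context line "decrypt the outer envelop" should read "envelope".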
@@ -666,7 +667,7 @@
half $H_1$ to $B$. Which $B$ answers with the message
consisting of the received $H_1$ and its own first half $M_1$
encrypted with $A$'s public key. The message in step 5. $A$
-receives this message, decrypts it and only when the $H_1$
+receives this message, decrypts it and \textbf{only} when the $H_1$
matches with its first half it send out earlier, $A$
will send out the second half; see step 6. For this, $A$
adds the received $M_1$ and encrypts both parts with $B$'s
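Review bot: Emphasising \textbf{only} is fine, but the surrounding context still has a grammar slip that undercuts the point being stressed: "matches with its first half it send out earlier" should be "matches the first half it sent out earlier". The preceding "The message in step 5." is also a sentence fragment; folding it into the next sentence ("This is the message in step 5. $A$ receives ...") would read more cleanly.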
@@ -789,15 +790,144 @@
With this the protocol has ended. $E$ was able to decrypt all
messages, but what messages did $A$ and $B$ receive and from
-whom? Do you notice that $A$ and $B$ will find out that
+whom? Was $E$ able to modify the messages? If yes, were
+$A$ and $B$ able to find out that
something strange is going on and probably not talk on this
-channel anymore? I leave you to think about it.
-\footnote{\rotatebox{180}{
+channel anymore? I leave you to think about it.\footnote{\rotatebox{180}{
\begin{minipage}{10cm}
Consider the case where $A$ sends
the message ``How is your grandmother?'' to $B$, and $B$
-send the message ``How is the weather in London today'' to $A$.
-\end{minipage}}}
+send the message ``How is the weather in London today'' to $A$. Another
+possibility: what if $A$ and $B$ include a voice message in there
+messages.
+\end{minipage}}}\bigskip
+
+\noindent
+I hope you have thought about all these questions. Maybe you noticed that
+there is a way to defeat the lockstep protocol. If an attacker could only
+forward the (unmodified) messages, then all would be great. Because then
+it could be used to establish secret keys using the Hellman-Diffie
+technique (see further reading). That $E$ was able to decrypt all messages
+is of no importance for the Hellman-Diffie
+technique.
+
+Unfortunately, $E$ can create completely fake messages. Let
+us look at this possibility: $E$ intercepts again the keys from $A$
+and $B$, and substitutes its own keys.
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1. & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2. & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3. & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4. & $E \to A :$ & $K^{pub}_E$
+\end{tabular}
+\end{center}
+
+\noindent
+Now $A$ and $B$ build again their message halves:
+
+\[
+\{A,m\}_{K^{pub}_E} \;\mapsto\; H_1,H_2\qquad
+\{B,m'\}_{K^{pub}_E} \;\mapsto\; M_1,M_2
+\]
+
+\noindent
+$A$ sends its first half $H_1$.
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+5. & $A \to E :$ & $H_1$
+\end{tabular}
+\end{center}
+
+\noindent At this stage of the protocol,
+also $E$ creates two messages and halves them, say
+
+\[
+\{E,m_E\}_{K^{pub}_E} \;\mapsto\; C_1,C_2\qquad
+\{E,m'_E\}_{K^{pub}_E} \;\mapsto\; D_1,D_2
+\]
+
+\noindent
+But notice that $E$ has to make up these messages out of
+thin air. No information from $A$ and $B$ is usable yet---remember
+the half $H_1$ on its own cannot be decrypted. $E$ can then send
+$C_1$ to $B$, which dutifully responds
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+6. & $E \to B :$ & $C_1$\\
+7. & $B \to E :$ & $\{C_1, M_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+
+\noindent
+Next $E$ has to send a message to $A$---it can use the made up $D_1$ and
+the $H_1$ received earlier.
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+8. & $E \to A :$ & $\{H_1, D_1\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+
+\noindent
+$A$ can verify it received $H_1$ and thus sends out
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+9. & $A \to E :$ & $\{H_2, D_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+
+\noindent
+With this $E$ is in the possesion of both halves from $A$.
+In order to get the reply from $B$, $E$ can send the message
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+10. & $E \to B :$ & $\{C_2, M_1\}_{K^{pub}_E}$
+\end{tabular}
+\end{center}
+
+\noindent
+and $B$ can verify that it received $M_1$. So it answer
+with
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+11. & $B \to E :$ & $M_2$
+\end{tabular}
+\end{center}
+
+\noindent Finally $E$ can complete the protocol with sending $D_2$ to $A$:
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+12. & $E \to A :$ & $D_2$
+\end{tabular}
+\end{center}
+
+\noindent
+$A$ and $B$ receive expected messages and were able to verify
+their first halves. That means they do not suspect anything dodgy
+going on: $E$ has sucessfully managed a man-in-the middle attack.
+In case $A$ and $B$ are computers, there is not much that can
+prevent this attack. In case they are humans, there are a few
+things they can do. For example $A$ and $B$ can craft their
+messages such that they include a specific question only $A$ and
+$B$ are likely to be able to answer, or include a voice message
+which identifies $A$ and $B$ by their voice. The point is $E$ should
+not be able to create legit looking messages. Humans can do this
+if they have some minimal knowledge of the protocol partner (for example
+know their voice from TV); but computers cannot. The conclusion is
+that there is no protocol that can establish a trusted connection
+without any preshared information. The solution that has evolved
+over the years is to use certificates which have been created by an
+authority we (or better the browser) already trust.
+
+\section*{Key Fob Protocol}
Recall from the beginning that a person-in-the middle
attack can easily be mounted at the key fob and car
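Review bot: Step 10 looks inconsistent with the rest of the attack: "$E \to B : \{C_2, M_1\}_{K^{pub}_E}$" is encrypted under $E$'s own public key, which $B$ cannot decrypt, so $B$ could not "verify that it received $M_1$" as the following sentence claims. By analogy with step 8 (where $E$ encrypts under $K^{pub}_A$ for $A$) and with the original protocol, where the second-half message is encrypted with the receiver's public key, this should be $\{C_2, M_1\}_{K^{pub}_B}$. The check described in the text (the receiver decrypts with its own private key and compares the echoed half) is exactly the check that a key-substitution attacker satisfies by re-encrypting under the victim's real key, so getting this line right matters for the argument. Smaller points in the same hunk: "Hellman-Diffie" (twice) should be "Diffie-Hellman"; "in there messages" should be "in their messages"; "possesion" and "sucessfully" are misspelt; "So it answer with" should be "So it answers with"; "complete the protocol with sending $D_2$" should be "by sending $D_2$"; and "man-in-the middle attack" should match the "person-in-the-middle" wording used elsewhere in the handout, with the hyphen restored.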
@@ -818,16 +948,18 @@
\end{enumerate}
\noindent The assumption is that the key $K$ is only known to
-the car and the transponder. The claim is that $C$ and $T$ can
+the car and the transponder.
+The claim is that $C$ and $T$ can
authenticate to each other. Again, I leave it to you to find
-out if this protocol is immune from
-person-in-the-middle attacks.
+out, if this protocol is immune from
+person-in-the-middle attacks. (Hint: Does it establish a
+trusted connection from ``zero''?)
\subsubsection*{Further Reading}
\begin{itemize}
-\item A nice video explaining the Hellman-Diffie key excahnge technique
+\item A nice video explaining the Hellman-Diffie key exchange technique
is here
\begin{center}
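Review bot: The new comma in "I leave it to you to find out, if this protocol is immune" is incorrect; the original "find out if this protocol is immune" should be kept. The added hint is useful but vague: ``zero'' is not defined anywhere, so suggest tying it to the conclusion reached above, e.g. "(Hint: Does it have to establish a trusted connection without any preshared information? The key $K$ is already shared.)". The spelling fix "excahnge" to "exchange" is good, but the item still says "Hellman-Diffie" where the standard name is "Diffie-Hellman".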
@@ -835,9 +967,13 @@
\end{center}
The main point of this technique is that no sensitive information
- is sent over the network---both parties create the key together.
+ is sent over the network---both parties create the key together, but
+ on their computer, not over the network.
While the technique is cryptographic magic, it can be attacked
- when messages can be manipulated during transit.
+ when messages can be manipulated during transit. Remember that
+ the lockstep protocol can only be attacked by either passively
+ forwarding the messages (without being able to modify them) or
+ by creating complete fake messages.
\item A blogpost that describes the first few milliseconds of
an HTTPS connection is at
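Review bot: The added clause "both parties create the key together, but on their computer, not over the network" contradicts itself as written ("together" versus "on their computer"); what the technique actually does is better stated as "each party computes the same key locally from the values exchanged; the key itself is never sent". The second addition also inverts the earlier argument: the hunk says the lockstep protocol "can only be attacked by either passively forwarding the messages ... or by creating complete fake messages", but passively forwarding unmodified messages is precisely the case the earlier text calls harmless for Diffie-Hellman. Suggest "Remember that an attacker on the lockstep protocol can either only forward the messages unmodified, which does not harm Diffie-Hellman, or must create complete fake messages, which is what the person-in-the-middle attack above does."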