Protocol for Protecting Against Impersonation - PowerPoint PPT Presentation

Slides: 24
Provided by: gaussE
Transcript and Presenter's Notes

1
Protocol for Protecting Against Impersonation
8
Protocol for Protecting Against Impersonation
Given
A Monitor wishing to "prove" its identity
A Client wishing to "verify" the identity of the Monitor
An attacker wishing to impersonate the Monitor to the Client
Rules
The attacker can generate keys just like the Monitor can
The attacker has a "prover" just like the one used by the Monitor, but only sees the outputs, not internal coin-flips, etc.
Attacker may query the "prover" some small number of times (that is, tries to reveal key information from the "prover")
Protocol for Protecting Against Impersonation
Client (verifier) public/private keys
Monitor (prover) public/private keys
Monitor to "prove" itself to Client
Monitor gets Client's public key...
... and using its keys proves "I know Client's secret key or I know Monitor's private key"
If no info is released saying which, only Client can be sure he is talking to Monitor, since attacker only knows he is talking to one or the other.
17
Protocol for Protecting Against Impersonation
Client (prover) public/private keys
Horowitz (verifier) public/private keys
Suppose Client wants to be the man in the middle
Client tries to make Horowitz think he is the Monitor
But that requires no communication with Monitor
If Client's attack succeeds, then Client knows Monitor's private key.
Hence Client's attack cannot succeed.
18
Protocol for Protecting Against Impersonation
More Specifically...
23
Protocol for Protecting Against Impersonation
Client (verifier) public/private keys
Monitor (prover) public/private keys
Protocol
Client remembers and sends random number x to Monitor
Monitor computes and sends message a from x and w: a = f(x, w)
Client sends a "challenge" number c to Monitor
Monitor computes and sends response z to Client: z = g(x, w, a, c)
Client verifies validity of the exchange
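The four-move exchange above, written out as an added example that is not part of the original presentation. The slides do not define f and g; this sketch assumes a Schnorr-style OR-proof ("I know Client's secret key or I know Monitor's private key") over a toy group, and the helper names (keygen, bind, commit, respond, verify, run) and the hash-based binding of x are hypothetical choices made for illustration.

```python
import hashlib, secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2879, 1439, 4

def keygen():
    w = secrets.randbelow(Q - 1) + 1      # private key in [1, q-1]
    return w, pow(G, w, P)                # (private, public)

def bind(x, a, c):
    # Assumption: nonce x, commitment a and challenge c are hashed into Z_q.
    h = hashlib.sha256(repr((x, a, c)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def commit(known, pubs):
    # Move 2, a = f(x, w): real commitment for the key we hold, simulated for the other.
    r, c_sim, z_sim = (secrets.randbelow(Q) for _ in range(3))
    a = [0, 0]
    a[known] = pow(G, r, P)
    # Simulation: choose (c, z) first, then solve a = g^z * y^(-c).
    a[1 - known] = pow(G, z_sim, P) * pow(pubs[1 - known], -c_sim, P) % P
    return tuple(a), (known, r, c_sim, z_sim)

def respond(state, w, x, a, c):
    # Move 4, z = g(x, w, a, c): the two sub-challenges must sum to bind(x, a, c).
    known, r, c_sim, z_sim = state
    cs, zs = [c_sim, c_sim], [z_sim, z_sim]
    cs[known] = (bind(x, a, c) - c_sim) % Q
    zs[known] = (r + cs[known] * w) % Q
    return tuple(cs), tuple(zs)

def verify(pubs, x, a, c, z):
    cs, zs = z
    if sum(cs) % Q != bind(x, a, c):
        return False
    return all(pow(G, zs[i], P) == a[i] * pow(pubs[i], cs[i], P) % P for i in (0, 1))

def run(known, w, pubs):
    # known: index into pubs of the key the prover holds (0 = Client's, 1 = Monitor's).
    x = secrets.randbelow(2**64)          # move 1: Client's random number
    a, state = commit(known, pubs)        # move 2
    c = secrets.randbelow(Q)              # move 3: Client's challenge
    z = respond(state, w, x, a, c)        # move 4
    return (x, a, c, z), verify(pubs, x, a, c, z)

if __name__ == "__main__":
    (w_c, y_c), (w_m, y_m) = keygen(), keygen()
    print(run(1, w_m, (y_c, y_m))[1], run(0, w_c, (y_c, y_m))[1])
```

Both runs are accepted: the Client can produce a valid transcript with its own key and no contact with the Monitor, so a recorded exchange convinces nobody except the Client, who knows it did not produce it.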