Lecture 6: Protocols cont. - PowerPoint PPT Presentation

Provided by: martin159

1
Lecture 6 Protocols (cont.)
  • In this lecture we will cover
  • Further examples of protocol attacks
  • Interleaving and Oracle
  • Nonces
  • Replay attacks
  • timestamps
  • Name Omission
  • Reflection

2
Interleaving attack
  • in order to illustrate some of the remaining
    concepts we will assume from now onwards that the
    network uses a trusted third party to securely
    establish public keys between the parties
  • Malice M can no longer use a Person-in-the-middle
    attack, but in our example protocol may still
    be able to learn the symmetric key and
    impersonate one of the 2 parties to the
    communication
  • M can do this using an interleaving attack to
    trick one of the parties into performing one of
    the protocol steps which it could not perform for
    itself, providing M with information it needs
    (where this happens the party that has
    inadvertently given M information is said to have
    acted as an oracle)

3
  • an interleaving attack interleaves different
    runs of the same protocol to achieve its effect
  • We will focus on stages 6 and 7 of our previous
    protocol - the establishment of the symmetric key
    between A and B by using their public keys
  • The problem with the protocol is that it does not
    provide for mutual authentication of the 2
    parties in the communication in stages 6 and 7,
    i.e. there is nothing in messages 6 and 7 which
    guarantees the actual source of those messages

4
  • to illustrate an interleaving attack, assume that
  • 1. A and B have gone through steps 1 to 5 and now
    have each other's public keys
  • 2. M has also gone through stages 1 to 5 with A,
    and so has A's public key, and A has M's public
    key, for communicating a shared secret key between
    A and M
  • the attack proceeds now as follows, with the
    interleaving of A and B completing their protocol
    and M completing its protocol with A. To show
    the interleaving, the message numbers will be
    prefixed with MA or BA to show which protocol is
    executing.

5
  • 1. Message BA.6 B -> MA {K(AB)}K(A)
  • 2. Message MA.6 M -> A {K(AB)}K(A)
  • 3. Message MA.7 A -> M {K(AB)}K(M)
  • 4. Message BA.6 MB -> A {K(AB)}K(A)
  • 5. Message BA.7 A -> B {K(AB)}K(B)
  • The attack is actually simple - in step MA.6 of
    M's protocol with A, M is required to send A a
    symmetric key encrypted with A's public key, but
    instead of creating a symmetric key K(MA), M uses
    the intercepted symmetric key sent by B and sends
    that to A.

6
  • A decrypts {K(AB)}K(A) to extract the key K(AB)
    which it has received from M. It completes the
    protocol with M by sending back to M the key
    K(AB) encrypted with M's public key - which of
    course M can decrypt and so obtain the key K(AB)
  • M then passes on the key K(AB) to A as if it came
    from B, which allows A and B to complete their
    protocol

7
Use of Nonces
  • The interleaving type of attack worked against
    our protocol because in the exchanges between A
    and B, the messages did not provide any mechanism
    for authenticating the source of the messages,
    allowing M to intercept the messages and send
    them on as M wished
  • to defeat this A and B need something that works
    in a way similar to a password
  • A Nonce (Number used ONCE) is a random number
    that is generated by one of the participants
    which can then be used uniquely to identify that
    the given encrypted message came from it (or from
    a mutual participant)

8
  • a random number is used to make guessing the
    number infeasible
  • a separate random number can be used for each
    communication session between 2 parties
  • the random number is generated by one party to
    the communication
  • the nonce will form part of the initial encrypted
    message and thus once decrypted by the other
    party to the communication will be a shared
    secret known only to the sender and the receiver

9
  • if Malice M intercepts a message with a nonce
    in it then it cannot use an interleaving attack:
    it cannot simply substitute an encrypted
    message between A and B for a message between M
    and A, because the 2 sets of messages would be
    using different nonces and so would be rejected
    by A or B as coming from someone other than whom
    they expected

10
  • The following is a change to our Trusted Third
    Party protocol which uses a nonce in the initial
    communication between A and T which is then used
    throughout the stages of the protocol
  • Message 1 A -> T {NA.A.B}K(TA)
  • Message 2 T -> A {NA.B.K(B)}K(TA)
  • Message 3 A -> T {NA.A.K(B)}K(TA)
  • Message 4 T -> B {NA.A.K(A)}K(TB)
  • Message 5 B -> T {NA.B.K(A)}K(TB)
  • Message 6 B -> A {NA.K(AB)}K(A)
  • Message 7 A -> B {NA.K(AB)}K(B)

11
  • if M were to execute the protocol with A, all the
    messages between it and A would have the nonce NM
    in them, and so it could not substitute in message
    6 {NA.K(AB)}K(A) for {NM.K(AB)}K(A), which is what
    A would be expecting to receive from M - the
    interleave attack would fail
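To make the interleave of slides 5-6 and the nonce check of slides 10-11 concrete, here is a small Python model written for this transcript; it is not code from the lecture. Public-key encryption is modelled as a tagged box that only the named owner can open (no real cryptography), the nonce labels NA and NM and the key value are constructed, and the function names are this example's own. The same receiver logic is run once without nonces (A acts as an oracle and M learns K(AB)) and once with them (A rejects M's message 6 because it carries NA rather than NM).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Toy model of {payload}K(owner): a message encrypted under owner's public key.

    Anyone can build a Box for any owner (public-key encryption), but only
    `owner` can open it (private key). No real cryptography is involved.
    """
    owner: str
    payload: tuple


def encrypt(owner, *payload):
    return Box(owner, tuple(payload))


def decrypt(me, box):
    if box.owner != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {box.owner}")
    return box.payload


def message6(recipient, key, nonce=None):
    """Message 6 as sent honestly: {K(AB)}K(A), or {NA.K(AB)}K(A) in the nonce variant."""
    return encrypt(recipient, key) if nonce is None else encrypt(recipient, nonce, key)


def handle_message6(me, claimed_sender, box, expected_nonces=None):
    """Step 7 as performed by the party that received message 6.

    Original protocol (expected_nonces is None): accept the key and echo it
    back under the claimed sender's public key. Nothing in the message ties
    it to claimed_sender, which is the flaw the interleave exploits.

    Nonce variant: the nonce inside the message must be the one this party
    established with claimed_sender in message 1; otherwise the message is
    rejected as coming from someone other than expected.
    """
    payload = decrypt(me, box)
    if expected_nonces is None:
        (key,) = payload
        return encrypt(claimed_sender, key)
    nonce, key = payload
    if nonce != expected_nonces.get(claimed_sender):
        raise ValueError(f"{me}: nonce {nonce} does not belong to the run with {claimed_sender}")
    return encrypt(claimed_sender, nonce, key)


def interleaving_attack(with_nonces, k_ab="K(AB)-constructed"):
    """Run the five steps of slide 5. Returns the key M learns, or None if A rejects.

    NA and NM are constructed labels for the nonces A established with B and
    with M respectively; k_ab stands for the symmetric key B chooses.
    """
    a_nonces = {"B": "NA", "M": "NM"} if with_nonces else None
    # 1. BA.6: B -> A, intercepted by M (M cannot open it: it is encrypted for A)
    ba6 = message6("A", k_ab, "NA" if with_nonces else None)
    # 2. MA.6: M forwards B's box to A unchanged, as if it were M's own message 6
    try:
        ma7 = handle_message6("A", "M", ba6, a_nonces)
    except ValueError:
        return None          # A rejects the message: the interleave fails
    # 3. MA.7: A has acted as an oracle, echoing K(AB) under M's public key
    learned = decrypt("M", ma7)[-1]
    # 4. BA.6 / 5. BA.7: M now lets B's message through; A and B finish normally
    ba7 = handle_message6("A", "B", ba6, a_nonces)
    assert decrypt("B", ba7)[-1] == k_ab
    return learned
```

The receiver never inspects who the message came from in the original variant; it only checks that it can decrypt it. Binding the nonce from message 1 into message 6 is what lets A tell its run with B apart from its run with M.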

12
Message Replay
  • in message replay attacks Malice M records the
    messages that pass between users, and between
    users and the Trusted Third Party, across the
    network. M may then at an appropriate point replay
    some or all of the messages from some historical
    instance of the protocol. The basic idea is that
    even if it may be impossible to decrypt the
    messages or directly produce spoof messages that
    might fool normal users, M may be able to replay
    valid messages to achieve some malicious purpose.

13
  • Let us look at how this might work using our
    example protocol that now uses nonces.
  • Assume that from time to time, in order to
    improve the security of their communication,
    A and B will change their symmetric key in a
    secure fashion with a simple key update protocol
    based on Messages 6 and 7 of the previous
    protocol. Hence
  • Message 1 A -> B {NA.Knew(AB)}K(B)
  • Message 2 B -> A {NA.Knew(AB)}K(A)

14
  • However, this can be attacked using a replay
    attack as follows
  • Message 1 MA -> B {NA.Kold(AB)}K(B)
  • Message 2 B -> A {NA.Kold(AB)}K(A)
  • Message 3 A -> MB {NA.Kold(AB)}K(B)
  • Essentially M initiates the key update protocol
    by pretending to be A and sending a replay of an
    old symmetric key exchange message from A
  • B thinks that A is initiating a key update
    protocol and generates the correct response using
    the encrypted nonce that A sent it. M allows that
    message to go straight to A - to A this looks like
    the first message of a key update protocol
    initiated by B.

15
  • Thus A thinks that B is initiating a key update
    protocol and generates the correct response, which
    it sends to B - however, M intercepts this
    response and discards it, because if B received it
    B would know that something had gone wrong.
  • So both A and B think that the other party to the
    communication has initiated a key update
    protocol and have complied with the update.
    However, the update has now ensured that, even
    though M cannot decrypt the public key encrypted
    messages, A and B will now pass messages
    between them using an old symmetric key of M's
    choosing.

16
  • M may be able to exploit this because the old key
    may not have been disposed of securely when A and
    B first stopped using it and M has got hold of a
    copy, or, if A and B continue to use the same key,
    it significantly increases the chances that M may
    be able to break the key - a cryptanalyst's
    ability to break a key increases with the amount
    of encrypted data that the cryptanalyst can use

17
Timestamping
  • The reason that the message replay attack worked
    was that the protocol had no means of ensuring
    that any message received was recent or timely.
    Thus the simple strategy of using timestamps on
    messages (and checking the timestamps) will
    defeat a message replay attack.
  • The full public key distribution protocol that we
    have been looking at is susceptible to a replay
    attack if ever the parties on the network or T
    decide that public keys need updating (not
    unreasonable). You can work through the details
    as an exercise.

18
  • So we need to modify our full protocol as
    follows. I will use lowercase t to represent a
    timestamp, so tA is a timestamp generated by A at
    the time the current message was sent
  • Message 1 A -> T {tA.NA.A.B}K(TA)
  • Message 2 T -> A {tT.NA.B.K(B)}K(TA)
  • Message 3 A -> T {tA.NA.A.K(B)}K(TA)
  • Message 4 T -> B {tT.NA.A.K(A)}K(TB)
  • Message 5 B -> T {tB.NA.B.K(A)}K(TB)
  • Message 6 B -> A {tB.NA.K(AB)}K(A)
  • Message 7 A -> B {tA.NA.K(AB)}K(B)

19
  • However one drawback of the use of timestamps for
    such protocols is the requirement that all the
    parties to the protocol use synchronised clocks -
    otherwise timestamps might appear out of date
    when in fact they were not
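The replay of slides 14-16, the timestamp check of slides 17-18 and the clock-synchronisation drawback of slide 19 can all be exercised against one small model of the key update protocol. This is an added Python example written for this transcript, not lecture code: encryption is a tagged box only the owner can open, the key labels K0..K3, nonce labels NA1..NA3, the times and the 60-second freshness window are constructed values, and the `Party` class and its methods are this example's own design. A party tells a message 2 confirming its own update from a message 1 started by the peer by whether the nonce is one it generated itself; that is exactly why the replayed old nonce is taken by A as B starting an update.

```python
from dataclasses import dataclass

FRESHNESS_WINDOW = 60.0   # seconds a timestamp may be off; an assumed value, not from the lecture


@dataclass(frozen=True)
class Box:
    """Toy model of {payload}K(owner): only `owner` can open it. Not real cryptography."""
    owner: str
    payload: tuple


def encrypt(owner, *payload):
    return Box(owner, tuple(payload))


def decrypt(me, box):
    if box.owner != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {box.owner}")
    return box.payload


class Party:
    """A or B running the two-message key update protocol of slide 13.

    clock_skew models a party whose clock runs ahead of (positive) or behind
    (negative) true time.
    """

    def __init__(self, name, key, clock_skew=0.0):
        self.name, self.key, self.clock_skew = name, key, clock_skew
        self.outstanding = set()      # nonces of updates this party initiated itself

    def now(self, true_time):
        return true_time + self.clock_skew

    def initiate(self, peer, nonce, new_key, true_time, timestamped):
        """Message 1: {NA.Knew(AB)}K(B), or {tA.NA.Knew(AB)}K(B) with timestamps."""
        self.outstanding.add(nonce)
        fields = (nonce, new_key)
        if timestamped:
            fields = (self.now(true_time),) + fields
        return encrypt(peer, *fields)

    def receive(self, sender, box, true_time, timestamped):
        """Handle an incoming update message. Returns (verdict, reply or None)."""
        fields = decrypt(self.name, box)
        if timestamped:
            stamp, fields = fields[0], fields[1:]
            if abs(self.now(true_time) - stamp) > FRESHNESS_WINDOW:
                return "rejected: stale timestamp", None
        nonce, new_key = fields
        self.key = new_key
        if nonce in self.outstanding:          # message 2 confirming our own update
            self.outstanding.discard(nonce)
            return "confirmed", None
        # Otherwise the peer appears to be initiating an update: answer with message 2
        reply = (nonce, new_key)
        if timestamped:
            reply = (self.now(true_time),) + reply
        return "accepted", encrypt(sender, *reply)


def honest_update(a, b, nonce, new_key, t, timestamped):
    """One complete, legitimate key update from A to B at true time t."""
    msg1 = a.initiate("B", nonce, new_key, t, timestamped)
    _, msg2 = b.receive("A", msg1, t, timestamped)
    if msg2 is not None:
        a.receive("B", msg2, t, timestamped)
    return msg1


def replay_scenario(timestamped):
    """Slides 14-15: M records A's old message 1 and replays it to B later.

    Returns the keys A and B end up using. Times and key labels are constructed.
    """
    a, b = Party("A", "K0"), Party("B", "K0")
    recorded = honest_update(a, b, "NA1", "K1", 1000.0, timestamped)  # M records this
    honest_update(a, b, "NA2", "K2", 2000.0, timestamped)             # A and B move on to K2
    # Message 1 (replayed): M -> B as A, long after the recording was made
    _, msg2 = b.receive("A", recorded, 3400.0, timestamped)
    if msg2 is not None:
        # Message 2: to A this looks like B initiating an update to K1, so A complies;
        # Message 3 (A's reply) is intercepted and discarded by M, so B never sees it
        a.receive("B", msg2, 3400.0, timestamped)
    return a.key, b.key


def skew_scenario(b_skew):
    """Slide 19: a fresh, legitimate message 1 judged by a B whose clock is off by b_skew."""
    a, b = Party("A", "K0"), Party("B", "K0", clock_skew=b_skew)
    msg1 = a.initiate("B", "NA3", "K3", 5000.0, True)
    verdict, _ = b.receive("A", msg1, 5000.0, True)
    return verdict
```

Without timestamps both parties are rolled back to K1 by a message neither of them can distinguish from a fresh one; with timestamps the replay is refused at B. The skew scenario shows the cost: a B whose clock is two minutes fast refuses a perfectly good message, so the freshness window has to be set with the achievable clock synchronisation in mind.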

20
Reflection attacks
  • in a reflection attack the message sent by one
    participant is simply sent back as a new message
    purporting to be from some other participant
  • note - the message is not bounced back i.e.
    rejected by some participant - just a copy of the
    same message is sent to the participant as if it
    was a new message
  • Reflection attacks are very simple attacks which
    work when there is a symmetry about the message
    structures used in the protocol.

21
  • To illustrate this let us consider a simplified
    version of the first protocol we represented
    using the protocol description notation - it was
    a challenge-response identity authentication
    protocol. We have simplified it by eliminating the
    timestamp and name.
  • a problem with the original protocol was that it
    did not provide for mutual authentication, i.e. A
    attempted to establish its identity with B but A
    did not know that it was speaking to B - Malice
    could easily pretend to be B; all it has to do is
    send a nonce to A that purports to come from B.

22
  • So let us look at a version of the protocol that
    attempts to introduce mutual authentication
  • Message 1 A -> B A
  • Message 2 B -> A B
  • Message 3 A -> B NA
  • Message 4 B -> A NB
  • Message 5 A -> B {NB}K(AB)
  • Message 6 B -> A {NA}K(AB)
  • so now both A and B have received a nonce as a
    challenge which can only be correctly responded
    to by someone who has the shared symmetric key
    K(AB) i.e. only A and B can correctly respond to
    the challenges.

23
  • Malice can exploit the symmetry in the protocol
    to trick A into performing as an oracle, in a manner
    similar to the interleaving attack
  • The attack proceeds as follows
  • Message 1 A -> MB A
  • Message 2 MB -> A B
  • Message 3 A -> MB NA
  • Message 4 MB -> A NA
  • Message 5 A -> MB {NA}K(AB)
  • Message 6 MB -> A {NA}K(AB)

24
  • in step 4 of the protocol A is expecting B to
    send it a random nonce, M sends the random nonce
    that A has just sent it (reflection). Thus A then
    sends in step 5 the properly encrypted version of
    the nonce that was sent to it. Since that nonce
    was the same nonce as it sent to M as a
    challenge, M can simply reflect the encrypted
    message back to A, which A accepts as a correct
    response. A is now falsely confident that it is
    talking to B.

25
  • This is an example of a name omission flaw: if
    the name of the actual source (and intended
    destination) is included in the encrypted element
    of the protocol message, then it prevents M from
    simply reflecting the encrypted message back,
    because the receiver of the reflected message
    would see that it is itself the source of the
    message when it decrypts it, so it knows that
    something is wrong
  • a version of our protocol for steps 5 and 6 which
    would prevent simple reflection from working is
  • Message 5 A -> B {A.NB}K(AB)
  • Message 6 B -> A {B.NA}K(AB)
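The reflection of slides 23-24 and the name-inclusion fix of slide 25 are small enough to run end to end. The following is an added Python example written for this transcript, not lecture code: symmetric encryption under K(AB) is a tagged box that only a holder of that key label can open (no real cryptography), the nonces are random hex strings, and the `HonestB`, `Malice` and `a_authenticates_peer` names are this example's own. A's side of the protocol is written once and driven either by an honest B or by a reflector that has no key at all; the `include_names` switch selects between the slide 22 and slide 25 message formats.

```python
import secrets
from dataclasses import dataclass

K_AB = "K(AB)"   # label for the shared key; only A and B "hold" it in this model


@dataclass(frozen=True)
class Box:
    """Toy model of {payload}K: can be opened only by a holder of `key`. Not real crypto."""
    key: str
    payload: tuple


def encrypt(key, *payload):
    return Box(key, tuple(payload))


def decrypt(key, box):
    if box.key != key:
        raise PermissionError("wrong key")
    return box.payload


def a_authenticates_peer(peer, include_names):
    """A's side of messages 1-6 of slide 22 (or slide 25 when include_names is True).

    `peer.answer(msg)` returns the other side's reply to each message A sends;
    the peer may be the honest B or Malice. Returns True if A ends up
    believing it is talking to B.
    """
    if peer.answer("A") != "B":                    # Messages 1 and 2: names
        return False
    na = secrets.token_hex(8)
    challenge = peer.answer(na)                    # Messages 3 and 4: nonces
    # Message 5: answer B's challenge; the named version binds A's own name into it
    msg5 = encrypt(K_AB, "A", challenge) if include_names else encrypt(K_AB, challenge)
    msg6 = peer.answer(msg5)
    try:
        payload = decrypt(K_AB, msg6)
    except PermissionError:
        return False
    # Message 6 must carry A's nonce, and in the named version B's name.
    # A reflected message 5 decrypts to ("A", NA), so the name check exposes it.
    expected = ("B", na) if include_names else (na,)
    return payload == expected


class HonestB:
    """B following the protocol and holding K(AB)."""

    def __init__(self, include_names):
        self.include_names = include_names
        self.na = self.nb = None

    def answer(self, msg):
        if msg == "A":                             # Message 1 -> Message 2
            return "B"
        if isinstance(msg, str):                   # Message 3: A's nonce
            self.na, self.nb = msg, secrets.token_hex(8)
            return self.nb                         # Message 4: B's own challenge
        payload = decrypt(K_AB, msg)               # Message 5 from A
        expected = ("A", self.nb) if self.include_names else (self.nb,)
        if payload != expected:
            raise ValueError("B: bad response to challenge")
        reply = ("B", self.na) if self.include_names else (self.na,)
        return encrypt(K_AB, *reply)               # Message 6


class Malice:
    """M impersonating B without K(AB): reflects A's own messages back (slide 23)."""

    def answer(self, msg):
        return "B" if msg == "A" else msg


def reflection_succeeds(include_names):
    """True if A is fooled into accepting the reflector as B."""
    return a_authenticates_peer(Malice(), include_names)
```

With the slide 22 format A's check `payload == (na,)` passes against its own reflected message 5; with the slide 25 format the same reflected box decrypts to `("A", na)` and fails the comparison with `("B", na)`, which is the name omission flaw being closed. The honest runs still succeed in both formats.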