
Attack 2.3: Lowe's Attack on the Needham-Schroeder Public-key Authentication Protocol

PREMISE: Alice's public key is KA, Bob's public key is KB, Malice's public key is KM.

RESULT OF ATTACK: Bob thinks he is sharing secrets NA, NB with Alice while actually sharing them with Malice.

then step 2-6 of the attack would become

2-6. Bob sends to Malice("Alice"): {Bob, NA, NB}KA.

Now because Alice is expecting a message with Malice's identity, Malice cannot successfully replay this message in step 1-6 with an intention to use Alice as a decryption oracle.
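An added example (not from the book): a symbolic Python model of the two interleaved runs, showing that the replay in step 1-6 is accepted with the original {NA, NB}KA and rejected once Bob's name is inside the ciphertext. The helper names, the tuple encoding of ciphertexts and the form of the opening message {NA, Alice}K are assumptions; the check stops this one replay and does not by itself make the protocol correct.

```python
import secrets

# Symbolic "perfect encryption": a ciphertext opens only for the named key owner.
def enc(owner, payload):
    return ("enc", owner, payload)

def dec(me, ct):
    _, owner, payload = ct
    if owner != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {owner}")
    return payload

def bob_reply(first_msg, fixed):
    """Bob answers {NA, claimed}KB with the step-6 message for the claimed peer."""
    na, claimed = dec("Bob", first_msg)
    nb = secrets.token_hex(8)
    body = ("Bob", na, nb) if fixed else (na, nb)   # fixed form: {Bob, NA, NB}KA
    return enc(claimed, body), nb

def alice_check_step6(msg, peer, na, fixed):
    """Alice validates the step-6 message in the run she opened with `peer`.
    Returns her final message {NB}K_peer, or None if she aborts the run."""
    body = dec("Alice", msg)
    if len(body) != (3 if fixed else 2):
        return None
    if fixed and body[0] != peer:        # name inside the ciphertext must match
        return None
    got_na, nb = body[-2], body[-1]
    if got_na != na:                     # nonce must be the one Alice issued
        return None
    return enc(peer, nb)

def interleaved_runs(fixed):
    """Run 1: Alice opens a run with Malice. Run 2: Malice("Alice") talks to Bob.
    Returns True if Malice ends up holding Bob's nonce NB."""
    na = secrets.token_hex(8)
    to_malice = enc("Malice", (na, "Alice"))        # run 1: Alice's opening message
    na_seen, _ = dec("Malice", to_malice)
    to_bob = enc("Bob", (na_seen, "Alice"))         # run 2: re-encrypted for Bob
    step_2_6, nb = bob_reply(to_bob, fixed)         # 2-6: Bob answers "Alice"
    reply = alice_check_step6(step_2_6, "Malice", na, fixed)  # 1-6: replayed unchanged
    return reply is not None and dec("Malice", reply) == nb

if __name__ == "__main__":
    print("original message 6, NB exposed:", interleaved_runs(fixed=False))
    print("fixed message 6,    NB exposed:", interleaved_runs(fixed=True))
```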

This fix represents an instance of a principle for cryptographic protocols design suggested by Abadi and Needham [1]:


Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name explicitly in the message.

However, we should refrain from claiming that this way of "fixing" should result in a secure protocol. In §17.2.1 we will reveal several additional problems in this protocol due to an undesirable design feature which can be referred to as "message authentication via decryption-and-checking" (we have labeled it a wrong mode of operation, see §2.6.3.1). That design feature appears generally in authentication protocols using secret-key or public-key cryptographic techniques and has appeared in all protocols in this chapter (the design feature has been retained in our "fix" of the Needham-Schroeder Public-key Authentication Protocol, and hence our "fix" is still not a correct one). Methodical fixes for the Needham-Schroeder Authentication Protocols (both symmetric-key and public-key) will be given in §17.2.3.

The error-prone nature of authentication protocols has inspired the consideration of systematic approaches to the development of correct protocols. That topic will be introduced in Chapter 17.


2.7 Chapter Summary

Some design protection mechanisms, others want to crack them. This is a fact of life and there is nothing special about it. However, in this chapter we have witnessed a rather sad part of this fact of life in authentication protocols: they, as protection mechanisms, are very easily compromised.

Actually, all complex systems easily contain design errors. However, unlike in the case of systems which provide security services, users and the environment of other complex systems are generally non-hostile or even friendly. For example, a careful user of buggy software may learn to avoid certain usages in order to avoid a system crash. However, for an information security system, its environment and some of its users are always hostile: the whole reason for their existence is to attack the system. Exploiting design errors is of course an irresistible source of tricks for them.

We have used authentication protocols as a means to manifest the error-prone nature of security systems. Although it seems that protocols are more notoriously error-prone due to their communication nature, the real reason for us to use authentication protocols is that they require relatively simpler cryptographic techniques and therefore are more suitable for serving our introductory purpose at this early stage of the book. We should remember that it is the hostility of the environment for all security systems that should always alert us to be careful when we develop security systems.

We will return to studying authentication protocols in several later chapters. The further study will include a study on the principles and structures of authentication protocols and a taxonomy of attacks on authentication protocols (Chapter 11), case studies of several protocols for real world applications (Chapter 12), and formalism approaches to the development of correct authentication protocols (Chapter 17).


Exercises

2.1 What sort of things can an active attacker do?

2.2 Under the Dolev-Yao Threat Model, Malice is very powerful because he is in control of the entire open communications network. Can he decrypt or create a ciphertext message without using the correct key? Can he find the key encryption key from a ciphertext message? Can he predict a nonce value?

2.3 What is the role of Trent in authenticated key establishment protocols?

2.4 What is a long-term key, a key-encryption key, a short-term key and a session key?

2.5 Why with the perfect encryption and the perfect message authentication services, can authentication protocols still be broken?

2.6 What is a nonce? What is a timestamp? What are their roles in authentication or authenticated key establishment protocols?

2.7 Why must some messages transmitted in authentication or authenticated key establishment protocols be fresh?

2.8 How can a principal decide the freshness of a protocol message?

2.9 For the perfect encryption notation {M}K, differentiate the following three properties: (i) message confidentiality, (ii) key secrecy, and (iii) message authentication.

2.10 Provide another attack on Protocol "Session Key From Trent" (Prot 2.2), which allows Malice to masquerade not only as Bob toward Alice as in Attack 2.1, but at the same time also as Alice toward Bob, and hence Malice can relay "confidential" communications between Alice and Bob.

Hint: run another instance of Attack 2.1 between Malice("Alice") and Bob.

2.11 What is the difference between message authentication and entity authentication?

2.12 Provide another attack on the Needham-Schroeder Authentication Protocol in which Alice (and Trent) stays offline completely.

2.13 Does digital signature play an important role in the Needham-Schroeder Public-key Authentication Protocol?

Hint: consider that that protocol can be simplified to the version which only contains message lines 2, 6 and 7.


Part II: Mathematical Foundations:
