
4.3 Active Attacker

4.3.1 Trudy-type Attackers

As already mentioned in our introductory analysis, a Trudy-type attacker can mount two active attacks in order to intrude into the network. In both cases, the participants would not notice the presence of Trudy, even though she gained access to newly established keys. In the following we analyze the two sketched attacks in detail – i.e. the man-in-the-middle and the Sybil attack – and provide possible countermeasures.

Man-In-The-Middle Attack and Countermeasures

If Trudy wants to gain access to a new key between devices A and B, she can launch a man-in-the-middle attack as shown in Figure 4.10. First, Trudy discovers s device-disjoint secure paths to device A. She then generates s key shares and sends them over the s device-disjoint paths to A using the "FTKeyShareTransport" message. However, she includes the ID of device B as the InitiatorID (see Procedures 4.1 and 4.2). Note that no device is able to detect this deception. Device A receives these key shares and stores them in its own (secondary) key store, but under the ID of device B. Furthermore, device A will send acknowledgements to device B – but since device B is not waiting for any acknowledgement, these messages will simply be discarded.


After Trudy has established a new key with device A, she does the same with device B. She then holds two keys (possibly the same) which can be used to impersonate device A to B and vice versa. If device A now sends a secure message to device B, it will use the key from its establishment key store. If Trudy used two different keys for A and B, she does not even need to intercept this message, since it will be discarded on arrival at device B due to decryption failure. Trudy, however, can read the message, do whatever she wants with it, and then decide whether to forward it to B so that B can respond and A does not become suspicious.

This attack is possible because, although each message is authenticated on each hop, there is no end-to-end authentication. Hence, when a device – say device A from the above example – establishes a key with some other device, it cannot be sure that it is really establishing the key with the device whose ID is claimed in the key share transport messages.

To prevent this attack, we need to integrate a classical challenge-response mechanism into our key exchange protocol. With such a mechanism both devices can be sure that they talk to the right device. In detail, we modify the sending of the acknowledgement. When a key share is received, the corresponding acknowledgement must be sent securely over device-disjoint paths. Whenever a device receives a key share, it additionally discovers s device-disjoint secure paths to the claimed initiator. The acknowledgement is sent over these paths. Additionally, we piggyback a random number, encrypted with the specific key share, on each of these acknowledgement parts (the challenge). Note that, since by assumption Trudy has subverted fewer than s devices, she is not able to gain access to all random numbers. A device that receives these acknowledgements and really is the initiator of a key establishment will collect all random numbers and perform some mathematical operation on them, i.e. simply add them. It will then send back the result encrypted with the newly established key. After that, both devices are authenticated to each other. Before that point in time, the established key must be considered invalid and must not be used.

With the additional measures described above, it is no longer possible for Trudy to mount a man-in-the-middle attack. Imagine she sends – just as in the example above – the manipulated key shares to device A, which in turn will send an acknowledgement with some nonces along s device-disjoint paths to device B. Device B, however, knows that it did not initiate a key establishment with device A, so it will not confirm by sending the result. Hence, device A will not use the new key, will eventually run into a timeout, and will therefore remove the fake key.

Furthermore, there is no way for Trudy to send this confirmation herself, since she lacks at least one nonce (assuming she has subverted at most s − 1 devices).

Note that the initiating device can be sure that it really talks to the intended device when it has received all acknowledgments for the key shares sent and it was able to decrypt each of them.

100 CHAPTER 4: FAULT TOLERANT KEY DISTRIBUTION SCHEME

Hence, by integrating this challenge-response mechanism we provide a two-way authentication from end-to-end, which is resilient against Trudy as long as she was not able to subvert more than s − 1 devices.
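The challenge-response exchange described above, as an added sketch that is not code from the original text: the receiver returns one nonce per key share over its own s device-disjoint paths, and only a party that can read all s acknowledgements is able to send back the sum under the new key. The XOR-pad cipher, the hash-based combination of shares, the 64-bit nonces and all function names are assumptions made for illustration.

```python
import hashlib, secrets

def xor_pad(key, data):
    # Toy cipher (assumption): XOR with a SHA-256 pad, standing in for the scheme's encryption.
    pad = hashlib.sha256(key).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

def new_key(shares):
    # Assumed share combination; the text does not fix how the shares form the key.
    return hashlib.sha256(b"".join(shares)).digest()

class Receiver:
    """Device A after receiving s key shares that name some InitiatorID."""
    def __init__(self, shares):
        self.shares = shares
        self.nonces = [secrets.token_bytes(8) for _ in shares]
        self.key_valid = False  # the key must not be used before confirmation

    def acks(self):
        # One acknowledgement per device-disjoint path to the claimed initiator,
        # each carrying a nonce encrypted under the matching key share.
        return [xor_pad(sh, n) for sh, n in zip(self.shares, self.nonces)]

    def confirm(self, response):
        total = sum(int.from_bytes(n, "big") for n in self.nonces) % 2**64
        expected = xor_pad(new_key(self.shares), total.to_bytes(8, "big"))
        self.key_valid = secrets.compare_digest(response, expected)
        return self.key_valid

def respond(shares, seen_acks):
    """The party that generated the shares answers from the acks it actually saw.
    An ack it could not observe (None) can only be replaced by a guessed nonce."""
    nonces = [xor_pad(sh, a) if a is not None else secrets.token_bytes(8)
              for sh, a in zip(shares, seen_acks)]
    total = sum(int.from_bytes(n, "big") for n in nonces) % 2**64
    return xor_pad(new_key(shares), total.to_bytes(8, "big"))

def establish(s, observed_paths):
    """One establishment; observed_paths = indices of ack paths the share generator can read."""
    shares = [secrets.token_bytes(16) for _ in range(s)]
    a = Receiver(shares)
    seen = [ack if i in observed_paths else None for i, ack in enumerate(a.acks())]
    return a.confirm(respond(shares, seen))
```

With s = 3, `establish(3, {0, 1, 2})` models a genuine initiator that receives every acknowledgement, while `establish(3, {0, 1})` models a share generator that sits on only s − 1 of the acknowledgement paths and therefore leaves the key unconfirmed.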

Sybil Attack and Countermeasures

To gain access to newly established keys Trudy must subvert at least s nodes in the key graph. One way to do so is to subvert s devices. Alternatively, Trudy could subvert one device and add it into the key graph multiple times, resulting in multiple nodes representing the same device. Such an attack is called a Sybil attack and is depicted in Figure 4.11.


In order to launch a Sybil attack, Trudy just picks s devices from the network at random and initiates a key establishment with them. However, she again fakes the identity: she claims that there is a device "behind" her, which does not actually exist but is only a virtual ID invented by Trudy; let's call it Trudy-1. In this case the key establishment will succeed. In particular, the countermeasures from above do not work, since here Trudy has full control over the initiator of the key establishment (it is herself). Therefore, she can send challenges and respond correctly to them. Hence, she introduces a new virtual ID into the network with only one subverted device. Clearly, she could do that as many times as she needs in order to introduce any number of virtual IDs. With the aid of the "NewChild" message, which is needed for the recovery algorithms, she can additionally make these keys part of the main key store, i.e. she is able to generate edges in the key graph. The more virtual IDs she introduces, the higher the likelihood that all s key shares of some new key establishment will actually be sent over her virtual IDs, i.e. through Trudy herself. Hence, she can access newly established keys with only one subverted device.

This problem arises because we assumed that the paths used are always device-disjoint, especially when receiving key shares. However, it is not enough that one device discovers these paths and then initiates the key establishment. By doing that, we implicitly trusted the key establishment initiator. However, if the initiator is subverted by Trudy, it should not be trusted.

Hence, all devices being part in the key establishment must check the disjointness of the paths.

Trudy was able to initiate key establishments, claiming that they were initiated by devices which lie "behind" her, i.e. devices that are only reachable through her – this is not allowed and must be prevented.

The first step to prevent this is that the path along which a key share is sent is not shortened at every device; only a pointer is moved on. Now the whole path is available on each device, in particular at the receiver of a key establishment. Before saving the key, the receiver must check whether all key shares really came over device-disjoint paths. With this modification, Trudy's attack from above is no longer possible, since the contacted devices would recognize that the key shares from Trudy-1 have all been routed over Trudy. However, this is not enough, since Trudy might simply write something different into the paths, in such a way that she is no longer a common device on all paths. This can be prevented by letting every device additionally check its predecessor on the path, i.e. whether the previous device was really the one written in the path. In case of a wrong path entry, the packet is simply not forwarded, hence the fake key establishment cannot succeed.

With these modifications Trudy is no longer able to introduce new virtual device IDs into the network. She can still establish keys at will with as many devices as possible, and she can even add edges in the key graph. However, due to the s disjoint paths property of our key establishment, she will never be able to be on all paths with fewer than s subverted devices.
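The two path checks described above, as an added sketch that is not code from the original text: every hop verifies its predecessor against the unshortened path, and the receiver verifies that the s full paths are device-disjoint. The packet layout (path list plus start pointer), the device names and the function names are assumptions; the true predecessor is taken to be known from the per-hop authentication the scheme already provides, and every path is assumed to contain at least one relay.

```python
def route(path, start, real_hops):
    """Forward one key-share packet. The path is never shortened, only a pointer moves.
    real_hops: devices that physically handle the packet, sender first (constructed input)."""
    ptr = start
    for prev, me in zip(real_hops, real_hops[1:]):
        ptr += 1
        # Hop check: I am the current entry and my authenticated sender is the entry before me.
        if ptr >= len(path) or path[ptr] != me or path[ptr - 1] != prev:
            return False              # wrong path entry: the packet is not forwarded
    return ptr == len(path) - 1       # the pointer must end on the receiver

def device_disjoint(paths):
    """Receiver-side check over the full paths of all s key shares."""
    if len({(p[0], p[-1]) for p in paths}) != 1:
        return False                  # all shares must name one initiator and one receiver
    used = set()
    for p in paths:
        inner = p[1:-1]
        if not inner or len(set(inner)) != len(inner):
            return False              # sketch assumption: at least one relay, no loops
        if set(inner) & (used | {p[0], p[-1]}):
            return False              # a device appears on more than one path
        used |= set(inner)
    return True

def accept_key(packets):
    """packets: list of (claimed_path, start_pointer, real_hops), one per key share."""
    delivered = all(route(p, start, hops) for p, start, hops in packets)
    return delivered and device_disjoint([p for p, _, _ in packets])

# Constructed scenarios with s = 3, receiver A, relays C, D, E, subverted device T.
HONEST = [(["B", r, "A"], 0, ["B", r, "A"]) for r in "CDE"]
# T claims a virtual initiator T1 "behind" her and lists herself truthfully.
SYBIL_LISTED = [(["T1", "T", r, "A"], 1, ["T", r, "A"]) for r in "CDE"]
# T writes a different relay into each path to hide that she is on all of them.
SYBIL_REWRITTEN = [(["T1", "X" + r, r, "A"], 1, ["T", r, "A"]) for r in "CDE"]
# T sends directly under the virtual ID T1.
SYBIL_DIRECT = [(["T1", r, "A"], 0, ["T", r, "A"]) for r in "CDE"]
```

`SYBIL_LISTED` passes every hop check but is rejected by the receiver's disjointness check, while `SYBIL_REWRITTEN` and `SYBIL_DIRECT` are already dropped by the first honest relay.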