Security Protocols I - Information Security

More documents

Recommendations

Info

Sebastian Mödersheim 49Type flaw attack on the Otway-Rees protocolM1. A → B : M, A, B, {|NA, M, A, B|} sk(A,S)M2. B → S : M, A, B, {|NA, M, A, B|} sk(A,S) , {|NB, M, A, B|} sk(B,S)M3. S → B : M, {|NA, K AB |} sk(A,S) , {|NB, K AB |} sk(B,S)M4. B → A : M, {|NA, K AB |} sk(A,S)• Suppose |M, A, B| = |K AB |,e.g. M is 32 bits, A and B are 16bits, and K AB is 64 bits.MA B1001101100111100 11011011 00010010Ciphertext1001101100111100 11011011 00010010K ABIntendedinterpretationof senderEncryptionDecryptionInterpretationof receiver• Attack 1 (Reflection/type-flaw): i replays parts of message 1 asmessage 4 (omitting steps 2 and 3).M1. a → i(b) : m, a, b, {|na, m, a, b|} sk(a,s)M4. i(b) → a : m, {|na, m,} {{a,}bmistaken as kab|} sk(a,s)FMSEC Module 2, v.2 28.09.2009
Sebastian Mödersheim 50Type flaw attack on the Otway-Rees protocol (cont.)M1. A → B : M, A, B, {|NA, M, A, B|} sk(A,S)M2. B → S : M, A, B, {|NA, M, A, B|} sk(A,S) , {|NB, M, A, B|} sk(B,S)M3. S → B : M, {|NA, K AB |} sk(A,S) , {|NB, K AB |} sk(B,S)M4. B → A : M, {|NA, K AB |} sk(A,S)Attack 2: The intruder can play the role of S in M2 and M3 byreflecting the encrypted components of M2 back to B. Namely:M1. a → b : m, a, b, {|na, m, a, b|} sk(a,s)M2. b → i(s) : m, a, b, {|na, m, a, b|} sk(a,s) , {|nb, m, a, b|} sk(b,s)M3. i(s) → b : m, {|na, m, a, b|} sk(a,s) , {|nb, m, a, b|} sk(b,s)M4. b → a : m, {|na, m, a, b|} sk(a,s)⇒ a and b accept wrong key and i can decrypt their subsequentcommunication! So key authentication (and secrecy) fails!FMSEC Module 2, v.2 28.09.2009
Page 1 and 2: Security Protocols IIntroductionSeb
Page 3 and 4: Sebastian Mödersheim 2Good Crypto
Page 5 and 6: Sebastian Mödersheim 4Motivation
Page 7 and 8: Sebastian Mödersheim 6Road map•
Page 9 and 10: Sebastian Mödersheim 8Building a k
Page 11 and 12: Sebastian Mödersheim 1. A, B10Buil
Page 13 and 14: Sebastian Mödersheim 1. A, B12Buil
Page 15 and 16: Sebastian Mödersheim 14Building a
Page 19: Sebastian Mödersheim 18Building a
Page 24 and 25: iSebastian Mödersheim 23Building a
Page 32 and 33: Sebastian Mödersheim 31ExerciseCan
Page 34 and 35: Sebastian Mödersheim 33Summary: Co
Page 36 and 37: Sebastian Mödersheim 35Summary: Pr
Page 38 and 39: Sebastian Mödersheim 37An authenti
Page 40 and 41: Sebastian Mödersheim 39Informal Co
Page 42 and 43: Sebastian Mödersheim 41Man-in-the-
Page 44 and 45: Sebastian Mödersheim 43Assumptions
Page 46 and 47: Sebastian Mödersheim 45Examples of
Page 48 and 49: Sebastian Mödersheim 47Type flaw a
Page 52 and 53: Sebastian Mödersheim 51Example of
Page 54 and 55: Sebastian Mödersheim 53Example of
Page 56 and 57: Sebastian Mödersheim 55. . . and s
Page 58 and 59: Sebastian Mödersheim 57Prudent eng
Page 60: Sebastian Mödersheim 59Bibliograph

Security Protocols I - Information Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?