Foundations of Computer SecurityLecture 59: Attacks on Cryptographic ProtocolsDr. Bill YoungDepartment of Computer SciencesUniversity of Texas at AustinLecture 59: 1 Attacks on Cryptographic ProtocolsAttacksA difficult aspect of analyzing cryptographic protocols is answeringthe question: What constitutes an attack?Are both authentication and secrecy assured?Is it possible to impersonate one or more of the parties?Is it possible to interject messages from an earlier exchange(replay attack)?What tools can an attacker deploy?*If any key is compromised, what are the consequences?Is the last question really fair?Some protocols have been in use for years before someone noted asignificant vulnerability.Lecture 59: 2 Attacks on Cryptographic ProtocolsAttacks on ProtocolsThis is a partial list of attacks on protocols:Known-key attack: attacker gains some keys used previously anduses this info in some malicious fashion.Replay: attacker records messages and replays them at a latertime.Impersonation: attacker assumes the identity of one of thelegitimate parties in a network.Man-in-the-Middle: attacker interposes himself between twoparties and pretends to each to be the other.Interleaving attack: attacker injects spurious messages into aprotocol run to disrupt or subvert it.Lecture 59: 3 Attacks on Cryptographic ProtocolsAttackersThe designer of a protocol should assume that an attacker canaccess all of the traffic and interject his own messages into theflow.Can the attackers messages be arbitrary? Why not? Whatrestrictions do we impose on the attacker?The protocol should be robust in the face of such a determinedand resourceful attacker.Lecture 59: 4 Attacks on Cryptographic ProtocolsImportant Point About ProtocolsDue to the distributed nature of the system, protocols are highlyasynchronous.A party to a protocol won’t know anything about the currentrun of the protocol except the messages it has received andsent.Except for the initiator, other parties will not even know thatthey are participating until they receive their first message.Each message sent must be of a form the recipient can identifyand respond to.Lecture 59: 5 Attacks on Cryptographic ProtocolsLessonsOne of the hardest things about analyzing a protocol isunderstanding what an attacker might do.The distributed nature of the system means that no-one butthe initiator knows the protocol is running until they receivetheir first message.Consequently, each message must be clear enough so that therecipient can interpret it and respond appropriately.Next lecture: Needham-SchroederLecture 59: 6 Attacks on Cryptographic
View Full Document