Berkeley COMPSCI 261N - Cryptographic protocols: design and analysis

Unformatted text preview:

Cryptographic protocols:design and analysisDavid WagnerUniversity of California, Berkeley1WarmupEstablishing a secure channel with a challenge-response protocol:1. A → B : A2. B → A : NB3. A → B : [NB]K−1A4. A → B : {message}KB5. A → B : {message0}KB. . .Can you spot the flaw?2X.509 standard #1Sending a signed, encrypted message to B:1. A → B : A, [TA, B, {message}KB]K−1AThis has a subtle issue, depending upon how it is used.3Breaking X.509 standard #1Look again:1. A → B : A, [TA, B, {message}KB]K−1AThere’s no reason to believe the sender was ever aware of the contents of themessage. Signatures imply approval but not authorship.4An Attack on X.509 #1Example: Proving yourself by sending a password.Attacker M intercepts Alice’s encrypted password:1. A → B : A, [TA, B, {password}KB]K−1AThen M extracts {password}KB, and sends10. M → B : M, [TM, B, {password}KB]K−1MNow M is in, without needing to know the password.5Another Attack on X.509 #1Example: Secure auctions.The same attack provides an easy way for M to send in a copy of A’s bid underhis own name, without needing to know what A’s bid was.6LessonsAn important difference between• Authentication as endorsement (i.e., taking responsibility).• Authentication as a way of claiming credit.Encrypting before signing provides a secure way of assigning responsibility,but an insecure way to establishing credit.Moral: sign before encrypting.Credits: Abadi and Needham.7TMNA, B establish a shared key kBusing the help of a fast server S:1. A → S : {kA}KS2. B → S : {kB}KS3. S → A : kA⊕ kBA recovers kBas kA⊕ (kA⊕ kB).What’s the flaw?8Breaking TMNLet’s play spot the oracle!The attack: Given {kB}KS, M, M0can conspire to recover kB:10. M → S : {kB}KS20. M0→ S : {kM0}KS30. S → M : kB⊕ kM0Now M, M0can recover kBfrom {kB}KS.This lets eavesdroppers recover session keys established by other parties.Credits: Simmons.9Needham-SchroederA, B establish a secure channel, given knowledge of each other’s public key:1. A → B : {A, NA}KB2. B → A : {NA, NB}KA3. A → B : {NB, message}KBThis protocol was published in 1978. In 1996, Gavin Lowe found a flaw. Can youfind it, too?10The Lowe attackSuppose Alice initiates a session with dishonest Dave:1. A → D : {A, NA}KDDave can then convince Bob he is Alice:10. D → B : {A, NA}KB20. B → A : {NA, NB}KA3. A → D : {NB, message}KD30. D → B : {NB, message0}KB11The Smash protocolA, B establish a secure channel, given knowledge of each other’s public key:1. A → B : {A, NA}KB2. B → A : {NA}KA3. A → B : {NA, message}KBYes, this too has a flaw. What is it?12Smashing the SmashNothing prevents Zorro from lying about his identity in the first message:1. Z → B : {A, NZ}KB2. B → A : {NZ}KA3. Z → B : {NZ,


View Full Document

Berkeley COMPSCI 261N - Cryptographic protocols: design and analysis

Download Cryptographic protocols: design and analysis
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Cryptographic protocols: design and analysis and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Cryptographic protocols: design and analysis 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?