Download
1 / 13
130 likes | 146 Vues
Man in the Middle Attacks. Man in the Middle. SSH authentication with agent is an example of (benign) “ man in the middle ” in authentication M-i-M is a fundamental problem in all authentication protocols The protocols can only prove that the legitimate party is talking
E N D
Man in the Middle • SSH authentication with agent is an example of (benign) “man in the middle” in authentication • M-i-M is a fundamental problem in all authentication protocols • The protocols can only prove that the legitimate party is talking • But does it yield the desired protection against adversaries?
Building a Secure Channel • What is a secure channel? • Messages sent between Alice and Bob should not be • eavesdropped by the attacker • tampered with by the attacker • Provide assurance on who you are talking to
Building a secure channel out of an insecure medium • Use symmetric cipher • Faster than public-key cipher • Encryption ensures confidentiality of communication • Authentication and data integrity ensured by applying message authentication code • Need to establish a shared secret
PKB is Bob’s public key Building a secure channel out of an insecure medium I am Alice I am Bob, inc PKB E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)
PKB is Bob’s public key SSL/TLS I am Alice I am Bob, inc PKB E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)
Borrowed from Vitaly Shmatikov’s lecture slides MiM Attack Example: Needham-Schroeder • Very (in)famous example • Appeared in a 1979 paper • Goal: authentication in a network of workstations • In 1995, Gavin Lowe discovered unintended property while preparing formal analysis using FDR system • Background: public-key cryptography • Every agent A has a key pair Ka, Ka-1 • Everybody knows public key Ka and can encrypt messages to A with it (we’ll use {m}Ka notation) • Only A knows secret key Ka-1, therefore, only A can decrypt messages encrypted with Ka
Borrowed from Vitaly Shmatikov’s lecture slides {A, NonceA} Kb {NonceA, NonceB } Ka { NonceB} Kb Needham-Schroeder Public-Key Protocol A’s identity Fresh random number generated by A A B B’s reasoning: The only way to learn NonceB is to decrypt 2nd message Only A can decrypt 2nd message Therefore, A is on the other end A is authenticated! A’s reasoning: The only person who could know NonceA is the person who decrypted 1st message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated!
Borrowed from Vitaly Shmatikov’s lecture slides {A, NonceA} Kb {NonceA, NonceB } Ka { NonceB} Kb What Does This Protocol Achieve? • Protocol aims to provide both authentication and secrecy • After this the exchange, only A and B know NonceA and NonceB • NonceA and NonceB can be used to derive a shared key A B
{ A, Na } Kb { Na, Nc } Ka { Nc } Kb { A, Na } { Na, Nc } Kc Ka C Adapted from Vitaly Shmatikov’s lecture slides Anomaly in Needham-Schroeder [published by Lowe] A B Evil B pretends that he is A B can’t decrypt this message, but he can forward it { Nc } Kc Evil agent B tricks honest A into revealing C’s private value Nc C is convinced that he is talking to A!
Adapted from Vitaly Shmatikov’s lecture slides Lessons of Needham-Schroeder • Classic man-in-the-middle attack • Exploits participants’reasoning to fool them • A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that message {Na,Nb}Ka came from B • The attack has nothing to do with cryptography! • It is important to realize limitations of attacks • The attack requires that A willingly talk to adversary • In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!
{A, NonceA} Kb {NonceA, NonceB, B} Ka { NonceB} Kb Fixing Needham-Schroeder’s protocol A B
{ A, Na } Kb { Na, Nc, C } Ka { A, Na } { Na, Nc, C } Kc Ka C Adapted from Vitaly Shmatikov’s lecture slides The attack no longer works [published by Lowe] A B Evil B pretends that he is A A will detect that the message was actually sent by C.
