An analysis of various cryptographic protocols, including their design and potential vulnerabilities. It covers topics such as challenge-response protocols, key exchange protocols, and mutual authentication. The document also includes exercises and moral lessons to help readers understand the importance of secure communication and the potential consequences of protocol flaws.
David Wagner
University of California, Berkeley

Notation:
  A, B : names of legitimate parties. (Short for: Alice, Bob, client, server.)
  M : name of a malicious attacker. (Short for: Mallet.)
  A → B : x  means A sends the message x, intended for B.
    Do note: the recipient only receives the message x, not who it came from. (Thus, messages should include the sender's name if the recipient needs to know it.)
  Don't assume A, B, the network, or the adversary will behave as intended. (Thus, messages might be intercepted, modified, re-ordered, etc.)
  { x }_K : x encrypted under key K.  [ x ]_{K_A^-1} : x signed with A's private key.  cert_A : A's certificate for her public key K_A.
Establishing a secure channel with a challenge-response protocol:

  A → B : { message }_{K_B}

Can you spot the flaw?

Look closely:

  3. A → B : cert_A, cert_B, { [ k_AB ]_{K_A^-1} }_{K_B}

The key k_AB isn't bound to the names of the endpoints.
Therefore, B can extract the quantity [ k_AB ]_{K_A^-1} and use it to spoof A in a new connection to C, like this:

  3′. B → C : cert_A, cert_C, { [ k_AB ]_{K_A^-1} }_{K_C}

As a result, C mistakenly concludes he is speaking with A.

Moral: Be explicit. Bind all names, and all other relevant context, to every message.
Exercise: Why do so many protocols fail this way?
Credits: Abadi and Needham.
Look closely:

  1. A → B : { k_AB }_{K_B}
  2. B → A : { N_B }_{k_AB}
  3. A → B : { cert_A, [ N_B ]_{K_A^-1} }_{k_AB}

Alice will sign anything with her private key.
B can open a connection to C and pretend to be A, as follows:

  1′. B → C : { k_BC }_{K_C}
  2′. C → B : { N_C }_{k_BC}

When C challenges B with nonce N_C, Bob sends N_B = N_C back to A and uses her as an oracle:

  1. A → B : { k_AB }_{K_B}
  2. B → A : { N_C }_{k_AB}
  3. A → B : { cert_A, [ N_C ]_{K_A^-1} }_{k_AB}

A will sign anything, so B extracts [ N_C ]_{K_A^-1} from { cert_A, [ N_C ]_{K_A^-1} }_{k_AB} and he's in:

  3′. B → C : { cert_A, [ N_C ]_{K_A^-1} }_{k_BC}
A is a cellphone handset, B is a base station.

  1. B → A : N_B
  2. A → B : { data }_k,  where k = f(K_AB, N_B) is the voice privacy key.

Can you spot the weakness?
Sending a signed, encrypted message to B:

  A → B : [ A, B, { message }_{K_B} ]_{K_A^-1}

This has a subtle issue, depending upon how it is used.

Example: Proving yourself by sending a password.
Attacker M intercepts Alice's encrypted password:

  A → B : [ A, B, { password }_{K_B} ]_{K_A^-1}

Then M extracts { password }_{K_B}, and sends

  M → B : [ M, B, { password }_{K_B} ]_{K_M^-1}

Now M is in, without needing to know the password.

Example: Secure auctions.
The same attack provides an easy way for M to send in a copy of A's bid under his own name, without needing to know what A's bid was.
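The password example above, and the Abadi-Needham moral earlier ("bind all names to every message"), come down to the same structural defect: the inner ciphertext carries nothing that ties it to the party whose signature wraps it. The following is an added example, not code from the slides. It is a symbolic model in the Dolev-Yao style: Enc and Sig are opaque tuples labelled with a key owner rather than real cryptography, so what is exercised is exactly what is bound to what. The names b_check_flawed, b_check_bound, ACCESS_PASSWORD and the repaired message format { A, password }_{K_B} are assumptions made here for the demonstration; the single shared access password is a constructed sample.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Enc:
    """{ payload }_{K_recipient}: opaque to everyone except `recipient`."""
    recipient: str
    payload: tuple


@dataclass(frozen=True)
class Sig:
    """[ payload ]_{K_signer^-1}: readable and verifiable by anyone, producible only by `signer`."""
    signer: str
    payload: tuple


# Constructed sample: one access password that A knows and B checks.
ACCESS_PASSWORD = "correct horse battery staple"


def b_check_flawed(msg: Sig) -> Optional[str]:
    """B's check of  A -> B : [ A, B, { password }_{K_B} ]_{K_A^-1}  (the slide's protocol).
    Returns the name B records as having proved itself, or None on rejection."""
    sender, dest, box = msg.payload
    if sender != msg.signer or dest != "B" or box.recipient != "B":
        return None
    (password,) = box.payload           # B opens the inner box
    return sender if password == ACCESS_PASSWORD else None


def b_check_bound(msg: Sig) -> Optional[str]:
    """Repaired check (an assumption added here, not the slide's): the sender's name is
    bound inside the encryption,  A -> B : [ A, B, { A, password }_{K_B} ]_{K_A^-1},
    so B can tell that a re-signed inner box was not produced by its new signer."""
    sender, dest, box = msg.payload
    if sender != msg.signer or dest != "B" or box.recipient != "B":
        return None
    inner_name, password = box.payload
    if inner_name != sender:            # the repair: outer signer must match the inner name
        return None
    return sender if password == ACCESS_PASSWORD else None


def alice_message(bind_name: bool) -> Sig:
    """A's honest message in the flawed (bind_name=False) or repaired form."""
    inner = ("A", ACCESS_PASSWORD) if bind_name else (ACCESS_PASSWORD,)
    return Sig("A", ("A", "B", Enc("B", inner)))


def mallet_replay(intercepted: Sig) -> Sig:
    """M's move from the slide: strip A's signature, keep the opaque inner box
    unchanged (M cannot read it), and re-sign the envelope under his own name."""
    _, _, box = intercepted.payload
    return Sig("M", ("M", "B", box))


def demo():
    """Who B admits for the replayed message under each check: ('M', None)."""
    return (b_check_flawed(mallet_replay(alice_message(False))),
            b_check_bound(mallet_replay(alice_message(True))))


if __name__ == "__main__":
    print(demo())
```

The auction variant on the slide has the same shape with a bid in place of the password, and the same repair applies: the bidder's name belongs inside the encryption, where only B can read it and where M cannot substitute his own.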
A and B establish a shared key k_B using the help of a fast server S:

  1. A → S : { k_A }_{K_S}
  2. B → S : { k_B }_{K_S}
  3. S → A : k_A ⊕ k_B

A recovers k_B as k_A ⊕ ( k_A ⊕ k_B ).

What's the flaw? Let's play spot the oracle!

The attack: Given { k_B }_{K_S}, M and M′ can conspire to recover k_B:

  M → S : { k_B }_{K_S}
  M′ → S : { k_M′ }_{K_S}
  S → M : k_B ⊕ k_M′

Now M′ can recover k_B from { k_B }_{K_S}.
This lets eavesdroppers recover session keys established by other parties.
Credits: Simmons.
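The key server above is an oracle because it XORs any two ciphertexts it is handed and returns the result to whoever handed them over. The following is an added example, not code from the slides, modelling the exchange in Python: encryption to S is symbolic (a frozen ToServer value that only S reads, so an eavesdropper can replay it but not open it), while the XOR on 16-byte session keys is real. server_flawed is the slide's S; server_bound is a hardening assumed here for contrast, in which each submission names its sender and intended peer, S insists the two submissions name each other, and the reply is encrypted to the party named inside the ciphertext rather than handed to whoever delivered it. All names (ToServer, ToParty, honest_run, collusion) and the session keys are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ToServer:
    """{ sender, peer, key }_{K_S}: opaque to everyone except S. A holder can
    replay it unchanged but cannot read or alter the fields (frozen)."""
    sender: str
    peer: str
    key: bytes


@dataclass(frozen=True)
class ToParty:
    """{ value }_{K_recipient}: only `recipient` can open it."""
    recipient: str
    value: bytes


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def server_flawed(first: ToServer, second: ToServer) -> bytes:
    """S as on the slide: names are ignored and k_1 XOR k_2 goes back in the clear
    to whoever submitted `first`. S is an XOR oracle on its own ciphertexts."""
    return xor(first.key, second.key)


def server_bound(first: ToServer, second: ToServer) -> Optional[ToParty]:
    """Hardened S (an assumption added here, not the slide's): the submissions must
    name each other, and the answer is addressed to the sender named inside."""
    if (first.sender, first.peer) != (second.peer, second.sender):
        return None
    return ToParty(first.sender, xor(first.key, second.key))


def open_for(party: str, box: ToParty) -> Optional[bytes]:
    """Decrypt a ToParty box, which only its named recipient can do."""
    return box.value if box.recipient == party else None


def honest_run(server, bound: bool) -> bool:
    """1. A -> S : {k_A}   2. B -> S : {k_B}   3. S -> A : k_A XOR k_B.  True if A recovers k_B."""
    k_a, k_b = os.urandom(16), os.urandom(16)          # constructed session keys
    reply = server(ToServer("A", "B", k_a), ToServer("B", "A", k_b))
    if bound:
        reply = open_for("A", reply)
    return xor(k_a, reply) == k_b


def collusion(server, bound: bool):
    """M replays B's eavesdropped {k_B}_{K_S} as his own submission while M' submits
    a key both attackers know. Returns (what the attackers learn or None, k_B)."""
    k_b = os.urandom(16)
    eavesdropped = ToServer("B", "A", k_b)              # B's message 2, captured on the wire
    k_m2 = os.urandom(16)
    # Against the bound server M' forges the names that pair with B's ciphertext;
    # anyone can encrypt to S, so the names alone prove nothing.
    partner = ToServer("A", "B", k_m2) if bound else ToServer("M2", "M", k_m2)
    reply = server(eavesdropped, partner)
    if bound and reply is not None:
        reply = open_for("M", reply)                    # addressed to B, so M cannot open it
    if reply is None:
        return None, k_b
    return xor(k_m2, reply), k_b                        # k_B falls out of the XOR


if __name__ == "__main__":
    print("honest, flawed server:", honest_run(server_flawed, False))
    print("honest, bound server: ", honest_run(server_bound, True))
    learned, k_b = collusion(server_flawed, False)
    print("collusion vs flawed:  ", learned == k_b)
    print("collusion vs bound:   ", collusion(server_bound, True)[0])
```

The hardened variant only helps if S really does deliver its answer to the party named inside the ciphertext (here, by encrypting it to that party's key). Routing the XOR back to whoever spoke last, even with names checked, would reopen the oracle.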