Security protocols: Difference between revisions
Jump to navigation
Jump to search
| (3 intermediate revisions by the same user not shown) | |||
| Line 8: | Line 8: | ||
=== using public-key crypto - encrytion === |
=== using public-key crypto - encrytion === |
||
==== Needham-Schroeder protocol (NS) ==== |
|||
References: [http://en.wikipedia.org/wiki/Needham–Schroeder_protocol] |
|||
* '''{{red|Vulnerable to MiTM attack}}''' — use the NSL variant! |
|||
The protocol: |
|||
A --> B: P_B(k_1,A) |
|||
A <== B: P_A(k_1,k_2) |
|||
A --> B: P_B(k_2) |
|||
The MiTM attack (via relay): |
|||
* If E can persuade A to start a session with him, he can relay to B and convince B that he is communicating with A. |
|||
A --> E : P_E(k_1,A) |
|||
E --> B: P_B(k_1,A) |
|||
A <== E <== B: P_A(k_1,k_2) # E simply relays B's nonce back to A |
|||
A --> E : P_E(k_2) # E learns k_2 from A's message |
|||
E --> B: P_B(k_2) # ... and forwards it to B with B public key |
|||
:Now, B falsely believes that A is communicating with him, and that k_1 and k_2 are known only to A and B. |
|||
==== Needham-Schroeder-Lowe protocol (NSL) ==== |
==== Needham-Schroeder-Lowe protocol (NSL) ==== |
||
| Line 13: | Line 33: | ||
* '''{{red|Don't confuse with}}''' the symmetric variant (used in Kerberos). |
* '''{{red|Don't confuse with}}''' the symmetric variant (used in Kerberos). |
||
* '''{{red| |
* '''{{red|Original version (NS protocol) broken}}''' — use this variant instead. |
||
The protocol: |
|||
A --> B: P_B(k_1,A) |
A --> B: P_B(k_1,A) |
||
A <== B: P_A(k_1,k_2,B) |
A <== B: P_A(k_1,k_2,B) |
||
| Line 20: | Line 41: | ||
=== using public-key crypto - signature === |
=== using public-key crypto - signature === |
||
* The private key could be derived from a passphrase (GitHub does that apparently [https://news.ycombinator.com/item?id=25741840]). This way, secret data never leaves the client side. |
|||
Latest revision as of 10:59, 12 January 2021
References
- Handbook of applied cryptography
- ! this book is not always up-to-date ! Some protocols might be broken today (eg. Needham-Schroeder public-key protocol)
Authentication Protocol
using symmetric crypto
using public-key crypto - encrytion
Needham-Schroeder protocol (NS)
References: [1]
- Vulnerable to MiTM attack — use the NSL variant!
The protocol:
A --> B: P_B(k_1,A) A <== B: P_A(k_1,k_2) A --> B: P_B(k_2)
The MiTM attack (via relay):
- If E can persuade A to start a session with him, he can relay to B and convince B that he is communicating with A.
A --> E : P_E(k_1,A)
E --> B: P_B(k_1,A)
A <== E <== B: P_A(k_1,k_2) # E simply relays B's nonce back to A
A --> E : P_E(k_2) # E learns k_2 from A's message
E --> B: P_B(k_2) # ... and forwards it to B with B public key
- Now, B falsely believes that A is communicating with him, and that k_1 and k_2 are known only to A and B.
Needham-Schroeder-Lowe protocol (NSL)
References: [2], hac, chap 12, §12.38
- Don't confuse with the symmetric variant (used in Kerberos).
- Original version (NS protocol) broken — use this variant instead.
The protocol:
A --> B: P_B(k_1,A) A <== B: P_A(k_1,k_2,B) A --> B: P_B(k_2)
using public-key crypto - signature
- The private key could be derived from a passphrase (GitHub does that apparently [3]). This way, secret data never leaves the client side.