Security protocols: Difference between revisions
Jump to navigation
Jump to search
(One intermediate revision by the same user not shown) | |||
Line 41: | Line 41: | ||
=== using public-key crypto - signature === |
=== using public-key crypto - signature === |
||
* The private key could be derived from a passphrase (GitHub does that apparently [https://news.ycombinator.com/item?id=25741840]). This way, secret data never leaves the client side. |
Latest revision as of 10:59, 12 January 2021
References
- Handbook of applied cryptography
- ! this book is not always up-to-date ! Some protocols might be broken today (eg. Needham-Schroeder public-key protocol)
Authentication Protocol
using symmetric crypto
using public-key crypto - encrytion
Needham-Schroeder protocol (NS)
References: [1]
- Vulnerable to MiTM attack — use the NSL variant!
The protocol:
A --> B: P_B(k_1,A) A <== B: P_A(k_1,k_2) A --> B: P_B(k_2)
The MiTM attack (via relay):
- If E can persuade A to start a session with him, he can relay to B and convince B that he is communicating with A.
A --> E : P_E(k_1,A) E --> B: P_B(k_1,A) A <== E <== B: P_A(k_1,k_2) # E simply relays B's nonce back to A A --> E : P_E(k_2) # E learns k_2 from A's message E --> B: P_B(k_2) # ... and forwards it to B with B public key
- Now, B falsely believes that A is communicating with him, and that k_1 and k_2 are known only to A and B.
Needham-Schroeder-Lowe protocol (NSL)
References: [2], hac, chap 12, §12.38
- Don't confuse with the symmetric variant (used in Kerberos).
- Original version (NS protocol) broken — use this variant instead.
The protocol:
A --> B: P_B(k_1,A) A <== B: P_A(k_1,k_2,B) A --> B: P_B(k_2)
using public-key crypto - signature
- The private key could be derived from a passphrase (GitHub does that apparently [3]). This way, secret data never leaves the client side.