Security protocols: Difference between revisions

From miki
Jump to navigation Jump to search
Line 41: Line 41:


=== using public-key crypto - signature ===
=== using public-key crypto - signature ===
* The private key could be derived from a passphrase (GitHub does that apparently [https://news.ycombinator.com/item?id=25741840]).

Revision as of 10:59, 12 January 2021

References

  • Handbook of applied cryptography
! this book is not always up-to-date ! Some protocols might be broken today (eg. Needham-Schroeder public-key protocol)

Authentication Protocol

using symmetric crypto

using public-key crypto - encrytion

Needham-Schroeder protocol (NS)

References: [1]

  • Vulnerable to MiTM attack — use the NSL variant!

The protocol:

A --> B: P_B(k_1,A)
A <== B: P_A(k_1,k_2)
A --> B: P_B(k_2)

The MiTM attack (via relay):

  • If E can persuade A to start a session with him, he can relay to B and convince B that he is communicating with A.
A --> E      : P_E(k_1,A)
      E --> B: P_B(k_1,A)
A <== E <== B: P_A(k_1,k_2)          # E simply relays B's nonce back to A
A --> E      : P_E(k_2)              # E learns k_2 from A's message
      E --> B: P_B(k_2)              # ... and forwards it to B with B public key
Now, B falsely believes that A is communicating with him, and that k_1 and k_2 are known only to A and B.

Needham-Schroeder-Lowe protocol (NSL)

References: [2], hac, chap 12, §12.38

  • Don't confuse with the symmetric variant (used in Kerberos).
  • Original version (NS protocol) broken — use this variant instead.

The protocol:

A --> B: P_B(k_1,A)
A <== B: P_A(k_1,k_2,B)
A --> B: P_B(k_2)

using public-key crypto - signature

  • The private key could be derived from a passphrase (GitHub does that apparently [3]).