October 7, 2003 Serguei A. Mokhov, mokhov@cs.concordia.ca
Cryptographic Protocols and Possible Attacks
SOEN321- Information-Systems Security
Revision: 1.1
Date: November 25, 2004
Contents
• Security Flaws in Cryptographic Protocols
– Freshness Flaws
– Oracle Flaws
– Type Flaws
– Implementation-Dependent Flaws
– Elementary Flaws
– Others
Security Flaws
• A flaw is a protocol property that contradicts the security requirements.
• A security flaw is a part of a program that can cause the system to violate its security requirements.
• Finding security flaws, then, demands some knowledge of the system security requirements. These requirements vary according to the system and the application [Landwehr, Bull, McDermott and Choi].
• The proof of a flaw is commonly known as an “attack” and it is generally presented as actions performed on the protocol.
Flaw Types
• Freshness
• Oracle
• Type
• Implementation-Dependent
• Others…
Freshness Flaws
• Freshness flaws appear when critical messages are used in the protocol without including freshness information such as nonces and/or timestamps.
• An intruder can exploit this omission to masquerade as another principal by replaying messages belonging to previous runs.
Freshness Flaws
• A classical example of a freshness flaw occurs in the symmetric-key protocol proposed by Needham and Schroeder:
– Message 1 A -> S : A, B, Na
– Message 2 S -> A : {Na, B, kab, {kab, A}kbs}kas
– Message 3 A -> B : {kab, A}kbs
– Message 4 B -> A : {Nb}kab
– Message 5 A -> B : {Nb + 1}kab
Freshness Flaws (2)
• This protocol aims to provide a mutual authentication between two principals A and B.
• Each principal shares a secret key with a trusted server S.
• This protocol was thought to be correct until 1981 when the basic weakness was pointed out by Denning and Sacco.
• The main problem of this protocol is that the principal playing the role B cannot detect whether the message {kab, A}kbs sent by the principal playing the role A at step 3 has been recently created or not, since it does not contain any freshness information.
Freshness Flaws (3)
• Suppose, for example, that an intruder has compromised a previously distributed key k’ab (by cryptanalysis, for example) and replays the corresponding message to the principal playing the role B in step 3.
• In this case, the principal playing the role B will accept this key as a new one and reply with the message {Nb}k’ab.
• Hence, the intruder can intercept this message and impersonate A’s reply by sending the message {Nb + 1}k’ab.
Freshness Flaws (4)
• To fix this weakness, Denning and Sacco proposed adding a timestamp to the messages used at step 2 and step 3:
– Message 1 A -> S : A, B, Na
– Message 2 S -> A : {T, Na, B, kab, {kab, A, T}kbs}kas
– Message 3 A -> B : {kab, A, T}kbs
– Message 4 B -> A : {Nb}kab
– Message 5 A -> B : {Nb + 1}kab
• Needham and Schroeder proposed a solution based on the use of nonces. The two proposed solutions seem to resolve the problem; however, there is no proof of correctness for either of the new versions.
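The replay described above and the effect of the Denning-Sacco timestamp can be traced in a small symbolic model. This is an added example, not part of the original slides: encryption is modelled symbolically (an `Enc` object can only be opened with the matching key name), and the key names, clock values and the 300-unit acceptance window are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext {fields}key: only a holder of `key` can open it."""
    key: str
    fields: tuple


def dec(ct: Enc, key: str) -> tuple:
    if ct.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return ct.fields


class StaleTicket(Exception):
    """Raised by B when the timestamp T in the ticket is too old."""


class B:
    """Responder role. max_age=None models the original protocol."""

    def __init__(self, kbs: str, max_age=None):
        self.kbs, self.max_age = kbs, max_age

    def on_message3(self, ticket: Enc, now: int) -> Enc:
        fields = dec(ticket, self.kbs)
        if self.max_age is None:
            self.kab, self.peer = fields            # {kab,A}kbs
        else:
            self.kab, self.peer, t = fields         # {kab,A,T}kbs
            if abs(now - t) > self.max_age:
                raise StaleTicket(f"ticket issued at T={t}, now={now}")
        self.nb = secrets.randbelow(2**32)
        return Enc(self.kab, (self.nb,))            # Message 4: {Nb}kab

    def on_message5(self, msg: Enc) -> bool:
        (value,) = dec(msg, self.kab)
        return value == self.nb + 1                 # expects {Nb + 1}kab


def replay_old_ticket(with_timestamp: bool) -> str:
    """Replay a ticket from an old run whose session key k'ab has leaked."""
    kbs, old_kab = "kbs", "k'ab"                    # constructed key names
    issued, now, max_age = 1_000, 90_000, 300       # constructed clock values
    if with_timestamp:
        old_ticket, b = Enc(kbs, (old_kab, "A", issued)), B(kbs, max_age)
    else:
        old_ticket, b = Enc(kbs, (old_kab, "A")), B(kbs)
    try:
        msg4 = b.on_message3(old_ticket, now)       # replayed Message 3
    except StaleTicket:
        return "rejected: stale ticket"
    (nb,) = dec(msg4, old_kab)                      # possible only because k'ab leaked
    accepted = b.on_message5(Enc(old_kab, (nb + 1,)))
    return f"B believes it shares {b.kab} with {b.peer}" if accepted else "handshake failed"


if __name__ == "__main__":
    print("original      :", replay_old_ticket(False))
    print("with timestamp:", replay_old_ticket(True))
```

The timestamp check only helps if B's clock is reasonably synchronised with S and the acceptance window is short compared with the time needed to compromise a session key.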
Oracle Flaws
• Oracle flaws occur when the cryptographic protocol dialog allows an adversary to know some secret information or to foretell the content of some encrypted messages.
• Two subclasses of oracle flaws are distinguished:
– Single oracle flaws and,
– Multi-role oracle flaws.
Single Oracle Flaws
• Single oracle flaws are oracle flaws that occur when the protocol does not allow principals to change their roles from one protocol run to another.
• The most famous example of a single role oracle flaw was given by Rivest, Shamir, and Adleman. It consists of the following three-step protocol:
– Message 1 A -> B : {M}ka
– Message 2 B -> A : {{M}ka}kb
– Message 3 A -> B : {M}kb
• We assume that the encrypting function is commutative, i.e. {{M}ka}kb = {{M}kb}ka
Single Oracle Flaws (2)
• The goal of this protocol is to transfer secret messages from one principal to another without the help of a trusted server.
• In step one, the principal playing the role A encrypts the message M under its secret key ka (which can be randomly generated), then sends the result to the principal playing the role B.
• In the second step, the principal playing the role B encrypts the received message with its secret key kb and sends the result to the principal playing the role A.
• Finally, the principal playing the role A decrypts the message {{M}ka}kb to obtain the message {M}kb (this can be achieved under the commutative assumption) which is sent to the principal playing the role B.
Single Oracle Flaws (3)
• This protocol can be attacked as follows:
– Message 1 A -> I(B) : {M}ka
– Message 2 I(B) -> A : {M}ka
– Message 3 A -> I(B) : M
• At step one, the intruder intercepts the message {M}ka which is supposed to be sent to the principal playing the role B.
• At step two, the intruder sends the intercepted message to the principal playing the role A as B’s response.
• Finally, the principal playing the role A decrypts the received message and sends the result (M) to the principal playing the role B.
• However, the intruder intercepts this message; hence, it learns the information that was supposed to be secret.
Multi-Role Oracle Flaws
• Multi-role oracle flaws occur when the protocol assumptions allow principals to change their role from one run to another.
• In this case, an intruder has more opportunities to attack the protocol.
• In fact, the intruder can participate in many runs executed concurrently; hence, messages of one run can be used to form messages that will be used in another run.
Multi-Role Oracle Flaws (2)
• A good example of multi-role oracle flaws is:
– Message 1 A -> B : {Na}kab
– Message 2 B -> A : {Na + 1}kab
• The objective of this protocol is to convince the principal playing role A that the principal playing role B is operational.
Multi-Role Oracle Flaws (3)
• At step one, the principal playing role A sends a challenge, the nonce Na encrypted using the key kab.
• The principal playing role B can easily give a response ({Na + 1}kab) to this challenge at step two since it knows the key kab.
• This protocol can be attacked as follows:
– Message 1.1 A -> I(B) : {Na}kab
– Message 2.1 I(B) -> A : {Na}kab
– Message 2.2 A -> I(B) : {Na + 1}kab
– Message 1.2 I(B) -> A : {Na + 1}kab
• At step one of the first protocol run, the intruder intercepts the message {Na}kab and uses it as its own challenge in the first step of the second protocol run.
Multi-Role Oracle Flaws (4)
• Therefore, it is not surprising that the principal playing the role A will answer by sending the message {Na + 1}kab in step two of the second protocol run.
• Furthermore, this message is also the necessary one to finish the first run.
• Finally, the principal playing the role A is convinced that the principal playing the role B is operational; however, this principal may no longer exist in the system.
Type Flaws
• Extracting message components requires full knowledge of their types.
• At the concrete level, a message is implemented as a sequence of bits, so to extract the value of the first component, for example, we need its type (length).
• Such information can be implicit if the receiver has prior knowledge of the message’s components, their types and their positions.
• Another solution is to represent types explicitly in the transmitted data structure.
• In this case, the receiver does not need to know the types in advance since it will find them embedded within the received message.
Type Flaws (2)
• Type flaws occur when an adversary can induce the receiver to infer message component types which are different from their real ones.
• The Andrew Secure RPC (from the Andrew File System) Protocol, presented below, provides a good example of this class of flaws.
– Message 1 A -> B : A, {Na}kab
– Message 2 B -> A : {Na + 1, Nb}kab
– Message 3 A -> B : {Nb + 1}kab
– Message 4 B -> A : {k’ab, N’b}kab
Type Flaws (3)
• In step one, the principal playing the role A sends its identity and a challenge {Na}kab to indicate to the principal playing the role B that it wishes to communicate with it.
• At the second step, the principal playing the role B sends the message {Na + 1,Nb}kab which is a challenge to the principal playing the role A.
• At step three, the principal playing the role A replies to the challenge of the principal playing the role B by sending the message {Nb + 1}kab.
• At the last step, the principal playing the role B creates a session key k’ab, concatenates it with N’b, an identifier for a future communication, encrypts the result with the key kab and sends it to the principal playing the role A.
Type Flaws (4)
• Suppose that nonces and keys have the same length (x bits).
• This protocol can be attacked as follows:
– An intruder I can intercept the message {Na + 1, Nb}kab sent at the second step and send it in step four as B’s reply.
– In this case, the principal playing the role A will consider the value of Na + 1 as the value of the session key k’ab.
Type Flaws (5)
• The complete attack is:
– Message 1 A -> B : A, {Na}kab
– Message 2 B -> A : {Na + 1, Nb}kab
– Message 3 A -> B : {Nb + 1}kab
– Message 4 I(B) -> A : {Na + 1, Nb}kab
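The type confusion can be reproduced at the byte level, together with the explicit-type remedy mentioned under Type Flaws. This is an added example, not part of the original slides: `seal`/`unseal` are a toy stand-in for encryption under kab, the 16-byte field length is an assumed value of x, and the one-byte type tags `MSG2`/`MSG4` are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 16                              # nonces and keys share one length (x = 128 bits)
MSG2, MSG4 = b"\x02", b"\x04"       # hypothetical type tags for the hardened variant


def _stream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, pt):
    """Toy stand-in for {pt}key (hash keystream plus HMAC tag); not for real use."""
    iv = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(pt, _stream(key, iv, len(pt))))
    return iv + body + hmac.new(key, iv + body, hashlib.sha256).digest()


def unseal(key, blob):
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(body, _stream(key, iv, len(body))))


def inc(x):
    """Nonce + 1 on a fixed-width N-byte value."""
    return ((int.from_bytes(x, "big") + 1) % (1 << (8 * N))).to_bytes(N, "big")


def build(kab, tag, first, second, typed):
    return seal(kab, (tag if typed else b"") + first + second)


def parse(kab, blob, expect, typed):
    """Split a two-field message; with typed=True the embedded tag is checked."""
    pt = unseal(kab, blob)
    if typed:
        if pt[:1] != expect:
            raise ValueError("unexpected message type")
        pt = pt[1:]
    if len(pt) != 2 * N:
        raise ValueError("bad length")
    return pt[:N], pt[N:]


def replay_msg2_as_msg4(typed):
    """Message 2 is sent again to A in place of Message 4."""
    kab = secrets.token_bytes(N)
    na, nb = secrets.token_bytes(N), secrets.token_bytes(N)
    msg2 = build(kab, MSG2, inc(na), nb, typed)       # B -> A, recorded on the wire
    first, _ = parse(kab, msg2, MSG2, typed)          # A verifies Na + 1
    if first != inc(na):
        raise RuntimeError("honest Message 2 failed A's check")
    try:                                              # Message 4 := recorded Message 2
        session_key, _ = parse(kab, msg2, MSG4, typed)
    except ValueError as err:
        return ("rejected", str(err))
    return ("accepted", session_key == inc(na))       # A's "session key" is Na + 1


if __name__ == "__main__":
    print("untyped:", replay_msg2_as_msg4(False))
    print("typed  :", replay_msg2_as_msg4(True))
```

The integrity tag passes in both cases because the replayed blob is genuine; only the type information inside the encrypted payload lets A tell Message 2 from Message 4.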
Binding Flaws
• In public key cryptography, it would be catastrophic if a principal misjudges the key of another.
• In fact, a public key is used to send secret information, since only the principal having the appropriate private key can decrypt the encrypted message.
• However, if, for example, an intruder I having a public key ki can convince a principal A that B’s public key is ki, then the intruder can read all secret messages (encrypted by ki) coming from A and going to B.
• To avoid such a flaw, a genuine binding between agents and public keys must be established.
Binding Flaws (2)
• In general, in distributed systems, a trusted server is in charge of the key distribution task.
• Each principal uses an authentication protocol to get public keys of other principals from the server.
• However, if the authentication protocol is not carefully designed, binding flaws can take place.
Binding Flaws (3)
• A good illustrative example of this class of flaws is given hereafter:
– Message 1 A -> S : A, B, Na
– Message 2 S -> A : S, {S, A, Na, kb}ks-1
• Here, the principal playing the role A wishes to know the public key of the principal playing the role B with the help of the trusted server S.
• At step one, the principal playing the role A sends its identity, the identity of the principal playing the role B and a nonce Na to the server S.
• In step two, the server replies with a message containing its identity, A’s identity, the nonce Na (to ensure the freshness of the message) and the public key of the principal playing the role B.
• All these components are concatenated and encrypted under S’s private key (signature), allowing the principal playing the role A to be sure about the origin of the message.
Binding Flaws (4)
• As shown by Hwang and Chen, this protocol can be attacked as follows:
– Message 1.1 A -> I(S) : A, B, Na
– Message 2.1 I(A) -> S : A, I, Na
– Message 2.2 S -> I(A) : S, {S, A, Na, ki}ks-1
– Message 1.2 I(S) -> A : S, {S, A, Na, ki}ks-1
• At step one of the first protocol run, the intruder I intercepts the message “A,B,Na”, replaces the identity of B with its own identity and sends the result as the first message of a new run of the protocol (Message 2.1).
• At step 2.2, the server replies with a message containing I’s public key, since it thinks that the principal playing the role A is asking for this public key.
• Finally, the intruder replays S’s message to the principal playing the role A. Thus, a binding flaw occurs, since the principal playing the role A thinks that the public key of the principal playing the role B is ki.
Binding Flaws (5)
• To avoid this flaw, Hwang and Chen proposed the following modification:
– Message 1 A -> S : A, B, Na
– Message 2 S -> A : S, {S, A, Na, B, kb}ks-1
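The difference between the two versions of Message 2 shows up in what A is able to check on receipt. The following is an added example, not part of the original slides: S's signature is modelled symbolically by a `Signed` object, and the directory contents and the nonce value are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signed:
    """Symbolic signature {fields}ks-1: anyone can read it, only S can create it."""
    signer: str
    fields: tuple


PUBLIC_KEYS = {"B": "kb", "I": "ki"}      # constructed directory held by S


def server(request, bind_subject):
    """S answers Message 1. bind_subject=True is the Hwang-Chen modification."""
    requester, subject, nonce = request
    key = PUBLIC_KEYS[subject]
    if bind_subject:
        fields = ("S", requester, nonce, subject, key)    # {S,A,Na,B,kb}ks-1
    else:
        fields = ("S", requester, nonce, key)             # {S,A,Na,kb}ks-1
    return ("S", Signed("S", fields))


def a_accept(reply, me, wanted, nonce, bind_subject):
    """A's checks on Message 2; returns the key A will use for `wanted`."""
    _sender, cert = reply
    if cert.signer != "S":
        raise ValueError("not signed by S")
    if bind_subject:
        s, requester, n, subject, key = cert.fields
        if subject != wanted:
            raise ValueError(f"key is bound to {subject}, not {wanted}")
    else:
        s, requester, n, key = cert.fields                # nothing names the key owner
    if (s, requester, n) != ("S", me, nonce):
        raise ValueError("identity or nonce mismatch")
    return key


def intruder_in_the_middle(bind_subject):
    """Messages 1.1, 2.1, 2.2 and 1.2 of the run described by Hwang and Chen."""
    na = "Na"                                             # constructed nonce value
    msg_1_1 = ("A", "B", na)                              # A -> I(S)
    msg_2_1 = (msg_1_1[0], "I", msg_1_1[2])               # I(A) -> S, B replaced by I
    msg_2_2 = server(msg_2_1, bind_subject)               # S -> I(A)
    try:
        return a_accept(msg_2_2, "A", "B", na, bind_subject)   # 1.2: I(S) -> A
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print("original :", intruder_in_the_middle(False))
    print("modified :", intruder_in_the_middle(True))
```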
Repudiation Flaws
• We say that a cryptographic protocol contains a repudiation flaw if at least one principal is able to deny its participation in any run of this protocol.
• A popular example of this category of flaws was given by the coin-flip protocol proposed by Toussaint.
• This protocol can be used by two principals to toss a coin over a “phone” as follows:
– B sends his choice of Heads or Tails to A.
– A:
  • chooses a key ka.
  • sends the message {ka, Heads}ka, {ka, Tails}ka to B.
– B arbitrarily chooses one of {ka, Heads}ka and {ka, Tails}ka and sends his choice, say X, to A.
Repudiation Flaws (2)
– A decrypts X, compares the result with B’s initial choice and sends the key ka to B.
– B decrypts X and compares the result with his initial choice.
• The probability that the principal A wins is equal to B’s (1/2), as shown by Toussaint.
• However, in this protocol, the result of the game is known by A before B.
• Then, if the principal A discovers that he has lost, he can abort the protocol at step four and never reveal the key ka to B at the last step.
• In other terms, the principal A can deny his participation in this protocol run and a repudiation flaw occurs.
Implementation-Dependent Flaws
• Cryptosystems used within cryptographic protocols are supposed to be perfect, modulo a set of properties containing at least integrity and confidentiality.
• However, some examples show that these conditions are not sufficient for some protocols, because their security can be severely affected by the implementation approach adopted for cryptographic functions.
• The interaction between cryptosystems and cryptographic protocols has not yet been studied in depth and is still an open area of research.
• However, it is clear that speaking about the security of a protocol in combination with a specific cryptosystem is better than speaking about the security of a protocol in absolute terms.
Implementation-Dependent Flaws (2)
• To be convinced of the severity of this problem, let us see the example proposed by Massey as shown below:
– Message 1 A -> B : {M}ka
– Message 2 B -> A : {{M}ka}kb
– Message 3 A -> B : {M}kb
• Suppose that we use the XOR function to cipher messages.
• Hence, if k is a key and M is a message, encrypting M under k amounts to the following simple operation: {M}k = M ⊕ k.
• Since k ⊕ k = 0 (0 ⊕ 0 = 0 and 1 ⊕ 1 = 0), the deciphering transformation is performed by using the same operation: {{M}k}k = M ⊕ k ⊕ k = M.
Implementation-Dependent Flaws (3)
• The intent of this protocol is to transmit a secret message M from a principal playing the role A to a principal playing the role B.
• However, if we compute the XOR of the three messages used in this protocol:
– ({M}ka ⊕ {{M}ka}kb ⊕ {M}kb),
– then the result is M (the message which is supposed to be secret).
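The three-pass protocol with XOR as the commutative cipher can be run end to end to show both failures discussed on these slides: the passive recovery of M from the three messages, and the reflection from the Single Oracle Flaws slides where A strips its own layer from its own Message 1. This is an added example, not part of the original slides; the message text is constructed, and the `reject_reflection` check is an assumption that only blocks the verbatim reflection and does nothing about the passive XOR weakness.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class A:
    """Initiator of the three-pass protocol with {M}k = M XOR k."""

    def __init__(self, m: bytes, reject_reflection: bool = False):
        self.m, self.ka = m, secrets.token_bytes(len(m))
        self.reject_reflection = reject_reflection
        self.sent = None

    def message1(self) -> bytes:
        self.sent = xor(self.m, self.ka)              # {M}ka
        return self.sent

    def message3(self, msg2: bytes) -> bytes:
        if self.reject_reflection and msg2 == self.sent:
            raise ValueError("Message 2 is my own Message 1")
        return xor(msg2, self.ka)                     # removes A's layer


def honest_run(m: bytes):
    """Returns the three wire messages and what B finally decrypts."""
    a, kb = A(m), secrets.token_bytes(len(m))
    msg1 = a.message1()
    msg2 = xor(msg1, kb)                              # {{M}ka}kb
    msg3 = a.message3(msg2)                           # {M}kb
    return msg1, msg2, msg3, xor(msg3, kb)


def eavesdropper_view(msg1: bytes, msg2: bytes, msg3: bytes) -> bytes:
    """(M^ka) ^ (M^ka^kb) ^ (M^kb): both keys cancel and M remains."""
    return xor(xor(msg1, msg2), msg3)


def reflection(m: bytes, reject_reflection: bool):
    """Message 1 comes back to A as Message 2; returns what A then sends."""
    a = A(m, reject_reflection)
    msg1 = a.message1()
    try:
        return a.message3(msg1)                       # equals M when accepted
    except ValueError:
        return None


if __name__ == "__main__":
    secret = b"constructed secret"                    # constructed sample message
    m1, m2, m3, at_b = honest_run(secret)
    print("B receives        :", at_b)
    print("XOR of 3 messages :", eavesdropper_view(m1, m2, m3))
    print("reflection        :", reflection(secret, False))
    print("reflection checked:", reflection(secret, True))
```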
Other Flaws
• Elementary Flaws:
– Some cryptographic protocols provide only marginal protection against an adversary. In general, this category of protocols is breakable with little effort.
– Little or no protection in a protocol leads in almost all cases to so-called elementary flaws.
– A simple example of these flaws can be given by the following protocol:
  • Message 1 A -> B : {Na, kab}ka-1
  • Message 2 B -> A : {Na}kab
Other Flaws (2)
• Password Guessing Flaws:
– Password guessing flaws occur if it is easy for an adversary to guess some secret key.
– An intruder can do an exhaustive search in a word space smaller than the whole key space to look for keys that are not randomly selected.
– This category of flaws is independent of the protocol design but is related to the cryptographic techniques used to generate keys.
Other Flaws (3)
• Calculi Flaws:
– Normally, after receiving a message, the receiver does some verification in order to know whether the received message is the expected one or not.
– However, if these computations are not completed or are not done correctly, then a calculi flaw could arise.
References
• Dr. Mourad Debbabi
• http://www.ciise.concordia.ca/~debbabi/inse7100.html