1 / 13

Man in the Middle Attacks

Man in the Middle Attacks. Man in the Middle. SSH authentication with agent is an example of (benign) “ man in the middle ” in authentication M-i-M is a fundamental problem in all authentication protocols The protocols can only prove that the legitimate party is talking

Download Presentation

Man in the Middle Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Man in the Middle Attacks

  2. Man in the Middle • SSH authentication with agent is an example of (benign) “man in the middle” in authentication • M-i-M is a fundamental problem in all authentication protocols • The protocols can only prove that the legitimate party is talking • But does it yield the desired protection against adversaries?

  3. Building a Secure Channel • What is a secure channel? • Messages sent between Alice and Bob should not be • eavesdropped by the attacker • tampered with by the attacker • Provide assurance on who you are talking to

  4. Building a secure channel out of an insecure medium • Use symmetric cipher • Faster than public-key cipher • Encryption ensures confidentiality of communication • Authentication and data integrity ensured by applying message authentication code • Need to establish a shared secret

  5. PKB is Bob’s public key Building a secure channel out of an insecure medium I am Alice I am Bob, inc PKB E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)

  6. PKB is Bob’s public key SSL/TLS I am Alice I am Bob, inc PKB E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)

  7. Borrowed from Vitaly Shmatikov’s lecture slides MiM Attack Example: Needham-Schroeder • Very (in)famous example • Appeared in a 1979 paper • Goal: authentication in a network of workstations • In 1995, Gavin Lowe discovered unintended property while preparing formal analysis using FDR system • Background: public-key cryptography • Every agent A has a key pair Ka, Ka-1 • Everybody knows public key Ka and can encrypt messages to A with it (we’ll use {m}Ka notation) • Only A knows secret key Ka-1, therefore, only A can decrypt messages encrypted with Ka

  8. Borrowed from Vitaly Shmatikov’s lecture slides {A, NonceA} Kb {NonceA, NonceB } Ka { NonceB} Kb Needham-Schroeder Public-Key Protocol A’s identity Fresh random number generated by A A B B’s reasoning: The only way to learn NonceB is to decrypt 2nd message Only A can decrypt 2nd message Therefore, A is on the other end A is authenticated! A’s reasoning: The only person who could know NonceA is the person who decrypted 1st message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated!

  9. Borrowed from Vitaly Shmatikov’s lecture slides {A, NonceA} Kb {NonceA, NonceB } Ka { NonceB} Kb What Does This Protocol Achieve? • Protocol aims to provide both authentication and secrecy • After this the exchange, only A and B know NonceA and NonceB • NonceA and NonceB can be used to derive a shared key A B

  10. { A, Na } Kb { Na, Nc } Ka { Nc } Kb { A, Na } { Na, Nc } Kc Ka C Adapted from Vitaly Shmatikov’s lecture slides Anomaly in Needham-Schroeder [published by Lowe] A B Evil B pretends that he is A B can’t decrypt this message, but he can forward it { Nc } Kc Evil agent B tricks honest A into revealing C’s private value Nc C is convinced that he is talking to A!

  11. Adapted from Vitaly Shmatikov’s lecture slides Lessons of Needham-Schroeder • Classic man-in-the-middle attack • Exploits participants’reasoning to fool them • A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that message {Na,Nb}Ka came from B • The attack has nothing to do with cryptography! • It is important to realize limitations of attacks • The attack requires that A willingly talk to adversary • In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!

  12. {A, NonceA} Kb {NonceA, NonceB, B} Ka { NonceB} Kb Fixing Needham-Schroeder’s protocol A B

  13. { A, Na } Kb { Na, Nc, C } Ka { A, Na } { Na, Nc, C } Kc Ka C Adapted from Vitaly Shmatikov’s lecture slides The attack no longer works [published by Lowe] A B Evil B pretends that he is A A will detect that the message was actually sent by C.

More Related