Interlock Protocol Akanksha Srivastava 2002A7PS589
Motivation
• Prior establishment of secret / public keys or passwords.
• Public Key Cryptography – communicate securely without prior arrangement.
• Let $\alpha$, $\beta$ be large publicly known numbers.
• A wants to talk to B.
• A and B pick random numbers – $A_R$ and $B_R$ respectively.
Exponential Key Exchange Protocol
A → B: $\alpha^{A_R} \bmod \beta$
B → A: $\alpha^{B_R} \bmod \beta$
Thus, A and B can calculate the shared key as $\alpha^{A_R B_R} \bmod \beta$.
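Vulnerable to – MITM attack
A → Z: $\alpha^{A_R} \bmod \beta$
Z → B: $\alpha^{Z_R} \bmod \beta$
B → Z: $\alpha^{B_R} \bmod \beta$
Z → A: $\alpha^{Z'_R} \bmod \beta$
Here, A and Z can compute the key as $(\alpha^{A_R})^{Z'_R} \bmod \beta \equiv (\alpha^{Z'_R})^{A_R} \bmod \beta \equiv \alpha^{A_R Z'_R} \bmod \beta$.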
Similarly, Z and B can compute the key as $(\alpha^{Z_R})^{B_R} \bmod \beta \equiv (\alpha^{B_R})^{Z_R} \bmod \beta \equiv \alpha^{Z_R B_R} \bmod \beta$.
• After the key exchange, message M should be sent across to B by A as $E_{a,b}(M)$, i.e. message M (say, its password for authentication) encrypted using the secret key derived from the exponential key exchange.
• Instead, A sends its password $P_A$ across as $E_{a,z'}(P_A)$, which is intercepted by Z and decrypted using the key $\alpha^{A_R Z'_R} \bmod \beta$ that Z shares with A. Z then re-encrypts it using the key it shares with B and sends it to B as $E_{z,b}(P_A)$.
• B responds with its password $P_B$ encrypted as $E_{z,b}(P_B)$, which is again deciphered by Z and forwarded as $E_{z',a}(P_B)$.
Implication
• A decrypts $E_{a,z'}(P_B)$ to get $P_B$, hashes it, and verifies it against the stored hash.
• Similarly, B authenticates “A” as genuine.
• A and B communicate oblivious of the presence of the man-in-the-middle (Z).
• Z knows not only the keys used by A and B to encrypt messages but also their passwords.
• Z can not only eavesdrop on all the messages exchanged between A and B but can also change them or substitute them with new ones.
• Z, knowing the passwords of A and B, can potentially access information that A and B did not explicitly exchange during the session.
Solution (suggested by Davies and Price) – Interlock Protocol
• Originally proposed by R.L. Rivest and A. Shamir.
• Based on the “interlocking” of message halves, such that an incomplete message is unintelligible to Z.
Actual Model
A → B: $E_{a,b}(P_A)(1)$
B → A: $E_{a,b}(P_B)(1)$
A → B: $E_{a,b}(P_A)(2)$
B → A: $E_{a,b}(P_B)(2)$
This time, even if Z eavesdrops on the 1st half of the password sent by A, it will not be able to decrypt it until the 2nd half is received. This means Z will not be able to re-encrypt it using its shared key with B. The same holds for B’s half-password. So, A and B can detect if Z tries to intrude after the passwords have been exchanged.
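The interlocking of halves can be tried out with the added example below, which is not part of the original slides. It assumes constructed toy numbers ($\alpha = 3$, $\beta = 2^{127}-1$), a toy Feistel cipher standing in for $E$, and hypothetical function names (`keypair`, `shared`, `encrypt`, `decrypt`, `session`).

```python
import hashlib, secrets

ALPHA, BETA = 3, 2**127 - 1   # constructed toy public numbers (beta is prime)
HALF = 16                     # bytes per message half; one block = 2 halves

def keypair():
    r = secrets.randbelow(BETA - 2) + 1            # the random A_R, B_R, Z_R, Z'_R
    return r, pow(ALPHA, r, BETA)                  # alpha^r mod beta

def shared(r, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, r, BETA)).encode()).digest()

def _f(key, rnd, data):                            # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + data).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, msg):
    """Toy 4-round Feistel cipher (illustration only); returns the two halves."""
    assert len(msg) <= 2 * HALF
    block = msg.ljust(2 * HALF, b"\0")
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l, r

def decrypt(key, h1, h2):
    l, r = h1, h2
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return (l + r).rstrip(b"\0")

def session(p_a, mitm):
    """A sends p_a to B in two interlocked halves; Z may sit in the middle."""
    a_r, a_pub = keypair()
    b_r, b_pub = keypair()
    z_r, z_pub = keypair()                         # Z's value used towards B
    z2_r, z2_pub = keypair()                       # Z's value used towards A (Z')
    k_a = shared(a_r, z2_pub if mitm else b_pub)   # key A believes it shares with B
    k_b = shared(b_r, z_pub if mitm else a_pub)    # key B believes it shares with A
    k_za = shared(z2_r, a_pub)                     # key Z really shares with A
    h1, h2 = encrypt(k_a, p_a)
    return {
        # Z holds only half 1: padding the missing half does not yield p_a
        "z_after_half1": decrypt(k_za, h1, bytes(HALF)) if mitm else None,
        # Z could not re-encrypt in time, so B decrypts the relayed halves under k_b
        "b_decrypts": decrypt(k_b, h1, h2),
        # only once half 2 arrives can Z read p_a, i.e. after the exchange
        "z_after_both": decrypt(k_za, h1, h2) if mitm else None,
    }
```

With `mitm=False`, B recovers the password; with `mitm=True`, B's decryption fails to match, which is the signal that the key B holds is not the one A encrypted under.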
Bellovin – Merritt Attack
A → Z: $E_{z',a}(P_A)(1)$
Z → A: $E_{z',a}(P?)(1)$
A → Z: $E_{z',a}(P_A)(2)$
Bellovin – Merritt attack (Contd…)
Z → B: $E_{z,b}(P_A)(1)$
B → Z: $E_{z,b}(P_B)(1)$
Z → B: $E_{z,b}(P_A)(2)$
B → Z: $E_{z,b}(P_B)(2)$
A case of interest here is one where A is the user and B is the host. This means B would need to send the first data so that A can verify it to be genuine before it sends its password.
• This would require Z to first obtain $P_B$ and then communicate with A.
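Forced Latency Interlock Protocol
• Here, B (say, the server) delays its responses each time (say, by time Dt) A sends messages across.
[Diagram: A, Z and B, with keys $K_a$, $K_z$, $K_{z'}$, $K_b$. Between A and Z: $E_{a,z'}(P_A)(1)$, $E_{a,z'}(P?)(1)$, $E_{a,z'}(P_A)(2)$, $E_{a,z'}(P?)(2)$. Between Z and B: $E_{b,z}(P_A)(1)$, $E_{b,z}(P_B)(1)$, $E_{b,z}(P_A)(2)$, $E_{b,z}(P_B)(2)$. Delays of Dt are marked between messages, followed by data on each side.]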
Implications
• After A has sent its password, it receives data only after Dt * 2 time intervals, whereas it was expecting the data after Dt.
• This detects the presence of Z.
• But Z could also keep communicating with A, posing as B, and not talk to B at all. In that case there would be no delays.
• This means the Interlock Protocol with latency can prevent a third party from eavesdropping on the communication but cannot provide authentication.