Man in the Middle Attacks

Man in the Middle SSH authentication with agent is an example of (benign) “man in the middle” in authentication M-i-M is a fundamental problem in all authentication protocols The protocols can only prove that the legitimate party is talking But does it yield the desired protection against adversaries?

Building a Secure Channel What is a secure channel? Messages sent between Alice and Bob should not be eavesdropped by the attacker tampered with by the attacker Provide assurance on who you are talking to

Building a secure channel out of an insecure medium Use symmetric cipher Faster than public-key cipher Encryption ensures confidentiality of communication Authentication and data integrity ensured by applying message authentication code Need to establish a shared secret

Building a secure channel out of an insecure medium I am Alice I am Bob, inc PKB is Bob’s public key PKB E(PKB , s) {m}KC || MACKM(m) It is important that Alice start the secret communication first. Otherwise an attacker can replace s with his own and trick Bob into leaking sensitive information. Alice Bob KC, KM = h(s)

SSL/TLS I am Alice I am Bob, inc PKB is Bob’s public key PKB E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)

MiM Attack Example: Needham-Schroeder Borrowed from Vitaly Shmatikov’s lecture slides MiM Attack Example: Needham-Schroeder Very (in)famous example Appeared in a 1979 paper Goal: authentication in a network of workstations In 1995, Gavin Lowe discovered unintended property while preparing formal analysis using FDR system Background: public-key cryptography Every agent A has a key pair Ka, Ka-1 Everybody knows public key Ka and can encrypt messages to A with it (we’ll use {m}Ka notation) Only A knows secret key Ka-1, therefore, only A can decrypt messages encrypted with Ka

Needham-Schroeder Public-Key Protocol Borrowed from Vitaly Shmatikov’s lecture slides Needham-Schroeder Public-Key Protocol A’s identity Fresh random number generated by A Kb { A, NonceA } Ka { NonceA, NonceB } A B Kb { NonceB} A’s reasoning: The only person who could know NonceA is the person who decrypted 1st message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated! B’s reasoning: The only way to learn NonceB is to decrypt 2nd message Only A can decrypt 2nd message Therefore, A is on the other end A is authenticated!

What Does This Protocol Achieve? Borrowed from Vitaly Shmatikov’s lecture slides What Does This Protocol Achieve? Kb { A, NonceA } Ka { NonceA, NonceB } A B Kb { NonceB} Protocol aims to provide both authentication and secrecy After this the exchange, only A and B know NonceA and NonceB NonceA and NonceB can be used to derive a shared key

Anomaly in Needham-Schroeder Adapted from Vitaly Shmatikov’s lecture slides Anomaly in Needham-Schroeder [published by Lowe] { A, Na } Kb A B { Na, Nc } Ka { Nc } Kb { Na, Nc } Ka { A, Na } Kc C Evil B pretends that he is A B can’t decrypt this message, but he can forward it { Nc } Kc Evil agent B tricks honest A into revealing C’s private value Nc C is convinced that he is talking to A!

Lessons of Needham-Schroeder Adapted from Vitaly Shmatikov’s lecture slides Lessons of Needham-Schroeder Classic man-in-the-middle attack Exploits participants’ reasoning to fool them A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that message {Na,Nb}Ka came from B The attack has nothing to do with cryptography! It is important to realize limitations of attacks The attack requires that A willingly talk to adversary In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!

Fixing Needham-Schroeder’s protocol Kb { A, NonceA } Ka { NonceA, NonceB, B} A B Kb { NonceB}

The attack no longer works Adapted from Vitaly Shmatikov’s lecture slides The attack no longer works [published by Lowe] { A, Na } Kb A { Na, Nc, C } Ka B { Na, Nc, C } Ka { A, Na } Kc C Evil B pretends that he is A A will detect that the message was actually sent by C.