Interlock Protocol - Akanksha Srivastava 2002A7PS589

Motivation Prior establishment of secret / public keys or passwords. Public Key Cryptography – communicate securely without prior arrangement.  Let α,β be large publicly known numbers.  A wants to talk to B.  A and B pick random numbers – A R and B R respectively.

Exponential Key Exchange Protocol A B α A R mod β α B R mod β Thus, A and B can calculate the shared key as α A R B R mod β

Vulnerable to – MITM attack A Z B α A R mod β α Z R mod β α B R mod β α Z’ R mod β Here, A and Z can compute the key as (α A R ) Z’ R mod β Ξ (α Z ’R ) A R mod β Ξ α A R Z’ R mod β

Similarly, Z and B can compute the key as (α Z R ) B R mod β Ξ (α B R ) Z R mod β Ξ α Z R B R mod β After the key exchange, message M should be sent across to B by A as E a,b (M) ie message M, (say, its password for authentication) encrypted using the private key derived from the exponential key exchange. Instead, A sends its password P A across as E a,z’ (P A ) which is intercepted by Z, decrypted using its private key α A R Z’ R mod β. He, then encrypts it using B’s public key and sends it to B as E Z,B (P A ). B responds with its Password P B encrypted as E Z,B (P B ) which is again deciphered by Z and forwarded as E z’,a (P B ).

Implication A decrypts E a,z’ (P B ) to get P B, hashes it and matches it with the stored hash and verifies it to be correct. Similarly, B authenticates “A” as genuine. A and B communicate oblivious of the presence of the man-in-the-middle (Z). Z knows not only knows the keys used by A and B to encrypt messages but also their passwords. Z can not only eavesdrop on all the messages exchanged between A and B but can also change them or substitute them with new ones. Z, aware of the passwords of A and B can potentially sneak into the information not explicitly exchanged by A and B during the session.

Solution (suggested by Davies and Price) – Interlock Protocol Originally proposed by R.L. Rivest and A. Shamir. Based on the “interlocking” of message halves, such that incomplete message is unintelligible to Z.

Actual Model AB E a,b (P A )(1) E a,b (P B )(1) E a,b (P B )(2) E a,b (P A )(2) This time, even if Z eavesdrops on the 1 st half of password sent by A, it will not be able to decrypt it until the 2 nd half is received. This means Z will not be able to re-encrypt it using its shared key with B. Similar is the case with B’s half –password. So, A and b can detect if Z tries to intrude after the passwords have been exchanged.

Bellovin – Merritt Attack AZ E z’,a (P A )(1) E z’,a (P A )(2) E z’,a (P ? )(1)

Bellovin – Merritt attack (Contd…) Z B E z,b (P A )(1) E z,b (P B )(1) E z,b (P A )(1) E z,b (P B )(2)

A case of interest here, can be on where A is the user and B is the host. This means B would need to send the first data so that A can verify it be genuine before it sends it password. This would require z to first obtain P B and then communicate with A.

Forced Latency Interlock Protocol Here, B (say, the server) delays its responses each time (say, by time Dt) A sends messages across. A ZB KaKz Kz’Kb E a,z’ (P A )(1) E a,z’ (P A )(2) E a,z’ (P ? )(1) E a,z’ (P ? )(2) E b,z (P A )(1) E b,z (P B )(1) E b,z (P A )(2) E b,z (P B )(2) (Dt) data

Implications After A has sent its password, it receives data only after Dt * 2 time intervals, whereas it was expecting the data after Dt. This detects the presence of Z. But, Z could also keep communicating with A, posing as B and not talk to B at all. This means there would be no delays. This means, Interlock Protocol with latency can prevent a third party from eavesdropping on the communication but cannot provide authentication.

Thanks!