Presentation is loading. Please wait.

Presentation is loading. Please wait.

Man in the Middle Attacks

Published byΜαία Παπακώστας Modified over 6 years ago

Similar presentations

Presentation on theme: "Man in the Middle Attacks"— Presentation transcript:

1 Man in the Middle Attacks

2 Man in the Middle SSH authentication with agent is an example of (benign) “man in the middle” in authentication M-i-M is a fundamental problem in all authentication protocols The protocols can only prove that the legitimate party is talking But does it yield the desired protection against adversaries?

3 Building a Secure Channel
What is a secure channel? Messages sent between Alice and Bob should not be eavesdropped by the attacker tampered with by the attacker Provide assurance on who you are talking to

4 Building a secure channel out of an insecure medium
Use symmetric cipher Faster than public-key cipher Encryption ensures confidentiality of communication Authentication and data integrity ensured by applying message authentication code Need to establish a shared secret

5 Building a secure channel out of an insecure medium
I am Alice I am Bob, inc PKB is Bob’s public key PKB E(PKB , s) {m}KC || MACKM(m) It is important that Alice start the secret communication first. Otherwise an attacker can replace s with his own and trick Bob into leaking sensitive information. Alice Bob KC, KM = h(s)

6 SSL/TLS I am Alice I am Bob, inc PKB is Bob’s public key PKB
E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)

7 MiM Attack Example: Needham-Schroeder
Borrowed from Vitaly Shmatikov’s lecture slides MiM Attack Example: Needham-Schroeder Very (in)famous example Appeared in a 1979 paper Goal: authentication in a network of workstations In 1995, Gavin Lowe discovered unintended property while preparing formal analysis using FDR system Background: public-key cryptography Every agent A has a key pair Ka, Ka-1 Everybody knows public key Ka and can encrypt messages to A with it (we’ll use {m}Ka notation) Only A knows secret key Ka-1, therefore, only A can decrypt messages encrypted with Ka

8 Needham-Schroeder Public-Key Protocol
Borrowed from Vitaly Shmatikov’s lecture slides Needham-Schroeder Public-Key Protocol A’s identity Fresh random number generated by A Kb { A, NonceA } Ka { NonceA, NonceB } A B Kb { NonceB} A’s reasoning: The only person who could know NonceA is the person who decrypted 1st message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated! B’s reasoning: The only way to learn NonceB is to decrypt 2nd message Only A can decrypt 2nd message Therefore, A is on the other end A is authenticated!

9 What Does This Protocol Achieve?
Borrowed from Vitaly Shmatikov’s lecture slides What Does This Protocol Achieve? Kb { A, NonceA } Ka { NonceA, NonceB } A B Kb { NonceB} Protocol aims to provide both authentication and secrecy After this the exchange, only A and B know NonceA and NonceB NonceA and NonceB can be used to derive a shared key

10 Anomaly in Needham-Schroeder
Adapted from Vitaly Shmatikov’s lecture slides Anomaly in Needham-Schroeder [published by Lowe] { A, Na } Kb A B { Na, Nc } Ka { Nc } Kb { Na, Nc } Ka { A, Na } Kc C Evil B pretends that he is A B can’t decrypt this message, but he can forward it { Nc } Kc Evil agent B tricks honest A into revealing C’s private value Nc C is convinced that he is talking to A!

11 Lessons of Needham-Schroeder
Adapted from Vitaly Shmatikov’s lecture slides Lessons of Needham-Schroeder Classic man-in-the-middle attack Exploits participants’ reasoning to fool them A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that message {Na,Nb}Ka came from B The attack has nothing to do with cryptography! It is important to realize limitations of attacks The attack requires that A willingly talk to adversary In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!

12 Fixing Needham-Schroeder’s protocol
Kb { A, NonceA } Ka { NonceA, NonceB, B} A B Kb { NonceB}

13 The attack no longer works
Adapted from Vitaly Shmatikov’s lecture slides The attack no longer works [published by Lowe] { A, Na } Kb A { Na, Nc, C } Ka B { Na, Nc, C } Ka { A, Na } Kc C Evil B pretends that he is A A will detect that the message was actually sent by C.

Download ppt "Man in the Middle Attacks"

Similar presentations

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Overview and Basic Concepts Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus -

Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Overview and Basic Concepts Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus -
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Presented by: Suparita Parakarn 50-7038-103-2 Kinzang Wangdi 51-7018-007-8 Research Report Presentation Computer Network Security.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
CSCE 813 Internet Security Cryptographic Protocol Analysis.

CSCE 813 Internet Security Cryptographic Protocol Analysis.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.

Digital Signatures, Message Digest and Authentication Week-9.
6 June 2002 - Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,

6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Security Protocols Vitaly Shmatikov CS 6431. Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality,

Security Protocols Vitaly Shmatikov CS Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality,
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.

1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
INCS 741: Cryptography Overview and Basic Concepts.

INCS 741: Cryptography Overview and Basic Concepts.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.

Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.

Similar presentations

Ads by Google