Security Protocols and common attacks.

11 Dec, 2007

I wanted to write a blog on Security Protocols. This was the course I liked the most during my college days. Let's look at some protocols and some of the ways these protocols can be attacked. These are some protocols that I studied during my college days.
The two most common words in the security world are Confidentiality and Integrity. Understanding these two terms is crucial. In simple words, Confidentiality means that only authorized entities can read information. Integrity means assuring the recipient of a message that the message has not been altered since it was generated by a legitimate source.
In Public Key Cryptography:

  • Each user U has an encryption function Eu that is made public.
  • Each user U has a decryption function (key) Du that is non-public.

Du(Eu(m)) = m
The encryption function Eu can be revealed without revealing the decryption function Du.
As we know, Confidentiality can be provided by encryption. Integrity can be provided by using digital signatures.
Let's plunge into an example protocol with the famous Alice and Bob.
Now let's look at a session establishment protocol and some attacks on it. A protocol to establish a session key K between Alice and Bob must guarantee the following two properties.
After successful protocol execution:

  • Only Alice and Bob (and any TTPs involved; a TTP is a trusted third party involved in generation of a session key) should know K.
  • Alice and Bob should be assured that K is newly generated.

An adversary can do any of the following:

  • Eavesdrop on all messages sent in a protocol
  • Alter all messages sent in a protocol using any information available
  • Re-route any message to any principal
  • Generate and insert completely new messages
  • Obtain the value of the session key used in any sufficiently old previous run of the protocol
  • Start any number of parallel protocol runs between any principals

The protocols below rely on some assumptions about encryption.
The encryption of message M with key K (shared or public) is denoted by the ciphertext {M}K.
Assumptions:

  • Without K or the matching private key, it should be impossible to retrieve M from {M}K
  • It should be impossible to retrieve K or the matching private key from {M}K
  • Without K, even with knowledge of M, it should be impossible to alter {M}K without being detected

Here is what the notation used in this blog means:
{K}KAT: K is encrypted with the key shared between Alice and Trent. KAT is known to both Alice and Trent.

Here Trent is the trusted third party.
In the first step Alice sends a message to Trent saying that she wants to have a session with Bob.
Trent finds the keys KAT and KBT, generates K at random, and creates {K}KAT and {K}KBT, that is, K encrypted under the keys Trent shares with Alice and with Bob respectively.
Alice decrypts {K}KAT to get K. Bob decrypts {K}KBT to get K. From now on Alice and Bob can communicate with key K.
Now let's look at the attack on this protocol.

  • Mallory (one who tries to break the rules, and may be a valid principal) intercepts Alice's message intended for Trent.
  • Trent thinks Alice wants a key with Mallory.
  • Alice is fooled into thinking that Mallory is Bob.
  • The attacker is (also) a legitimate principal.
  • Here Mallory impersonates Bob and Alice is made to believe it.

FIX FOR THE ATTACK:

This protocol binds the session key to the intended users.
If Mallory tries the previous attack, then Trent will include Mallory's identity in the encrypted part intended for Alice, so she knows the decrypted key is not shared with Bob, and therefore the attack will fail.
YET ANOTHER ATTACK ON THIS IMPROVED PROTOCOL

Mallory records the exchange between Alice and Bob as shown in the above figure.
Mallory replays the messages in a subsequent run, as in the second step of the protocol.
Here are some points to note:

  • K' is not fresh.
  • But Alice does not know about this.
  • K' is known to Mallory, and Mallory can again fool Alice.
  • This attack is called a replay/freshness attack.

The fix here is to issue a challenge and expect a response, so that no one can mount replay attacks.
So here is the improved protocol:

Alice (Bob) checks if Trent is there:

  • Sends a random challenge to Trent
  • Trent responds with a message that binds the challenge to the session key, as you can see in the second step of the new protocol above.
  • Alice (Bob) verifies the binding before accepting the key

Since Alice (Bob) expects a different response each time, Mallory cannot replay an old response without detection.
This method is called challenge-response.
NA is called the nonce; it is the challenge sent by Alice to Trent, and Trent responds to it. So a reply is always a fresh one. Now Mallory cannot replay the messages as in the previous version of the protocol.
This brand new protocol includes 2 challenge-response exchanges. One is between Alice and Trent and the other is between Bob and Alice.

  • Bob checks if Alice is there
  • Sends a challenge to A (Message 4)
  • The response should be fresh (Message 5)
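
The two fixes above (binding the peer's identity to the session key, and binding Alice's nonce NA to Trent's reply) can be checked in a few lines. This is an added example, not code from the original post. The message layout {NA, K, peer}KAT is an assumption, since the protocol figures are not reproduced here, and `seal`/`unseal` are a toy encrypt-then-MAC stand-in for {M}K built from HMAC-SHA256, not a production cipher.

```python
import hashlib, hmac, secrets

def _stream(key, iv, n):
    # Keystream from HMAC-SHA256 in counter mode (toy stand-in for a real cipher).
    blocks = (hmac.new(key, b"enc" + iv + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    # {M}K: encrypt, then MAC, so any alteration is detected (third assumption).
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, iv, len(msg))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("altered ciphertext or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))

def trent_reply(kat, peer_in_request, nonce):
    # Trent binds the nonce and the peer named in the request he saw to a fresh K.
    k = secrets.token_bytes(16)
    return seal(kat, nonce + k + peer_in_request.encode())

def alice_accept(kat, blob, intended_peer, my_nonce):
    pt = unseal(kat, blob)
    nonce, k, peer = pt[:16], pt[16:32], pt[32:].decode()
    if peer != intended_peer:          # identity binding: defeats the first attack
        raise ValueError("key bound to %s, not %s" % (peer, intended_peer))
    if not hmac.compare_digest(nonce, my_nonce):   # freshness: defeats replay
        raise ValueError("nonce mismatch: replayed reply")
    return k

def outcome(kat, blob, peer, nonce):
    try:
        alice_accept(kat, blob, peer, nonce)
        return "accepted"
    except ValueError as err:
        return "rejected: " + str(err)

KAT = secrets.token_bytes(32)   # constructed long-term key shared by Alice and Trent
na1, na2 = secrets.token_bytes(16), secrets.token_bytes(16)
run1 = trent_reply(KAT, "Bob", na1)
print(outcome(KAT, run1, "Bob", na1))                              # honest run
print(outcome(KAT, trent_reply(KAT, "Mallory", na2), "Bob", na2))  # request was rewritten
print(outcome(KAT, run1, "Bob", na2))                              # old reply replayed
```
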

Friends, unfortunately there is another attack on this improved protocol as well. Can you guess it? :)
