Alice, Bob and Oscar

Carlo U. Nicola, Institut für mobile und verteilte Systeme (IMVS), Fachhochschule Nordwestschweiz (FHNW)

FAEL 5. 11.2008

Topics

Q: What can go wrong when Alice and Bob try to exchange confidential messages?

Mathematical aids to protect your privacy:
1. RSA Protocol → SSL, certificates
2. Diffie-Hellman Protocol → IPSec

Other man-in-the-middle attacks:
1. Phishing
2. DNS Cache poisoning
3. The (unsolvable) covert channel

The man in the middle

[Figure: Alice, Bob and Oscar]

Privacy with symmetric cryptography: AES

Both Alice and Bob share the same secret (key).

[Figure: Alice encrypts the plaintext with the key, the ciphertext travels to Bob, and Bob decrypts it with the same key to recover the plaintext. The man-in-the-middle lines of attack are marked on the diagram.]

Practical issues:
→ security of end systems
→ how to establish a shared secret key (Diffie-Hellman)

Privacy with asymmetric (public) key: RSA

[Figure: public keys, labelled "Everybody can use them"; key shown: K_Alice]

Alice and Bob do not share the same secret (key).

The 2nd face of the RSA-Public-Key: authentication

[Figure: key shown: K_Bob]

If Bob's private key is really kept private, then every message encrypted with it will automatically authenticate Bob.

Man-in-the-middle and RSA-Public-Key

The whole RSA system rests on the mathematicians' hunch that it is (today) impossible to efficiently find the prime factors of a very big odd natural number. (We know, of course, that Euclid solved this problem 2000 years ago, but his method is not what we call an efficient one with regard to time.)

Oscar's strategy: Find a fast method to factorise big odd natural numbers. It can be done quite easily with quantum computers.

Example:
n = 70557
n = 3 × 29 × 811

A challenge for you:
n = 41564624307
n = 3 × 295861 × 46829
(Maple solves it in a matter of ms …)

Diffie-Hellman Algorithm

The big picture:
– Two strangers (Alice and Bob) have a public conversation;
– The result of this public conversation is a secret shared between them;
– All and sundry can hear the conversation but no eavesdroppers can learn the shared secret between Alice and Bob.
– This sounds almost like a miracle, but it isn't. The Diffie-Hellman protocol does just that!

The magic of Diffie-Hellman

The magic relies upon the difficulty of calculating discrete logarithms in a finite field, as compared with the ease of calculating exponentiation in the same field.
– A trivial example will show this: g = 2, p = 11 and we will calculate $g^x \bmod 11$: Given 1,2,3 … 10 find the exponent x in $2^x \bmod 11$. Difficult, especially for very big g and p.

Diffie-Hellman in action

Public conversation: Alice and Bob agree upon g and p: p, g are big primes ∈ P and g is a generator of $\mathbb{Z}_p^*$.

Alice: generate random number A ∈ [1,…,p-1]; $M_a = g^A \bmod p$
Bob: generate random number B ∈ [1,…,p-1]; $M_b = g^B \bmod p$

Messages exchanged: $M_a$ (Alice to Bob), $M_b$ (Bob to Alice)

Alice: compute $K = M_b^A \bmod p = g^{BA} \bmod p$
Bob: compute $K = M_a^B \bmod p = g^{AB} \bmod p$

But now the man-in-the-middle …

[Figure: Alice, Oscar and Bob; messages labelled Ma, Ea, M'b, Eb, followed by encrypted data on both sides]

Oscar uses two sets of keys: one for Bob and one for Alice. He must decrypt/encrypt in real time: neither Bob nor Alice should notice suspicious latency in the communication.

Why does this happen?

→ The DH protocol gives you only a private connection to somebody;
→ But you don't know who this somebody at the other end is!
→ You need to take separate steps to prevent a man-in-the-middle attack:
1. Either you digitally sign the Diffie-Hellman messages Ma, Mb or:
2. You must later authenticate Alice and Bob with certificates.

Practical man-in-the-middle attacks

Phishing

Phishing: lessons learned

No amount of sophisticated mathematics embedded within cryptological tools can defeat phishing.
No spam filter, however sophisticated, can defeat phishing.
Phishing can only be solved by the users themselves using common sense and a lot of scepticism. Unfortunately these virtues are not widespread in the user community.

DNS Cache poisoning

1. Poisoning of a DNS cache means entering in the cache a fake IP address for a well-known hostname.
2. What makes DNS cache poisoning a slightly difficult exploit is the use of a 16-bit transaction ID integer that is sent with every DNS query. This integer is supposed to be randomly generated.
3. That is, when an application running on your computer needs to resolve a symbolic hostname for a remote host, it sends out a DNS query along with the 16-bit transaction ID integer. If the name server to which the DNS query is sent does not contain the IP address either in its cache or in the zones for which it has authority, it will forward the query to name servers higher up in the tree of name servers. Each such query will be accompanied by its own 16-bit transaction ID number.

DNS poisoning attack: Correct recursive query

TTL: In seconds. 86400 → 24 h.

DNS poisoning attack: Overview

Random not so random (1)

If a sequence exhibits strong attractor behaviour, then future values in the sequence will be close to the values used to construct previous points in the attractor.

[Figure panels: Linux, Windows]

Random not so random (2)

[Figure panel: IOS Cisco]

What we see above is a trivial, probably microsecond clock-based time dependency at its finest, with most of the points attracted to one point with "echoes" around.

The (insoluble) covert channel problem

HAL: The man in the middle as lip reader
2001: A Space Odyssey, Stanley Kubrick

Lessons learned

The problem of the man(woman)-in-the-middle will stay with us for a very long time!
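The exchange from "Diffie-Hellman in action" and the countermeasure "digitally sign the Diffie-Hellman messages", as an added example that is not part of the original slides. It uses the slides' toy values g = 2, p = 11; the RSA key, the function names and the choice to sign only Ma are assumptions made for illustration.

```python
import secrets

P, G = 11, 2                  # the slides' trivial example: g = 2, p = 11
N, E, D = 3233, 17, 2753      # constructed toy RSA key for Alice (N = 61 * 53)

def dh_keypair():
    """Secret exponent in [1, p-1] and the public message g^secret mod p."""
    secret = secrets.randbelow(P - 1) + 1
    return secret, pow(G, secret, P)

def shared(secret, peer_msg):
    """K = peer_msg^secret mod p."""
    return pow(peer_msg, secret, P)

def sign(msg):
    """Textbook RSA signature with Alice's private exponent (no padding, toy only)."""
    return pow(msg, D, N)

def verify(msg, sig):
    """Check a signature against Alice's public key (N, E)."""
    return pow(sig, E, N) == msg

def honest_exchange():
    a, ma = dh_keypair()
    b, mb = dh_keypair()
    return shared(a, mb), shared(b, ma)          # Alice's K, Bob's K

def intercepted_exchange(signed=False):
    a, ma = dh_keypair()
    b, mb = dh_keypair()
    sig = sign(ma)                               # only Alice can produce this
    o_a, to_alice = dh_keypair()                 # Oscar's pair facing Alice
    o_b, to_bob = dh_keypair()                   # Oscar's pair facing Bob
    # Oscar replaces Ma with his own value; he can only replay Alice's signature.
    if signed and not verify(to_bob, sig):
        return {"bob_aborts": True}
    return {
        "bob_aborts": False,
        "alice": shared(a, to_alice), "oscar_alice": shared(o_a, ma),
        "bob": shared(b, to_bob), "oscar_bob": shared(o_b, mb),
    }

if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("unsigned, Oscar in the middle:", intercepted_exchange())
    print("signed Ma, Oscar in the middle:", intercepted_exchange(signed=True))
```

With p = 11 Oscar's substituted value equals Ma about one time in ten, so the signed run occasionally passes; with a realistically large p that coincidence amounts to guessing Alice's secret exponent.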
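A check for the attractor behaviour described in "Random not so random", applied to the 16-bit DNS transaction ID, as an added example that is not part of the original slides. The delay-coordinate construction from successive differences, the grid size and both sample generators are assumptions; the slides show only the resulting plots.

```python
import secrets
from collections import Counter

def delay_points(ids):
    """Map a 16-bit ID sequence to 3-D points built from successive differences."""
    d = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return list(zip(d, d[1:], d[2:]))

def attractor_share(ids, cell=4096):
    """Fraction of delay points that fall into the single most crowded grid cell.

    Close to 1.0: the sequence sits on a tight attractor and is predictable.
    Close to 0.0: the points fill the space, as a random sequence should.
    """
    pts = delay_points(ids)
    cells = Counter((x // cell, y // cell, z // cell) for x, y, z in pts)
    return cells.most_common(1)[0][1] / len(pts)

def clock_like_ids(n, start=40000):
    """Constructed weak generator: a counter advanced by a small jittering step."""
    ids, cur = [], start
    for i in range(n):
        cur = (cur + 7 + i % 3) % 65536
        ids.append(cur)
    return ids

def csprng_ids(n):
    """Constructed reference: IDs drawn from the operating system's CSPRNG."""
    return [secrets.randbelow(65536) for _ in range(n)]

if __name__ == "__main__":
    print("clock-like generator:", attractor_share(clock_like_ids(2000)))
    print("CSPRNG generator:    ", attractor_share(csprng_ids(2000)))
```

Feeding the function transaction IDs captured from your own resolver's outgoing queries gives a quick indication of whether its generator shows the clustering seen in the slides' plots.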