Man in the Middle Attacks
1
Man in the Middle
• SSH authentication with agent is an
example of (benign) “man in the middle”
in authentication
• M-i-M is a fundamental problem in all
authentication protocols
– The protocols can only prove that the
legitimate party is talking
– But does it yield the desired protection against
adversaries?
2
Building a Secure Channel
• What is a secure channel?
– Messages sent between Alice and Bob
should not be
• eavesdropped by the attacker
• tampered with by the attacker
– Provide assurance on who you are talking
to
Building a secure channel out of
an insecure medium
• Use symmetric cipher
– Faster than public-key cipher
– Encryption ensures confidentiality of
communication
– Authentication and data integrity ensured by
applying message authentication code
• Need to establish a shared secret
Building a secure channel out of
an insecure medium
I am Alice
I am Bob, inc
PKB
PKB is Bob’s
public key
E(PKB , s)
{m}KC || MACKM(m)
Alice
Bob
KC, KM = h(s)
SSL/TLS
I am Alice
I am Bob, inc
PKB
PKB is Bob’s
public key
E(PKB , s)
{m}KC || MACKM(m)
Alice
Bob
KC, KM = h(s)
Borrowed from Vitaly Shmatikov’s lecture slides
MiM Attack Example:
Needham-Schroeder
• Very (in)famous example
– Appeared in a 1979 paper
– Goal: authentication in a network of workstations
– In 1995, Gavin Lowe discovered unintended
property while preparing formal analysis using
FDR system
• Background: public-key cryptography
– Every agent A has a key pair Ka, Ka-1
– Everybody knows public key Ka and can encrypt
messages to A with it (we’ll use {m}Ka notation)
– Only A knows secret key Ka-1, therefore, only A
can decrypt messages encrypted with Ka
Borrowed from Vitaly Shmatikov’s lecture slides
Needham-Schroeder Public-Key
Protocol
A’s identity
Fresh random number
generated by A
{ A, NonceA } Kb
A
{ NonceA, NonceB }
Ka
B
{ NonceB}
Kb
A’s reasoning:
The only person who could know NonceA
is the person who decrypted 1st message
Only B can decrypt message encrypted with Kb
Therefore, B is on the other end of the line
B is authenticated!
B’s reasoning:
The only way to learn NonceB is
to decrypt 2nd message
Only A can decrypt 2nd message
Therefore, A is on the other end
A is authenticated!
Borrowed from Vitaly Shmatikov’s lecture slides
What Does This Protocol Achieve?
{ A, NonceA }
A
Kb
{ NonceA, NonceB }
Ka
{ NonceB}
B
Kb
• Protocol aims to provide both authentication and secrecy
• After this the exchange, only A and B know NonceA and NonceB
• NonceA and NonceB can be used to derive a shared key
Adapted from Vitaly Shmatikov’s lecture slides
Anomaly in Needham-Schroeder
[published by Lowe]
{ A, Na }Kb
A
{ Na, Nc }Ka
{ Nc }
B can’t decrypt this
message,
but he can forward it
Evil agent B tricks
honest A into revealing
C’s private value Nc
C is convinced that he is talking to A!
B
Kb
Evil B pretends
that he is A
{ Nc }Kc
{ A, Na } Kc
{ Na, Nc } Ka
C
Adapted from Vitaly Shmatikov’s lecture slides
Lessons of NeedhamSchroeder
• Classic man-in-the-middle attack
• Exploits participants’ reasoning to fool them
• A is correct that B must have decrypted {A,Na}Kb
message, but this does not mean that message {Na,Nb}Ka
came from B
• The attack has nothing to do with cryptography!
• It is important to realize limitations of attacks
– The attack requires that A willingly talk to adversary
– In the original setting, each workstation is assumed
to be well-behaved, and the protocol is correct!
Fixing Needham-Schroeder’s protocol
{ A, NonceA }
A
Kb
{ NonceA, NonceB, B}
{ NonceB}
Ka
B
Kb
12
Adapted from Vitaly Shmatikov’s lecture slides
The attack no longer works
[published by Lowe]
{ A, Na } Kb
A
{ Na, Nc, C } Ka
B
Evil B pretends
that he is A
A will detect that the message
was actually sent by C.
{ A, Na } Kc
{ Na, Nc, C } Ka
C