Weeks 4-5: Protocols Flashcards
What are the eleven Protocol Goals?
1.) Keys are secret and fresh.
2.) Both parties are authenticated.
3.) Forward secrecy.
4.) No weak cipher used.
5.) Protocol should not be complex.
6.) Minimum possible damage from key leakage (No key compromise impersonation attacks).
7.) No offline guessing attacks against weak secrets.
8.) No “state machine” attacks (attacks in error handling).
9.) Open public design process.
10.) Post compromise security.
11.) Reveals as little metadata as possible.
What is the Needham-Schroeder public key protocol + one disadvantage of it?
- A -> B: EB(Na, A)
- B -> A: EA(Na, Nb) -> Can be MITM'd here. Add identity B to this message to fix.
- A -> B: EB(Nb)
What is Forward Secrecy?
When messages are safe from an attacker who has a recording of a protocol run and long-term keys of the principals.
What is Diffie-Hellman?
- Alice and Bob pick rA and rB and compute tA = g^rA mod p and tB = g^rB mod p respectively.
- Exchange these numbers.
- Bob calculates tA^rB mod p and Alice calculates tB^rA mod p.
Key = g^(rA rB) mod p
What is Station-to-Station Protocol?
- A -> B: g^x
- B -> A: g^y, {SB(g^y, g^x)}g^xy
- A -> B: {SA(g^x, g^y)}g^xy
- B -> A: {M}g^xy
Forward secrecy - g, x and y not stored after run.
What is TLS (1.2)?
- C -> S: Nc
- S -> C: Ns, CertS
- C -> S: Es(K_Seed), {Hash1}KCS
- S -> C: {Hash2}KCS
Where Hash = hash of entire run
and KCS = session key.
How was TLS fixed to include forward secrecy?
TLS-DHE.
- C -> S: Nc, Possible Ciphersuites
- S -> C: Ns, g^x, CertS, SignS(#(Nc, Ns, g^x)), CipherSuite
- C -> S: g^y, {#(prev. messages)}K
- S -> C: {#(prev. messages)}K
Where K = kdf(Nc, Ns, g^xy)
What is a Key Compromise Impersonation Attack?
With a static client certificate - attacker can control the client's key.
Attack is successful if the attacker can pretend to be any server - forces static DH, and the attacker knows the client key.
E.g. client certificate in a place of work - MITM.
What is one downside of DHE?
No authentication - must be done separately.
Why is TLS 1.2 a mess?
Too many cipher suites/options - lots of attacks.
2 round trips before sending data.
Complexity allows for mistakes in implementations - attacks.
How does TLS 1.3 improve over 1.2?
Only 5 very secure ciphers.
All ECDH (forward secrecy).
Few modes of operation (e.g. RSA, not static DH).
Hides server name from passive eavesdroppers.
Starts sending data after one round trip of messages.
What is TLS 1.3?
- C -> S: ClientHello
- S -> C: ServerHello, {Certificate}, {CertVerify}, {Finished}
- C -> S: {Finished}, Data encrypted with kdf5(g^xy, log5)
- S -> C: Data encrypted with kdf6(g^xy, log5)
How does ECDH work?
- A + B agree on curve and point P.
- A generates random n and sends nP, B generates random m and sends mP.
- A does n(mP), B does m(nP) - Key = nmP.
Only way to find m or n is through brute force.
Why must a curve be picked carefully for ECDH?
There may be small subgroups, e.g. 16P = P - no security (brute forceable).
What are some downsides of WPA?
Anyone can read nonces, and with the password, can generate the key required to decrypt traffic - no forward secrecy.
Can brute force keys offline with Na, Nb and some encrypted traffic.