Security protocols
A protocol is a fixed pattern of exchanges between 2 or more parties to achieve a certain task.
Protocol notation
A protocol can be described using protocol notation.
For example:
A $\rightarrow$ B: M1
B $\rightarrow$ A: M2
This describes A sending M1 to B, then B sending M2 to A.
Authentication protocols
Authentication protocols are used to authenticate communicating parties. This ensures the communicating parties are communicating with who they expect. Authentication can be achieved using digital signatures, digital certificates or passwords, but some methods are susceptible to attack.
Replay attack
Assume a digital signature is used so that B can authenticate A, but not
the other way round (unilateral authentication), over an insecure channel.
A sends a message to B signed with A's private key, denoted $[M]_A$, and
B can verify it. Using the protocol notation, this is:
A $\rightarrow$ B: $[A]_A$
B $\rightarrow$ A: $B$
If an attacker listens in on the channel and stores A's message, the
attacker can later replay this message to convince B they are A. This is
a replay attack.
One solution is a session token: A initiates contact with B, B sends a token, and A sends the signed token back. The attacker can't replay the message, because B will send back a different token, which the attacker is unable to sign. Alternatively, A could include a timestamp in their signed message to B, so that if the message is replayed it is clear that the timestamps do not match.
Unilateral and mutual authentication
- Unilateral - One party authenticates the other
- Mutual - All parties authenticate each other
A simple mutual authentication protocol for two parties is as follows:
A $\rightarrow$ B: $R_A$
B $\rightarrow$ A: $R_B$, $[R_A]_B$
A $\rightarrow$ B: $[R_B]_A$
where $R$ is a token.
Authentication spoofing
An attacker, E, can pose as a genuine user by relaying messages. A initiates contact with E, and E forwards the message to B. B sends a token to E, and E sends the token to A. A signs the token, and E forwards the signed token to B. B now thinks they are communicating with A, when they are in fact communicating with E. This is authentication spoofing.
A possible solution is to include user identity in messages. When A receives the token to sign, they include in the signed message that the token is being signed for E, so when B tries to verify it, they can see the token was not signed for them. If using encryption instead of digital signatures, B can include their identity when encrypting with A's key, so when A decrypts the message they can see the token is from B, not E.
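The session token from the replay attack section and the identity binding described above can be combined in B's verification step. The following is an added example, not part of the original notes: it uses a toy textbook-RSA key built from two small known primes purely so that it runs with the standard library, and the names `Verifier`, `sign_as_a` and `demo` are hypothetical.

```python
import hashlib
import secrets

# Toy textbook-RSA key for A (constructed from two Mersenne primes; NOT secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # A's private exponent


def _digest(token: bytes, signed_for: str) -> int:
    # Length-prefix the identity so (token, identity) pairs cannot collide.
    data = len(signed_for).to_bytes(2, "big") + signed_for.encode() + token
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_as_a(token: bytes, signed_for: str) -> int:
    """A signs the token together with the party it is being signed for."""
    return pow(_digest(token, signed_for), D, N)


class Verifier:
    """B's side: issue a fresh token per session and accept it at most once."""

    def __init__(self, name: str):
        self.name = name
        self.outstanding = set()

    def challenge(self) -> bytes:
        token = secrets.token_bytes(16)
        self.outstanding.add(token)
        return token

    def verify(self, token: bytes, signature: int) -> bool:
        if token not in self.outstanding:
            return False                     # unknown or already-used token
        self.outstanding.discard(token)      # single use
        return pow(signature, E, N) == _digest(token, self.name)


def demo() -> dict:
    b = Verifier("B")
    t1, t2, t3 = b.challenge(), b.challenge(), b.challenge()
    s1 = sign_as_a(t1, "B")
    return {
        "honest": b.verify(t1, s1),
        "replay_same_token": b.verify(t1, s1),   # token already consumed
        "replay_new_token": b.verify(t2, s1),    # old signature, new token
        "relayed_via_E": b.verify(t3, sign_as_a(t3, "E")),  # A signed for E
    }
```

Only the honest exchange verifies; both replays and the response that A signed for E are rejected by B.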
Diffie-Hellman-Merkle key exchange
The Diffie-Hellman-Merkle (DHM) key exchange protocol allows two parties to establish a secure connection over an insecure channel.
- A and B publicly decide on values of $y$ and $p$ to use in the one-way function $y^x \mathop{\mathrm{mod}}p$. $y$ needs to be a primitive root modulo $p$. An example is $y=7$ and $p=13$.
- A and B each choose a secret number for $x$ in the one-way function. Suppose A chooses 8 and B chooses 11; then the results of the one-way function would be $7^8 \mathop{\mathrm{mod}}13 = 3$ and $7^{11} \mathop{\mathrm{mod}}13 = 2$ respectively.
- The results are then exchanged, so A sends 3 to B and B sends 2 to A.
- A then applies the one-way function using the value received from B as $y$, their secret $x$ and the same $p$. For the example, A would find $2^8 \mathop{\mathrm{mod}}13 = 9$.
- B does the same with their value from A, getting $3^{11} \mathop{\mathrm{mod}}13 = 9$.
- The matching value, $9$, can now be used as their secret key for encryption. In practice, a much larger value for $p$ and the secret numbers would be used, so the secret key would be much larger as well.
A and B get the same result because of a property of modular arithmetic, which states that $(x^A \mathop{\mathrm{mod}}n)^B \mathop{\mathrm{mod}}n \equiv (x^B \mathop{\mathrm{mod}}n)^A \mathop{\mathrm{mod}}n$. The attacker can only know the result if they know the secret numbers chosen by A and B. Even though the attacker can see $y^A \mathop{\mathrm{mod}}p$ and $y^B \mathop{\mathrm{mod}}p$, it is not feasible to work out what $A$ and $B$ are, even given $y$ and $p$. It is important to note that in practice $p$ would be a very large prime number.