B. The following is a key exchange protocol used by two clients, A and B, to obtain a symmetric key KAB, using a trusted server, S. Assume that A and B had previously obtained the symmetric keys KAS and KBS securely with the server. Also assume that anyone can securely obtain a secret symmetric key with the server.
I. A → S : A, B
II. S → A : (KAB) KAS, (KAB) KBS
III. A → B : (KAB) KBS, A
Identify the attack that can be executed against this protocol, assuming that an attacker C can eavesdrop, block, or modify all messages. The attacker also has access to old (expired) keys.
C. The above protocol is now modified to become
I. A → S : A, B
II. S → A : (KAB, B) KAS, (KAB, A) KBS
III. A → B : (KAB, A) KBS
Why does the new modification improve the security over the old version? Identify the new vulnerability that exists in the new version.
D. The above protocol is now modified to become
I. A → S : A, B, NA
II. S → A : (KAB, B, NA, (KAB, A) KBS) KAS
III. A → B : (KAB, A) KBS
IV. B → A : (NB) KAB
V. A → B : (NB − 1) KAB
Identify the vulnerability in this new version.
E. Modify the protocol in part (D) to have a secure protocol.
SOLUTION
Two clients, A and B, obtain a symmetric key KAB with a trusted server S.
They previously obtained the symmetric keys KAS and KBS (securely with the server).
Assume anyone can securely obtain a secret key with the server.
I. A -> S: A,B
II. S -> A: (KAB) KAS, (KAB) KBS
III. A -> B: (KAB) KBS, A
Since the attacker C can eavesdrop, block or modify all messages and has access to old expired keys, C is able to reroute the messages to any client. Hence C has the ability to break the protocol without even breaking the cipher.
Possible Attack 1:
I. A -> S: A,B
II. S -> A: (KAB) KAS, (KAB) KBS
III. A -> C: (KAB) KBS, A
IV. C -> B: (KAB) KBS, D
Here the attacker C intercepts the message from A to B and replaces the identity A with D. B therefore believes he is sharing information with D, while he is actually communicating with A.
Possible Attack 2:
I. A -> C: A,B
II. C -> S: A,C
III. S -> C: (KAC) KAS, (KAC) KCS
IV. C -> A: (KAC) KAS, (KAC) KCS
V. A -> C: (KAC) KCS, A
Here the attacker C intercepts A's communication with B and reads all messages sent by A.
I. A -> S: A,B
II. S -> A: (KAB,B) KAS, (KAB,A) KBS
III. A -> B: (KAB,A) KBS
The above protocol improves on the previous one by adding the identities of the clients, but it is still not secure, since an attacker is able to get the value of KAB from any previous run of the protocol.
Possible Attack 1:
I. A -> C: A,B
II. C -> A: (KAB’,B) KAS, (KAB’,A) KBS
III. A -> B: (KAB’,A) KBS
KAB’ is an old session key used by A and B. The attacker can try to break the key; even if breaking it is not possible, resending the old message will create lots of problems.
I. A -> S: A,B,NA
II. S -> A: (KAB, B, NA, (KAB, A) KBS) KAS
III. A -> B: (KAB, A) KBS
IV. B -> A: (NB) KAB
V. A -> B: (NB-1) KAB
Adding timestamps or random values (NA and NB) enhances this protocol, but it still has a vulnerability: since an attacker knows old session keys, he can use one of them in the last three messages. B may think he is communicating with A using a new session key, but is actually communicating with an attacker using an old session key.
Final Secure Protocol:
I. A -> S: A,B,NA,NB
II. S -> A: (KAB, B, NA) KAS, (KAB, A, NB) KBS
III. A -> B: (KAB, A, NB) KBS
IV. B-> A: B, NB
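
The replay weakness identified in part (D) and the nonce-in-ticket check of the final protocol, as an added example that is not part of the original solution. It uses an HMAC-tagged JSON message as a stand-in for encryption and assumes B generated and remembers NB for the current run; all function names and sample keys are constructed for illustration.

```python
import hashlib, hmac, json, os

def seal(key, fields):
    # Stand-in for "(fields) K": JSON body + HMAC-SHA256 tag. It models only that
    # the holder of K produced the fields; real encryption is not modelled.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

def b_accepts_part_d(kbs, ticket, peer):
    """B in part (D): takes ticket (KAB, A) KBS, then challenges with NB under
    the ticket's KAB. `peer` answers the challenge. True means B trusts KAB."""
    kab = bytes.fromhex(unseal(kbs, ticket)["kab"])
    nb = int.from_bytes(os.urandom(4), "big") + 1
    reply = peer(seal(kab, {"nb": nb}))          # IV. B -> A: (NB) KAB
    return unseal(kab, reply)["nb"] == nb - 1    # V.  A -> B: (NB-1) KAB

def b_accepts_final(kbs, ticket, issued_nb):
    """B in the final protocol: ticket (KAB, A, NB) KBS must carry the nonce B
    issued for this run (assumption: B generated and remembers NB)."""
    return unseal(kbs, ticket).get("nb") == issued_nb

def peer_knowing(kab):
    # Whoever knows KAB can complete messages IV and V, whether that is A or C.
    return lambda challenge: seal(kab, {"nb": unseal(kab, challenge)["nb"] - 1})

def demo():
    kbs = os.urandom(32)        # constructed long-term key shared by B and S
    old_kab = os.urandom(32)    # constructed expired session key, known to C
    # Part (D): a ticket recorded in an old run is replayed to B.
    old_ticket = seal(kbs, {"kab": old_kab.hex(), "peer": "A"})
    replay_d = b_accepts_part_d(kbs, old_ticket, peer_knowing(old_kab))
    # Final protocol: the old ticket is bound to an old nonce (1111), while B
    # issued 2222 for the current run, so the replay is rejected.
    old_final = seal(kbs, {"kab": old_kab.hex(), "peer": "A", "nb": 1111})
    replay_final = b_accepts_final(kbs, old_final, issued_nb=2222)
    fresh = seal(kbs, {"kab": os.urandom(32).hex(), "peer": "A", "nb": 2222})
    return replay_d, replay_final, b_accepts_final(kbs, fresh, issued_nb=2222)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The first value shows that the NB challenge in part (D) only proves knowledge of the key inside the ticket, not that the ticket is fresh; the second and third show B rejecting a stale ticket and accepting a current one once the ticket itself carries B's nonce.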