
I've been asked to solve this security problem, as an exercise, but I have some difficulties.

Some notation:

  • C1 means Computer1,
  • S1 means Server1,
  • TA means Trusted Authentication system,
  • X -> Y | Z means X sends message Z to Y,
  • K_X,Y(m) means that m is ciphered with the symmetric key shared by X and Y.

Suppose you have C1 who wants to be identified by S1 using a TA, the protocol works as follows:

  • C1 -> S1 | C1
  • S1 -> C1 | nonce1
  • C1 -> S1 | K_C1,TA(nonce1)
  • S1 -> TA | K_S1,TA(C1, K_C1,TA(nonce1))
  • TA -> S1 | K_S1,TA(nonce1)

Why is this not secure? Maybe because C1 sends its identity as plaintext to S1, and Eve could try to fake her identity using C1's, using a replay attack? Or what else?

Matthew
Holyclaus

1 Answer


This is vulnerable to a MITM. All Eve has to do is sit in the middle and forward traffic from C1 to S1, and from S1 to C1. This entire handshake could occur, and Eve could still be communicating with S1.

Daisetsu
  • C1 should also be able to choose a nonce. Then he would have sent K_C1,TA(nonce1+nonce2). Then when it gets decrypted in the final step, C1 and S1 could generate a session key using nonce1+nonce2. – Daisetsu Apr 24 '16 at 17:49
  • Also, it's not a good idea in general to have anyone simply encrypting only content sent from another user; they should always append their own nonce or time stamp, or something, to protect against someone potentially decrypting something encrypted, since symmetric encryption uses the same key for both operations. – Daisetsu Apr 24 '16 at 17:51
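To make the answer and Daisetsu's first comment concrete, here is an added simulation that is not part of the original post: it plays the five steps from the question honestly and shows that S1 finishes with a yes/no decision but no secret shared with C1, so nothing ties later traffic to the party that answered nonce1 (which is why a relay in the middle keeps working after the handshake). It then plays the variant from the comment, where C1 adds its own nonce2 inside K_C1,TA(...) and TA returns both nonces to S1, so C1 and S1 can derive a session key that a party who only saw the wire (nonce1 in the clear, nonce2 only inside ciphertext) cannot compute. The cipher is a constructed HMAC-SHA256 keystream with an HMAC tag standing in for the page's K_X,Y(m); the key derivation from nonce1+nonce2 is my reading of the comment, not the page's own code. A production design would also mix a long-term key or a TA-issued key into that derivation.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for K_X,Y(m): HMAC-SHA256 counter-mode keystream XORed with
# the message, plus an HMAC tag over iv||ciphertext. Illustration only; use AES-GCM
# or similar in real code.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def enc(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, iv, len(msg))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def dec(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

# Long-term keys from the question (random for the simulation).
K_C1_TA = os.urandom(32)
K_S1_TA = os.urandom(32)

def derive_session_key(nonce1: bytes, nonce2: bytes) -> bytes:
    # Assumed KDF for the comment's "session key using nonce1+nonce2".
    return hmac.new(nonce1 + nonce2, b"session-key", hashlib.sha256).digest()

def exercise_protocol() -> dict:
    """The five steps exactly as the question states them, all parties honest."""
    msg1 = b"C1"                                   # 1. C1 -> S1 | C1
    nonce1 = os.urandom(16)                        # 2. S1 -> C1 | nonce1
    msg3 = enc(K_C1_TA, nonce1)                    # 3. C1 -> S1 | K_C1,TA(nonce1)
    msg4 = enc(K_S1_TA, msg1 + b"|" + msg3)        # 4. S1 -> TA | K_S1,TA(C1, K_C1,TA(nonce1))
    ident, _, inner = dec(K_S1_TA, msg4).partition(b"|")   # TA unwraps S1's envelope
    if ident != b"C1":
        raise ValueError("unknown client")
    recovered = dec(K_C1_TA, inner)                # TA uses C1's key to open the inner blob
    msg5 = enc(K_S1_TA, recovered)                 # 5. TA -> S1 | K_S1,TA(nonce1)
    accepted = hmac.compare_digest(dec(K_S1_TA, msg5), nonce1)
    # S1 learned "someone with K_C1,TA answered nonce1", but shares no secret with C1:
    # the messages that follow this handshake are not bound to it in any way.
    return {"accepted": accepted, "session_key": None}

def hardened_protocol() -> dict:
    """Daisetsu's variant: C1 contributes nonce2, both ends derive a session key."""
    msg1 = b"C1"
    nonce1 = os.urandom(16)                        # sent in the clear, visible on the wire
    nonce2 = os.urandom(16)                        # C1's own nonce, only ever sent encrypted
    msg3 = enc(K_C1_TA, nonce1 + nonce2)           # 3'. C1 -> S1 | K_C1,TA(nonce1, nonce2)
    msg4 = enc(K_S1_TA, msg1 + b"|" + msg3)
    ident, _, inner = dec(K_S1_TA, msg4).partition(b"|")
    if ident != b"C1":
        raise ValueError("unknown client")
    both = dec(K_C1_TA, inner)
    msg5 = enc(K_S1_TA, both)                      # 5'. TA -> S1 | K_S1,TA(nonce1, nonce2)
    got = dec(K_S1_TA, msg5)
    accepted = hmac.compare_digest(got[:16], nonce1)
    return {
        "accepted": accepted,
        "s1_key": derive_session_key(got[:16], got[16:]),   # S1's view
        "c1_key": derive_session_key(nonce1, nonce2),       # C1's view
        "nonce1": nonce1,                                   # what an on-path observer saw
    }

if __name__ == "__main__":
    print("original:", exercise_protocol())
    r = hardened_protocol()
    print("hardened: accepted =", r["accepted"], "keys match =", r["s1_key"] == r["c1_key"])
```

Run it and both protocols report accepted, but only the hardened one leaves C1 and S1 with matching keys; an observer who knows nonce1 alone has nothing to derive from, so every later message can be MACed under that key and checked by S1.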