Cryptography Reference
In-Depth Information
r
B
||
It's Bob, are you OK?
r
B
||
It's Alice, are you OK?
r
B
||
Yes, I'm OK
MAC
K
(
r
B
||
Yes, I'm OK
)
Alice
Attacker
Bob
r
B
||
Yes, I'm OK
MAC
K
(
r
B
||
Yes, I'm OK
)
Figure 9.5.
Reflection attack against Protocol 3
To see how the reflection attack works, we assume that an attacker is able to
intercept and block all communication between Alice and Bob. We also assume
that Bob normally recognises that incoming traffic may be from Alice through
the use of the channel, rather than an explicit identifier. This is perhaps an
unreasonable assumption, but we are trying to keep it simple. Thus, even if Alice
is no longer alive, the attacker can pretend to be Alice by sending messages on
this channel. The reflection attack works as follows:
1. Bob initiates a run of Protocol 3 by issuing a request message.
2. The attacker intercepts the request message and sends it straight back to Bob,
except that the text
It's Bob
is replaced by the text
It's Alice
.
3. At this point it is tempting to suggest that Bob will regard the receipt of a
message containing his nonce
r
B
as rather strange and will surely reject it.
However, we must resist the temptation to anthropomorphise the analysis of
a cryptographic protocol and recall that in most applications of this type of
protocol both Alice and Bob will be computing devices following programmed
instructions. In this case Bob will simply see a request message that appears
to come from Alice and, since he is alive, will compute a corresponding reply
message. He then sends this reply to Alice.
4. The attacker intercepts this reply message and sends it back to Bob.
5. Bob, who is expecting a reply from Alice, checks that it contains the expected
fields and that the MAC is correct. Of course it is, because he computed it
himself!
We can regard the reflection attack described in Figure 9.5 as two nested runs of
Protocol 3:
• The first run is initiated by Bob, who asks if Alice is alive. He thinks that he is
running it with Alice, but instead he is running it with the attacker.
