1994-07-26 - Re: CYPHERPUNKS TO THE RESCUE

Header Data

From: Matt Blaze <mab@research.att.com>
To: cypherpunks@toad.com
Message Hash: ec613f430729d55314cd32da90b1998852b88fe15d177e60d9ad184696a09849
Message ID: <9407261914.AA24348@big.info.att.com>
Reply To: N/A
UTC Datetime: 1994-07-26 19:18:32 UTC
Raw Date: Tue, 26 Jul 94 12:18:32 PDT

Raw message

From: Matt Blaze <mab@research.att.com>
Date: Tue, 26 Jul 94 12:18:32 PDT
To: cypherpunks@toad.com
Subject: Re: CYPHERPUNKS TO THE RESCUE
Message-ID: <9407261914.AA24348@big.info.att.com>
MIME-Version: 1.0
Content-Type: text/plain


norm@netcom.com (Norman Hardy) writes:

>At 09:51 1994/07/26 -0400, Russell Nelson wrote:
>>Why not generate a random number, checksum it, and sign it using a
>>public key?  Or is that overkill?
>...
>Seems good. But to thwart replay of the signed message the garage unit must
>never accept the same signed number twice. How about the car unit signing
>successive numbers. The garage unit would remember the last number that it
>accepted and only accept signed numbers larger than that. Garbled
>transmissions would then cause no problems. They would be fixed by yet new
>transmissions, just as with current units.
>

As Eric Hughes points out (a couple of messages after these), you don't
need public-key signatures for this; any secret key cipher or hash function
will do, since the  base and remote trust each other unconditionally
(at least for garage doors; nuclear weapons may be a different story).

Both base and remote need to store a shared key and a counter; the remote 
needs a transmitter and the base needs a receiver.  To authenticate
itself, the remote sends {counter, hash(key,counter)} and then increments
its counter.  The base calculates the hash for the received counter value,
verifies that it matches the received hash value, verifies that the counter
increases the stored counter value, stores the new value,  and opens
the door.  A practical system system also probably include some mechanism
for rekeying and for zeroizing the counters.

There is no need for public key cryptography, two way communication (except
for key setup), synchronized clocks, or extensive storage at either side.

This protocol as described is very simple, almost trivial; given the right
constraints it follows almost directly from the problem.  I mention
it because very small variations and poorly chosen parameters render
it vulnerable to several classic protocol failures.

First, observe that this system has a work factor to break of no more than
the SMALLER of the secret hash key and the size of the hash output.  Clearly,
a single {counter, hash(key,counter)} message contains enough information to
permit an conventional exhaustive search for key.  If the hash space is
too small (say, 16 bits or so), the adversary can select an unused counter
value and probe the receiver with random hash values until the door opens.
Worse, if the bad guy selects a counter value that is much larger than the 
remote's counter value, it has the added bonus of denial-of-service to the
real user.

Also, note that the order of operation on the receiver's part is critical.
If the received counter value is stored BEFORE the hash is received, we
are also vulnerable to denial-of-service (but at least not false
authentication).

Finally, there is the "man in the middle" attack, in which the bad guy
intercepts a message intended for but never received by the base,
records it, and plays it back later (but before the real owner returns
to increment the counter again).  A likely scenario involves pushing the
button twice on return home, but where only the first message is received by
the base. One way to deal with this is to encourage frequent resyncs between
the base and remote; for example, the remote, when in the garage, could send
periodic "null" commands that increment the counters without actually
opening the door.  (Of course, you'd need to make sure that these messages
themselves cannot be used to construct spoofed open-door messages.)  Basing
the counter in part on a real-time clock would also help here, but again,
this complicates the protocol greatly and increases the opportunities for
both denial-of-service (if the clocks get too far out of sync) and false
authentication (if the clocks get reset - say at daylight savings time...)

My point is not that this is a particularly hard problem, only that
even simple cryptographic protocols can have serious bugs.

-matt





Thread