Attacking the Interlock
Protocol
Abstract:
The Interlock Protocol is used as a mechanism to foil the Man in the Middle Attack, however by the attack proposed below, it is shown that the Interlock Protocol is insecure. It involves faking the first packet of the communication and the 'man in the middle' sending forth half of the (n) th packet when he receives half of the (n+1) th packet and completes the attack.
Keywords:
Man in the
Middle Attack, Interlock
Protocol.
Introduction
Let Alice and Bob be two legitimate users attempting secure communication with out a shared secret and Mallory be the Man in the Middle.
The following are the sequences of the
Man in the
Middle Attack.
1.
2. Bob sends
3. Then
4. Then Bob sends a message to Alice, encrypted using "
The following are the sequences that define the Interlock Protocol.
1.
2. Bob sends
3.
4. Bob encrypts his message using
5.
6. Bob puts the two halves of
7.
Here Mallory can still substitute his own public key for Alice and Bob. Now
when he intercepts half of
The
Attack:
The
attack involves faking the first full-transmitted packets of Alice and Bob.
Then Mallory transmits the half of the (n) th packet when he receives the (n+1)
th packet.
It is explained as below.
Let:
A = Alice
B = Bob
M = Mallory
1:1 indicate first packet, first half
1:2 indicate first packet, second half
2:1 indicate second packet, first half
2:2 indicate second packet, second half
and so on.
An empty column in the table denotes the actual sender.
|
No: |
|
Mallory |
Bob |
|
1 |
|
A->1:1 |
M->1:1 |
|
2 |
M->1:1 |
B->1:1 |
|
|
3 |
|
A->1:2 |
M->1:2 |
|
4 |
M->1:2 |
B->1:2 |
|
|
5 |
|
A->2:1 |
A->1:1 |
|
6 |
B->1:1 |
B->2:1 |
|
|
7 |
|
A->2:2 |
A->1:2 |
Since the first full packet is faked, Mallory has one full packet of Alice with
which he can decrypt with his private key and re-encrypt it with Bob's public
key and vice versa and successfully launch the Man in the
Man in the
Middle Attack .It is assumed that a delay in the first block does not rise
uspicion and for the
attack to be successful more than one block is to be transmitted. This attack
on the Interlock
protocol
works even if an initialization vector or hash be used, since it can be faked
by Mallory.
E.g.: Consider that every message except the very first one has a hash of the
previously received message as follows
A -> (M ->) B: half 1 of message A1
B -> (M ->) A: half 1 of message B1 | hash (half 1 of
message A1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of
message B1)
B -> (M ->) A: half 2 of message B1 | hash (half 2 of
message A1)
A -> (M ->) B: half 1 of message A2 | hash (half 2 of
message B1)
... and so on. Since M captures A1 and B1, he can compute the hashes for both
the initial message and the one that follows. Hence the attack still
works.
E.g.: Consider they send the hash of the other half as follows
A -> (M ->) B: half 1 of message A1 | hash (half 2 of message A1)
B -> (M ->) A: half 1 of message B1 | hash (half 2 of message B1)
A -> (M ->) B: half 2 of message A1 | hash (half 1 of message A1)
B -> (M ->) A: half 2 of message B1 | hash (half 1 of message B1)
... and so on. M fakes the first message in both direction, and then computes
the hashes. The
attack still works.
