In the last post I talked a bit about some of the attack scenarios that people might use to get at the system. In essence what we've got is a PKI system, where we centrally assert that a user's public key is authentic and that you can trust us.
But what if you couldn't? If I take a flight from London to Japan, I can stop over in any number of countries, some of which don't have a particularly fantastic track record when it comes to respecting people's rights, not just the right to privacy but things like the right not to be tortured. Some people building similar protocols have spoken about how they'd rather go to prison than let the system be compromised. Thing is, that's the wrong sort of mindset to have. If I land in an unfriendly country, it's not if I have to collude in breaking the system, it's when. If someone wants to start chopping off digits I'll do just about anything they want me to. Even if you're the sort of person who'll die to protect people's privacy, what about your sysadmins, your developers, or anyone else who works on the system? Do they have children? Are they all SERE-trained ninjas? Because I'm not.
No, the trick has got to be that the system detects attempts to break it, so that any such attempt is too risky to be worth making and the people running the system are no longer the weakest link in the chain.
So let's go back to the system. Alice and Bob use the system. They've been through the authentication process and come up gleaming; sat in our directory are Alice1 and Bob1, their public keys. As Alice and Bob know each other they have each other's public keys in their address books. Now, I'm holidaying in Palawan, southern Philippines, and I'm abducted by Katy the Kidnapper and Tim the Torturer. Tim has become interested in Alice and Bob and wants to tap their communications. He's got me tied to a chair with electrodes attached and I'm in full compliance mode.
Now Tim and Katy can't ask me to decrypt their chats, I don't have the keys. I can block the chats but they'll likely work out something is wrong; either way I can't read the communications. But Tim is cunning (and you have to absolutely bank on the fact that the world is rammed with cunning people): he proposes to generate a new key pair and replace Alice's key in the directory with his own, AliceEvil1. Tim then captures the negotiation from Bob, pretends to be Alice, completes the negotiation and forwards the message on to Alice. Problem is, Bob signs this negotiation message, and as soon as Alice gets it she checks the signature. As it fails verification (because Tim can't pretend to be Bob too) she knows something is up and gives passing thought to a programmer in a dungeon somewhere. But Tim is a cunning fox, and realizes that if this is to work he has to pretend to be Bob to Alice and Alice to Bob. He goes and replaces Bob's public key too, with BobEvil1.
We now have AliceEvil1 and BobEvil1 in the directory. We'll also assume that neither Bob nor Alice will think this change is strange (in the protocol we'll warn them). The next thing that will happen is that when others refresh their address books they'll get told that Alice or Bob have changed their keys. As this isn't a hugely common event, they'll be asked if they want to check with Alice and Bob directly (bypassing the system and sending them a text message or phoning them). Better still, as many people share contacts it's entirely possible that Mike, friends with both Alice and Bob, will get pinged about both changes at the same time. As will anyone else. So publishing duff keys to everyone is risky and Tim will likely get caught. But wait, I hear you say, what about the text messages? If they're willing to kidnap me they're willing to kidnap someone who can manipulate text messages too. It's a fair point. It's why the real-time nature of calling someone is useful (and one of the reasons phones are good for this application). OK, but what about blocking calls? Yes, but Tim would have to block all calls, because he doesn't know which one is from a concerned friend, and that gets riskier still. Replace call with tweet, Facebook update, whatever: there's a significant amount of noise to warn someone that there is a duff key in the directory.
Back to Tim. Tim really, really, really wants to read these messages, so he's come up with an alternative to publishing AliceEvil1 and BobEvil1 in the directory. How about getting me (nipple clamps, car battery) to publish AliceEvil1 and BobEvil1 only to Bob and Alice respectively? Clever bloke, this Tim. Much reduced footprint, much less likely to get caught; he likes this idea. So now he's set up as the perfect man in the middle. He can pretend to be Alice to Bob and vice versa and nobody else knows. He also controls all of the messages in and out of both Alice's and Bob's phones, and all the phone calls. So somehow Alice needs to verify that Bob's public key is Bob's, and she can't by definition ask Bob. So she asks Mike. She wants to ask Mike whether Bob's public key is legit. If Mike gets the message he checks his phone book and the directory to see what's there and sends a message back to Alice. But hang on, can't Tim be a man-in-the-middle there too? Yes, but he's now also got to pretend to be Alice to Bob, Bob to Alice and Mike to Alice. This means publishing MikeEvil1 to Alice, and seeing as Alice has just had Bob change his public key, she's thoroughly suspicious by now. Better yet, if we bias the choice of verifier towards the oldest keys in your address book, weighted by the most active users on the system, we end up asking someone with a well-established public key in your address book (which would also need replacing) who'll give a prompt response ('cause Mike's a chat fiend). If we then throw in a random selection from that subset, Tim can't even know ahead of time who he's supposed to impersonate (so he can't make the key substitution beforehand, and he also needs to act as the go-between for all of Alice and Mike's messages too).
Lastly, Tim controls all the messages in and out. Alice knows she's asked Mike and expects a response; Tim can block that message, but Alice will get suspicious (we should tell her to be suspicious and try phoning Mike and Bob). Better yet, if Alice picks someone she also chats to, she'd potentially notice that all their messages had stopped, but this is probably minor.
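As an added illustration (not code from the original post), here is a small Python sketch of the checks described above: spotting a changed key when the address book is refreshed against the directory, picking a verifier at random from the well-established, chatty part of the address book, and comparing the key Alice was served against what that verifier holds. The names, address books, scoring formula and Tim's tampered directory view are all constructed assumptions.

```python
import hashlib, random
from dataclasses import dataclass

def fingerprint(pubkey: bytes) -> str:
    """Short digest that peers exchange (or read out over the phone) instead of whole keys."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

@dataclass
class Contact:
    key: bytes
    key_age_days: int  # how long this key has sat unchanged in the address book
    messages: int      # how much we chat with this contact

def detect_key_changes(address_book, directory_view):
    """On refresh: contacts whose published key no longer matches the cached one."""
    return sorted(n for n, c in address_book.items()
                  if n in directory_view and directory_view[n] != c.key)

def pick_verifiers(address_book, exclude, k, rng):
    """Favour long-held keys and chatty contacts, then sample at random so an
    attacker cannot know ahead of time whose key would need substituting."""
    ranked = sorted((n for n in address_book if n not in exclude),
                    key=lambda n: address_book[n].key_age_days * (1 + address_book[n].messages),
                    reverse=True)
    pool = ranked[:max(k, len(ranked) // 2)]  # the well-established, active subset
    return rng.sample(pool, min(k, len(pool)))

def cross_check(served_key, peer_books, target):
    """Alice's side: each chosen peer reports the fingerprint it holds for target;
    a report that differs from the served key marks that key as suspect (True)."""
    mine = fingerprint(served_key)
    return {peer: target in book and fingerprint(book[target].key) != mine
            for peer, book in peer_books.items()}

# Constructed (hypothetical) data: address books, and the directory as Tim serves it to Alice only.
BOB1, BOB_EVIL1, MIKE1, CAROL1 = b"Bob1", b"BobEvil1", b"Mike1", b"Carol1"
ALICE_BOOK = {"Bob": Contact(BOB1, 400, 50), "Mike": Contact(MIKE1, 900, 300),
              "Carol": Contact(CAROL1, 20, 1)}
PEER_BOOKS = {"Mike": {"Bob": Contact(BOB1, 800, 120)}, "Bob": {"Mike": Contact(MIKE1, 800, 120)}}
TAMPERED_VIEW = {"Bob": BOB_EVIL1, "Mike": MIKE1, "Carol": CAROL1}  # Bob's key swapped

def alice_refresh(directory_view, rng=None):
    """Walk the post's scenario: spot changed keys, ask a chosen peer, flag mismatches."""
    rng = rng or random.Random(0)
    report = {}
    for name in detect_key_changes(ALICE_BOOK, directory_view):
        peers = pick_verifiers(ALICE_BOOK, exclude={name}, k=1, rng=rng)
        report[name] = cross_check(directory_view[name],
                                   {p: PEER_BOOKS.get(p, {}) for p in peers}, name)
    return report
```

With Tim's targeted substitution, `alice_refresh(TAMPERED_VIEW)` flags Bob's served key because Mike still holds Bob1; swapping Mike's key for Alice as well just produces a second warning.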
ARGH! Tim, being cunning, doesn't go kidnapping people lightly, and having worked all this out decides that Katy had just better kidnap Alice.
This is what I mean about being unpopular. The system is set up to be entirely trustworthy for 99% of users, and in the cases where it might not be, to be so risky to interfere with that it isn't a way to get at people's messages without being discovered.