
My question relates to the station-to-station protocol as described in https://en.wikipedia.org/wiki/Station-to-Station_protocol [1] and http://cacr.uwaterloo.ca/hac/ [2] p 519.

(1) Alice → Bob : $g^x$
(2) Alice ← Bob : $g^y$, $E_K(S_B(g^y, g^x))$
(3) Alice → Bob : $E_K(S_A(g^x, g^y))$

I fail to understand the reasons behind why Bob signs $g^y \| g^x$ (concatenated) and Alice signs $g^x \| g^y$. [1, 2] say the order of $g^x$ and $g^y$ is important. Why? And why sign $g^y \| g^x$? Are there variants of what is signed? A random challenge could be included?

Frans Lundberg

2 Answers


The 1992 paper http://people.scs.carleton.ca/~paulv/papers/sts-final.pdf by Diffie et al. answers the question. It has an example of an insecure variant of the protocol that uses signatures of random challenges. Furthermore, the section "Signing only one's own exponential" considers a variant where Alice signs only $g^x$. According to the paper, there is an attack on this variant when RSA signatures are used. And it seems open to replay attacks (see DuBuisson's answer).

The section "Signing only the other party's exponential" considers the variant where Alice signs only $g^y$. For this case the authors of the paper say: "we know of no general attack which applies to this case, but there are some concerns". One concern is that "it is imprudent to sign arbitrary text supplied by a potential adversary".

Frans Lundberg

No Signature

Let's look at a version where the responder does NOT sign message 2.

(1) Tom → Frans : $g^x$
(2) Tom ← Frans : $g^y$, $E_K(g^x, g^y)$
(3) Tom → Frans : $E_K(S_A(g^x, g^y))$

What if there is someone in the middle?

(1) Tom → $g^x$ → DIRNSA → $g^d$ → Frans
(2) Tom ← $g^d$, $E_K(g^x, g^d)$ ← DIRNSA ← $g^y$, $E_K(g^d, g^y)$ ← Frans

Well shucks. Now I can't tell that DIRNSA just performed a MITM attack and I'm talking to him instead of (or in addition to) you. If you had just signed the message we wouldn't have had this problem (or DIRNSA would have had to work harder), but now the attack is stupidly trivial.

Notice the values ($g^x, g^y, g^d$) are ephemeral, not long term secrets, which allows this replacement to take place. There is no way to verify $g^d$ isn't the correct public value.

Signing a Challenge

(1) Tom → ($g^x$, Challenge_1) → DIRNSA → ($g^d$, Challenge_1) → Frans
(2) Tom ← $g^d$, $E_K(g^x, g^d, \mathrm{Sig}_{Frans}(\mathrm{Challenge}_1))$ ← DIRNSA ← $g^y$, $E_K(g^d, g^y, \mathrm{Sig}_{Frans}(\mathrm{Challenge}_1))$ ← Frans

It is easy to see that the existence of a signed challenge shows liveness but does nothing to assure us the channel is secure.

Signing $(g^x,g^y)$ instead of $(g^y, g^x)$

This is very much the same thing conceptually. So long as both sides agree on the order the signature provides the needed security. What you can't have is one side signing a message in one order and the other side trying to re-construct a message and verify a signature with the other order.

Signing One's Own Ephemeral Public Key (Bob Signing $g^y$)

This does not give Alice any proof of liveness and can result in replay attacks.

Thomas M. DuBuisson
    Thank you. I realize the possibility of a MITM when nothing is signed. But why does Bob sign (gy, gx) and not (gx, gy) or only (gx) or (gx, random-challenge-from-alice)? I have a feeling there may be variants. Sorry about the imprecise question. – Frans Lundberg Sep 27 '15 at 07:38
  • @FransLundberg OK, I edited it. – Thomas M. DuBuisson Sep 27 '15 at 20:39
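As an added example that is not part of either answer, the Python below models the three variants DuBuisson walks through (no signature, a signed challenge, and STS with both exponentials signed, own value first as in the question's protocol) against a relaying man in the middle in the DIRNSA role, and also the order point from "Signing $(g^x,g^y)$ instead of $(g^y, g^x)$". Everything in it is an assumption chosen for readability rather than security: the group is $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{61}-1$ with exponents reduced mod $p-1$, the base is 3, the signature is a toy Schnorr scheme, $E_K$ is a SHA-256 keystream with an HMAC tag, and the party and function names (`exchange`, `payload`, `accept`, "Mallory") are mine.

```python
import ast
import hashlib
import hmac
import secrets

# Assumed toy group: Z_p^* for the Mersenne prime p = 2^61 - 1, with exponents
# reduced mod N = p - 1 (g^N = 1 for every g).  Not secure; kept small on purpose.
P, N, G = 2**61 - 1, 2**61 - 2, 3

def h(*parts):
    """SHA-256 of the '|'-joined parts as an int; binds every element of a tuple."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def keygen():
    """Random exponent and its public value g^x (used for long-term and ephemeral keys)."""
    x = secrets.randbelow(N - 2) + 2
    return x, pow(G, x, P)

def sign(sk, msg):
    """Toy Schnorr signature (r, s) over the tuple msg."""
    k = secrets.randbelow(N - 2) + 2
    r = pow(G, k, P)
    return r, (k + h("sig", r, *msg) * sk) % N

def verify(pk, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pk, h("sig", r, *msg), P) % P

def _stream(key, n):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def enc(k, obj):
    """E_K: toy encrypt-then-MAC of repr(obj) under the DH shared secret k."""
    key, data = k.to_bytes(8, "big"), repr(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def dec(k, blob):
    """Inverse of enc; None if the tag does not verify under k."""
    key, ct, tag = k.to_bytes(8, "big"), blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return ast.literal_eval(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))).decode())

def payload(variant, sk, own, peer, chal):
    """Contents of E_K.  'sts': sign (own, peer), own exponential first as in the
    book; 'challenge': sign only the challenge; 'none': both values, unsigned."""
    if variant == "none":
        return (own, peer), None
    m = (own, peer) if variant == "sts" else (chal,)
    return m, sign(sk, m)

def accept(variant, pk, own, peer, chal, inner):
    """Receiver's check.  The sender wrote (sender's, mine), so the receiver
    expects (peer, own): both sides must agree on that order."""
    if inner is None:                       # wrong key or tampered ciphertext
        return False
    m, sig = inner
    if variant == "none":
        return m == (peer, own)
    expected = (peer, own) if variant == "sts" else (chal,)
    return m == expected and verify(pk, expected, sig)

def exchange(variant, mitm=False):
    """Run the three messages; Mallory (the DIRNSA role) relays when mitm is set.
    Returns (alice_accepts, bob_accepts)."""
    a_sk, a_pk = keygen()                   # long-term signing keys, public parts known to all
    b_sk, b_pk = keygen()
    x, gx = keygen()                        # ephemeral DH values: Alice, Bob, Mallory
    y, gy = keygen()
    d, gd = keygen()
    chal = secrets.randbits(64)             # Alice's challenge, sent next to g^x
    # (1) Alice -> Bob: g^x.  Mallory swaps in g^d.
    bob_peer = gd if mitm else gx
    k_bob = pow(bob_peer, y, P)
    # (2) Bob -> Alice: g^y, E_K(payload).
    c2 = enc(k_bob, payload(variant, b_sk, gy, bob_peer, chal))
    alice_peer = gy
    if mitm:
        k_mb, k_ma = pow(gy, d, P), pow(gx, d, P)   # Mallory shares one key with each side
        body = dec(k_mb, c2)
        if variant == "none":
            body = ((gd, gx), None)         # nothing is signed, so just rewrite it
        alice_peer, c2 = gd, enc(k_ma, body)        # forward g^d, re-encrypt for Alice
    k_alice = pow(alice_peer, x, P)
    alice_ok = accept(variant, b_pk, gx, alice_peer, chal, dec(k_alice, c2))
    if not alice_ok:
        return False, False                 # Alice aborts; message 3 is never sent
    # (3) Alice -> Bob: E_K(payload), relayed the same way.
    c3 = enc(k_alice, payload(variant, a_sk, gx, alice_peer, chal))
    if mitm:
        body = dec(k_ma, c3)
        if variant == "none":
            body = ((gd, gy), None)
        c3 = enc(k_mb, body)
    return True, accept(variant, a_pk, gy, bob_peer, chal, dec(k_bob, c3))

def wrong_order_verifies():
    sk, pk = keygen()
    gx, gy = keygen()[1], keygen()[1]
    # signed as (g^y, g^x), checked as (g^x, g^y): the hashed message differs
    return verify(pk, (gx, gy), sign(sk, (gy, gx)))

if __name__ == "__main__":
    for v in ("none", "challenge", "sts"):
        print(f"{v:9s} honest={exchange(v)} mitm={exchange(v, mitm=True)}")
    print("signature over (g^y, g^x) verifies as (g^x, g^y):", wrong_order_verifies())
```

Run as a script it prints one line per variant: all three accept in the honest run, but under the relay only the STS variant aborts, because Mallory can decrypt and re-encrypt Bob's signature (she holds both shared keys) yet cannot change the exponentials it binds; the challenge-only signature survives the relay untouched, which is DuBuisson's "liveness but no channel security" point. The last line shows that a signature over $(g^y, g^x)$ does not verify as $(g^x, g^y)$, which is why the two sides have to agree on the order.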