Score:2

How is MitM attack prevented when complete session is hijacked?


Let's say there is mutual authentication between a client which connects to a server over an otherwise unsecured TCP channel. Both parties create a random challenge and the other side answers with a keyed hash based on a pre-shared symmetric key.

$$C\rightarrow open \,\, connection \rightarrow S$$ $$C\rightarrow challenge_C \rightarrow S$$ $$C\leftarrow challenge_S \leftarrow S$$

$$C\rightarrow H_K(challenge_S) \rightarrow S$$ $$C\leftarrow H_K(challenge_C) \leftarrow S$$

$$C \leftarrow authenticated \rightarrow S$$

However, an adversary ("man-in-the-middle") could listen on the network by whatever means. Whenever a client C is going to establish a TCP connection to the server, the MitM could at the same moment establish another adversary client session C' and inject all the communication he overhears between C and S into the session between C' and S, so that C' gets authenticated against S.

It seems too simple - so where is my mistake?

Score:4

It's not really that C or C' gets authenticated such that from then on S can trust data appearing to originate from C or C' in a general sense. If that were true, S would trust any plaintext, unauthenticated information that appeared to be sent from C to S. That would clearly be liable to a man-in-the-middle attack that just waited for the initial challenge-response steps to complete prior to then meddling with the information being communicated.

What's really happening in a secure protocol is that C and S mutually authenticate as part of a process to establish a symmetric session key that they then both use to communicate using authenticated symmetric encryption. This is what proves they are genuinely still talking to one another, and not a man-in-the-middle attacker.

If you don't care about having a per-session symmetric key so that there is forward secrecy, and if both sides maintain a long-term counter (to prevent replay attacks), then if you have a pre-shared symmetric key you could just jump directly to communicating via authenticated encryption (which uses and increments the counter with each message sent) without the need for the challenge-response steps you've outlined in your question.

MichaelW
"If you don't care...": That was what always surprised me: a session is set up, but within this a pre-shared key is used without agreeing on a session key. What is the point of this session then? Yes, in the protocol I talk about there is the option to use a session key, but it is not mandatory and we don't use this option. Everything depends on not accepting double initialization vectors for GCM/GMAC.
knaccc
@MichaelW if your IV for authenticated symmetric encryption is based on the challenges or challenge responses, then that would bind the encrypted channel to the challenge/response interchange that just occurred, and would protect you from a replay attack.
knaccc
@MichaelW if you both reliably maintained a list of previously used IVs, then that would prevent replay attacks where the server had already seen that IV. However, a MITM attacker could steal the IV and message and not let it reach the server, and then replay the message by hijacking a session that happens in the future. That is why if you're not cutting corners, the session should be bound to the challenge/response sequence either via an IV based on those challenges or via a newly determined session key based on the PSK and those challenges.
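As an added example that is not part of the question, the answer or the poster's actual protocol, here is a stdlib-only Python model of what the answer and the comments recommend: the four challenge/response messages from the question, session keys derived from the PSK and both challenges, and counter-nonce authenticated encryption on top. The HMAC-based toy cipher, the key labels and all function names are assumptions chosen for illustration; a real deployment would use AES-GCM or similar rather than HMAC-as-PRF. The three attack functions try the MITM forgery from the answer, the cross-session replay from knaccc's last comment, and an in-session replay.

```python
"""Toy model of the thread's PSK handshake plus bound session keys.
Constructed for illustration; stdlib only (HMAC-SHA256 serves as the keyed
hash H_K, as the KDF, and as the PRF of a counter-mode toy cipher)."""
import hashlib
import hmac
import os
import struct

PSK = b"constructed pre-shared key known to C and S only"   # assumption
TAG_LEN = 32


def hk(key: bytes, data: bytes) -> bytes:
    """H_K(data): the keyed hash the question uses for challenge responses."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_session_keys(psk: bytes, challenge_c: bytes, challenge_s: bytes):
    """HKDF-style derivation: keys depend on the PSK *and* on both fresh
    challenges, so a transcript from one session is useless in another."""
    prk = hk(psk, b"session|" + challenge_c + b"|" + challenge_s)
    return hk(prk, b"enc"), hk(prk, b"mac")


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC as the PRF (toy cipher, not AES-GCM)."""
    blocks = (length + 31) // 32
    return b"".join(hk(k_enc, nonce + struct.pack(">I", i)) for i in range(blocks))[:length]


def ae_seal(keys, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the message counter as nonce. The counter travels
    in the clear but is covered by the tag, so it can't be altered or reused."""
    k_enc, k_mac = keys
    nonce = struct.pack(">Q", counter)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hk(k_mac, nonce + ct)


def ae_open(keys, expected_counter: int, msg: bytes):
    """Returns the plaintext, or None if the counter or the tag is wrong."""
    k_enc, k_mac = keys
    nonce, ct, tag = msg[:8], msg[8:-TAG_LEN], msg[-TAG_LEN:]
    if struct.unpack(">Q", nonce)[0] != expected_counter:
        return None                     # replay or reordering within the session
    if not hmac.compare_digest(tag, hk(k_mac, nonce + ct)):
        return None                     # forged, modified, or from another session
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def handshake(psk_client: bytes, psk_server: bytes):
    """The challenge/response exchange from the question, then key derivation.
    Returns (client_keys, server_keys, transcript); the transcript is everything
    an eavesdropper or a relaying MITM gets to see."""
    challenge_c, challenge_s = os.urandom(16), os.urandom(16)
    resp_c = hk(psk_client, challenge_s)          # C -> S: H_K(challenge_S)
    resp_s = hk(psk_server, challenge_c)          # C <- S: H_K(challenge_C)
    if not hmac.compare_digest(resp_c, hk(psk_server, challenge_s)):
        raise ValueError("server rejects client")
    if not hmac.compare_digest(resp_s, hk(psk_client, challenge_c)):
        raise ValueError("client rejects server")
    transcript = (challenge_c, challenge_s, resp_c, resp_s)
    return (derive_session_keys(psk_client, challenge_c, challenge_s),
            derive_session_keys(psk_server, challenge_c, challenge_s), transcript)


def honest_roundtrip() -> bytes:
    ck, sk, _ = handshake(PSK, PSK)
    return ae_open(sk, 0, ae_seal(ck, 0, b"transfer 10 EUR"))


def mitm_forgery_rejected() -> bool:
    """A relaying MITM saw the whole handshake but not the PSK. Keys derived
    from the transcript alone (modelled as an empty PSK) fail at the server."""
    _, sk, (challenge_c, challenge_s, _, _) = handshake(PSK, PSK)
    attacker_keys = derive_session_keys(b"", challenge_c, challenge_s)
    return ae_open(sk, 0, ae_seal(attacker_keys, 0, b"transfer 10000 EUR")) is None


def cross_session_replay_rejected() -> bool:
    """knaccc's scenario: the MITM captures a valid message, suppresses it, and
    replays it into a later session at counter 0. Fresh challenges give fresh
    session keys, so the tag fails even though the counter matches."""
    ck1, _, _ = handshake(PSK, PSK)
    captured = ae_seal(ck1, 0, b"transfer 10 EUR")    # never delivered
    _, sk2, _ = handshake(PSK, PSK)                    # a future session
    return ae_open(sk2, 0, captured) is None


def in_session_replay_rejected() -> bool:
    """Same session, same message delivered twice: the counter check refuses it."""
    ck, sk, _ = handshake(PSK, PSK)
    msg = ae_seal(ck, 0, b"transfer 10 EUR")
    first = ae_open(sk, 0, msg)
    second = ae_open(sk, 1, msg)                       # server now expects counter 1
    return first == b"transfer 10 EUR" and second is None
```

The point the model makes concrete is the one in the answer: the challenge/response step by itself only proves that someone holding K was on the other end at that instant; it is the derivation of the session keys from K and both challenges, and the counter inside the authenticated encryption, that keep a relaying attacker from injecting, modifying or replaying anything afterwards.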