2

Assuming I've securely exchanged keys with another computer (using Diffie-Hellman perhaps), here's my tentative solution:

packet number + encrypted data + message authentication code (MAC)

The packet number is an incrementally-increased number starting at 0. After that is the encrypted data itself, followed by a MAC of them both. If someone attempts a MITM attack, the MAC should fail to compute. If they attempt a replay attack, the recipient will notice it has already received that packet number.

Is there any flaw in my reasoning here?

4
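The framing from the question (packet number + encrypted data + MAC) and the receiver-side checks it relies on, as an added example that is not part of the original post. It assumes the two keys came out of the key exchange already, uses an HMAC-derived keystream as a stand-in for the real cipher (a placeholder, not a recommendation), and shows the two checks the asker describes: the MAC fails on a tampered packet and the counter catches a replay. It also refuses to let the counter wrap, which one of the answers below raises as the remaining hole.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; in practice both come out of the Diffie-Hellman
# exchange the question assumes (via a KDF), one for encryption, one for the MAC.
ENC_KEY = bytes.fromhex("00" * 32)
MAC_KEY = bytes.fromhex("11" * 32)

COUNTER_BYTES = 4                              # 32-bit packet number
COUNTER_MAX = 2 ** (8 * COUNTER_BYTES) - 1
TAG_LEN = 32                                   # HMAC-SHA256 tag


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Placeholder keystream derived with HMAC so the example stays in the
    standard library. It stands in for the question's "encrypted data"; real
    code should use a vetted AEAD such as AES-GCM instead."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.counter = 0

    def seal(self, plaintext: bytes) -> bytes:
        # Never wrap the counter: a wrapped counter reuses keystream and lets
        # packets from the previous cycle pass the replay check.
        if self.counter > COUNTER_MAX:
            raise RuntimeError("packet counter exhausted; rekey before sending more")
        header = struct.pack(">I", self.counter)
        ciphertext = xor_bytes(plaintext, keystream(self.enc_key, self.counter, len(plaintext)))
        # MAC covers the packet number and the ciphertext, as the question specifies.
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        self.counter += 1
        return header + ciphertext + tag


class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.next_expected = 0   # an accepted packet number must be >= this

    def open(self, packet: bytes) -> bytes:
        if len(packet) < COUNTER_BYTES + TAG_LEN:
            raise ValueError("truncated packet")
        header = packet[:COUNTER_BYTES]
        ciphertext = packet[COUNTER_BYTES:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        # Check the MAC first (constant-time compare), so a forged packet
        # reveals nothing about the receiver's replay state.
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC check failed (tampered or forged packet)")
        (counter,) = struct.unpack(">I", header)
        if counter < self.next_expected:
            raise ValueError(f"replay: packet {counter} already seen")
        self.next_expected = counter + 1
        return xor_bytes(ciphertext, keystream(self.enc_key, counter, len(ciphertext)))


def demo() -> dict:
    """Deliver one packet, then a replayed copy, then a tampered copy."""
    sender, receiver = Sender(ENC_KEY, MAC_KEY), Receiver(ENC_KEY, MAC_KEY)
    results = {}
    packet = sender.seal(b"transfer 10 coins")
    results["first"] = receiver.open(packet)
    try:
        receiver.open(packet)                  # identical bytes a second time
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    flipped = bytes([packet[COUNTER_BYTES] ^ 0x01])   # flip one ciphertext bit
    tampered = packet[:COUNTER_BYTES] + flipped + packet[COUNTER_BYTES + 1:]
    try:
        receiver.open(tampered)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver here uses a strictly increasing rule, so a packet that arrives after a later one is dropped as a replay; over a lossy or reordering transport the usual refinement is a sliding window with a bitmap of recently seen numbers, as IPsec does, which the same MAC-then-counter ordering supports unchanged.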

4 Answers

1

Assuming I've securely exchanged keys with another computer (using Diffie-Hellman perhaps)

This is where you face the biggest danger - if the man-in-the-middle manages to control the key exchange (for example, by establishing one key with the client and itself, and establishing another key with server and itself), then the MITM can decrypt (and re-encrypt) everything. Once you've established the secure key exchange, you should be invulnerable to the MITM attack. But the hard part is ensuring that the key exchange is truly secure.

Consult Practical Cryptography (or at Amazon) by Ferguson and Schneier for information about this.

answered 2009-05-03T22:16:43.737
0

Once the keys have been exchanged, the data cannot be intercepted or spoofed by a third party. (Unless your packet # counter wraps around. Presumably packets from an old window could then be replayed as if they came from the new window.) The solution to that problem is timestamps (as others have mentioned). Likewise if the attacker is somehow able to tamper with the system time. (If they are the man in the middle, they could presumably impersonate an NTP server and modify the client's system time that way.)

What an eavesdropper can do, however, is insert themselves between the two parties and disrupt the channel. That could cause a new key exchange to take place, which could be observed. To make the key exchange truly secure, you must use third-party verification or a pre-shared key known only to the two communicating parties.

answered 2009-05-11T02:42:56.643
0

You are not describing a man-in-the-middle attack, but a replay attack.

With a MITM attack the key exchange is intercepted, and you said you have exchanged keys securely - so that is not the problem.

Replay attacks are easy to mitigate: you include a unique message ID and then check it for uniqueness on the receiving side. Usually each message also has an expiry date and time, so you don't need to keep an ever-growing list of message IDs to validate against.

answered 2009-05-03T20:28:29.190
0

Your method of protecting against replay attacks seems sound to me. You are essentially describing a method called timestamping. Your packet number is a "virtual time" that the recipient uses to verify that a message has not been sent before.

answered 2009-05-03T20:43:20.950