Ross Anderson

Security Engineering


Скачать книгу

a flight of SAAF Impala bombers raided a target in Angola. Then the MIGs turned sharply and flew openly through the SAAF's air defenses, which sent IFF challenges. The MIGs relayed them to the Angolan air defense batteries, which transmitted them at a SAAF bomber; the responses were relayed back to the MIGs, who retransmitted them and were allowed through – as in Figure 4.2. According to my informant, this shocked the general staff in Pretoria. Being not only outfought by black opponents, but actually outsmarted, was not consistent with the world view they had held up till then.

      After this tale was published in the first edition of my book, I was contacted by a former officer in SA Communications Security Agency who disputed the story's details. He said that their IFF equipment did not use cryptography yet at the time of the Angolan war, and was always switched off over enemy territory. Thus, he said, any electronic trickery must have been of a more primitive kind. However, others tell me that ‘Mig-in-the-middle’ tricks were significant in Korea, Vietnam and various Middle Eastern conflicts.

Schematic illustration of the MIG-in-the middle attack.

      We will come across such attacks again and again in applications ranging from Internet security protocols to Bluetooth. They even apply in gaming. As the mathematician John Conway once remarked, it's easy to get at least a draw against a grandmaster at postal chess: just play two grandmasters at once, one as white and the other as black, and relay the moves between them!

      4.3.4 Reflection attacks

      Further interesting problems arise when two principals have to identify each other. Suppose that a challenge-response IFF system designed to prevent anti-aircraft gunners attacking friendly aircraft had to be deployed in a fighter-bomber too. Now suppose that the air force simply installed one of their air gunners' challenge units in each aircraft and connected it to the fire-control radar.

      But now when a fighter challenges an enemy bomber, the bomber might just reflect the challenge back to the fighter's wingman, get a correct response, and then send that back as its own response:

StartLayout 1st Row 1st Column upper F right-arrow upper B 2nd Column colon 3rd Column upper N 2nd Row 1st Column upper B right-arrow upper F Superscript prime Baseline 2nd Column colon 3rd Column upper N 3rd Row 1st Column upper F prime right-arrow upper B 2nd Column colon 3rd Column StartSet upper N EndSet Subscript upper K 4th Row 1st Column upper B right-arrow upper F 2nd Column colon 3rd Column StartSet upper N EndSet Subscript upper K EndLayout

      There are a number of ways of stopping this, such as including the names of the two parties in the exchange. In the above example, we might require a friendly bomber to reply to the challenge:

upper F right-arrow upper B colon upper N

      with a response such as:

upper B right-arrow upper F colon StartSet upper B comma upper N EndSet Subscript upper K Baseline

      Thus a reflected response StartSet upper F prime comma upper N EndSet from the wingman upper F prime could be detected5.

      This serves to illustrate the subtlety of the trust assumptions that underlie authentication. If you send out a challenge upper N and receive, within 20 milliseconds, a response StartSet upper N EndSet Subscript upper K, then – since light can travel a bit under 3,730 miles in 20 ms – you know that there is someone with the key upper K within 2000 miles. But that's all you know. If you can be sure that the response was not computed using your own equipment, you now know that there is someone else with the key upper K within two thousand miles. If you make the further assumption that all copies of the key upper K are securely held in equipment which may be trusted to operate properly, and you see StartSet upper B comma upper N EndSet Subscript upper K, you might be justified in deducing that the aircraft with callsign upper B is within 2000 miles. A careful analysis of trust assumptions and their consequences is at the heart of security protocol design.

      By now you might think that we understand all the protocol design aspects of IFF. But we've omitted one of the most important problems – and one which the designers of early IFF systems didn't anticipate. As radar is passive the returns are weak, while IFF is active and so the signal from an IFF transmitter will usually be audible at a much greater range than the same aircraft's radar return. The Allies learned this the hard way; in January 1944, decrypts of Enigma messages revealed that the Germans were plotting British and American bombers at twice the normal radar range by interrogating their IFF. So more modern systems authenticate the challenge as well as the response. The NATO mode XII, for example, has a 32 bit encrypted challenge, and a different valid challenge is generated for every interrogation signal, of which there are typically 250 per second. Theoretically there is no need to switch off over enemy territory, but in practice an enemy who can record valid challenges can replay them as part of an attack. Relays are made difficult in mode XII using directionality and time-of-flight.

      Other IFF design problems include the difficulties posed by neutrals, error rates in dense operational environments, how to deal with equipment failure, how to manage keys, and how to cope with multinational coalitions. I'll return to IFF in Chapter 23. For now, the spurious-challenge problem serves to reinforce an important point: that the correctness of a security protocol depends on the assumptions made about the requirements. A protocol that can protect against one kind of attack (being shot down by your own side) but which increases the exposure to an even more likely attack (being shot down by the other side) might not help. In fact, the spurious-challenge problem became so serious in World War II that