Abstract
The security community seems to be thoroughly familiar with man-in-the-middle attacks. However, the common perception of this type of attack is outdated. It originates from when network connections were fixed, not mobile, before 24/7 connectivity became ubiquitous. The common perception of this attack stems from an era before the vulnerability of the protocol’s context was realised. Thanks to revelations by Snowden and by currently available man-in-the-middle tools focused on protocol meta-data (such as so-called “Stingrays” for cellphones), this view is no longer tenable. Security protocols that only protect the contents of their messages are insufficient. Contemporary security protocols must also take steps to protect their context: who is talking to whom, where is the sender located, etc.
In short: the attacker has evolved. It’s high time for our security models and requirements to catch up.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
For an overview, see EFF’s cell site simulator FAQ.
- 2.
E.g. the Navizon indoor triangulation system.
- 3.
CVE-2009-3555.
- 4.
In the GSM standard, the tower may choose unilaterally to stop encryption, and the client has to follow. An attacker can therefore simply shut down encryption (e.g. by using a downgrading attack to fall back to the old standard, and then to stop encryption). Thus, this shared key alone cannot ensure secure communication.
References
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Béguelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of 22nd Conference on Computer and Communications Security (CCS 2015), pp. 5–17. ACM (2015)
Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., Ksper, E., Cohney, S., Engels, S., Paar, C., Shavitt, Y.: DROWN: Breaking TLS using SSLv2 (2016)
Avoine, G., Mauw, S., Trujillo-Rasua, R.: Comparing distance bounding protocols: a critical mission supported by decision theory. Comput. Commun. 67, 92–102 (2015)
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: Proceedings of 36th Symposium on Security and Privacy (S&P 2015), pp. 535–552. IEEE Computer Society (2015)
Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_30
Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., Weippl, E.R.: IMSI-catch me if you can: IMSI-catcher-catchers. In: Proceedings of 30th Annual Computer Security Applications Conference (ACSAC 2014), pp. 246–255. ACM (2014)
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29(12), 198–208 (1983)
Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of 10th Workshop on Computer Security Foundations (CSFW 1997), pp. 31–43. IEEE Computer Society (1997)
Meyer, U., Wetzel, S.: A man-in-the-middle attack on UMTS. In: Proceedings of 3rd Workshop on Wireless Security (WiSE 2004), New York, NY, USA, pp. 90–97. ACM (2004)
Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Jonker, H., Mauw, S., Trujillo-Rasua, R. (2017). Man-in-the-Middle Attacks Evolved... but Our Security Models Didn’t. In: Anderson, J., Matyáš, V., Christianson, B., Stajano, F. (eds) Security Protocols XXIV. Security Protocols 2016. Lecture Notes in Computer Science(), vol 10368. Springer, Cham. https://doi.org/10.1007/978-3-319-62033-6_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-62033-6_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62032-9
Online ISBN: 978-3-319-62033-6
eBook Packages: Computer ScienceComputer Science (R0)