Denning–Sacco (protocol)

From Bauman National Library
This page was last modified on 8 June 2016, at 14:21.

Denning–Sacco is a modified version of the Needham-Schroeder protocol with timestamps to fix the freshness flaw. It is used in Kerberos infrastructure [1].


Attack on the Needham-Schroeder protocol

Needham-Schroeder protocol is vulnerable to replay attacks[2]. If an attacker uses old compromised value , it can resend the Message 4 to a third party, which will take him, without being able to check a key date.

Fixing an attack

This vulnerability has been fixed in the modification of the protocol by replacing nonces with timestamps[3].

The Protocol


This protocol is used for a mutual authentication and shard secret key generation for establishing a secure connection with the use of trusted third party. Later on this protocol became a base for a range of symmetric authentication protocols, in particular Kerberos.


The protocol is used by two users and and a trusted party (Key Generator Center), which has shared symmetric keys with users ( and respectively).


  1. sends a plaintext information about the requested connection to the trusted party: his ID, 's ID and a timestamp :
  2. generates a session key and forms a package for , which contains the timestamp , calculated by , 's IS, session key and a package for : a session key and 's ID, encrypted with . encrypt the whole package with a key, shared between him and and sends it to :
  3. decrypts the package and checks and 's ID. This makes impossible for malefactor to spoof or impersonate , by changing the recepient ID in 's first message. Then resends to his part of the package:
  4. Having decrypted the message, discovers the session key and interlocutor's ID. After that the checking happens: calculates a timestamp and sends it, encrypted with a session key, to :
  5. decrypts a message and sends to the confirmation of the successful session establishment: , decreased by 1 and encrypted with the session key:


  2. Gavin Lowe. A family of attacks upon authentication protocols. Technical Report 1997/5, Department of Mathematics and Computer Science, University of Leicester, 1997
  3. Denning-Sacco shared key. Dorothy E. Denning and Giovanni Maria Sacco 1981