# Denning–Sacco (protocol)

Denning–Sacco is a modified version of the Needham-Schroeder protocol with timestamps to fix the freshness flaw. It is used in Kerberos infrastructure [1].

## Background

### Attack on the Needham-Schroeder protocol

The Needham-Schroeder protocol is vulnerable to replay attacks [2]. An attacker who holds an old, compromised value ${\displaystyle SK(S)}$ can resend Message 4 to a third party, which will accept it because it has no way to check the age of the key.

### Fixing an attack

This vulnerability was fixed in a modification of the protocol that replaces nonces with timestamps [3].

## The Protocol

### Description

This protocol is used for mutual authentication and for generating a shared secret key to establish a secure connection, with the help of a trusted third party. It later became the basis for a range of symmetric authentication protocols, in particular Kerberos.

### Setup

The protocol is used by two users ${\displaystyle A}$ and ${\displaystyle B}$ and a trusted party ${\displaystyle KDC}$ (Key Generator Center), which has shared symmetric keys with users (${\displaystyle K_{AC}}$ and ${\displaystyle K_{BC}}$ respectively).

### Work

1. ${\displaystyle A}$ sends plaintext information about the requested connection to the trusted party: his ID, ${\displaystyle B}$'s ID and a timestamp ${\displaystyle T_{A}}$:
${\displaystyle A: [A,B,T_A]\to KDC}$
2. ${\displaystyle KDC}$ generates a session key ${\displaystyle k}$ and forms a package for ${\displaystyle A}$ containing the timestamp ${\displaystyle T_{A}}$ calculated by ${\displaystyle A}$, ${\displaystyle B}$'s ID, the session key ${\displaystyle k}$ and a package for ${\displaystyle B}$: the session key and ${\displaystyle A}$'s ID, encrypted with ${\displaystyle K_{BC}}$. ${\displaystyle KDC}$ encrypts the whole package with the key it shares with ${\displaystyle A}$ and sends it to ${\displaystyle A}$:
${\displaystyle KDC: E_{K_{AC}}(T_A, B, k, E_{K_{BC}}(k,A))\to A}$
3. ${\displaystyle A}$ decrypts the package and checks ${\displaystyle T_{A}}$ and ${\displaystyle B}$'s ID. This makes it impossible for a malefactor to spoof ${\displaystyle KDC}$ or to impersonate ${\displaystyle B}$ by changing the recipient ID in ${\displaystyle A}$'s first message. Then ${\displaystyle A}$ forwards to ${\displaystyle B}$ his part of the package:
${\displaystyle A: E_{K_{BC}}(k,A)\to B}$
4. Having decrypted the message, ${\displaystyle B}$ learns the session key and the interlocutor's ID. A check then follows: ${\displaystyle B}$ calculates a timestamp ${\displaystyle T_{B}}$ and sends it, encrypted with the session key, to ${\displaystyle A}$:
${\displaystyle B: E_k(T_B)\to A}$
5. ${\displaystyle A}$ decrypts the message and sends ${\displaystyle B}$ the confirmation of successful session establishment: ${\displaystyle T_{B}}$, decreased by 1 and encrypted with the session key:
${\displaystyle A: E_k(T_B-1)\to B}$
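
The five messages above as an added Python example, not part of the original article. `seal`/`unseal` are a toy HMAC-SHA256 encrypt-then-MAC standing in for `E_K`, and every function name, key and integer timestamp is constructed for illustration. `a_check` is the step 3 test that rejects a replayed KDC reply or one issued for a different recipient.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):  # HMAC-SHA256(enc-subkey, nonce || counter) keystream
    ke = hmac.new(key, b"enc", hashlib.sha256).digest()
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, data):
    km = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(km, data, hashlib.sha256).digest()

def seal(key, obj):
    """Stand-in for E_K(...): toy encrypt-then-MAC, not a production cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(x ^ y for x, y in zip(pt, _stream(key, nonce, len(pt))))
    return (nonce + ct + _tag(key, nonce + ct)).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("authentication failed")
    return json.loads(bytes(x ^ y for x, y in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_reply(keys, a, b, t_a):
    """Step 2: E_{K_AC}(T_A, B, k, E_{K_BC}(k, A))."""
    k = os.urandom(16).hex()
    ticket = seal(keys[b], {"k": k, "A": a})
    return seal(keys[a], {"T_A": t_a, "B": b, "k": k, "ticket": ticket})

def a_check(k_ac, reply, want_b, t_a):
    """Step 3: A accepts only its own T_A and the peer ID it asked for."""
    m = unseal(k_ac, reply)
    if m["T_A"] != t_a:
        raise ValueError("T_A mismatch: stale or replayed KDC reply")
    if m["B"] != want_b:
        raise ValueError("peer ID mismatch")
    return bytes.fromhex(m["k"]), m["ticket"]

def handshake(keys, a, b, t_a, t_b):
    k, ticket = a_check(keys[a], kdc_reply(keys, a, b, t_a), b, t_a)  # steps 1-3
    t = unseal(keys[b], ticket)                 # step 4: B learns k and A's ID
    k_b = bytes.fromhex(t["k"])
    challenge = seal(k_b, {"T_B": t_b})         # B -> A: E_k(T_B)
    answer = seal(k, {"T_B": unseal(k, challenge)["T_B"] - 1})  # step 5
    return t["A"] == a and unseal(k_b, answer)["T_B"] == t_b - 1

KEYS = {n: os.urandom(32) for n in ("A", "B", "M")}  # constructed K_AC, K_BC, third user M
```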

## References

1. http://www.slashroot.in/needham-schroeder-protocol-explained
2. Gavin Lowe. A family of attacks upon authentication protocols. Technical Report 1997/5, Department of Mathematics and Computer Science, University of Leicester, 1997
3. Denning-Sacco shared key. Dorothy E. Denning and Giovanni Maria Sacco 1981