Attack on the Needham-Schroeder protocol
The Needham-Schroeder protocol is vulnerable to replay attacks. If an attacker holds an old compromised value , he can resend Message 4 to a third party, who will accept it, since there is no way to check how old the key is.
Fixing an attack
This vulnerability was fixed in a modification of the protocol that replaces nonces with timestamps.
This protocol is used for mutual authentication and shared secret key generation to establish a secure connection with the help of a trusted third party. Later this protocol became the basis for a range of symmetric-key authentication protocols, in particular Kerberos.
The protocol involves two users and and a trusted party (Key Generator Center), which shares symmetric keys with the users ( and respectively).
- sends the trusted party plaintext information about the requested connection: his ID, 's ID and a timestamp :
- generates a session key and forms a package for , which contains the timestamp calculated by , 's ID, the session key and a package for : the session key and 's ID, encrypted with . encrypts the whole package with the key shared between him and and sends it to :
- decrypts the package and checks and 's ID. This makes it impossible for a malefactor to spoof or impersonate by changing the recipient ID in 's first message. then forwards to his part of the package:
- Having decrypted the message, discovers the session key and the interlocutor's ID. Then the check takes place: calculates a timestamp and sends it to , encrypted with the session key:
- decrypts the message and sends the confirmation of the successful session establishment: , decreased by 1 and encrypted with the session key:
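The five messages above, as an added Python simulation that is not part of the original page: a toy integrity-only "encryption" stands in for a real cipher, the keys, IDs, timestamps and the 60-second MAX_AGE window are constructed, and the point shown is where the timestamp check rejects a package replayed from an earlier run.

```python
import hashlib, hmac, json

# Toy stand-in for authenticated encryption: plaintext plus an HMAC tag under
# the key. It provides integrity only, which is all the checks below rely on;
# a real deployment uses a proper AEAD such as AES-GCM. (Assumed, not from the page.)
def seal(key: bytes, msg: dict) -> bytes:
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob.rsplit(b"|", 1)
    want = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return json.loads(body)

MAX_AGE = 60  # constructed policy: how old (seconds) a package may be before B refuses it

# Message 2: the trusted party packs T, B's ID, the session key and the
# package for B (sealed under K_B) into one package sealed under K_A.
def trusted_party_reply(k_a, k_b, a_id, b_id, t, k_ab):
    ticket = seal(k_b, {"id": a_id, "k_ab": k_ab.hex(), "t": t})
    return seal(k_a, {"t": t, "id": b_id, "k_ab": k_ab.hex(), "ticket": ticket.hex()})

# A's checks on message 2: the reply must carry A's own timestamp and B's ID,
# so a swapped recipient ID in message 1 is caught here.
def a_accepts_reply(k_a, blob, t, b_id):
    msg = unseal(k_a, blob)
    if msg["t"] != t or msg["id"] != b_id:
        return None
    return bytes.fromhex(msg["k_ab"]), bytes.fromhex(msg["ticket"])

# B's check on message 3: the timestamp inside the package must be recent, so
# a package captured from an earlier run (the replay in the text) is rejected.
def b_accepts_ticket(k_b, ticket, now):
    msg = unseal(k_b, ticket)
    if now - msg["t"] > MAX_AGE:
        return None
    return bytes.fromhex(msg["k_ab"])

# Messages 4 and 5: B sends its timestamp under the session key, A answers
# with that timestamp decreased by 1, and B verifies the answer.
def handshake(k_ab_a, k_ab_b, t_b):
    m4 = seal(k_ab_b, {"t": t_b})
    m5 = seal(k_ab_a, {"t": unseal(k_ab_a, m4)["t"] - 1})
    return unseal(k_ab_b, m5)["t"] == t_b - 1
```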