Needham–Schroeder protocol

The term Needham–Schroeder protocol can refer to one of two communication protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder.^[1] These are:

The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm. It forms the basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.
The Needham–Schroeder Public-Key Protocol, based on public-key cryptography. This protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form is insecure.

1 The symmetric protocol
- 1.1 Attacks on the protocol
- 1.2 Fixing the attack
2 The public-key protocol
- 2.1 An attack on the protocol
- 2.2 Fixing the man-in-the-middle attack
3 See also
4 References
5 External links

The symmetric protocol

Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In the communication:

A and B are identities of Alice and Bob respectively
K_AS is a symmetric key known only to A and S
K_BS is a symmetric key known only to B and S
N_A and N_B are nonces generated by A and B respectively
K_AB is a symmetric, generated key, which will be the session key of the session between A and B

The protocol can be specified as follows in security protocol notation:

$A \rightarrow S: \left . A,B,N_A \right .$

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

$S \rightarrow A: \{N_A, K_{AB}, B, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$

The server generates

K A B

and sends back to Alice a copy encrypted under

K B S

for Alice to forward to Bob and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures Alice that the message is fresh and that the server is replying to that particular message and the inclusion of Bob's name tells Alice who she is to share this key with.

$A \rightarrow B: \{K_{AB}, A\}_{K_{BS}}$

Alice forwards the key to Bob who can decrypt it with the key he shares with the server, thus authenticating the data.

$B \rightarrow A: \{N_B\}_{K_{AB}}$

Bob sends Alice a nonce encrypted under

K A B

to show that he has the key.

$A \rightarrow B: \{N_B-1\}_{K_{AB}}$

Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive and that she holds the key.

Attacks on the protocol

The protocol is vulnerable to a replay attack (as identified by Denning and Sacco^[2]). If an attacker uses an older, compromised value for K_AB, he can then replay the message $\{K_{AB}, A\}_{K_{BS}}$ to Bob, who will accept it, being unable to tell that the key is not fresh.

Fixing the attack

This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below.^[3] At the beginning of the protocol:

$A \rightarrow B: A$

Alice sends to Bob a request.

$B \rightarrow A: \{A,\mathbf{N_B'}\}_{K_{BS}}$

Bob responds with a nonce encrypted under his key with the Server.

$A \rightarrow S: \left . A,B,N_A,\{A,\mathbf{N_B'}\}_{K_{BS}} \right .$

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

$S \rightarrow A: \{N_A, K_{AB}, B, \{K_{AB}, A,\mathbf{N_B'}\}_{K_{BS}}\}_{K_{AS}}$

Note the inclusion of the nonce.

The protocol then continues as described through the final three steps as described in the original protocol above. Note that $N B'$ is a different nonce from $N B$ .The inclusion of this new nonce prevents the replaying of a compromised version of $\{K_{AB}, A\}_{K_{BS}}$ since such a message would need to be of the form $\{K_{AB}, A,\mathbf{N_B'}\}_{K_{BS}}$ which the attacker can't forge since she does not have $K B S$ .

The public-key protocol

This assumes the use of a public-key encryption algorithm.

Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These keys are:

K_PA and K_SA, respectively public and private halves of an encryption key-pair belonging to A
K_PB and K_SB, similar belonging to B
K_PS and K_SS, similar belonging to S. (Note this has the property that K_SS is used to encrypt and K_PS to decrypt).

The protocol runs as follows:

$A \rightarrow S: \left . A, B \right .$

A requests B's public keys from S

$S \rightarrow A: \{K_{PB}, B\}_{K_{SS}}$

S responds with public key K_PB alongside B's identity, signed by the server for authentication purposes.

$A \rightarrow B: \{N_A, A\}_{K_{PB}}$

A invents N_A and sends it to B.

$B \rightarrow S: \left. B, A \right .$

B requests A's public keys.

$S \rightarrow B: \{K_{PA}, A\}_{K_{SS}}$

Server responds.

$B \rightarrow A: \{N_A, N_B\}_{K_{PA}}$

B invents N_B, and sends it to A along with N_A to prove ability to decrypt with K_SB.

$A \rightarrow B: \{N_B\}_{K_{PB}}$

A confirms N_B to B, to prove ability to decrypt with K_SA

At the end of the protocol, A and B know each other's identities, and know both N_A and N_B. These nonces are not known to eavesdroppers.

An attack on the protocol

Unfortunately, this protocol is vulnerable to a man-in-the-middle attack. If an impostor I can persuade A to initiate a session with him, he can relay the messages to B and convince B that he is communicating with A.

Ignoring the traffic to and from S, which is unchanged, the attack runs as follows:

$A \rightarrow I: \{N_A, A\}_{K_{PI}}$

A sends N_A to I, who decrypts the message with K_SI

$I \rightarrow B: \{N_A, A\}_{K_{PB}}$

I relays the message to B, pretending that A is communicating

$B \rightarrow I: \{N_A, N_B\}_{K_{PA}}$

B sends N_B

$I \rightarrow A: \{N_A, N_B\}_{K_{PA}}$

I relays it to A

$A \rightarrow I: \{N_B\}_{K_{PI}}$

A decrypts N_B and confirms it to I, who learns it

$I \rightarrow B: \{N_B\}_{K_{PB}}$

I re-encrypts N_B, and convinces B that he's decrypted it

At the end of the attack, B falsely believes that A is communicating with him, and that N_A and N_B are known only to A and B.

Fixing the man-in-the-middle attack

The attack was first described in a 1995 paper by Gavin Lowe.^[4] The paper also describes a fixed version of the scheme, referred to as the Needham-Schroeder-Lowe protocol. The fix involves the modification of message six, that is we replace:

$B \rightarrow A: \{N_A, N_B\}_{K_{PA}}$

with the fixed version:

$B \rightarrow A: \{N_A, N_B, B\}_{K_{PA}}$

References

^ Needham, Roger; Schroeder, Michael (December 1978). "Using encryption for authentication in large networks of computers.". Communications of the ACM 21 (12): 993–999. doi:10.1145/359657.359659
^ Denning, Dorothy E.; Sacco, Giovanni Maria (1981). "Timestamps in key distributed protocols". Communication of the ACM 24 (8): 533–535. doi:10.1145/358722.358740.
^ Needham, R. M.; Schroeder, M. D. (1987). "Authentication revisited". ACM SIGOPS Operating Systems Review 21 (1): 7. doi:10.1145/24592.24593.
^ Lowe, Gavin (November 1995). "An attack on the Needham-Schroeder public key authentication protocol.". Information Processing Letters 56 (3): 131–136. doi:10.1016/0020-0190(95)00144-2. http://web.comlab.ox.ac.uk/oucl/work/gavin.lowe/Security/Papers/NSPKP.ps. Retrieved 2008-04-17

External links

http://www.lsv.ens-cachan.fr/spore/nspk.html - description of the Public-key protocol
http://www.lsv.ens-cachan.fr/spore/nssk.html - the Symmetric-key protocol
http://www.lsv.ens-cachan.fr/spore/nspkLowe.html - the public-key protocol amended by Lowe

Categories:

Cryptographic protocols
Computer access control protocols

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

Needham-Schroeder protocol — The term Needham Schroeder protocol can refer to one of two communication protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder.Citation | last1=Needham | first1=Roger | last2=Schroeder | first2 … Wikipedia
Needham-Schroeder Protokoll — Das Needham Schroeder Protokoll ist ein Protokoll für sicheren Datenaustausch in einem dezentralen Netzwerk. Es vereint Schlüsselaustausch und Authentifikation mit dem Ziel, eine sichere Kommunikation zwischen zwei Parteien in einem dezentralen… … Deutsch Wikipedia
Needham-Schroeder-Protokoll — Das Needham Schroeder Protokoll ist ein Protokoll für sicheren Datenaustausch in einem dezentralen Netzwerk. Es vereint Schlüsselaustausch und Authentifikation mit dem Ziel, eine sichere Kommunikation zwischen zwei Parteien in einem dezentralen… … Deutsch Wikipedia
Needham-Schroeder — Protocole de Needham Schroeder Pour les articles homonymes, voir Needham et Schroeder. Needham Schroeder est un protocole d authentification dans les réseaux informatiques conçu pour être utilisé dans des réseaux non sûrs (Internet par exemple),… … Wikipédia en Français
Needham-schroeder — Protocole de Needham Schroeder Pour les articles homonymes, voir Needham et Schroeder. Needham Schroeder est un protocole d authentification dans les réseaux informatiques conçu pour être utilisé dans des réseaux non sûrs (Internet par exemple),… … Wikipédia en Français
Needham — is a surname, and may refer to: Ben Needham, British infant missing since 1991 Col Needham, co founder of the Internet Movie Database David Needham, English football player Ernest Needham (1873–1936), English football player Francis Needham, 3rd… … Wikipedia
Protocole de Needham-Schroeder — Pour les articles homonymes, voir Needham et Schroeder. Needham Schroeder est un protocole d authentification dans les réseaux informatiques conçu pour être utilisé dans des réseaux non sûrs (Internet par exemple), et inventé par Roger Needham et … Wikipédia en Français
Needham, Roger Michael — ▪ 2004 British engineer and computer scientist (b. Feb. 9, 1935, Sheffield, Eng. d. Feb. 28, 2003, Cambridge, Eng.), devised a secure way of protecting computer password files that became the basis for all systems currently used. Needham… … Universalium
Schroeder — an umlaut converted representation of Schröder is a common German surname. It can specifically refer to several people: * Andreas Schroeder, a German born Canadian poet, novelist, and nonfiction writer * Barbet Schroeder, a Swiss movie director… … Wikipedia
Needham-Schroder — Protocole de Needham Schroeder Pour les articles homonymes, voir Needham et Schroeder. Needham Schroeder est un protocole d authentification dans les réseaux informatiques conçu pour être utilisé dans des réseaux non sûrs (Internet par exemple),… … Wikipédia en Français

Academic Dictionaries and Encyclopedias

Needham–Schroeder protocol

Contents