Otway–Rees Protocol
   HOME

TheInfoList



OR:

The Otway–Rees protocol is a
computer network A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technolog ...
designed for use on insecure networks (e.g. the
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
). It allows individuals communicating over such a network to prove their identity to each other while also preventing
eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
or
replay attack A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...
s and allowing for the detection of modification. The protocol can be specified as follows in
security protocol notation In cryptography, security (engineering) protocol notation, also known as protocol narrations and Alice & Bob notation, is a way of expressing a protocol of correspondence between entities of a dynamic system, such as a computer network. In the cont ...
, where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are nonces): # A \rightarrow B: M,A,B,\_ # B \rightarrow S: M,A,B,\_,\_ # S \rightarrow B: M,\_,\_ # B \rightarrow A: M,\_ Note: The above steps do not authenticate B to A. This is one of the protocols analysed by Burrows, Abadi and Needham in the paper that introduced an early version of
Burrows–Abadi–Needham logic Burrows–Abadi–Needham logic (also known as the BAN logic) is a set of rules for defining and analyzing information exchange protocols. Specifically, BAN logic helps its users determine whether exchanged information is trustworthy, secured agains ...
.


Attacks on the protocol

There are a variety of attacks on this protocol currently published.


Interception attacks

These attacks leave the intruder with the session key and may exclude one of the parties from the conversation. Boyd and Mao observe that the original description does not require that S check the plaintext A and B to be the same as the A and B in the two ciphertexts. This allows an intruder masquerading as B to intercept the first message, then send the second message to S constructing the second ciphertext using its own key and naming itself in the plaintext. The protocol ends with A sharing a session key with the intruder rather than B. Gürgens and Peralta describe another attack which they name an arity attack. In this attack the intruder intercepts the second message and replies to B using the two ciphertexts from message 2 in message 3. In the absence of any check to prevent it, M (or perhaps M,A,B) becomes the session key between A and B and is known to the intruder. Cole describes both the Gürgens and Peralta arity attack and another attack in his book Hackers Beware. In this the intruder intercepts the first message, removes the plaintext A,B and uses that as message 4 omitting messages 2 and 3. This leaves A communicating with the intruder using M (or M,A,B) as the session key.


Disruptive attacks

This attack allows the intruder to disrupt the communication but does not allow the intruder to gain access to it. One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key K_. The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key K'_, subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with K'_ instead of K_.


See also

* Kerberos (protocol) *
Needham–Schroeder protocol The Needham–Schroeder protocol is one of the two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder. These are: * The ''Needham–Schroeder Symmetric Key Protocol'', based on ...
* Yahalom (protocol) * Wide Mouth Frog protocol


References

{{DEFAULTSORT:Otway-Rees protocol Computer access control protocols Authentication protocols Key transport protocols Symmetric-key cryptography