
Needham–Schroeder protocol

The term Needham–Schroeder protocol can refer to one of the two communication protocols intended for use over
an insecure network, both proposed by Roger Needham and Michael Schroeder. These are:
The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm. It forms the
basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network,
typically to protect further communication.
The Needham–Schroeder Public-Key Protocol is based on public-key cryptography. This protocol is intended to
provide mutual authentication between two parties communicating on a network, but in its proposed form is
insecure.
The symmetric protocol
Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In the communication:
A and B are identities of Alice and Bob respectively
K_AS is a symmetric key known only to A and S
K_BS is a symmetric key known only to B and S
N_A and N_B are nonces generated by A and B respectively
K_AB is a symmetric, generated key, which will be the session key of the session between A and B
The protocol can be specified as follows in security protocol notation:
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate
with Bob.
The server generates and sends back to Alice a copy encrypted under for Alice to forward to Bob
and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures
Alice that the message is fresh and that the server is replying to that particular message, and the inclusion of
Bob's name tells Alice who she is to share this key with.
Alice forwards the key to Bob who can decrypt it with the key he shares with the server, thus authenticating
the data.
Bob sends Alice a nonce encrypted under to show that he has the key.
Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive
and that she holds the key.
Attacks on the protocol
The protocol is vulnerable to a replay attack (as identified by Denning and Sacco). If an attacker uses an older,
compromised value for K_AB, he can then replay the message to Bob, who will accept it, being
unable to tell that the key is not fresh.
Fixing the attack
This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of
nonces as described below. At the beginning of the protocol:
Alice sends to Bob a request.
Bob responds with a nonce encrypted under his key with the Server.
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate
with Bob.
Note the inclusion of the nonce.
The protocol then continues through the final three steps as described in the original protocol above.
Note that is a different nonce from .The inclusion of this new nonce prevents the replaying of a
compromised version of since such a message would need to be of the form
which the attacker can't forge since she does not have .
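Bob's freshness check in the original and the nonce-amended flow, as an added example that is not part of the original article. Encryption is modelled symbolically (a tagged tuple that opens only under the same key), the class and function names are hypothetical, and the ticket layouts {K_AB, A}_K_BS and {K_AB, A, N'_B}_K_BS are the standard ones for this protocol, taken as an assumption here.

```python
import secrets

def enc(key, *fields):          # symbolic encryption: opens only under the same key
    return ("enc", key, fields)

def dec(key, ct):
    if ct[:2] != ("enc", key):
        raise ValueError("wrong key")
    return ct[2]

class Bob:
    def __init__(self, k_bs):
        self.k_bs, self.pending = k_bs, set()   # pending: N'_B issued, not yet consumed

    def challenge(self, peer):
        # Amended flow: answer A's request with {A, N'_B}_K_BS.
        n = secrets.token_hex(8)
        self.pending.add(n)
        return enc(self.k_bs, peer, n)

    def accept(self, ticket, amended):
        fields = dec(self.k_bs, ticket)
        if amended:
            # {K_AB, A, N'_B}_K_BS: N'_B must be a nonce Bob issued and has not seen back.
            if len(fields) != 3 or fields[2] not in self.pending:
                raise ValueError("stale or unknown nonce")
            self.pending.remove(fields[2])
        # Original {K_AB, A}_K_BS proves S built it, but says nothing about when.
        return fields[0], fields[1]

def server_ticket(k_bs, k_ab, a, challenge=None):
    # S builds Bob's part of its reply; the amended flow copies N'_B in.
    if challenge is None:
        return enc(k_bs, k_ab, a)
    _, n = dec(k_bs, challenge)
    return enc(k_bs, k_ab, a, n)

def replay_accepted(amended):
    # Constructed scenario: one honest delivery, then the same ticket presented again.
    bob = Bob(secrets.token_hex(16))
    chal = bob.challenge("A") if amended else None
    ticket = server_ticket(bob.k_bs, "K_AB-from-earlier-run", "A", chal)
    bob.accept(ticket, amended)               # first, legitimate delivery
    try:
        bob.accept(ticket, amended)           # recorded ticket delivered a second time
        return True
    except ValueError:
        return False
```

replay_accepted(False) returns True because the original ticket carries nothing Bob can tie to the current run; replay_accepted(True) returns False because the nonce was consumed by the first delivery.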
The public-key protocol
This assumes the use of a public-key encryption algorithm.
Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These keys are:
K_PA and K_SA, respectively public and private halves of an encryption key-pair belonging to A (S stands for
"secret key" here)
K_PB and K_SB, similar belonging to B
K_PS and K_SS, similar belonging to S. (Note this has the property that K_SS is used to encrypt and K_PS to decrypt).
The protocol runs as follows:
A requests B's public keys from S
S responds with public key K_PB alongside B's identity, signed by the server for authentication purposes.
B requests A's public keys.
Server responds.
A chooses a random N_A and sends it to B.
B chooses a random N_B, and sends it to A along with N_A to prove ability to decrypt with K_SB.
A confirms N_B to B, to prove ability to decrypt with K_SA
At the end of the protocol, A and B know each other's identities, and know both N_A and N_B. These nonces are not
known to eavesdroppers.
An attack on the protocol
Unfortunately, this protocol is vulnerable to a man-in-the-middle attack. If an impostor can persuade A to initiate a
session with him, he can relay the messages to B and convince B that he is communicating with A.
Ignoring the traffic to and from S, which is unchanged, the attack runs as follows:
A sends N_A to I, who decrypts the message with K_SI
I relays the message to B, pretending that A is communicating
B sends N_B
I relays it to A
A decrypts N_B and confirms it to I, who learns it
I re-encrypts N_B, and convinces B that he's decrypted it
At the end of the attack, B falsely believes that A is communicating with him, and that N_A and N_B are known only to
A and B.
Fixing the man-in-the-middle attack
The attack was first described in a 1995 paper by Gavin Lowe. The paper also describes a fixed version of the
scheme, referred to as the Needham–Schroeder–Lowe protocol. The fix involves the modification of message six,
that is, we replace:
with the fixed version:
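The effect of Lowe's change to message six, as an added example that is not part of the original article. It is a symbolic model (public-key encryption is a tuple only its owner can open, function names are hypothetical) and assumes the standard message layouts: message six is {N_A, N_B}_K_PA in the original and {N_A, N_B, B}_K_PA in the fixed version.

```python
import secrets

def pk_enc(owner, *fields):     # symbolic public-key encryption: only `owner` can open it
    return (owner, fields)

def pk_dec(me, ct):
    owner, fields = ct
    if owner != me:
        raise ValueError("not encrypted to this party")
    return fields

def responder_msg6(me, msg3, lowe_fix):
    # B opens {N_A, A}_K_PB and answers to whoever the message names as sender.
    n_a, claimed = pk_dec(me, msg3)
    n_b = secrets.token_hex(8)
    fields = (n_a, n_b, me) if lowe_fix else (n_a, n_b)
    return n_b, claimed, pk_enc(claimed, *fields)

def initiator_msg7(me, peer, n_a, msg6, lowe_fix):
    # A checks her own nonce and, with the fix, that the named responder is her chosen peer.
    fields = pk_dec(me, msg6)
    if fields[0] != n_a:
        raise ValueError("nonce mismatch")
    if lowe_fix and fields[2:] != (peer,):
        raise ValueError("responder identity does not match chosen peer")
    return pk_enc(peer, fields[1])

def honest_run_accepted(lowe_fix):
    # A talks to B directly; the fix must not break this case.
    n_a = secrets.token_hex(8)
    n_b, claimed, msg6 = responder_msg6("B", pk_enc("B", n_a, "A"), lowe_fix)
    msg7 = initiator_msg7("A", "B", n_a, msg6, lowe_fix)
    return claimed == "A" and pk_dec("B", msg7) == (n_b,)

def relayed_run_accepted(lowe_fix):
    # Constructed run of the relay described above: A opens a session with I, I forwards to B.
    n_a = secrets.token_hex(8)
    msg3_to_i = pk_enc("I", n_a, "A")                               # A -> I
    msg3_to_b = pk_enc("B", *pk_dec("I", msg3_to_i))                # I -> B, re-encrypted
    n_b, claimed, msg6 = responder_msg6("B", msg3_to_b, lowe_fix)   # B -> A, passed on unopened
    try:
        msg7_to_i = initiator_msg7("A", "I", n_a, msg6, lowe_fix)   # A -> I
    except ValueError:
        return False                                                # A aborts; B never gets message 7
    msg7_to_b = pk_enc("B", *pk_dec("I", msg7_to_i))                # I -> B, re-encrypted
    return claimed == "A" and pk_dec("B", msg7_to_b) == (n_b,)
```

With lowe_fix=False the relayed run ends with B accepting a session attributed to A; with lowe_fix=True A sees B's name where she expected I and stops, while the honest run completes in both versions.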
External links
http://www.lsv.ens-cachan.fr/spore/nspk.html - description of the Public-key protocol
http://www.lsv.ens-cachan.fr/spore/nssk.html - the Symmetric-key protocol
http://www.lsv.ens-cachan.fr/spore/nspkLowe.html - the public-key protocol amended by Lowe
Article Sources and Contributors
Needham–Schroeder protocol Source: http://en.wikipedia.org/w/index.php?oldid=623991991 Contributors: .snoopy., Alexei Kopylov, Bah23, Bender235, Chrismiceli, Danny, Econrad,
Epbr123, Gareth Jones, IanHarvey, Imran, KennethJ, Leobold1, Matt Crypto, Michael Hardy, Nageh, PabloCastellano, Pnm, Soltwisch, Steffen Michels, Strait, Syp, The Anome, Tobias
Bergemann, Topbanana, Velle, Yaronf, 42 anonymous edits
License
Creative Commons Attribution-Share Alike 3.0
//creativecommons.org/licenses/by-sa/3.0/
