Otway–Rees protocol

From Wikipedia, the free encyclopedia

The Otway–Rees protocol[1] is a computer network authentication protocol designed for use on insecure networks (e.g. the Internet). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping or replay attacks and allowing for the detection of modification.

The protocol can be specified as follows in security protocol notation, where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are nonces):

Note: The above steps do not authenticate B to A.

This is one of the protocols analysed by Burrows, Abadi and Needham in the paper[2] that introduced an early version of Burrows–Abadi–Needham logic.[3]

Attacks on the protocol[edit]

There are a variety of attacks on this protocol currently published.

Interception attacks[edit]

These attacks leave the intruder with the session key and may exclude one of the parties from the conversation.

Boyd and Mao[4] observe that the original description does not require that S check the plaintext A and B to be the same as the A and B in the two ciphertexts. This allows an intruder masquerading as B to intercept the first message, then send the second message to S constructing the second ciphertext using its own key and naming itself in the plaintext. The protocol ends with A sharing a session key with the intruder rather than B.

Gürgens and Peralta[5] describe another attack which they name an arity attack. In this attack the intruder intercepts the second message and replies to B using the two ciphertexts from message 2 in message 3. In the absence of any check to prevent it, M (or perhaps M,A,B) becomes the session key between A and B and is known to the intruder.

Cole describes both the Gürgens and Peralta arity attack and another attack in his book Hackers Beware.[6] In this the intruder intercepts the first message, removes the plaintext A,B and uses that as message 4 omitting messages 2 and 3. This leaves A communicating with the intruder using M (or M,A,B) as the session key.

Disruptive attacks[edit]

This attack allows the intruder to disrupt the communication but does not allow the intruder to gain access to it.

One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key . The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key , subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with instead of .

See also[edit]

References[edit]

  1. ^ Otway, Dave; Rees, Owen (1987-01-01). "Efficient and timely mutual authentication". ACM SIGOPS Operating Systems Review. 21 (1): 8–10. doi:10.1145/24592.24594. ISSN 0163-5980. S2CID 19784668.
  2. ^ Burrows, Michael; Abadi, Martín; Needham, Roger (1988). "Authentication: a practical study in belief and action". {{cite journal}}: Cite journal requires |journal= (help)
  3. ^ Burrows, Michael; Abadi, Martín; Needham, Roger (1990). "A logic of authentication". ACM Transactions on Computer Systems. 8: 18–36. CiteSeerX 10.1.1.115.3569. doi:10.1145/77648.77649. S2CID 52807150.
  4. ^ Boyd, Colin; Mao, Wenbo (1994), "On a Limitation of BAN Logic", Advances in Cryptology – EUROCRYPT ’93, Lecture Notes in Computer Science, vol. 765, Springer Berlin Heidelberg, pp. 240–247, doi:10.1007/3-540-48285-7_20, ISBN 978-3-540-57600-6
  5. ^ Gürgens, Sigrid; Peralta, René (1998). Efficient Automated Testing of Cryptographic Protocols. CiteSeerX 10.1.1.23.707.
  6. ^ Cole, Eric. (2002). Hackers beware. Indianapolis, Ind.: New Riders. ISBN 0-7357-1009-0. OCLC 46808903.