Needham-Schroeder Protocol Authentication - PowerPoint PPT Presentation

Title: SECURITY HANDSHAKE PITFALLS--II Author: Ali Aydin Selcuk Last modified by: Aydin Created Date: 11/10/2002 9:28:57 PM Document presentation format – PowerPoint PPT presentation

Slides: 11
Provided by: AliA75

Transcript and Presenter's Notes



1
Needham-Schroeder Protocol: Authentication & Key Establishment
  • CS 470
  • Introduction to Applied Cryptography
  • Instructor: Ali Aydin Selcuk

2
Key Establishment and Authentication with KDC
  • A simple protocol
  • Problem: Potential delayed key delivery to Bob
    (besides others).

Alice → KDC: Alice, Bob
KDC → Alice: K_A{Bob, K_AB}
KDC → Bob: K_B{Alice, K_AB}
3
  • Another simple protocol
  • Problems:
  • No freshness guarantee for K_AB
  • Alice & Bob need to authenticate

Alice → KDC: Alice, Bob
KDC → Alice: K_A{Bob, K_AB}, ticketB, where ticketB = K_B{Alice, K_AB}
Alice → Bob: Alice, ticketB
4
Needham-Schroeder Protocol
Alice → KDC: N1, Alice, Bob
KDC → Alice: K_A{N1, Bob, K_AB, ticketB}, where ticketB = K_B{K_AB, Alice}
Alice → Bob: ticketB, K_AB{N2}
Bob → Alice: K_AB{N2-1, N3}
Alice → Bob: K_AB{N3-1}
5
Needham-Schroeder Protocol
  • N1: for authenticating KDC & freshness of K_AB.
  • Ticket is double-encrypted. (unnecessary)
  • N2, N3: for key confirmation, mutual
    authentication
  • Why are the challenges N2, N3 encrypted?
  • Problem: Bob doesn't have freshness guarantee for
    K_AB (i.e., can't detect replays).

6
  • Messages should be integrity protected.
  • Otherwise, cut-and-paste reflection attacks
    possible

Trudy → Bob: replay ticketB, K_AB{N2}
Bob → Trudy: K_AB{N2-1, N3}
Trudy → Bob: K_AB{N3-1}

Trudy → Bob: ticketB, K_AB{N3}
Bob → Trudy: K_AB{N3-1, N4}
7
Expanded Needham-Schroeder Protocol
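Alice → Bob: hello
Bob → Alice: K_B{N_B}
Alice → KDC: N1, Alice, Bob, K_B{N_B}
KDC → Alice: K_A{N1, Bob, K_AB, ticketB}, where ticketB = K_B{K_AB, Alice, N_B}
Alice → Bob: ticketB, K_AB{N2}
Bob → Alice: K_AB{N2-1, N3}
Alice → Bob: K_AB{N3-1}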
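
The replay problem from slide 5 and the N_B fix from slide 7, as an added Python example that is not part of the original slides. The `seal`/`unseal` pair is a toy stand-in for K{...} built for illustration, all function and field names are assumptions, and only Bob's ticket check is modelled (the N2/N3 exchange is left out).

```python
import hashlib, hmac, json, os

def seal(key, fields):
    """Toy K{...}: SHAKE-256 keystream XOR plus HMAC tag (illustration only)."""
    iv, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    ks = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def kdc_ticket(k_b, k_ab, peer, n_b=None):
    """ticketB = K_B{K_AB, Alice} (slide 4); slide 7 adds N_B."""
    fields = {"k_ab": k_ab.hex(), "peer": peer}
    fields.update({"n_b": n_b} if n_b else {})
    return seal(k_b, fields)

class Bob:
    def __init__(self, k_b):
        self.k_b, self.pending = k_b, set()

    def hello(self):
        """Slide 7, message 2: return K_B{N_B} and remember N_B."""
        n_b = os.urandom(16).hex()
        self.pending.add(n_b)
        return seal(self.k_b, {"n_b": n_b})

    def accept_basic(self, ticket):
        """Slide 4: any ticket that opens under K_B is accepted, however old."""
        return "k_ab" in unseal(self.k_b, ticket)

    def accept_expanded(self, ticket):
        """Slide 7: ticket must carry an N_B that Bob issued and has not used yet."""
        n_b = unseal(self.k_b, ticket).get("n_b")
        ok = n_b in self.pending
        self.pending.discard(n_b)  # each N_B is good for one ticket only
        return ok

def demo():
    k_b = os.urandom(32)  # constructed: Bob's long-term key, shared with the KDC
    bob = Bob(k_b)
    old = kdc_ticket(k_b, os.urandom(16), "Alice")  # ticket from an earlier run
    n_b = unseal(k_b, bob.hello())["n_b"]           # KDC opens K_B{N_B}
    fresh = kdc_ticket(k_b, os.urandom(16), "Alice", n_b)
    return [bob.accept_basic(old)] + [bob.accept_expanded(t) for t in (old, fresh, fresh)]
```

`demo()` returns the four decisions in order: the old ticket under the basic check, the old ticket under the expanded check, the fresh ticket, and the fresh ticket presented a second time.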
8
Otway-Rees Protocol
Alice → Bob: N_C, Alice, Bob, K_A{N_A, N_C, Alice, Bob}
Bob → KDC: K_A{N_A, N_C, Alice, Bob}, K_B{N_B, N_C, Alice, Bob}
KDC → Bob: N_C, K_A{N_A, K_AB}, K_B{N_B, K_AB}
Bob → Alice: K_A{N_A, K_AB}
Alice → Bob: K_AB{anything recognizable}
9
Otway-Rees Protocol
  • N_A, N_B: Provide freshness guarantee for A & B,
    as well as authentication of KDC.
  • N_C: Binds Alice, Bob, and the session. Also
    authenticates Bob.
  • Having separate N_A & N_C is redundant for
    security, though it's good for functional
    separation of nonces and uniformity of KDC
    messages.

10
Basic Kerberos Protocol
Alice → KDC: N1, Alice, Bob
KDC → Alice: K_A{N1, Bob, K_AB, ticketB}, where ticketB = K_B{K_AB, Alice, expiration time}
Alice → Bob: ticketB, K_AB{T}
Bob → Alice: K_AB{T+1}
T: timestamp