Attack 2.2: An Attack on the Needham-Schroeder Symmetric key Authentication Protocol
Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol
PREMISE Alice's public key is KA, Bob's public key is KB, Trent's public key is KT.
GOAL Alice and Bob establish a new and shared secret.
1. Alice sends to Trent: Alice, Bob;
2. Trent sends to Alice: {KB, Bob} ;
3. Alice verifies Trent's signature on "KB, Bob," creates her nonce NA at random, and sends to Bob: {NA, Alice}KB;
4. Bob decrypts, checks Alice's ID and sends to Trent: Bob, Alice;
5. Trent sends to Bob: {KA, Alice} ;
6. Bob verifies Trent's signature on "KA, Alice," creates his nonce NB at random, and sends to Alice: {NA, NB}KA;
7. Alice decrypts, and sends to Bob: {NB}KB.
• Table of Contents
Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company
Publisher: Prentice Hall PTR Pub Date: July 25, 2003
ISBN: 0-13-066943-1 Pages: 648
Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.
Suppose that Trent has in his possession the public keys of all the client principals he serves. Also, every client principal has an authenticated copy of Trent's public key. Prot 2.5 specifies the Needham-Schroeder Public-key Authentication Protocol.
Here Alice is an initiator who seeks to establish a session with responder Bob, with the help of Trent. In step 1, Alice sends a message to Trent, requesting Bob's public key. Trent responds in step 2 by returning the key KB, along with Bob's identity (to prevent the sort of attacks in §2.6.2), encrypted using Trent's private key . This forms Trent's digital signature on the protocol message, which assures Alice that the message in step 2 originated from Trent (Alice should verify the signature using Trent's public key). Alice then seeks to establish a connection with Bob by selecting a nonce NA at random, and sending it along with her identity to Bob (step 3), encrypted using Bob's public key. When Bob receives this message, he decrypts it to obtain the nonce NA. He requests (step 4) and receives (step 5) the authentic copy of Alice's public key. He then returns the nonce NA, along with his own new nonce NB, to Alice, encrypted with Alice's public key (step 6). When Alice receives this message she should be assured that she is talking to Bob, since only Bob should be able to decrypt message 3 to obtain NA, and this must have been done after her action of sending the nonce out (a recent action). Alice then returns the nonce NB to Bob, encrypted with Bob's public key. When Bob receives this message he should, too, be assured that he is talking to Alice, since only Alice should be able to decrypt message 6 to obtain NB (also a recent action). Thus, a successful run of this protocol does achieve the establishment of the shared nonces NA and NB, and they are shared secrets exclusively between Alice and Bob. Further notice that since both principals contribute to these shared secrets recently, they have the freshness property. Also, each principal should trust the randomness of the secrets as long as her/his part of the contribution is sufficiently random. Needham and Schroeder suggest that NA and NB, which are from a large space, can be used to initialize a shared secret key ("as the base for seriation of encryption blocks") [213] for subsequent secure communications between Alice and Bob.
Denning and Sacco have pointed out that this protocol provides no guarantee that the public keys obtained by the client principals are current, rather than replays of old, possibly compromised keys [94]. This problem can be overcome in various ways, for example by including timestamps in the key deliveries [a]. Below we assume that the clients' public keys that are obtained from Trent are current and good.
[a] Denning and Sacco propose such a fix [94]. However, their fix is flawed for a different reason. We will see their fix and study the reason for the flaw in §11.7.7.
2.6.6.3 Attack on the Needham-Schroeder Public-key Authentication Protocol
Lowe discovers an attack on the Needham-Schroeder Public-key Authentication Protocol [180]. Lowe observes that this protocol can be considered as the interleaving of two logically disjoint protocols; steps 1, 2, 4 and 5 are concerned with obtaining public keys, whereas steps 3, 6 and 7 are concerned with the authentication of Alice and Bob. Therefore, we can assume that each principal initially has the authentic copies of each other's public key, and restrict our attention to just the following steps (we only list message flows; the reader may refer to Prot 2.5 for details):
3. Alice sends to Bob: {NA, Alice}KB;
6. Bob sends to Alice: {NA, NB}KA;
7. Alice sends to Bob: {NB}KB.
legitimate principal in the system, and so other principals may try to set up standard sessions with Malice. Indeed, the attack below starts with Alice trying to establish a session with Malice.
Attack 2.3 describes the attack.
The attack involves two simultaneous runs of the protocol; in the first run (steps 1-3, 1-6 and 1-7), Alice establishes a valid session with Malice; in the second run (steps 2-3, 2-6 and 2-7), Malice impersonates Alice to establish a bogus session with Bob. In step 1-3, Alice starts to establish a normal session with Malice, sending him a nonce NA. In step 2-3, Malice impersonates Alice to try to establish a bogus session with Bob, sending to Bob the nonce NA from Alice. Bob responds in step 2-6 by selecting a new nonce NB, and trying to return it, along with NA, to Alice. Malice intercepts this message, but cannot decrypt it because it is encrypted with Alice's public key. Malice therefore seeks to use Alice to do the decryption for him, by forwarding the message to Alice in step 1-6; note that this message is of the form expected by Alice in the first run of the protocol. Alice decrypts the message to obtain NB, and returns this to Malice in step 1-7 (encrypted with Malice's public key). Malice can then decrypt this message to obtain NB, and returns this to Bob in step 2-7, thus completing the second run of the protocol. Hence Bob believes that Alice has correctly established a session with him and they share exclusively the secret nonces NA and NB.
A crucial step for Malice to succeed in the attack is Alice's unwitting decryption of Bob's nonce NB for Malice. We say that a principal is used as an oracle, or provides an oracle service, when the principal performs a cryptographic operation inadvertently for an attacker. We will see many cases of oracle services in this book and will gradually develop a general methodology: cryptographic algorithms and protocols should be designed such that they are secure even if their users provide oracle services to attackers.
We can imagine the following consequences of this attack. Malice may include the shared nonces within a subsequent message suggesting a session key, and Bob will believe that this message originated from Alice. Similarly, if Bob is a bank, then Malice could impersonate Alice to send a message such as:
Malice("Alice") sends to Bob:
{NA, NB, "Transfer £1,000,000 from my account to Malice's"}KB.
2.6.6.4 A Fix
It is fairly easy to change the protocol so as to prevent the attack. If we include the responder's identity in message 6 of the protocol
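
The two interleaved runs of the attack and the effect of the responder-identity check, as an added example that is not code from the book. It uses a symbolic model of encryption (no real cryptography); the names `Enc`, `dec`, `bob_step6`, `alice_step7`, `honest_run` and `lowe_attack` are hypothetical, and the fixed message 6 is assumed to take the form {NA, NB, Bob}KA.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext {payload}K_owner: only `owner` can open it."""
    owner: str
    payload: tuple

def dec(who, ct):
    if ct.owner != who:
        raise PermissionError(f"{who} cannot decrypt a message for {ct.owner}")
    return ct.payload

def bob_step6(msg3, nb, fixed):
    """Bob opens message 3 and builds message 6 for the identity it claims."""
    na, claimed = dec("Bob", msg3)
    body = (na, nb, "Bob") if fixed else (na, nb)   # fix: add responder identity
    return claimed, Enc(claimed, body)

def alice_step7(msg6, na, peer, fixed):
    """Alice handles message 6 in her run with `peer`; None means she aborts."""
    fields = dec("Alice", msg6)
    if fields[0] != na:
        return None
    if fixed and (len(fields) < 3 or fields[2] != peer):
        return None        # responder named in message 6 is not Alice's peer
    return Enc(peer, (fields[1],))

def honest_run(fixed):
    """Alice really talks to Bob; True if Bob gets his nonce back."""
    na, nb = secrets.token_hex(8), secrets.token_hex(8)
    _, m6 = bob_step6(Enc("Bob", (na, "Alice")), nb, fixed)
    m7 = alice_step7(m6, na, "Bob", fixed)
    return m7 is not None and dec("Bob", m7) == (nb,)

def lowe_attack(fixed):
    """True if Bob ends up accepting 'Alice' while Malice knows NA and NB."""
    na, nb = secrets.token_hex(8), secrets.token_hex(8)
    m13 = Enc("Malice", (na, "Alice"))            # 1-3 Alice -> Malice
    m23 = Enc("Bob", dec("Malice", m13))          # 2-3 Malice("Alice") -> Bob
    claimed, m26 = bob_step6(m23, nb, fixed)      # 2-6 Bob -> Malice("Alice")
    # 1-6: Malice cannot open m26, so he forwards it unchanged to Alice.
    m17 = alice_step7(m26, na, "Malice", fixed)   # 1-7 Alice -> Malice (oracle)
    if m17 is None:
        return False
    m27 = Enc("Bob", dec("Malice", m17))          # 2-7 Malice("Alice") -> Bob
    return claimed == "Alice" and dec("Bob", m27) == (nb,)
```

With the identity check in place Alice refuses to answer message 1-6, because it names Bob while her session is with Malice, so she no longer acts as a decryption oracle; the honest run is unaffected.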