Otway–Rees protocol

Otway–Rees protocol is a authentication designed for use on (e.g. the ). It allows individuals communicating over such a network to prove their identity to each other while also preventing or and allowing for the detection of modification.

The protocol can be specified as follows in , where Alice is authenticating herself to Bob using a server S (M is a session-identifier, N_A and N_B are ):

$A rightarrow B: M,A,B,{N_A,M,A,B}_{K_{AS}}$
$B rightarrow S: M,A,B,{N_A,M,A,B}_{K_{AS}},{N_B, M,A,B}_{K_{BS}}$
$S rightarrow B: M,{N_A,K_{AB}}_{K_{AS}},{N_B,K_{AB}}_{K_{BS}}$
$B rightarrow A: M,{N_A,K_{AB}}_{K_{AS}}$

Note: The above steps do not authenticate B to A.

Attacks on the protocol

There are a variety of attacks on this protocol currently published.

One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key $K_{AB}$ . The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key $K'_{AB}$ , subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with $K'_{AB}$ instead of $K_{AB}$ .

Another problem is that although the server tells B that A used a nonce, B doesn’t know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.

Source

http://wikipedia.org/

Categories:

Otway–Rees protocol

Attacks on the protocol

See Also on BitcoinWiki

Source