Otway–Rees protocol

The Otway–Rees protocol is a computer network authentication protocol designed for use on insecure networks (e.g. the Internet). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping or replay attacks and allowing for the detection of modification.

The protocol can be specified as follows in security protocol notation, where Alice (A) is authenticating herself to Bob (B) using a server S (M is a session identifier, N_A and N_B are nonces, K_AS and K_BS are the long-term keys A and B share with S, and K_AB is the session key S issues):

  1. A → B: M, A, B, {N_A, M, A, B}_K_AS
  2. B → S: M, A, B, {N_A, M, A, B}_K_AS, {N_B, M, A, B}_K_BS
  3. S → B: M, {N_A, K_AB}_K_AS, {N_B, K_AB}_K_BS
  4. B → A: M, {N_A, K_AB}_K_AS

Note: The above steps do not authenticate B to A.

Attacks on the protocol

A variety of attacks on this protocol have been published.

One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key K_{AB}. The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key K'_{AB}, subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with K'_{AB} instead of K_{AB}.
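The following is an added example, not code from the original article: a self-contained Python simulation of the four-message exchange above, followed by the key-mismatch run just described, in which the intruder drops message 4, replays message 2 to S, and hands A the A-half of the new message 3. The `{X}_K` boxes are modelled with a constructed encrypt-then-MAC toy (HMAC-SHA256 keystream plus HMAC tag), so a modified message fails to unseal; all keys, nonces and session identifiers are generated inline. The `reject_replayed_sessions` option on the server is a hypothetical hardening added here to show one check that stops the replay: S remembers each session identifier M and refuses to issue a second key for it.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption standing in for {X}_K in the notation above
# (constructed for this example; not a production cipher).
IV_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, fields: list) -> bytes:
    """Encrypt-then-MAC a list of fields; modification is detected by unseal()."""
    pt = json.dumps(fields).encode()
    iv = secrets.token_bytes(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key + b"enc", iv, len(pt))))
    tag = hmac.new(key + b"mac", iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unseal(key: bytes, blob: bytes) -> list:
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key + b"mac", iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key + b"enc", iv, len(ct)))))

class Server:
    """S shares K_AS with A and K_BS with B and turns message 2 into message 3."""
    def __init__(self, long_term: dict, reject_replayed_sessions: bool = False):
        self.keys = long_term
        self.guard = reject_replayed_sessions   # hypothetical hardening, see lead-in
        self.seen = set()

    def msg3(self, M, A, B, part_a, part_b):
        n_a, *bind_a = unseal(self.keys[A], part_a)
        n_b, *bind_b = unseal(self.keys[B], part_b)
        if bind_a != [M, A, B] or bind_b != [M, A, B]:
            raise ValueError("session binding mismatch")
        if self.guard:
            if M in self.seen:
                raise ValueError("replayed message 2 for session " + M)
            self.seen.add(M)
        k_ab = secrets.token_hex(16)              # fresh session key K_AB
        return M, seal(self.keys[A], [n_a, k_ab]), seal(self.keys[B], [n_b, k_ab])

class Alice:
    def __init__(self, k_as):
        self.k, self.session_key = k_as, None
    def msg1(self, B):
        self.M, self.n_a = secrets.token_hex(8), secrets.token_hex(16)
        return self.M, "A", B, seal(self.k, [self.n_a, self.M, "A", B])
    def accept_msg4(self, M, part_a):
        n_a, k_ab = unseal(self.k, part_a)
        if M != self.M or n_a != self.n_a:       # A's only checks: M and N_A
            raise ValueError("message 4 does not match my session")
        self.session_key = k_ab

class Bob:
    def __init__(self, k_bs):
        self.k, self.session_key = k_bs, None
    def msg2(self, M, A, B, part_a):
        self.M, self.n_b = M, secrets.token_hex(16)
        return M, A, B, part_a, seal(self.k, [self.n_b, M, A, B])
    def msg4(self, M, part_a, part_b):
        n_b, k_ab = unseal(self.k, part_b)
        if M != self.M or n_b != self.n_b:
            raise ValueError("message 3 does not match my session")
        self.session_key = k_ab
        return M, part_a                          # forward A's half unchanged

def _setup(guard=False):
    k_as, k_bs = secrets.token_bytes(32), secrets.token_bytes(32)
    return Server({"A": k_as, "B": k_bs}, guard), Alice(k_as), Bob(k_bs)

def honest_run() -> bool:
    S, A, B = _setup()
    m2 = B.msg2(*A.msg1("B"))
    A.accept_msg4(*B.msg4(*S.msg3(*m2)))
    return A.session_key == B.session_key        # True: both hold K_AB

def key_mismatch_attack() -> bool:
    """Intruder drops message 4, replays message 2, gives A the A-half of the new message 3."""
    S, A, B = _setup()
    m2 = B.msg2(*A.msg1("B"))
    B.msg4(*S.msg3(*m2))          # B now holds K_AB; message 4 is intercepted and dropped
    M, part_a, _ = S.msg3(*m2)    # replayed message 2: S issues a fresh K'_AB
    A.accept_msg4(M, part_a)      # passes A's checks (same M, same N_A)
    return A.session_key != B.session_key        # True: A holds K'_AB, B holds K_AB

def replay_guard_blocks_attack() -> bool:
    S, A, B = _setup(guard=True)
    m2 = B.msg2(*A.msg1("B"))
    B.msg4(*S.msg3(*m2))
    try:
        S.msg3(*m2)               # second message 2 for the same M is refused
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("honest run, keys agree:", honest_run())
    print("replayed message 2, keys differ:", key_mismatch_attack())
    print("server with session guard refuses replay:", replay_guard_blocks_attack())
```

The point the simulation makes visible is that every check A performs in message 4 succeeds during the attack: the session identifier and nonce are the ones A chose, and the box is genuinely encrypted under K_AS by S. Nothing in the protocol ties A's copy of the key to the copy B received, which is why the mismatch goes undetected unless S itself refuses to answer a second message 2 for the same session.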

Another problem is that although the server tells B that A used a nonce, B doesn’t know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.
