Otway–Rees protocol is a authentication designed for use on (e.g. the ). It allows individuals communicating over such a network to prove their identity to each other while also preventing or and allowing for the detection of modification.
The protocol can be specified as follows in , where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are ):
Note: The above steps do not authenticate B to A.
Attacks on the protocol
There are a variety of attacks on this protocol currently published.
One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key . The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key , subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with instead of .
Another problem is that although the server tells B that A used a nonce, B doesn’t know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.