Needham-Schroeder Protocol Authentication

1
Needham-Schroeder ProtocolAuthentication Key
Establishment

• CS 470
• Introduction to Applied Cryptography
• Instructor Ali Aydin Selcuk

2
Key Establishment and Authentication with KDC

• A simple protocol
• Problem Potential delayed key delivery to Bob.
  (besides others)

Alice, Bob
KBAlice, KAB
KDC
KABob, KAB
Alice
Bob
3

• Another simple protocol
• Problems
• No freshness guarantee for KAB
• Alice Bob need to authenticate

Alice, Bob
KABob, KAB, ticketB where ticketB KBAlice,
KAB
KDC
Alice
Bob
Alice, ticketB
4
Needham-Schroeder Protocol
N1, Alice, Bob
KAN1, Bob, KAB, ticketB where ticketB
KBKAB, Alice
KDC
ticketB, KABN2
Bob
Alice
KABN2-1, N3
KABN3-1
5
Needham-Schroeder Protocol

• N1 for authenticating KDC freshness of KAB.
• Ticket is double-encrypted. (unnecessary)
• N2, N3 for key confirmation, mutual
  authentication
• Why are the challenges N2, N3 encrypted?
• Problem Bob doesnt have freshness guarantee for
  KAB (i.e., cant detect replays).

6

• Messages should be integrity protected.
• Otherwise, cut-and-paste reflection attacks
  possible

replay ticketB, KABN2
KABN2-1, N3
Trudy
Bob
KABN3-1
ticketB, KABN3
Trudy
Bob
KABN3-1, N4
7
Expanded Needham-Schroeder Protocol
hello
KBNB
N1, Alice, Bob, KBNB
KAN1, Bob, KAB, ticketB where ticketB
KBKAB, Alice, NB
KDC
Alice
Bob
ticketB, KABN2
KABN2-1, N3
KABN3-1
8
Otway-Rees Protocol
NC, Alice, Bob, KANA, NC, Alice, Bob
KANA, NC, Alice, Bob KBNB, NC, Alice,
Bob
KDC
NC, KANA, KAB, KBNB, KAB
Bob
Alice
KANA, KAB
KABanything recognizable
9
Otway-Rees Protocol

• NA, NB Provides freshness guarantee for A B,
  as well as authentication of KDC.
• NC Binds Alice, Bob, and the session. Also
  authenticates Bob.
• Having separate NA NC is redundant for
  security,though its good for functional
  separation of nonces and uniformity of KDC
  messages.

10
Basic Kerboros Protocol
N1, Alice, Bob
KAN1, Bob, KAB, ticketB where ticketB
KBKAB, Alice, expiration time
KDC
Bob
Alice
ticketB, KABT
KABT1
T timestamp