The major security hole in this protocol is that old session keys are valuable. If Mallory gets access to an old K, he can launch a successful attack [461]. All he has to do is record Alice's messages to Bob in step (3). Then, once he has K, he can pretend to be Alice:
Now, Mallory has Bob convinced that he is Alice.
A stronger protocol, using timestamps, can defeat this attack [461,456]. A timestamp is added to Trent's message in step (2), encrypted with Bob's key: E_B(K,A,T). Timestamps require a secure and accurate system clock, not a trivial problem in itself.
If the key Trent shares with Alice is ever compromised, the consequences are drastic. Mallory can use it to obtain session keys to talk with Bob (or anyone else he wishes to talk to). Even worse, Mallory can continue to do this even after Alice changes her key [90].
Needham and Schroeder attempted to correct these problems in a modified version of their protocol [1160]. Their new protocol is essentially the same as the Otway-Rees protocol, published in the same issue of the same journal.
Otway-Rees
This protocol also uses symmetric cryptography [1224].
Assuming that all the random numbers match, and the index number hasn't changed along the way, Alice and Bob are now convinced of each other's identity, and they have a secret key with which to communicate.
Kerberos
Kerberos is a variant of Needham-Schroeder and is discussed in detail in Section 24.5. In the basic Kerberos Version 5 protocol, Alice and Bob each share keys with Trent. Alice wants to generate a session key for a conversation with Bob.
This protocol works, but it assumes that everyone's clocks are synchronized with Trent's clock. In practice, the effect is obtained by synchronizing clocks to within a few minutes of a secure time server and detecting replays within the time interval.
Neuman-Stubblebine
Whether by system faults or by sabotage, clocks can become unsynchronized. If the clocks get out of sync, there is a possible attack against most of these protocols [644]. If the sender's clock is ahead of the receiver's clock, Mallory can intercept a message from the sender and replay it later when the timestamp becomes current at the receiver's site. This attack is called suppress-replay and can have irritating consequences.
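The receiver-side check described for Kerberos (a freshness window plus replay detection inside it), and the case it misses when the sender's clock runs ahead, as an added example that is not from the original text. The class name, the 300-second window and the timeline values are assumptions constructed for illustration.

```python
# Added example: timestamp freshness check with a replay cache.
# WINDOW, Receiver and the timeline below are assumed, not from the text.
WINDOW = 300  # accepted clock skew in seconds ("within a few minutes")


class Receiver:
    def __init__(self):
        self.seen = {}  # (sender, timestamp) -> timestamp of accepted messages

    def accept(self, sender, timestamp, now):
        """Return (accepted, reason) for a message arriving at receiver time `now`."""
        # Drop cache entries older than the window: a replay of one of them
        # would fail the freshness check below anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= WINDOW}
        if abs(now - timestamp) > WINDOW:
            return (False, "stale" if timestamp < now else "from the future")
        if (sender, timestamp) in self.seen:
            return (False, "replay")
        self.seen[(sender, timestamp)] = timestamp
        return (True, "ok")


def scenario():
    """Constructed timeline; all times are seconds on the receiver's clock."""
    bob = Receiver()
    out = {}
    # Ordinary replay: Bob already accepted the message, so the cache catches it.
    out["first"] = bob.accept("alice", 1000, now=1010)
    out["replay"] = bob.accept("alice", 1000, now=1100)
    # Alice's clock runs 3600 s ahead: she stamps 5000 when Bob's clock reads 1400.
    # Delivered at once, the message falls outside the window and is rejected.
    out["prompt"] = Receiver().accept("alice", 5000, now=1400)
    # Suppress-replay: the message is held back and delivered when Bob's clock
    # reaches its timestamp. Bob never saw it, so the cache has nothing to match.
    out["suppressed"] = bob.accept("alice", 5000, now=5000)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:10s} {result}")
```

The last case is accepted because both checks depend only on the receiver's clock and on messages the receiver has already seen; neither can tell that the message was created an hour earlier.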