# Needham-Schroeder Protocol: Authentication & Key Establishment (CS 470 Introduction to Applied Cryptography)


CS470, A. Selcuk. Needham-Schroeder Protocol: Authentication & Key Establishment. CS 470 Introduction to Applied Cryptography. Instructor: Ali Aydin Selcuk

## Key Establishment and Authentication with KDC

A simple protocol:

- Alice → KDC: Alice, Bob
- KDC → Alice: K_A{Bob, K_AB}
- KDC → Bob: K_B{Alice, K_AB}

Problem: Potential delayed key delivery to Bob (besides others).

Another simple protocol:

1. Alice → KDC: Alice, Bob
2. KDC → Alice: K_A{Bob, K_AB}, ticket_B, where ticket_B = K_B{Alice, K_AB}
3. Alice → Bob: Alice, ticket_B

Problems:

- No freshness guarantee for K_AB
- Alice & Bob need to authenticate

## Needham-Schroeder Protocol

1. Alice → KDC: N_1, Alice, Bob
2. KDC → Alice: K_A{N_1, Bob, K_AB, ticket_B}, where ticket_B = K_B{K_AB, Alice}
3. Alice → Bob: ticket_B, K_AB{N_2}
4. Bob → Alice: K_AB{N_2 - 1, N_3}
5. Alice → Bob: K_AB{N_3 - 1}

## Needham-Schroeder Protocol

- N_1: for authenticating KDC & freshness of K_AB.
- Ticket is double-encrypted. (unnecessary)
- N_2, N_3: for key confirmation, mutual authentication.
- Why are the challenges N_2, N_3 encrypted?
- Problem: Bob doesn't have freshness guarantee for K_AB (i.e., can't detect replays).

Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks are possible:

First exchange:

1. Trudy → Bob (replay): ticket_B, K_AB{N_2}
2. Bob → Trudy: K_AB{N_2 - 1, N_3}

Second exchange:

1. Trudy → Bob: ticket_B, K_AB{N_3}
2. Bob → Trudy: K_AB{N_3 - 1, N_4}

Trudy → Bob: K_AB{N_3 - 1} (completes the first exchange)

## Expanded Needham-Schroeder Protocol

1. Alice → Bob: hello
2. Bob → Alice: K_B{N_B}
3. Alice → KDC: N_1, Alice, Bob, K_B{N_B}
4. KDC → Alice: K_A{N_1, Bob, K_AB, ticket_B}, where ticket_B = K_B{K_AB, Alice, N_B}
5. Alice → Bob: ticket_B, K_AB{N_2}
6. Bob → Alice: K_AB{N_2 - 1, N_3}
7. Alice → Bob: K_AB{N_3 - 1}
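As an added illustration (not part of the original slides), the Python model below shows why carrying Bob's nonce N_B inside ticket_B gives Bob the freshness guarantee that the original protocol lacks. `seal`/`unseal` are hypothetical stand-ins for K{...} that model integrity only, and all keys, names and function names are constructed for the example.

```python
import hashlib, hmac, json, secrets

def seal(key, fields):
    """Model of K{fields}: HMAC-tagged JSON (integrity only, no secrecy)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    """Return the fields if the tag verifies under key, else raise ValueError."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

def bob_hello(k_b):
    """Expanded protocol: Bob answers 'hello' with K_B{N_B}; he remembers N_B."""
    n_b = secrets.token_hex(8)
    return n_b, seal(k_b, {"n_b": n_b})

def kdc_ticket(k_b, alice, nb_blob=None):
    """ticket_B = K_B{K_AB, Alice} or, expanded, K_B{K_AB, Alice, N_B}."""
    fields = {"k_ab": secrets.token_hex(16), "peer": alice}
    if nb_blob is not None:
        fields["n_b"] = unseal(k_b, nb_blob)["n_b"]
    return seal(k_b, fields)

def bob_accepts_original(k_b, ticket):
    """Original protocol: any ticket that opens under K_B is accepted."""
    unseal(k_b, ticket)
    return True

def bob_accepts_expanded(k_b, ticket, n_b):
    """Expanded protocol: the ticket must carry the N_B issued for this run."""
    return unseal(k_b, ticket).get("n_b") == n_b

def demo():
    k_b = secrets.token_bytes(32)  # constructed long-term key shared by Bob and KDC
    # Earlier runs, whose tickets were recorded on the wire.
    old_plain = kdc_ticket(k_b, "Alice")
    _, old_blob = bob_hello(k_b)
    old_expanded = kdc_ticket(k_b, "Alice", old_blob)
    # New run: Bob issues a new N_B, so only a ticket built for it passes.
    n_b, blob = bob_hello(k_b)
    return {
        "original_replay": bob_accepts_original(k_b, old_plain),
        "expanded_replay": bob_accepts_expanded(k_b, old_expanded, n_b),
        "expanded_fresh": bob_accepts_expanded(k_b, kdc_ticket(k_b, "Alice", blob), n_b),
    }
```

In the original protocol the replayed ticket is indistinguishable from a new one; in the expanded protocol Bob rejects it because its N_B belongs to an earlier run.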

## Otway-Rees Protocol

1. Alice → Bob: N_C, "Alice", "Bob", K_A{N_A, N_C, "Alice", "Bob"}
2. Bob → KDC: K_A{N_A, N_C, "Alice", "Bob"}, K_B{N_B, N_C, "Alice", "Bob"}
3. KDC → Bob: N_C, K_A{N_A, K_AB}, K_B{N_B, K_AB}
4. Bob → Alice: K_A{N_A, K_AB}
5. Alice → Bob: K_AB{anything recognizable}

## Otway-Rees Protocol

- N_A, N_B: Provide freshness guarantee for A & B, as well as authentication of KDC.
- N_C: Binds Alice, Bob, and the session. Also authenticates Bob.
- Having separate N_A & N_C is redundant for security, though it's good for functional separation of nonces and uniformity of KDC messages.

## Basic Kerberos Protocol

1. Alice → KDC: N_1, Alice, Bob
2. KDC → Alice: K_A{N_1, Bob, K_AB, ticket_B}, where ticket_B = K_B{K_AB, Alice, expiration time}
3. Alice → Bob: ticket_B, K_AB{T}
4. Bob → Alice: K_AB{T+1}

T: timestamp
