The John Clark and Jeremy Jacob Library of Protocols

* - Indicates a flawed protocol

6.1 Symetric Key Protocols Without Trusted Third Part

6.1.1    ISO Symmetric Key One-Pass Unilateral Authentication Protocol

Known: A.KAB = B.KAB

A -> B: txt2, {[Ta|Na], B, txt1}KAB

6.1.2    ISO Symmetric Key Two-Pass Unilateral Authentication Protocol

A -> B: RB, txt1

B -> A: txt3, {RB, B, txt2}KAB

6.1.3    ISO Symmetric Key One-Pass Mutual Authentication Protocol

A -> B: txt2, {[Ta|Na], B, txt1}KAB

B -> A: txt4, {[Ta|Na], A, txt1}KAB

Note: same as 6.1.1 except B sends message as well

6.1.4    ISO Symmetric Key Three-Pass Unilateral Authentication Protocol

A -> B: RB, txt1

B -> A: txt3, {RA, RB, B, txt2}KAB

A -> B: txt5, {RB, RA, txt4} KAB

6.1.5    Using Non-Reversible Functions

A -> B: B, RB

B -> A: A, {hash(RB), RA, A, K}KAB

B -> A: B, {hash(RA)}KAB

Question: What purpose does hashing serve in this protocol?  Any?

6.1.6    Andrew Secure RPC Protocol*

A -> B: A, {NA}KAB

B -> A: {NA+1, NB}KAB

A -> B: {NB+1}KB

B -> A: {K’AB, N’B}KAB

6.2 Authentication Using Cryptographic Check Functions

6.2.1 ISO One-Pass Unilateral Authentication with CryptographicCheckFunctions

A->B: [Ta|Na], B, txt2, hash{[Ta|Na], B, txt1}Kab

6.2.2 ISO Two-Pass Unilateral Authentication with CCFs

B->A: Rb, txt1

A->B: txt3, hash{Rb, B, txt2}Kab

6.2.3 ISO Two-Pass Mutual Authentication with CCFs

A -> B: [Ta|Na], txt2, hash{[Ta|Na], B, txt1}Kab

B -> A: [Tb|Nb], txt4, hash{[Tb|Nb], A, txt3}Kab

6.2.4    ISO Three-Pass Mutual Authentication with CCF

A -> B: RB, txt1

B -> A: txt3, {RA, RB, B, txt2}KAB

A -> B: txt5, {RB, RA, txt4} KAB

6.3     Symmetric Key Protocols Involving Trusted Third Parties

6.3.1    Needham Schroeder Protocol with Conventional Keys*

A -> S:  A, B, Na

S -> A:  {Na, B, Kab, {Kab, A}Kbs}Kas

A -> B:  {Kab, A}Kbs

B -> A:  {Nb}Kab

A -> B:  {Nb – 1}Kab

6.3.2    Denning Sacco Protocol

A->S:  A, B

S->A:  {B, Kab, T, {A, Kab, T}Kbs}Kas

A->B:  {A, Kab, T}Kbs

6.3.3        Otway-Rees Protocol*

A->B:  M, A, B, {Na, M, A, B}Kas

B->S:  M, A, B, {Na, M, A, B}Kas, {Nb, M, A, B}Kbs

S->B:  M, {Na, Kab}Kas, {Nb, Kab}Kbs

B->A:  M, {Na, Kab}Kas

6.3.4        Amended Needham Schroeder Protocol

A->B:  A

B->A:  {A, Nb­’}Kbs

A->S:  A, B, Na, {A, Nb’}Kbs

S->A:  {Na, B, Kab, {Kab, Nb’, A}Kbs

A->B:  {Kab, Nb’, A}Kbs

B->A:  {Nb}Kab

A->B:  {Nb-1}Kab

Note: Last two messages confirm Kab and msg 6 authenticates B

6.3.5        Wide Mouthed Frog Protocol*

A->S:  A, {Ta, B, Kab}Kas

S->B:  {Ts, A, Kab}Kbs

Goal: Supposed to authenticate A, transport session key to B

6.3.6        Yahalom*

A->B:  A, Na

B->S:  B, {A, Na, Nb}Kbs

S->A:  {B, Kab, Na, Nb}Kas, {A, Kab}Kbs

A->B:  {A, Kab}Kbs, {Nb}Kab

* - Attack is based on {A, Na, Nb}Kbs replacing {A, Kab}Kbs in msg 4 (this only works if length(Keys) = length(Na,Nb)), second part of message 4 from attacker is {Nb}NaNb but I don’t know how the attacker is supposed to discover Nb. p49

6.3.7        Carlsen’s Secret Key Initiator Protocol

A->B:  A, Na

B->S:  A, Na, B, Nb

S->B:  {Kab, Nb, A}Kbs, {Na, B, Kab}Kas

B->A: {Na, B, Kab}Kas, {Na}Kab, N’b

A->B:  {N’b}Kab

6.3.8        ISO Four-Pass Authentication Protocol

A->B:  TVPa, B, txt1

S->A:  txt4, {TVPa, Kab, B, txt3}Kas, {[Ts|Ns], Kab, A, txt2}Kbs

A->B:  txt6, {[Ts|Ns], Kab, A, txt2}Kbs, {[Ta|Na], B, txt5}Kab

B->A:  txt8, {[Tb|Nb], A, txt7}Kab

6.3.9        ISO Five-Pass Authentication Protocol

A->B:  Ra, txt1

B->S:  R’b, Ra, A, txt2

S->B:  txt5, {R’b, Kab, A, txt4}Kbs, {Ra, Kab, B, txt3}Kas

B->A:  txt7, {Ra, Kab, B, txt3}Kas, {Rb, Ra, txt6}Kab

A->B:  txt9, {Ra, Rb, txt8}Kab

6.3.10    Woo and Lam Authentication Protocols

Assume: principals can detect replay

WL f

A->B:  A

B->A:  Nb

A->B:  {A, B, Nb}Kas

B->S:  {A, B, Nb, {A, B, Nb}Kas}Kbs

S->B:  {A, B, Nb}Kbs

WL 1

A->B:  A

B->A:  Nb

A->B:  {A, B, Nb}Kas

B->S:  {A, B, {A, B, Nb}Kas}Kbs

S->B:  {A, B, Nb}Kbs

WL 2

A->B:  A

B->A:  Nb

A->B:  {A, Nb}Kas

B->S:  {A, {A, Nb}Kas}Kbs

S->B:  {A, Nb}Kbs

WL 3

A->B:  A

B->A:  Nb

A->B:  {Nb}Kas

B->S:  {A, {Nb}Kas}Kbs

S->B:  {A, Nb}Kbs

WL final simplification*

A->B:  A

B->A:  Nb

A->B:  {Nb}Kas

B->S:  {A, {Nb}Kas}Kbs

S->B:  {Nb}Kbs

* - Don’t follow first attack. p52.  But do follow second one.

6.3.11    Woo and Lam Mutual Authenticaiton Protocol*

P->Q:  P, Np

Q->P:  Q, Nq

P->Q:  {P, Q, Np, Nq}Kps

Q->S:  {P, Q, Np, Nq}Kps, {P, Q, Np, Nq}Kqs

S->Q:  {Q, Np, Nq, Kpq}, {P, Np, Nq, Kpq}Kqs

Q->P:  {Q, Np, Nq, Kpq}, {Np, Nq}Kpq

P->Q:  {Kq}Kpq

* - Attack allows one participant to get two sessions going with same key.  Weak

6.4             Signatures with Conventional Key Encryption

6.4.1        Needham-Schroeder Signature Protocol

A->S:  A, {hash(msg)}Ka

S->A:  {A, hash(msg)}Ks

A->B:  msg, {A, hash(msg)}Ks

B->S:  B, {A, hash(msg)}Ks

S->B:  {A, hash(msg)}Kb

6.5         Symmetric Key Repeated Authentication Protocols

6.5.1        Kerberos Version 5

U         user

C         client

G         Ticket granting server

A         Key Distribution center

S          server

Tcg      {U, C, G, Kcg, Tstart, Texpire}Kag

Acg      {C, T}Kcg

Tcs       {U, C, S, Kcs, T’start, T’expire}Kcg

Acs      {C, T’}Kcs

Ku       key known to C, shared, U’s password allows it to decrypt

C->A:  U, G, L1, N1

A->C:  U, Tcg, {G, Kcg, Tstart, Texpire, N1}Ku

C->G:  S, L2, N2, Tcg, Acg

G->C:  U, Tcs, {S, Kcs, T’start, T’expire}Kcg

C->S:  Tcs, Acs

S->C:  {T’}Kcs

6.5.2        Neumann Stubblebine*

Initial Protocol

A->B:  A, Na

B->S:  B, {A, Na, Tb}Kbs, Nb

S->A:  {B, Na, Kab, Tb}Kas, }{A, Kab, Tb}Kbs, Nb

A->B:  {A, Kab, Tb}Kbs, {Nb}Kab

Repeated Authentication

A->B:  N’a, {A, Kab, Tb}Kbs

B->A:  N’b, {N’a}Kab

A->B:  {N’b}Kab

6.5.3        Kehne Langendorfer Schoenwalder KLS*

Initial

A->B:  A, Na

B->S:  Na, A, Nb, B

S->B:  {Nb, A, Kab}Kbs, {Na, B, Kab}Kas

B->A:  {Na, B, Kab}Kas, {Tb, A, Kab}Kbb, Nc, {Na}Kab

A->B:  {Nc}Kab

Repeated

A->B:  N’a, {Tb, A, Kab}Kbb

B->A:  N’b, {N’a}Kab

A->B:  {N’b}Kab

6.5.4        The Kao Chow Repeated Authentication Protocols

One*

A->S:  A, B, Na

S->B:  {A, B, Na, Kab}Kas, {A, B, Na, Kab}Kbs

B->A:  {A, B, Na, Kab}Kas, {Na}Kab, Nb

A->A:  {Nb}Kab

Two

A->S:  A, B, Na

S->B:  {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A:  {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb

A->B:  {Na, Kab}Kt

Three (tickets)

A->S:  A, B, Na

S->B:  {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A:  {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb, {A, B, Ta, Kab}Kbs

A->B:  {Na, Kab}Kt, {A, B, Ta, Kab}Kbs

6.6         Public Key Protocols without Trusted Third Party

6.6.1        ISO Public Key One-Pass Unilateral Authentication Protocol

A->B:  CertA, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka-1

6.6.2        ISO Public Key Two-Pass Unilateral Authentication Protocol

B->A:  Tb, txt1

A->B:  CertA, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka-1

6.6.3        ISO Public Key Two-Pass Mutual Authentication Protocol

A->B:  CertA, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka-1

B->A:  CertB,[Tb|Nb], A, txt4, {[Tb|Nb], A, txt3}Kb-1

Note:  two above messages disjoint

6.6.4        ISO Three-Pass Mutual Authentication Protocol

B->A:  Rb, txt1

A->B:  CertA, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka-1

B->A:  CertB, Rb, Ra, A, txt5, {Rb, Ra, A, txt4}Kb-1

6.6.5        ISO Two Pass Parallel Mutual Authentication Protocol

A->B:  CertA, Ra, txt1

B->A:  CertB, Rb, txt2

B->A:  Rb, Ra, A, txt6, {Rb, Ra, A, txt5}Kb-1

A->B:  Ra, Rb, B, txt4, {Ra, Rb, B, txt3}Ka-1

6.6.6        Bilateral Key Exchange with Public Key

B->A:  B, {Nb, B}Ka+

A->B:  {f(Nb), Na, A, K}Kb+

B->A:  {f(Na)}K

Question:  What is the purpose of f()?  Well try to attack without, and maybe you can find out.

6.6.7        Diffie Hellman Exchange

A->B:  X = GX modN

B->A:  Y = GY modN

Note:  No guarantee of authenticity

6.7         Public Key Protocols with Trusted Third Party

6.7.1        Needham-Schroeder Public Key Protocol*

A->S:  A, B

S->A:  {Kb, B}Ks-1

A->B:  {Na, A}Kb

B->S:  B, A

S->B:  {Ka, A}Ks-1

B->A:  {Na, Nb}Ka

A->B:  {Nb}Kb

6.8          SPLICE/AS Authentication Protocol*

C->AS:  C, S, N1

AS->C:  AS, {AS, C, N1, Ks}Kas-1

C->S:  C, S, {C, T, L, {N2}Ks}Kc-1

S->AS:  S, C, N3

AS->S:  AS, {AS, S, N3, Kc}Kas-1

S->C:  S, C, {S, N2+1}Kc

6.8.1        Hwang and Chen’s Modified SPLICE/AS*

C->AS:  C, S, N1

AS->C:  AS, {AS, C, N1, S, Ks}Kas-1

C->S:  C, S, {C, T, L, {N2}Ks}Kc-1

S->AS:  S, C, N3

AS->S:  AS, {AS, S, N3, C, Kc}Kas-1

S->C:  S, C, {S, N2+1}Kc

6.9          Denning Sacco Key Distribution with Public Key*

A->S:  A, B

S->A:  CertA, CertB

A->B:  CertA, CertB, {{Kab, Ta}Ka-1)Kb

6.9.1        CCITT X.509*

A->B:  A, {Ta, Na, B, Xa, {Ya}Kb}Ka-1

B->A:  B, {Tb, Nb, A, Na, Xb, {Yb}Ka}Kb-1

A->B:  A, {Nb}Ka-1

Problem: signing after encryption

6.10        Miscellaneous

6.10.1    Shamir Rivest Adelman Three Pass Protocol*

A->B:  {M}Ka

B->A:  {{M}Ka}Kb

A->B:  {M}Kb

6.10.2    Gong Mutual Authentication Protocol

Pa                                secret shared between A and A

(k, Ha, Hb)                  hash(Ns, Na, B, Pa),

hash(Ns, Nb, A, Pb)    B xors with 2nd field of message 2 to get (K, Ha, Hb)

k                                  a secret to be shared between clients

Ha, Hb                         handshake numbers

A->B:  A, B, Na

B->S:  A, B, Na, Nb

S->B:  Ns, hash(Ns, Nb, A, Pb) xor (K, Ha, Hb), hash(k, Ha, Hb, Pb)

B->A:  Ns, Hb

A->B:  Ha

6.10.3    Encrypted Key Exchange – EKE*

R          Randomly generated session key

A->B:  {Ka}P

B->A:  {{R}Ka}P

A->B:  {Na}R

B->A:  {Na, Nb}R

A->B:  {Nb}R

Note: To analyze a password protocol you must also look at the weakness of P.  That is, P is subject to brute force attack If it is used to encrypt a value that is not random, it can be determined.

* - Attack seems to be base upon A accepting password for key exchange.  This may not fit a client server model.

6.10.4    Davis Swick Private Key Certificates* - “Network Security via Private-Key Certificates”

One*

B->A:  {A, msg}Kbt

A->T:  {A, msg}Kbt, B

T->A:  {msg, B}Kat

Two – Scaled up Key Translation

B->A:  {A, msg}Kbt

A->T:  {A, msg}Kbt, {Kbt, B, Lb}Kt, {Kat, A, La}Kt

T->A:  {msg, B}Kat

Three

B->T:  {Kbt, B, Lb}Kt

T->B:  {K’bt, B, L’b}Kt, {K’bt, T, L’b, checksum}Kbt

Four

A->T:  {Kat, A, La}Kt, {Kbt, B, Lb}Kt

T->A:  {Kab, A, Lab}Kbt, {Kab, B, Lab, checksum}Kat

A->B:  {msg, A}Kab, {Kab, A, Lab}Kbt