The John Clark and Jeremy Jacob Library of Protocols

 

* - Indicates a flawed protocol

 

6.1 Symetric Key Protocols Without Trusted Third Part

 

6.1.1 ISO Symmetric Key One-Pass Unilateral Authentication Protocol

Known: A.KAB = B.KAB

 

A -> B: txt2, {[Ta|Na], B, txt1}KAB

 

6.1.2 ISO Symmetric Key Two-Pass Unilateral Authentication Protocol

 

A -> B: RB, txt1

B -> A: txt3, {RB, B, txt2}KAB

 

6.1.3 ISO Symmetric Key One-Pass Mutual Authentication Protocol

 

A -> B: txt2, {[Ta|Na], B, txt1}KAB

B -> A: txt4, {[Ta|Na], A, txt1}KAB

 

Note: same as 6.1.1 except B sends message as well

 

6.1.4 ISO Symmetric Key Three-Pass Unilateral Authentication Protocol

 

A -> B: RB, txt1

B -> A: txt3, {RA, RB, B, txt2}KAB

A -> B: txt5, {RB, RA, txt4} KAB

 

6.1.5 Using Non-Reversible Functions

 

A -> B: B, RB

B -> A: A, {hash(RB), RA, A, K}KAB

B -> A: B, {hash(RA)}KAB

 

Question: What purpose does hashing serve in this protocol? Any?

 

6.1.6 Andrew Secure RPC Protocol*

 

A -> B: A, {NA}KAB

B -> A: {NA+1, NB}KAB

A -> B: {NB+1}KB

B -> A: {KAB, NB}KAB

 

6.2 Authentication Using Cryptographic Check Functions

 

6.2.1 ISO One-Pass Unilateral Authentication with CryptographicCheckFunctions

 

A->B: [Ta|Na], B, txt2, hash{[Ta|Na], B, txt1}Kab

 

6.2.2 ISO Two-Pass Unilateral Authentication with CCFs

 

B->A: Rb, txt1

A->B: txt3, hash{Rb, B, txt2}Kab

 

6.2.3 ISO Two-Pass Mutual Authentication with CCFs

 

A -> B: [Ta|Na], txt2, hash{[Ta|Na], B, txt1}Kab

B -> A: [Tb|Nb], txt4, hash{[Tb|Nb], A, txt3}Kab

 

6.2.4 ISO Three-Pass Mutual Authentication with CCF

 

A -> B: RB, txt1

B -> A: txt3, {RA, RB, B, txt2}KAB

A -> B: txt5, {RB, RA, txt4} KAB

 

6.3 Symmetric Key Protocols Involving Trusted Third Parties

 

6.3.1 Needham Schroeder Protocol with Conventional Keys*

 

A -> S: A, B, Na

S -> A: {Na, B, Kab, {Kab, A}Kbs}Kas

A -> B: {Kab, A}Kbs

B -> A: {Nb}Kab

A -> B: {Nb 1}Kab

 

6.3.2 Denning Sacco Protocol

 

A->S: A, B

S->A: {B, Kab, T, {A, Kab, T}Kbs}Kas

A->B: {A, Kab, T}Kbs

 

6.3.3        Otway-Rees Protocol*

 

A->B: M, A, B, {Na, M, A, B}Kas

B->S: M, A, B, {Na, M, A, B}Kas, {Nb, M, A, B}Kbs

S->B: M, {Na, Kab}Kas, {Nb, Kab}Kbs

B->A: M, {Na, Kab}Kas

 

6.3.4        Amended Needham Schroeder Protocol

 

A->B: A

B->A: {A, Nb}Kbs

A->S: A, B, Na, {A, Nb}Kbs

S->A: {Na, B, Kab, {Kab, Nb, A}Kbs

A->B: {Kab, Nb, A}Kbs

B->A: {Nb}Kab

A->B: {Nb-1}Kab

 

Note: Last two messages confirm Kab and msg 6 authenticates B

 

6.3.5        Wide Mouthed Frog Protocol*

 

A->S: A, {Ta, B, Kab}Kas

S->B: {Ts, A, Kab}Kbs

 

Goal: Supposed to authenticate A, transport session key to B

 

6.3.6        Yahalom*

 

A->B: A, Na

B->S: B, {A, Na, Nb}Kbs

S->A: {B, Kab, Na, Nb}Kas, {A, Kab}Kbs

A->B: {A, Kab}Kbs, {Nb}Kab

 

* - Attack is based on {A, Na, Nb}Kbs replacing {A, Kab}Kbs in msg 4 (this only works if length(Keys) = length(Na,Nb)), second part of message 4 from attacker is {Nb}NaNb but I dont know how the attacker is supposed to discover Nb. p49

 

6.3.7        Carlsens Secret Key Initiator Protocol

 

A->B: A, Na

B->S: A, Na, B, Nb

S->B: {Kab, Nb, A}Kbs, {Na, B, Kab}Kas

B->A: {Na, B, Kab}Kas, {Na}Kab, Nb

A->B: {Nb}Kab

 

6.3.8        ISO Four-Pass Authentication Protocol

 

A->B: TVPa, B, txt1

S->A: txt4, {TVPa, Kab, B, txt3}Kas, {[Ts|Ns], Kab, A, txt2}Kbs

A->B: txt6, {[Ts|Ns], Kab, A, txt2}Kbs, {[Ta|Na], B, txt5}Kab

B->A: txt8, {[Tb|Nb], A, txt7}Kab

 

6.3.9        ISO Five-Pass Authentication Protocol

 

A->B: Ra, txt1

B->S: Rb, Ra, A, txt2

S->B: txt5, {Rb, Kab, A, txt4}Kbs, {Ra, Kab, B, txt3}Kas

B->A: txt7, {Ra, Kab, B, txt3}Kas, {Rb, Ra, txt6}Kab

A->B: txt9, {Ra, Rb, txt8}Kab

 

6.3.10    Woo and Lam Authentication Protocols

Assume: principals can detect replay

 

WL f

A->B: A

B->A: Nb

A->B: {A, B, Nb}Kas

B->S: {A, B, Nb, {A, B, Nb}Kas}Kbs

S->B: {A, B, Nb}Kbs

 

WL 1

A->B: A

B->A: Nb

A->B: {A, B, Nb}Kas

B->S: {A, B, {A, B, Nb}Kas}Kbs

S->B: {A, B, Nb}Kbs

 

WL 2

A->B: A

B->A: Nb

A->B: {A, Nb}Kas

B->S: {A, {A, Nb}Kas}Kbs

S->B: {A, Nb}Kbs

 

WL 3

A->B: A

B->A: Nb

A->B: {Nb}Kas

B->S: {A, {Nb}Kas}Kbs

S->B: {A, Nb}Kbs

 

WL final simplification*

A->B: A

B->A: Nb

A->B: {Nb}Kas

B->S: {A, {Nb}Kas}Kbs

S->B: {Nb}Kbs

 

* - Dont follow first attack. p52. But do follow second one.

 

6.3.11    Woo and Lam Mutual Authenticaiton Protocol*

 

P->Q: P, Np

Q->P: Q, Nq

P->Q: {P, Q, Np, Nq}Kps

Q->S: {P, Q, Np, Nq}Kps, {P, Q, Np, Nq}Kqs

S->Q: {Q, Np, Nq, Kpq}, {P, Np, Nq, Kpq}Kqs

Q->P: {Q, Np, Nq, Kpq}, {Np, Nq}Kpq

P->Q: {Kq}Kpq

 

* - Attack allows one participant to get two sessions going with same key. Weak

 

6.4             Signatures with Conventional Key Encryption

 

6.4.1        Needham-Schroeder Signature Protocol

 

A->S: A, {hash(msg)}Ka

S->A: {A, hash(msg)}Ks

A->B: msg, {A, hash(msg)}Ks

B->S: B, {A, hash(msg)}Ks

S->B: {A, hash(msg)}Kb

 

6.5         Symmetric Key Repeated Authentication Protocols

6.5.1        Kerberos Version 5

 

U user

C client

G Ticket granting server

A Key Distribution center

S server

Tcg {U, C, G, Kcg, Tstart, Texpire}Kag

Acg {C, T}Kcg

Tcs {U, C, S, Kcs, Tstart, Texpire}Kcg

Acs {C, T}Kcs

Ku key known to C, shared, Us password allows it to decrypt

 

C->A: U, G, L1, N1

A->C: U, Tcg, {G, Kcg, Tstart, Texpire, N1}Ku

C->G: S, L2, N2, Tcg, Acg

G->C: U, Tcs, {S, Kcs, Tstart, Texpire}Kcg

C->S: Tcs, Acs

S->C: {T}Kcs

 

6.5.2        Neumann Stubblebine*

 

Initial Protocol

A->B: A, Na

B->S: B, {A, Na, Tb}Kbs, Nb

S->A: {B, Na, Kab, Tb}Kas, }{A, Kab, Tb}Kbs, Nb

A->B: {A, Kab, Tb}Kbs, {Nb}Kab

 

Repeated Authentication

A->B: Na, {A, Kab, Tb}Kbs

B->A: Nb, {Na}Kab

A->B: {Nb}Kab

 

6.5.3        Kehne Langendorfer Schoenwalder KLS*

 

Initial

A->B: A, Na

B->S: Na, A, Nb, B

S->B: {Nb, A, Kab}Kbs, {Na, B, Kab}Kas

B->A: {Na, B, Kab}Kas, {Tb, A, Kab}Kbb, Nc, {Na}Kab

A->B: {Nc}Kab

 

Repeated

A->B: Na, {Tb, A, Kab}Kbb

B->A: Nb, {Na}Kab

A->B: {Nb}Kab

 

6.5.4        The Kao Chow Repeated Authentication Protocols

 

One*

A->S: A, B, Na

S->B: {A, B, Na, Kab}Kas, {A, B, Na, Kab}Kbs

B->A: {A, B, Na, Kab}Kas, {Na}Kab, Nb

A->A: {Nb}Kab

 

Two

A->S: A, B, Na

S->B: {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A: {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb

A->B: {Na, Kab}Kt

 

Three (tickets)

A->S: A, B, Na

S->B: {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A: {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb, {A, B, Ta, Kab}Kbs

A->B: {Na, Kab}Kt, {A, B, Ta, Kab}Kbs

 

6.6         Public Key Protocols without Trusted Third Party

 

6.6.1        ISO Public Key One-Pass Unilateral Authentication Protocol

 

A->B: CertA, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka-1

 

6.6.2        ISO Public Key Two-Pass Unilateral Authentication Protocol

 

B->A: Tb, txt1

A->B: CertA, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka-1

 

6.6.3        ISO Public Key Two-Pass Mutual Authentication Protocol

 

A->B: CertA, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka-1

B->A: CertB,[Tb|Nb], A, txt4, {[Tb|Nb], A, txt3}Kb-1

 

Note: two above messages disjoint

 

6.6.4        ISO Three-Pass Mutual Authentication Protocol

 

B->A: Rb, txt1

A->B: CertA, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka-1

B->A: CertB, Rb, Ra, A, txt5, {Rb, Ra, A, txt4}Kb-1

 

6.6.5        ISO Two Pass Parallel Mutual Authentication Protocol

 

A->B: CertA, Ra, txt1

B->A: CertB, Rb, txt2

B->A: Rb, Ra, A, txt6, {Rb, Ra, A, txt5}Kb-1

A->B: Ra, Rb, B, txt4, {Ra, Rb, B, txt3}Ka-1

 

6.6.6        Bilateral Key Exchange with Public Key

 

B->A: B, {Nb, B}Ka+

A->B: {f(Nb), Na, A, K}Kb+

B->A: {f(Na)}K

 

Question: What is the purpose of f()? Well try to attack without, and maybe you can find out.

 

6.6.7        Diffie Hellman Exchange

 

A->B: X = GX modN

B->A: Y = GY modN

 

Note: No guarantee of authenticity

 

6.7         Public Key Protocols with Trusted Third Party

 

6.7.1        Needham-Schroeder Public Key Protocol*

 

A->S: A, B

S->A: {Kb, B}Ks-1

A->B: {Na, A}Kb

B->S: B, A

S->B: {Ka, A}Ks-1

B->A: {Na, Nb}Ka

A->B: {Nb}Kb

 

6.8          SPLICE/AS Authentication Protocol*

 

C->AS: C, S, N1

AS->C: AS, {AS, C, N1, Ks}Kas-1

C->S: C, S, {C, T, L, {N2}Ks}Kc-1

S->AS: S, C, N3

AS->S: AS, {AS, S, N3, Kc}Kas-1

S->C: S, C, {S, N2+1}Kc

 

6.8.1        Hwang and Chens Modified SPLICE/AS*

 

C->AS: C, S, N1

AS->C: AS, {AS, C, N1, S, Ks}Kas-1

C->S: C, S, {C, T, L, {N2}Ks}Kc-1

S->AS: S, C, N3

AS->S: AS, {AS, S, N3, C, Kc}Kas-1

S->C: S, C, {S, N2+1}Kc

 

6.9          Denning Sacco Key Distribution with Public Key*

 

A->S: A, B

S->A: CertA, CertB

A->B: CertA, CertB, {{Kab, Ta}Ka-1)Kb

 

6.9.1        CCITT X.509*

 

A->B: A, {Ta, Na, B, Xa, {Ya}Kb}Ka-1

B->A: B, {Tb, Nb, A, Na, Xb, {Yb}Ka}Kb-1

A->B: A, {Nb}Ka-1

 

Problem: signing after encryption

 

6.10        Miscellaneous

 

6.10.1    Shamir Rivest Adelman Three Pass Protocol*

 

A->B: {M}Ka

B->A: {{M}Ka}Kb

A->B: {M}Kb

 

6.10.2    Gong Mutual Authentication Protocol

 

Pa secret shared between A and A

(k, Ha, Hb) hash(Ns, Na, B, Pa),

hash(Ns, Nb, A, Pb) B xors with 2nd field of message 2 to get (K, Ha, Hb)

k a secret to be shared between clients

Ha, Hb handshake numbers

 

A->B: A, B, Na

B->S: A, B, Na, Nb

S->B: Ns, hash(Ns, Nb, A, Pb) xor (K, Ha, Hb), hash(k, Ha, Hb, Pb)

B->A: Ns, Hb

A->B: Ha

 

6.10.3    Encrypted Key Exchange EKE*

 

P Password

R Randomly generated session key

 

A->B: {Ka}P

B->A: {{R}Ka}P

A->B: {Na}R

B->A: {Na, Nb}R

A->B: {Nb}R

 

Note: To analyze a password protocol you must also look at the weakness of P. That is, P is subject to brute force attack If it is used to encrypt a value that is not random, it can be determined.

* - Attack seems to be base upon A accepting password for key exchange. This may not fit a client server model.

 

6.10.4    Davis Swick Private Key Certificates* - Network Security via Private-Key Certificates

 

One*

B->A: {A, msg}Kbt

A->T: {A, msg}Kbt, B

T->A: {msg, B}Kat

 

Two Scaled up Key Translation

B->A: {A, msg}Kbt

A->T: {A, msg}Kbt, {Kbt, B, Lb}Kt, {Kat, A, La}Kt

T->A: {msg, B}Kat

 

Three

B->T: {Kbt, B, Lb}Kt

T->B: {Kbt, B, Lb}Kt, {Kbt, T, Lb, checksum}Kbt

 

Four

A->T: {Kat, A, La}Kt, {Kbt, B, Lb}Kt

T->A: {Kab, A, Lab}Kbt, {Kab, B, Lab, checksum}Kat

A->B: {msg, A}Kab, {Kab, A, Lab}Kbt