The John Clark and Jeremy Jacob Library of Protocols

* - Indicates a flawed protocol

6.1 Symetric Key Protocols Without Trusted Third Part

6.1.1 ISO Symmetric Key One-Pass Unilateral Authentication Protocol

Known: A.K_AB = B.K_AB

A -> B: txt2, {[Ta|Na], B, txt1}K_AB

6.1.2 ISO Symmetric Key Two-Pass Unilateral Authentication Protocol

A -> B: R_B, txt1

B -> A: txt3, {R_B, B, txt2}K_AB

6.1.3 ISO Symmetric Key One-Pass Mutual Authentication Protocol

A -> B: txt2, {[Ta|Na], B, txt1}K_AB

B -> A: txt4, {[Ta|Na], A, txt1}K_AB

Note: same as 6.1.1 except B sends message as well

6.1.4 ISO Symmetric Key Three-Pass Unilateral Authentication Protocol

A -> B: R_B, txt1

B -> A: txt3, {R_A, R_B, B, txt2}K_AB

A -> B: txt5, {R_B, R_A, txt4} K_AB

6.1.5 Using Non-Reversible Functions

A -> B: B, RB

B -> A: A, {hash(R_B), R_A, A, K}K_AB

B -> A: B, {hash(R_A)}K_AB

Question: What purpose does hashing serve in this protocol? Any?

6.1.6 Andrew Secure RPC Protocol*

A -> B: A, {N_A}K_AB

B -> A: {N_A+1, NB}K_AB

A -> B: {N_B+1}K_B

B -> A: {K’_AB, N’_B}K_AB

6.2 Authentication Using Cryptographic Check Functions

6.2.1 ISO One-Pass Unilateral Authentication with CryptographicCheckFunctions

A->B: [Ta|Na], B, txt2, hash{[Ta|Na], B, txt1}Kab

6.2.2 ISO Two-Pass Unilateral Authentication with CCFs

B->A: Rb, txt1

A->B: txt3, hash{Rb, B, txt2}Kab

6.2.3 ISO Two-Pass Mutual Authentication with CCFs

A -> B: [Ta|Na], txt2, hash{[Ta|Na], B, txt1}Kab

B -> A: [Tb|Nb], txt4, hash{[Tb|Nb], A, txt3}Kab

6.2.4 ISO Three-Pass Mutual Authentication with CCF

A -> B: R_B, txt1

B -> A: txt3, {R_A, R_B, B, txt2}K_AB

A -> B: txt5, {R_B, R_A, txt4} K_AB

6.3 Symmetric Key Protocols Involving Trusted Third Parties

6.3.1 Needham Schroeder Protocol with Conventional Keys*

A -> S: A, B, Na

S -> A: {Na, B, Kab, {Kab, A}Kbs}Kas

A -> B: {Kab, A}Kbs

B -> A: {Nb}Kab

A -> B: {Nb – 1}Kab

6.3.2 Denning Sacco Protocol

A->S: A, B

S->A: {B, Kab, T, {A, Kab, T}Kbs}Kas

A->B: {A, Kab, T}Kbs

6.3.3 Otway-Rees Protocol*

A->B: M, A, B, {Na, M, A, B}Kas

B->S: M, A, B, {Na, M, A, B}Kas, {Nb, M, A, B}Kbs

S->B: M, {Na, Kab}Kas, {Nb, Kab}Kbs

B->A: M, {Na, Kab}Kas

6.3.4 Amended Needham Schroeder Protocol

A->B: A

B->A: {A, Nb’}Kbs

A->S: A, B, Na, {A, Nb’}Kbs

S->A: {Na, B, Kab, {Kab, Nb’, A}Kbs

A->B: {Kab, Nb’, A}Kbs

B->A: {Nb}Kab

A->B: {Nb-1}Kab

Note: Last two messages confirm Kab and msg 6 authenticates B

6.3.5 Wide Mouthed Frog Protocol*

A->S: A, {Ta, B, Kab}Kas

S->B: {Ts, A, Kab}Kbs

Goal: Supposed to authenticate A, transport session key to B

6.3.6 Yahalom*

A->B: A, Na

B->S: B, {A, Na, Nb}Kbs

S->A: {B, Kab, Na, Nb}Kas, {A, Kab}Kbs

A->B: {A, Kab}Kbs, {Nb}Kab

* - Attack is based on {A, Na, Nb}Kbs replacing {A, Kab}Kbs in msg 4 (this only works if length(Keys) = length(Na,Nb)), second part of message 4 from attacker is {Nb}NaNb but I don’t know how the attacker is supposed to discover Nb. p49

6.3.7 Carlsen’s Secret Key Initiator Protocol

A->B: A, Na

B->S: A, Na, B, Nb

S->B: {Kab, Nb, A}Kbs, {Na, B, Kab}Kas

B->A: {Na, B, Kab}Kas, {Na}Kab, N’b

A->B: {N’b}Kab

6.3.8 ISO Four-Pass Authentication Protocol

A->B: TVPa, B, txt1

S->A: txt4, {TVPa, Kab, B, txt3}Kas, {[Ts|Ns], Kab, A, txt2}Kbs

A->B: txt6, {[Ts|Ns], Kab, A, txt2}Kbs, {[Ta|Na], B, txt5}Kab

B->A: txt8, {[Tb|Nb], A, txt7}Kab

6.3.9 ISO Five-Pass Authentication Protocol

A->B: Ra, txt1

B->S: R’b, Ra, A, txt2

S->B: txt5, {R’b, Kab, A, txt4}Kbs, {Ra, Kab, B, txt3}Kas

B->A: txt7, {Ra, Kab, B, txt3}Kas, {Rb, Ra, txt6}Kab

A->B: txt9, {Ra, Rb, txt8}Kab

6.3.10 Woo and Lam Authentication Protocols

Assume: principals can detect replay

WL f

A->B: A

B->A: Nb

A->B: {A, B, Nb}Kas

B->S: {A, B, Nb, {A, B, Nb}Kas}Kbs

S->B: {A, B, Nb}Kbs

WL 1

A->B: A

B->A: Nb

A->B: {A, B, Nb}Kas

B->S: {A, B, {A, B, Nb}Kas}Kbs

S->B: {A, B, Nb}Kbs

WL 2

A->B: A

B->A: Nb

A->B: {A, Nb}Kas

B->S: {A, {A, Nb}Kas}Kbs

S->B: {A, Nb}Kbs

WL 3

A->B: A

B->A: Nb

A->B: {Nb}Kas

B->S: {A, {Nb}Kas}Kbs

S->B: {A, Nb}Kbs

WL final simplification*

A->B: A

B->A: Nb

A->B: {Nb}Kas

B->S: {A, {Nb}Kas}Kbs

S->B: {Nb}Kbs

* - Don’t follow first attack. p52. But do follow second one.

6.3.11 Woo and Lam Mutual Authenticaiton Protocol*

P->Q: P, Np

Q->P: Q, Nq

P->Q: {P, Q, Np, Nq}Kps

Q->S: {P, Q, Np, Nq}Kps, {P, Q, Np, Nq}Kqs

S->Q: {Q, Np, Nq, Kpq}, {P, Np, Nq, Kpq}Kqs

Q->P: {Q, Np, Nq, Kpq}, {Np, Nq}Kpq

P->Q: {Kq}Kpq

* - Attack allows one participant to get two sessions going with same key. Weak

6.4 Signatures with Conventional Key Encryption

6.4.1 Needham-Schroeder Signature Protocol

A->S: A, {hash(msg)}Ka

S->A: {A, hash(msg)}Ks

A->B: msg, {A, hash(msg)}Ks

B->S: B, {A, hash(msg)}Ks

S->B: {A, hash(msg)}Kb

6.5 Symmetric Key Repeated Authentication Protocols

6.5.1 Kerberos Version 5

U user

C client

G Ticket granting server

A Key Distribution center

S server

Tcg {U, C, G, Kcg, Tstart, Texpire}Kag

Acg {C, T}Kcg

Tcs {U, C, S, Kcs, T’start, T’expire}Kcg

Acs {C, T’}Kcs

Ku key known to C, shared, U’s password allows it to decrypt

C->A: U, G, L1, N1

A->C: U, Tcg, {G, Kcg, Tstart, Texpire, N1}Ku

C->G: S, L2, N2, Tcg, Acg

G->C: U, Tcs, {S, Kcs, T’start, T’expire}Kcg

C->S: Tcs, Acs

S->C: {T’}Kcs

6.5.2 Neumann Stubblebine*

Initial Protocol

A->B: A, Na

B->S: B, {A, Na, Tb}Kbs, Nb

S->A: {B, Na, Kab, Tb}Kas, }{A, Kab, Tb}Kbs, Nb

A->B: {A, Kab, Tb}Kbs, {Nb}Kab

Repeated Authentication

A->B: N’a, {A, Kab, Tb}Kbs

B->A: N’b, {N’a}Kab

A->B: {N’b}Kab

6.5.3 Kehne Langendorfer Schoenwalder KLS*

Initial

A->B: A, Na

B->S: Na, A, Nb, B

S->B: {Nb, A, Kab}Kbs, {Na, B, Kab}Kas

B->A: {Na, B, Kab}Kas, {Tb, A, Kab}Kbb, Nc, {Na}Kab

A->B: {Nc}Kab

Repeated

A->B: N’a, {Tb, A, Kab}Kbb

B->A: N’b, {N’a}Kab

A->B: {N’b}Kab

6.5.4 The Kao Chow Repeated Authentication Protocols

One*

A->S: A, B, Na

S->B: {A, B, Na, Kab}Kas, {A, B, Na, Kab}Kbs

B->A: {A, B, Na, Kab}Kas, {Na}Kab, Nb

A->A: {Nb}Kab

Two

A->S: A, B, Na

S->B: {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A: {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb

A->B: {Na, Kab}Kt

Three (tickets)

A->S: A, B, Na

S->B: {A, B, Na, Kab, Kt}Kas, {A, B, Na, Kab, Kt}Kbs

B->A: {A, B, Na, Kab}Kas, {Na, Kab}Kt, Nb, {A, B, Ta, Kab}Kbs

A->B: {Na, Kab}Kt, {A, B, Ta, Kab}Kbs

6.6 Public Key Protocols without Trusted Third Party

6.6.1 ISO Public Key One-Pass Unilateral Authentication Protocol

A->B: CertA, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka-1

6.6.2 ISO Public Key Two-Pass Unilateral Authentication Protocol

B->A: Tb, txt1

A->B: CertA, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka-1

6.6.3 ISO Public Key Two-Pass Mutual Authentication Protocol

A->B: Cert_A, [Ta|Na], B, txt2, {[Ta|Na], B, txt1}Ka^-1

B->A: Cert_B,[Tb|Nb], A, txt4, {[Tb|Nb], A, txt3}Kb^-1

Note: two above messages disjoint

6.6.4 ISO Three-Pass Mutual Authentication Protocol

B->A: Rb, txt1

A->B: Cert_A, Ra, Rb, B, txt3, {Ra, Rb, B, txt2}Ka^-1

B->A: Cert_B, Rb, Ra, A, txt5, {Rb, Ra, A, txt4}Kb^-1

6.6.5 ISO Two Pass Parallel Mutual Authentication Protocol

A->B: Cert_A, Ra, txt1

B->A: Cert_B, Rb, txt2

B->A: Rb, Ra, A, txt6, {Rb, Ra, A, txt5}Kb^-1

A->B: Ra, Rb, B, txt4, {Ra, Rb, B, txt3}Ka^-1

6.6.6 Bilateral Key Exchange with Public Key

B->A: B, {Nb, B}Ka+

A->B: {f(Nb), Na, A, K}Kb+

B->A: {f(Na)}K

Question: What is the purpose of f()? Well try to attack without, and maybe you can find out.

6.6.7 Diffie Hellman Exchange

A->B: X = G^XmodN

B->A: Y = G^YmodN

Note: No guarantee of authenticity

6.7 Public Key Protocols with Trusted Third Party

6.7.1 Needham-Schroeder Public Key Protocol*

A->S: A, B

S->A: {Kb, B}Ks-1

A->B: {Na, A}Kb

B->S: B, A

S->B: {Ka, A}Ks-1

B->A: {Na, Nb}Ka

A->B: {Nb}Kb

6.8 SPLICE/AS Authentication Protocol*

C->AS: C, S, N₁

AS->C: AS, {AS, C, N₁, Ks}Kas-¹

C->S: C, S, {C, T, L, {N₂}Ks}Kc^-1

S->AS: S, C, N₃

AS->S: AS, {AS, S, N₃, Kc}Kas^-1

S->C: S, C, {S, N₂+1}Kc

6.8.1 Hwang and Chen’s Modified SPLICE/AS*

C->AS: C, S, N₁

AS->C: AS, {AS, C, N₁, S, Ks}Kas^-1

C->S: C, S, {C, T, L, {N₂}Ks}Kc^-1

S->AS: S, C, N₃

AS->S: AS, {AS, S, N₃, C, Kc}Kas^-1

S->C: S, C, {S, N₂+1}Kc

6.9 Denning Sacco Key Distribution with Public Key*

A->S: A, B

S->A: CertA, CertB

A->B: CertA, CertB, {{Kab, Ta}Ka^-1)Kb

6.9.1 CCITT X.509*

A->B: A, {Ta, Na, B, Xa, {Ya}Kb}Ka^-1

B->A: B, {Tb, Nb, A, Na, Xb, {Yb}Ka}Kb^-1

A->B: A, {Nb}Ka^-1

Problem: signing after encryption

6.10 Miscellaneous

6.10.1 Shamir Rivest Adelman Three Pass Protocol*

A->B: {M}Ka

B->A: {{M}Ka}Kb

A->B: {M}Kb

6.10.2 Gong Mutual Authentication Protocol

Pa secret shared between A and A

(k, Ha, Hb) hash(Ns, Na, B, Pa),

hash(Ns, Nb, A, Pb) B xors with 2^nd field of message 2 to get (K, Ha, Hb)

k a secret to be shared between clients

Ha, Hb handshake numbers

A->B: A, B, Na

B->S: A, B, Na, Nb

S->B: Ns, hash(Ns, Nb, A, Pb) xor (K, Ha, Hb), hash(k, Ha, Hb, Pb)

B->A: Ns, Hb

A->B: Ha

6.10.3 Encrypted Key Exchange – EKE*

P Password

R Randomly generated session key

A->B: {Ka}P

B->A: {{R}Ka}P

A->B: {Na}R

B->A: {Na, Nb}R

A->B: {Nb}R

Note: To analyze a password protocol you must also look at the weakness of P. That is, P is subject to brute force attack If it is used to encrypt a value that is not random, it can be determined.

* - Attack seems to be base upon A accepting password for key exchange. This may not fit a client server model.

6.10.4 Davis Swick Private Key Certificates* - “Network Security via Private-Key Certificates”

One*

B->A: {A, msg}Kbt

A->T: {A, msg}Kbt, B

T->A: {msg, B}Kat

Two – Scaled up Key Translation

B->A: {A, msg}Kbt

A->T: {A, msg}Kbt, {Kbt, B, Lb}Kt, {Kat, A, La}Kt

T->A: {msg, B}Kat

Three

B->T: {Kbt, B, Lb}Kt

T->B: {K’bt, B, L’b}Kt, {K’bt, T, L’b, checksum}Kbt

Four

A->T: {Kat, A, La}Kt, {Kbt, B, Lb}Kt

T->A: {Kab, A, Lab}Kbt, {Kab, B, Lab, checksum}Kat

A->B: {msg, A}Kab, {Kab, A, Lab}Kbt