The Needham–Schroeder protocol is one of the two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder. [1] These are:
Here, Alice initiates the communication to Bob . is a server trusted by both parties. In the communication:
The protocol can be specified as follows in security protocol notation:
The protocol is vulnerable to a replay attack (as identified by Denning and Sacco [2]). If an attacker uses an older, compromised value for , he can then replay the message to Bob, who will accept it, being unable to tell that the key is not fresh.
This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below. [3] At the beginning of the protocol:
The protocol then continues through the final three steps as described in the original protocol above. Note that is a different nonce from . The inclusion of this new nonce prevents the replaying of a compromised version of , since such a message would need to be of the form , which the attacker cannot forge because she does not have .
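To make the Denning–Sacco replay and the effect of the extra nonce concrete, here is a small symbolic model of the ticket Bob receives, written as an added example (not code from the original article). It models encryption as a tuple tagged with a key name, assumes the attacker cannot call `enc` with `K_BS`, and follows the nonce-based fix this section describes: Bob first answers Alice's hello with a nonce encrypted under the key he shares with the server, and the server binds that nonce into the ticket. Names such as `Bob`, `server_issue_ticket` and `K_AB_old` are this example's own.

```python
"""Symbolic model of the symmetric-key Needham-Schroeder ticket {K_AB, A}K_BS,
with and without the extra Bob nonce (N_B') that the fixed protocol binds into it.
Encryption is a tagged tuple (key name, payload) that opens only with the same
key name; this is a constructed teaching model, not a real cipher."""
import secrets


def enc(key, payload):
    return ("enc", key, payload)


def dec(key, blob):
    tag, k, payload = blob
    if tag != "enc" or k != key:
        raise ValueError("ciphertext is not under this key")
    return payload


class Bob:
    """Responder. Original protocol: no freshness check on the ticket.
    Fixed protocol: Bob first issues {A, N_B'}K_BS and only accepts a ticket
    that carries the N_B' of the session currently in progress."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.k_bs = "K_BS"          # long-term key shared with the server S
        self.pending = None         # N_B' of the session in progress, if any

    def challenge(self):
        """Extra first round trip of the fixed protocol."""
        self.pending = secrets.token_hex(8)
        return enc(self.k_bs, ("A", self.pending))

    def accept_ticket(self, ticket):
        payload = dec(self.k_bs, ticket)
        if not self.fixed:
            k_ab, a = payload
            return True             # nothing here proves the ticket is fresh
        k_ab, a, n_b = payload
        fresh = n_b == self.pending
        self.pending = None         # a nonce answers exactly one session
        return fresh


def server_issue_ticket(k_ab, bob_challenge=None):
    """S builds the part of message 4 that Alice forwards to Bob as message 5.
    With the fix, S opens Bob's challenge and binds N_B' into the ticket."""
    if bob_challenge is None:
        return enc("K_BS", (k_ab, "A"))
    a, n_b = dec("K_BS", bob_challenge)
    return enc("K_BS", (k_ab, a, n_b))


def replay_against_original():
    """Denning-Sacco replay: an old ticket for a since-compromised K_AB is
    resent to Bob, who accepts it."""
    bob = Bob(fixed=False)
    old_ticket = server_issue_ticket("K_AB_old")     # recorded in an earlier session
    return bob.accept_ticket(old_ticket)             # True: the flaw


def replay_against_fixed():
    """Same replay against the nonce-fixed protocol: the old ticket carries a
    stale N_B', so Bob rejects it."""
    bob = Bob(fixed=True)
    old_ticket = server_issue_ticket("K_AB_old", bob.challenge())  # earlier session
    bob.challenge()                                  # new session, fresh N_B'
    return bob.accept_ticket(old_ticket)             # False


def honest_fixed_run():
    """Control: a ticket built from Bob's current challenge is accepted."""
    bob = Bob(fixed=True)
    ticket = server_issue_ticket("K_AB_fresh", bob.challenge())
    return bob.accept_ticket(ticket)                 # True
```

The point the model isolates is that in the original protocol Bob's acceptance decision depends on nothing he generated himself, so a recorded ticket is indistinguishable from a fresh one; binding his own nonce (or, in Kerberos, a timestamp he can check) gives him something to compare against.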
This assumes the use of a public-key encryption algorithm.
Here, Alice and Bob use a trusted server to distribute public keys on request. These keys are:
The protocol runs as follows:
At the end of the protocol, and know each other's identities, and know both and . These nonces are not known to eavesdroppers.
This protocol is vulnerable to a man-in-the-middle attack. If an impostor can persuade to initiate a session with them, they can relay the messages to and convince that he is communicating with .
Ignoring the traffic to and from , which is unchanged, the attack runs as follows:
At the end of the attack, falsely believes that is communicating with him, and that and are known only to and .
The following example illustrates the attack. Alice () would like to contact her bank (). We assume that an impostor () successfully convinces that they are the bank. As a consequence, uses the public key of instead of the public key of to encrypt the messages she intends to send to her bank. Therefore, sends her nonce encrypted with the public key of . decrypts the message using their private key and contacts , sending it the nonce of encrypted with the public key of . has no way to know that this message was actually sent by . responds with their own nonce and encrypts the message with the public key of . Since is not in possession of the private key of , they have to relay the message to without knowing the content. decrypts the message with her private key and responds with the nonce of encrypted with the public key of . decrypts the message using their private key and is now in possession of nonces and . Therefore, they can now impersonate the bank and the client respectively.
The attack was first described in a 1995 paper by Gavin Lowe. [4] The paper also describes a fixed version of the scheme, referred to as the Needham–Schroeder–Lowe protocol. The fix involves the modification of message six to include the responder's identity, that is we replace:
with the fixed version:
and the intruder cannot successfully replay the message, because A is expecting a message containing the identity of I whereas the message will carry the identity of .
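The exchange above, run twice, once as originally specified and once with Lowe's fix, as an added example that is not part of the original article or of Lowe's paper. Only messages 3, 6 and 7 are modelled (the key-server traffic is unchanged by the attack, as the section notes); public-key encryption is a tuple tagged with the recipient's name that only code acting as that recipient opens, and the impostor is assumed to be a legitimate principal `I` with whom Alice willingly starts a session. The class and function names (`Principal`, `lowe_attack`, `ProtocolAbort`) are this example's own.

```python
"""Symbolic run of the public-key Needham-Schroeder protocol (messages 3, 6, 7)
under Lowe's man-in-the-middle attack, first as originally specified and then
with the Needham-Schroeder-Lowe fix that adds the responder's name to message 6.
Public-key encryption is a tuple tagged with the recipient's name; only code
acting as that recipient opens it. Constructed teaching model, not a real cipher."""
import secrets


class ProtocolAbort(Exception):
    pass


def pk_enc(recipient, payload):
    return ("pk", recipient, payload)


def pk_dec(owner, blob):
    tag, recipient, payload = blob
    if tag != "pk" or recipient != owner:
        raise ValueError("only the holder of the matching private key can decrypt")
    return payload


class Principal:
    def __init__(self, name, fixed):
        self.name = name
        self.fixed = fixed            # True = Needham-Schroeder-Lowe
        self.nonce = secrets.token_hex(8)
        self.peer = None              # who this principal believes it talks to

    # initiator side (Alice)
    def msg3(self, peer):
        self.peer = peer
        return pk_enc(peer, (self.nonce, self.name))

    def handle_msg6(self, blob):
        payload = pk_dec(self.name, blob)
        if self.fixed:
            n_a, n_b, responder = payload
            if responder != self.peer:    # the Lowe check: message 6 must name my peer
                raise ProtocolAbort(f"expected {self.peer}, message names {responder}")
        else:
            n_a, n_b = payload
        if n_a != self.nonce:
            raise ProtocolAbort("nonce N_A does not match")
        return pk_enc(self.peer, (n_b,))

    # responder side (Bob)
    def handle_msg3(self, blob):
        n_a, initiator = pk_dec(self.name, blob)
        self.peer = initiator
        fields = (n_a, self.nonce, self.name) if self.fixed else (n_a, self.nonce)
        return pk_enc(initiator, fields)

    def handle_msg7(self, blob):
        (n_b,) = pk_dec(self.name, blob)
        return n_b == self.nonce        # True: Bob believes the session is with self.peer


def honest_run(fixed):
    """Alice talks to Bob directly; succeeds in both protocol versions."""
    alice, bob = Principal("A", fixed), Principal("B", fixed)
    m6 = bob.handle_msg3(alice.msg3("B"))
    return bob.handle_msg7(alice.handle_msg6(m6))


def lowe_attack(fixed):
    """Alice deliberately opens a session with I; I reuses her nonce towards Bob.
    Returns True when Bob ends up accepting the session as coming from Alice."""
    alice, bob = Principal("A", fixed), Principal("B", fixed)
    intruder = "I"
    m3_to_i = alice.msg3(intruder)
    n_a, _ = pk_dec(intruder, m3_to_i)          # I opens it with its own private key
    m3_to_b = pk_enc("B", (n_a, "A"))           # and re-encrypts for Bob, claiming to be A
    m6 = bob.handle_msg3(m3_to_b)               # under K_PA: I cannot open it, only relay it
    try:
        m7_to_i = alice.handle_msg6(m6)
    except ProtocolAbort:
        return False                            # NSL: Alice sees B where she expects I
    (n_b,) = pk_dec(intruder, m7_to_i)
    return bob.handle_msg7(pk_enc("B", (n_b,)))
```

Running `lowe_attack(False)` ends with Bob accepting, which is the failure the article describes; `lowe_attack(True)` ends in Alice's abort, because message 6 now carries `B` where she expects `I`, and the intruder cannot change that field without Alice's private key. The general lesson for protocol design is that every encrypted message should name the parties it is meant to bind, so that a message cannot be lifted from one session and made to serve another.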