|
|
| Line 1: |
Line 1: |
| {{unreferenced|date=June 2013}}
| | I would love to introduce myself to you, I am Marshall though I don't really like being called like which in turn. To fix computers is what my relatives and I have the benefit of. Managing people is my day job now. Michigan is his birth place. I'm not good at webdesign but you really should check my website: http://euroseonews.wordpress.com |
| The '''Otway–Rees protocol''' is a [[computer network]] [[authentication]] [[communications protocol|protocol]] designed for use on [[insecure network]]s (e.g. the [[Internet]]). It allows individuals communicating over such a network to prove their identity to each other while also preventing [[eavesdropping]] or [[replay attack]]s and allowing for the detection of modification.
| |
| | |
| The protocol can be specified as follows in [[security protocol notation]], where '''A'''lice is authenticating herself to '''B'''ob using a server '''S''' ('''M''' is a session-identifier, '''N<sub>A</sub>''' and '''N<sub>B</sub>''' are [[Cryptographic nonce|nonce]]s):
| |
| | |
| # <math>A \rightarrow B: M,A,B,\{N_A,M,A,B\}_{K_{AS}}</math>
| |
| # <math>B \rightarrow S: M,A,B,\{N_A,M,A,B\}_{K_{AS}},\{N_B, M,A,B\}_{K_{BS}}</math>
| |
| # <math>S \rightarrow B: M,\{N_A,K_{AB}\}_{K_{AS}},\{N_B,K_{AB}\}_{K_{BS}}</math>
| |
| # <math>B \rightarrow A: M,\{N_A,K_{AB}\}_{K_{AS}}</math>
| |
| | |
| Note: The above steps do not authenticate '''B''' to '''A'''.
| |
| | |
| == Attacks on the protocol ==
| |
| There are a variety of attacks on this protocol currently published.
| |
| | |
| One problem with this protocol is that a malicious intruder can arrange for '''A''' and '''B''' to end up with different keys. Here is how: after '''A''' and '''B''' execute the first three messages, '''B''' has received the key <math>K_{AB}</math>. The intruder then intercepts the fourth message. He resends message 2, which results in '''S''' generating a new key <math>K'_{AB}</math>, subsequently sent to '''B'''. The intruder intercepts this message too, but sends to '''A '''the part of it that '''B''' would have sent to '''A'''. So now '''A''' has finally received the expected fourth message, but with <math>K'_{AB}</math> instead of <math>K_{AB}</math>.
| |
| | |
| Another problem is that although the server tells '''B''' that '''A''' used a nonce, '''B''' doesn't know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against '''B'''.
| |
| | |
| == See also ==
| |
| * [[Kerberos (protocol)]]
| |
| * [[Needham–Schroeder protocol]]
| |
| * [[Yahalom (protocol)]]
| |
| * [[Wide Mouth Frog protocol]]
| |
| | |
| {{DEFAULTSORT:Otway-Rees protocol}}
| |
| [[Category:Computer access control protocols]]
| |
| [[Category:Authentication protocols]]
| |
| [[Category:Key transport protocols]]
| |
| [[Category:Symmetric-key cryptography]]
| |
| | |
| | |
| {{crypto-stub}}
| |
I would love to introduce myself to you, I am Marshall though I don't really like being called like which in turn. To fix computers is what my relatives and I have the benefit of. Managing people is my day job now. Michigan is his birth place. I'm not good at webdesign but you really should check my website: http://euroseonews.wordpress.com