NeedhamSchroeder Protocol Authentication Key Establishment CS 470 Introduction

Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk CS 470, A. Selcuk Needham-Schroeder 1

Key Establishment and Authentication with KDC A simple protocol: KA{Bob, KAB} KDC KB{Alice, KAB} Bob Alice, Bob Problem: Potential delayed key delivery to Bob. (besides others) CS 470, A. Selcuk Needham-Schroeder 2

Another simple protocol: KA{Bob, KAB}, ticket. B where ticket. B= KB{Alice, KAB} KDC Bob Alice, ticket. B Problems: • No freshness guarantee for KAB • Alice & Bob need to authenticate CS 470, A. Selcuk Needham-Schroeder 3

Needham-Schroeder Protocol N 1, Alice, Bob ticket. B, KAB{N 2} KDC Bob Alice KA{N 1, Bob, KAB, ticket. B} where ticket. B= KB{KAB, Alice} KAB{N 2 -1, N 3} KAB{N 3 -1} CS 470, A. Selcuk Needham-Schroeder 4

Needham-Schroeder Protocol • N 1: for authenticating KDC & freshness of KAB. • Ticket is double-encrypted. (unnecessary) • N 2, N 3: for key confirmation, mutual authentication • Why are the challenges N 2, N 3 encrypted? • Problem: Bob doesn’t have freshness guarantee for KAB (i. e. , can’t detect replays). CS 470, A. Selcuk Needham-Schroeder 5

Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks possible: KAB{N 2 -1, N 3} Bob Trudy replay ticket. B, KAB{N 2} KAB{N 3 -1} CS 470, A. Selcuk KAB{N 3 -1, N 4} Needham-Schroeder Bob Trudy ticket. B, KAB{N 3} 6

Expanded Needham-Schroeder Protocol hello KB{NB} KA{N 1, Bob, KAB, ticket. B} where ticket. B= KB{KAB, Alice, NB} KDC Bob Alice N 1, Alice, Bob, KB{NB} ticket. B, KAB{N 2} KAB{N 2 -1, N 3} KAB{N 3 -1} CS 470, A. Selcuk Needham-Schroeder 7

Otway-Rees Protocol NC, “Alice”, “Bob”, KA{NA, NC, “Alice”, “Bob”} KB{NB, NC, “Alice”, “Bob”} NC, KA{NA, KAB}, KB{NB, KAB} Bob Alice KDC KA{NA, KAB} KAB{anything recognizable} CS 470, A. Selcuk Needham-Schroeder 8

Otway-Rees Protocol • NA, NB: Provides freshness guarantee for A & B, as well as authentication of KDC. • NC: Binds Alice, Bob, and the session. Also authenticates Bob. • Having separate NA & NC is redundant for security, though it’s good for functional separation of nonces and uniformity of KDC messages. CS 470, A. Selcuk Needham-Schroeder 9

Basic Kerboros Protocol N 1, Alice, Bob KDC Bob Alice KA{N 1, Bob, KAB, ticket. B} where ticket. B= KB{KAB, Alice, expiration time} ticket. B, KAB{T} KAB{T+1} T: timestamp CS 470, A. Selcuk Needham-Schroeder 10