UT CS 361 - Lecture 62- The Otway-Rees Protocol


Foundations of Computer Security
Lecture 62: The Otway-Rees Protocol

Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Otway-Rees

Another very important and much studied protocol is the Otway-Rees protocol. Below is one of several variants.

1. $A \to B : M, A, B, \{N_a, M, A, B\}_{K_{as}}$
2. $B \to S : M, A, B, \{N_a, M, A, B\}_{K_{as}}, \{N_b, M, A, B\}_{K_{bs}}$
3. $S \to B : M, \{N_a, K_{ab}\}_{K_{as}}, \{N_b, K_{ab}\}_{K_{bs}}$
4. $B \to A : M, \{N_a, K_{ab}\}_{K_{as}}$

Here $M$ is a session identifier; $N_a$ and $N_b$ are nonces.

What are the assumptions? What seems to be the goal? What might the principals believe after each step?

Attack on Otway-Rees

A malicious intruder can arrange for A and B to end up with different keys.

1. After step 3, B has received $K_{ab}$.
2. An intruder then intercepts the fourth message.
3. The intruder resends message 2, so S generates a new key $K'_{ab}$, sent to B.
4. The intruder intercepts this message too, but sends to A: $M, \{N_a, K'_{ab}\}_{K_{as}}$.
5. A has $K'_{ab}$, while B has $K_{ab}$.

Another problem: although the server tells B that A used a nonce, B doesn't know if this was a replay of an old message.

A Flawed Protocol

Recall the following protocol, introduced previously.

1. $A \to B : \{\{K\}_{K_a^{-1}}\}_{K_b}$
2. $B \to A : \{\{K\}_{K_b^{-1}}\}_{K_a}$

Suppose an attacker C obtains the message (step 1): $\{\{K\}_{K_a^{-1}}\}_{K_b} = K'$. Then, C initiates a new run of the protocol with B:

1. $C \to B : \{\{K'\}_{K_c^{-1}}\}_{K_b}$
2. $B \to C : \{\{K'\}_{K_b^{-1}}\}_{K_c}$

The message that B sends back is:

$$\{\{K'\}_{K_b^{-1}}\}_{K_c} = \{\{\{\{K\}_{K_a^{-1}}\}_{K_b}\}_{K_b^{-1}}\}_{K_c} = \{\{K\}_{K_a^{-1}}\}_{K_c}$$

allowing C to extract the original K.

Lessons

- Otway-Rees is another important protocol historically.
- Like Needham-Schroeder it illustrates how difficult it is to build a secure cryptographic protocol.
- This is also illustrated by our simple public key protocol.

Next lecture: Protocol Verification
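The key-mismatch attack on Otway-Rees described above can be traced in a small symbolic model. This is an added example, not part of the lecture: ciphertexts are tagged tuples, the intruder only records and forwards messages, and the key strings, function names and the `reject_replays` option (one illustrative server-side check in this model) are assumptions of the sketch.

```python
import secrets
from collections import namedtuple

# Symbolic ciphertext: the body is readable only with the matching key.
Enc = namedtuple("Enc", "key body")

def enc(key, *body):
    return Enc(key, body)

def dec(key, c):
    if c.key != key:
        raise ValueError("wrong key")
    return c.body

class Server:
    def __init__(self, keys, reject_replays=False):
        self.keys = keys                      # long-term keys Kas, Kbs
        self.reject_replays = reject_replays  # hypothetical hardening switch
        self.seen = set()                     # (M, A, B) runs already served

    def handle(self, msg2):
        M, A, B, ca, cb = msg2
        na, *ids_a = dec(self.keys[A], ca)
        nb, *ids_b = dec(self.keys[B], cb)
        if ids_a != [M, A, B] or ids_b != [M, A, B]:
            raise ValueError("identifier mismatch")
        if self.reject_replays and (M, A, B) in self.seen:
            raise ValueError("replayed request")
        self.seen.add((M, A, B))
        kab = secrets.token_hex(8)            # fresh key per accepted request
        return (M, enc(self.keys[A], na, kab), enc(self.keys[B], nb, kab))

def run(reject_replays=False):
    kas, kbs = "Kas", "Kbs"                   # constructed symbolic keys
    S = Server({"A": kas, "B": kbs}, reject_replays)
    M, na, nb = "M1", secrets.token_hex(8), secrets.token_hex(8)
    msg1 = (M, "A", "B", enc(kas, na, M, "A", "B"))   # 1. A -> B
    msg2 = msg1 + (enc(kbs, nb, M, "A", "B"),)        # 2. B -> S
    _, _, for_b = S.handle(msg2)                      # 3. S -> B
    n, key_at_b = dec(kbs, for_b)
    assert n == nb
    # Message 4 is intercepted; the intruder resends the recorded message 2
    # and forwards A's part of the new reply. It never uses Kas or Kbs.
    _, for_a, _ = S.handle(msg2)
    n, key_at_a = dec(kas, for_a)
    return n == na, key_at_a, key_at_b        # A accepts: its own nonce matches

if __name__ == "__main__":
    print(run())
```

With the default server, A accepts the forwarded message because it carries A's own nonce, yet A and B hold different keys; with `reject_replays=True` the second request for the same run is refused.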

