Foundations of Computer Security
Lecture 62: The Otway-Rees Protocol

Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Otway-Rees

Another very important and much studied protocol is the Otway-Rees protocol. Below is one of several variants.

1. $A \rightarrow B : M, A, B, \{N_a, M, A, B\}_{K_{as}}$
2. $B \rightarrow S : M, A, B, \{N_a, M, A, B\}_{K_{as}}, \{N_b, M, A, B\}_{K_{bs}}$
3. $S \rightarrow B : M, \{N_a, K_{ab}\}_{K_{as}}, \{N_b, K_{ab}\}_{K_{bs}}$
4. $B \rightarrow A : M, \{N_a, K_{ab}\}_{K_{as}}$

Here $M$ is a session identifier; $N_a$ and $N_b$ are nonces.

What are the assumptions? What seems to be the goal? What might the principals believe after each step?

Attack on Otway-Rees

A malicious intruder can arrange for A and B to end up with different keys.

1. After step 3, B has received $K_{ab}$.
2. An intruder then intercepts the fourth message.
3. The intruder resends message 2, so S generates a new key $K'_{ab}$, sent to B.
4. The intruder intercepts this message too, but sends to A: $M, \{N_a, K'_{ab}\}_{K_{as}}$.
5. A has $K'_{ab}$, while B has $K_{ab}$.

Another problem: although the server tells B that A used a nonce, B doesn't know if this was a replay of an old message.

A Flawed Protocol

Recall the following protocol, introduced previously.

1. $A \rightarrow B : \{\{K\}_{K_a^{-1}}\}_{K_b}$
2. $B \rightarrow A : \{\{K\}_{K_b^{-1}}\}_{K_a}$

Suppose an attacker C obtains the message (step 1): $\{\{K\}_{K_a^{-1}}\}_{K_b} = K'$. Then, C initiates a new run of the protocol with B:

1. $C \rightarrow B : \{\{K'\}_{K_c^{-1}}\}_{K_b}$
2. $B \rightarrow C : \{\{K'\}_{K_b^{-1}}\}_{K_c}$

The message that B sends back is:

$\{\{K'\}_{K_b^{-1}}\}_{K_c} = \{\{\{\{K\}_{K_a^{-1}}\}_{K_b}\}_{K_b^{-1}}\}_{K_c} = \{\{K\}_{K_a^{-1}}\}_{K_c}$

allowing C to extract the original $K$.

Lessons

Otway-Rees is another important protocol historically.
Like Needham-Schroeder it illustrates how difficult it is to build a secure cryptographic protocol.
This is also illustrated by our simple public key protocol.

Next lecture: Protocol Verification
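The key-mismatch attack on Otway-Rees described in the lecture, as an added symbolic simulation in Python (not part of the original slides). Encryption is modeled as tagged tuples, the key names and the `run` helper are constructed for illustration, and the `reject_replays` server-side cache is an assumed mitigation that the lecture does not describe.

```python
import secrets

def enc(key, *fields):
    """Symbolic encryption: a tagged tuple that only dec() with the same key opens."""
    return ("enc", key, fields)

def dec(key, box):
    tag, k, fields = box
    if tag != "enc" or k != key:
        raise ValueError("wrong key")
    return fields

class Server:
    """S shares Kas with A and Kbs with B (constructed placeholder key names)."""
    def __init__(self, keys, reject_replays=False):
        self.keys, self.reject_replays, self.seen = keys, reject_replays, set()

    def handle_msg2(self, msg2):
        M, A, B, box_a, box_b = msg2
        Na, Ma, Aa, Ba = dec(self.keys[A], box_a)
        Nb, Mb, Ab, Bb = dec(self.keys[B], box_b)
        if (Ma, Aa, Ba) != (M, A, B) or (Mb, Ab, Bb) != (M, A, B):
            raise ValueError("inconsistent request")
        if self.reject_replays:  # assumed mitigation, not from the lecture
            if (M, Na, Nb) in self.seen:
                raise ValueError("replayed request")
            self.seen.add((M, Na, Nb))
        Kab = secrets.token_hex(8)  # S issues a fresh session key per request
        return (M, enc(self.keys[A], Na, Kab), enc(self.keys[B], Nb, Kab))

def run(reject_replays=False):
    """Replay the lecture's five attack steps; return (A's key, B's key)."""
    S = Server({"A": "Kas", "B": "Kbs"}, reject_replays)
    M, Na, Nb = "M1", secrets.token_hex(4), secrets.token_hex(4)
    msg1 = (M, "A", "B", enc("Kas", Na, M, "A", "B"))
    msg2 = msg1 + (enc("Kbs", Nb, M, "A", "B"),)
    # Steps 1-2: B receives Kab in message 3; message 4 never reaches A.
    _, _, box_b = S.handle_msg2(msg2)
    nb, key_b = dec("Kbs", box_b)
    assert nb == Nb
    # Steps 3-4: message 2 is resent, S issues K'ab, and the A-part of the
    # reply is delivered to A as message 4. No ciphertext is ever opened
    # by the intruder; only whole messages are replayed and redirected.
    _, box_a2, _ = S.handle_msg2(msg2)
    na, key_a = dec("Kas", box_a2)
    assert na == Na  # A's only check passes: the nonce is its own
    return key_a, key_b  # step 5: A holds K'ab, B holds Kab
```

With `reject_replays=True` the second `handle_msg2` call raises `ValueError`, because the server has already seen that (M, Na, Nb) triple.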