Foundations of Computer Security
Lecture 61: Attacks on Needham-Schroeder

Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Attacks on Protocols

Recall our earlier list of things to ask about a protocol.

- Are both authentication and secrecy assured?
- Is it possible to impersonate one or more of the parties?
- Is it possible to interject messages from an earlier exchange (replay attack)?
- What tools can an attacker deploy?
- If any key is compromised, what are the consequences?

Flaws in Needham-Schroeder

1. A → S : A, B, Na
2. S → A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A → B : {Kab, A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb − 1}Kab

Denning and Sacco pointed out that the compromise of a session key has bad consequences. An intruder can reuse an old session key and pass it off as a new one as though it were fresh.

Suppose C has cracked Kab from last week's run of the protocol, and has squirreled away message 3 from that session: {Kab, A}Kbs.

3. C → B : {Kab, A}Kbs
4. B → C : {Nb}Kab
5. C → B : {Nb − 1}Kab

B will believe it is talking to A.

Problem: Message 3 is not protected by nonces. There is no way for B to know if the Kab it receives is current. An intruder has unlimited time to crack an old session key and reuse it as if it were fresh.

Example Attack: an employee runs the first few steps of the protocol multiple times, gathering up tickets {Kab, A}Kbs for each different server B in the system. If he's fired, he can still log onto all of the company's servers.

Bauer, et al. pointed out that if key Kas were compromised, anyone could impersonate A and establish communication with any other party.

1. A → S : A, B, Na
2. S → A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A → B : {Kab, A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb − 1}Kab

These flaws persisted for almost 10 years before they were discovered.

Is it Fair?

The "attacks" discovered by Denning and Sacco and by Bauer, et al. ask what happens if a key is broken.

Is it fair to ask that question? Isn't a presumption of any cryptographic protocol that the encryption is strong?

How might you address these flaws if you were the protocol designer?

Lessons

Researchers have pointed out flaws in the N-S protocol.

They illustrate how hard it is to make a protocol secure.

Next lecture: The Otway-Rees Protocol
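The stale-ticket problem in message 3 can be checked in a small symbolic model. This is an added example, not code from the lecture: `Sealed`, `Bob`, `finish_handshake`, the timestamp field T in the ticket and the `max_age` window are all assumptions made for illustration, with a timestamped ticket shown as one possible answer to the designer question above.

```python
# Symbolic model: {X}K is a sealed tuple, not real cryptography; all values are constructed.
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    key: bytes
    body: tuple

def seal(key, *body):  # models {body}key
    return Sealed(key, body)

def unseal(key, box):
    if box.key != key:
        raise ValueError("wrong key")
    return box.body

class Bob:
    """B's side of messages 3-5. max_age=None is the protocol as given in the lecture."""
    def __init__(self, kbs, max_age=None):
        self.kbs, self.max_age = kbs, max_age

    def on_message3(self, ticket, now):
        kab, peer, *stamp = unseal(self.kbs, ticket)
        if self.max_age is not None:
            # Hardened variant (assumption): ticket is {Kab, A, T}Kbs; reject if T is missing or old.
            if not stamp or now - stamp[0] > self.max_age:
                raise ValueError("stale or unstamped ticket")
        self.kab, self.peer, self.nb = kab, peer, secrets.randbits(64)
        return seal(kab, self.nb)                      # message 4: {Nb}Kab

    def on_message5(self, reply):
        (value,) = unseal(self.kab, reply)
        return self.peer if value == self.nb - 1 else None   # who B now believes it talks to

def finish_handshake(bob, ticket, kab, now):
    """Any holder of the ticket and Kab can complete messages 3-5; returns B's belief."""
    (nb,) = unseal(kab, bob.on_message3(ticket, now))
    return bob.on_message5(seal(kab, nb - 1))

if __name__ == "__main__":
    WEEK = 7 * 24 * 3600
    kbs, old_kab = b"constructed-Kbs", b"constructed-old-Kab"
    # Original protocol: a week-old ticket plus its cracked key still authenticates as A.
    print(finish_handshake(Bob(kbs), seal(kbs, old_kab, "A"), old_kab, now=WEEK))
    try:  # Hardened B with a 5-minute window rejects the same replay.
        finish_handshake(Bob(kbs, max_age=300), seal(kbs, old_kab, "A", 0), old_kab, now=WEEK)
    except ValueError as err:
        print("rejected:", err)
```

The timestamp check depends on B and S having roughly synchronized clocks, which the original protocol does not require.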